[jboss-user] [Security & JAAS/JBoss] - using Java 6 Kerberos provider for http client connections
Arvoreen
do-not-reply at jboss.com
Wed May 9 16:44:01 EDT 2007
So I have a web app that does not define ANY authentication requirements (legacy app, handles authentication/authorization internally).
This application is also making client http connections to other resources and it needs to do so using the integrated Java 6 Kerberos login provider, so that it can connect via NTLM and/or SPNEGO to Windows pages.
However, when I first make the client connection attempt, I get:
| org.jboss.security.auth.spi.UsersRolesLoginModule Failed to load users/passwords/role files
| java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
| at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
| at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
| at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
| at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:597)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
| at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
| at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
| at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331)
| at java.security.AccessController.doPrivileged(Native Method)
| at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:328)
| at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
| at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
| at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
| at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
| at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
| at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
| at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:846)
| at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:304)
| at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:230)
| at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
| at sun.net.www.protocol.http.NegotiatorImpl.init(NegotiatorImpl.java:86)
| at sun.net.www.protocol.http.NegotiatorImpl.<init>(NegotiatorImpl.java:95)
| at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
| at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
| at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
| at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
| at sun.net.www.protocol.http.Negotiator.getSupported(NegotiateAuthentication.java:265)
| at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:106)
| at sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:170)
| at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:119)
| at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1070)
| at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:373)
|
So I tried to set up an auth policy that points directly to the KRB5 modules in the login-config.xml:
| <!-- KRB5 Policy -->
| <application-policy name="krb5">
| <authentication>
| <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
| <module-option name="storeKey">true</module-option>
| <module-option name="keyTab">/etc/eonkeytab</module-option>
| <module-option name="doNotPrompt">true</module-option>
| <module-option name="useKeyTab">true</module-option>
| <module-option name="realm">AMS.GBLXINT.COM</module-option>
| <module-option name="principal">HTTP/dlktzt79.ams.gblxint.com@AMS.GBLXINT.COM</module-option>
| <module-option name="useTicketCache">true</module-option>
| <module-option name="debug">true</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
and added the following to the jboss-web.xml
| <security-domain>java:/jaas/krb5</security-domain>
|
No luck whatsoever...same errors occurring.
Anyone have any pointers?
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4044480#4044480
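An added diagnostic sketch (not part of the original post, and not JBoss code): the stack trace above shows GSSUtil.login running a JAAS LoginContext that ended up in UsersRolesLoginModule. The JDK's JGSS Kerberos initiator looks up JAAS entries by the names com.sun.security.jgss.krb5.initiate and com.sun.security.jgss.initiate, so this probe prints which login module a Configuration returns for those names and for the post's krb5 policy. The class name JaasEntryProbe, the fallbackConfig stand-in and its fall-back-to-"other" behaviour are assumptions constructed for the demo.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JaasEntryProbe {
    // Entry names the JDK's JGSS Kerberos initiator looks up, then the post's policy names.
    static final String[] NAMES = {
        "com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.initiate", "krb5", "other" };

    /** Reports which login modules cfg returns for the given JAAS entry name. */
    static String resolve(Configuration cfg, String name) {
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(name);
        if (entries == null) return name + " -> (no entry)";
        StringBuilder sb = new StringBuilder(name).append(" ->");
        for (AppConfigurationEntry e : entries) sb.append(' ').append(e.getLoginModuleName());
        return sb.toString();
    }

    /** Constructed stand-in; ASSUMPTION: unknown names fall back to the "other" policy. */
    static Configuration fallbackConfig(final Map<String, String> policies) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                String module = policies.containsKey(name) ? policies.get(name) : policies.get("other");
                if (module == null) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(module,
                    LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
            @Override public void refresh() { /* nothing to reload in this stand-in */ }
        };
    }

    public static void main(String[] args) {
        String krb5 = "com.sun.security.auth.module.Krb5LoginModule";
        Map<String, String> policies = new HashMap<String, String>();
        policies.put("other", "org.jboss.security.auth.spi.UsersRolesLoginModule");
        policies.put("krb5", krb5);                 // the policy name used in the post
        // In the server, pass Configuration.getConfiguration() instead of the stand-in.
        Configuration cfg = fallbackConfig(policies);
        for (String n : NAMES) System.out.println("before: " + resolve(cfg, n));
        policies.put(NAMES[0], krb5);               // same module under the JGSS entry name
        for (String n : NAMES) System.out.println("after:  " + resolve(cfg, n));
    }
}
```

Run inside the web app with the live Configuration, the same resolve call shows whether the JGSS entry names map to Krb5LoginModule or to some other policy's module.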