[jboss-user] [Security & JAAS/JBoss] - Re: Minimal JBoss config to use GSSAPI/Kerberos acceptSecCon

quinntaylor do-not-reply at jboss.com
Thu Feb 26 16:27:08 EST 2009


Glad to hear you've gotten a bit further, although neither of us has it working in JBoss yet...

Actually, I strongly suspect that JBoss is honoring the keyTab entry in the GSS config file, but isn't allowing the GSS call to createCredential() to access the keytab file. The code I'm having issues with was written completely independently of JBoss, and it works perfectly when compiled to a jar file and run from the Terminal. (I'm curious whether your code also works if you invoke it directly, and not through JBoss. If so, it's probably safe to say that the JBoss security manager is the problem.) When I run it in JBoss, the client blocks while waiting for a web service response, and the server ends up waiting for user input (username/password, as I mentioned).

When I do a stack trace on the pid for JBoss (using `jstack' on OS X), the thread that's handling the request is buried in I/O functions under a heap of authentication calls, including javax.security.auth.login.LoginContext.login(), org.jboss.security.auth.spi.UsersRolesLoginModule.login(), and org.jboss.security.auth.spi.UsernamePasswordLoginModule.getUsernameAndPassword(), with a few calls in between each of these.

Since clients must present a username and password to gain access to the web service, I'm trying to figure out how to get JBoss to just allow the code to do whatever it needs to with the keytab file. This wasn't an issue with the previous rev of the code, since it used some very crufty and hackish JNI to do the GSS-API tasks, but the new code is pure Java.

I'm in the middle of reading the resource mentioned in this thread/sticky. Hopefully it will help with getting JBoss to get out of the way for this particular code.  :-)

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4213531#4213531
