[jboss-user] [Security & JAAS/JBoss] - Re: JBOSS Negotiate toolkit Secured servlet throws 403 Acces

dufferdo25 do-not-reply at jboss.com
Thu Jun 18 10:36:42 EDT 2009


Here is a dump of the console whilst I access the Secured servlet:


14:16:19,722 INFO  [STDOUT] Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/admin/jportal.host.keytab refreshKrb5Config is false principal is host/jportal at BASE.MYCO.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  | 14:16:19,739 INFO  [STDOUT] >>> KeyTabInputStream, readName(): BASE.MYCO.COM
  | 14:16:19,740 INFO  [STDOUT] >>> KeyTabInputStream, readName(): host
  | 14:16:19,740 INFO  [STDOUT] >>> KeyTabInputStream, readName(): jportal
  | 14:16:19,741 INFO  [STDOUT] >>> KeyTab: load() entry length: 69; type: 23
  | 14:16:19,741 INFO  [STDOUT] >>> KeyTabInputStream, readName(): BASE.MYCO.COM
  | 14:16:19,742 INFO  [STDOUT] >>> KeyTabInputStream, readName(): jportal
  | 14:16:19,742 INFO  [STDOUT] >>> KeyTab: load() entry length: 55; type: 3
  | 14:16:19,743 INFO  [STDOUT] >>> KeyTabInputStream, readName(): BASE.MYCO.COM
  | 14:16:19,743 INFO  [STDOUT] >>> KeyTabInputStream, readName(): jportal
  | 14:16:19,743 INFO  [STDOUT] >>> KeyTab: load() entry length: 55; type: 1
  | 14:16:19,744 INFO  [STDOUT] >>> KeyTabInputStream, readName(): BASE.MYCO.COM
  | 14:16:19,744 INFO  [STDOUT] >>> KeyTabInputStream, readName(): jportal
  | 14:16:19,745 INFO  [STDOUT] >>> KeyTab: load() entry length: 63; type: 23
  | 14:16:19,746 INFO  [STDOUT] >>> KeyTabInputStream, readName(): BASE.MYCO.COM
  | 14:16:19,746 INFO  [STDOUT] >>> KeyTabInputStream, readName(): jportal
  | 14:16:19,746 INFO  [STDOUT] >>> KeyTab: load() entry length: 71; type: 16
  | 14:16:19,747 INFO  [STDOUT] >>> KeyTabInputStream, readName(): BASE.MYCO.COM
  | 14:16:19,747 INFO  [STDOUT] >>> KeyTabInputStream, readName(): jportal
  | 14:16:19,747 INFO  [STDOUT] >>> KeyTab: load() entry length: 63; type: 17
  | 14:16:19,883 INFO  [STDOUT] Added key: 23version: 3
  | 14:16:19,884 INFO  [STDOUT] Ordering keys wrt default_tkt_enctypes list
  | 14:16:19,885 INFO  [STDOUT] Using builtin default etypes for default_tkt_enctypes
  | 14:16:19,885 INFO  [STDOUT] default etypes for default_tkt_enctypes:
  | 14:16:19,886 INFO  [STDOUT]  3
  | 14:16:19,886 INFO  [STDOUT]  1
  | 14:16:19,887 INFO  [STDOUT]  23
  | 14:16:19,887 INFO  [STDOUT]  16
  | 14:16:19,888 INFO  [STDOUT]  17
  | 14:16:19,888 INFO  [STDOUT] .
  | 14:16:19,889 INFO  [STDOUT] principal's key obtained from the keytab
  | 14:16:19,889 INFO  [STDOUT] Acquire TGT using AS Exchange
  | 14:16:19,891 INFO  [STDOUT] Using builtin default etypes for default_tkt_enctypes
  | 14:16:19,892 INFO  [STDOUT] default etypes for default_tkt_enctypes:
  | 14:16:19,892 INFO  [STDOUT]  3
  | 14:16:19,893 INFO  [STDOUT]  1
  | 14:16:19,893 INFO  [STDOUT]  23
  | 14:16:19,893 INFO  [STDOUT]  16
  | 14:16:19,894 INFO  [STDOUT]  17
  | 14:16:19,894 INFO  [STDOUT] .
  | 14:16:19,895 INFO  [STDOUT] >>> KrbAsReq calling createMessage
  | 14:16:19,896 INFO  [STDOUT] >>> KrbAsReq in createMessage
  | 14:16:19,898 INFO  [STDOUT] >>> KrbKdcReq send: kdc=dc.base.myco.com UDP:88, timeout=30000, number of retries =3, #bytes=162
  | 14:16:19,902 INFO  [STDOUT] >>> KDCCommunication: kdc=dc.base.myco.com UDP:88, timeout=30000,Attempt =1, #bytes=162
  | 14:16:19,904 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=645
  | 14:16:19,905 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=645
  | 14:16:19,907 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  | 14:16:20,057 INFO  [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply host/jportal
  | 14:16:20,058 INFO  [STDOUT] principal is host/jportal at BASE.MYCO.COM
  | 14:16:20,058 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 25 6D AD 1A 24 E1 4D C2   77 B3 7C 54 67 45 EA AA  %m..$.M.E..TgE..
  | 14:16:20,061 INFO  [STDOUT] Added server's keyKerberos Principal host/jportal at BASE.MYCO.COMKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=
  | 0000: 25 6D AD 1A 24 E1 4D C2   77 B3 7C 54 67 45 EA AA  %m..$.M.E..TgE..
  | 14:16:20,061 INFO  [STDOUT] 		[Krb5LoginModule] added Krb5Principal  host/jportal at BASE.MYCO.COM to Subject
  | 14:16:20,061 INFO  [STDOUT] Commit Succeeded 
  | 14:16:20,072 INFO  [STDOUT] 		[Krb5LoginModule]: Entering logout
  | 14:16:20,072 INFO  [STDOUT] 		[Krb5LoginModule]: logged out Subject
  | 14:16:20,129 INFO  [STDOUT] Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/admin/jportal.host.keytab refreshKrb5Config is false principal is host/jportal at BASE.MYCO.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  | 14:16:20,130 INFO  [STDOUT] KeyTab instance already exists
  | 14:16:20,130 INFO  [STDOUT] Added key: 23version: 3
  | 14:16:20,131 INFO  [STDOUT] Ordering keys wrt default_tkt_enctypes list
  | 14:16:20,131 INFO  [STDOUT] Using builtin default etypes for default_tkt_enctypes
  | 14:16:20,132 INFO  [STDOUT] default etypes for default_tkt_enctypes:
  | 14:16:20,132 INFO  [STDOUT]  3
  | 14:16:20,133 INFO  [STDOUT]  1
  | 14:16:20,133 INFO  [STDOUT]  23
  | 14:16:20,134 INFO  [STDOUT]  16
  | 14:16:20,134 INFO  [STDOUT]  17
  | 14:16:20,135 INFO  [STDOUT] .
  | 14:16:20,135 INFO  [STDOUT] principal's key obtained from the keytab
  | 14:16:20,136 INFO  [STDOUT] Acquire TGT using AS Exchange
  | 14:16:20,136 INFO  [STDOUT] Using builtin default etypes for default_tkt_enctypes
  | 14:16:20,137 INFO  [STDOUT] default etypes for default_tkt_enctypes:
  | 14:16:20,137 INFO  [STDOUT]  3
  | 14:16:20,138 INFO  [STDOUT]  1
  | 14:16:20,139 INFO  [STDOUT]  23
  | 14:16:20,139 INFO  [STDOUT]  16
  | 14:16:20,140 INFO  [STDOUT]  17
  | 14:16:20,140 INFO  [STDOUT] .
  | 14:16:20,141 INFO  [STDOUT] >>> KrbAsReq calling createMessage
  | 14:16:20,141 INFO  [STDOUT] >>> KrbAsReq in createMessage
  | 14:16:20,142 INFO  [STDOUT] >>> KrbKdcReq send: kdc=dc.base.myco.com UDP:88, timeout=30000, number of retries =3, #bytes=162
  | 14:16:20,143 INFO  [STDOUT] >>> KDCCommunication: kdc=dc.base.myco.com UDP:88, timeout=30000,Attempt =1, #bytes=162
  | 14:16:20,145 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=645
  | 14:16:20,145 INFO  [STDOUT] >>> KrbKdcReq send: #bytes read=645
  | 14:16:20,146 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  | 14:16:20,148 INFO  [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply host/jportal
  | 14:16:20,148 INFO  [STDOUT] principal is host/jportal at BASE.MYCO.COM
  | 14:16:20,149 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 25 6D AD 1A 24 E1 4D C2   77 B3 7C 54 67 45 EA AA  %m..$.M.E..TgE..
  | 14:16:20,151 INFO  [STDOUT] Added server's keyKerberos Principal host/jportal at BASE.MYCO.COMKey Version 3key EncryptionKey: keyType=23 keyBytes (hex dump)=
  | 0000: 25 6D AD 1A 24 E1 4D C2   77 B3 7C 54 67 45 EA AA  %m..$.M.E..TgE..
  | 14:16:20,151 INFO  [STDOUT] 		[Krb5LoginModule] added Krb5Principal  host/jportal at BASE.MYCO.COM to Subject
  | 14:16:20,152 INFO  [STDOUT] Commit Succeeded 
  | 14:16:20,165 INFO  [STDOUT] Found key for host/jportal at BASE.MYCO.COM(23)
  | 14:16:20,167 INFO  [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
  | 14:16:20,169 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  | 14:16:20,172 INFO  [STDOUT] Using builtin default etypes for permitted_enctypes
  | 14:16:20,173 INFO  [STDOUT] default etypes for permitted_enctypes:
  | 14:16:20,173 INFO  [STDOUT]  3
  | 14:16:20,174 INFO  [STDOUT]  1
  | 14:16:20,174 INFO  [STDOUT]  23
  | 14:16:20,175 INFO  [STDOUT]  16
  | 14:16:20,175 INFO  [STDOUT]  17
  | 14:16:20,176 INFO  [STDOUT] .
  | 14:16:20,176 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  | 14:16:20,178 INFO  [STDOUT] >>> Config reset default kdc BASE.MYCO.COM
  | 14:16:20,179 INFO  [STDOUT] replay cache for dufus at BASE.MYCO.COM is null.
  | 14:16:20,180 INFO  [STDOUT] object 0: 1245334529003/3463
  | 14:16:20,180 INFO  [STDOUT] object 0: 1245334529003/3463
  | 14:16:20,181 INFO  [STDOUT] >>> KrbApReq: authenticate succeed.
  | 14:16:20,182 INFO  [STDOUT] Krb5Context setting peerSeqNumber to: 752264326
  | 14:16:20,184 INFO  [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
  | 14:16:20,186 INFO  [STDOUT] Krb5Context setting mySeqNumber to: 467205704
  | 14:16:20,187 INFO  [STDOUT] 		[Krb5LoginModule]: Entering logout
  | 14:16:20,187 INFO  [STDOUT] 		[Krb5LoginModule]: logged out Subject
  | 

As you can see, there aren't any errors. As I said earlier, I get success on the first 2 servlets, but I get the generic "HTTP Status 403 - Access to the requested resource has been denied".
dufus is the user name and he belongs to the User group in AD.
jportal is the service account that I use for the principal.
jportal is also the name of the host that jboss is running on.
dc is the name of my AD DC.
Thanks again!

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4238509#4238509
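
A triage sketch for a debug dump like the one in the post, added here as an example and not part of the original post or of the JBoss Negotiation code: it lists the keytab enctypes, flags the weak ones, checks whether the AP-REQ was accepted (if it was, a 403 is decided after Kerberos, at the role/authorization check), and redacts `keyBytes` hex rows so a log can be shared without the service key. The sample lines, the principal `alice@EXAMPLE.COM` and the names `triage` and `HEX_ROW` are constructed for illustration.

```python
import re

# Kerberos encryption type numbers as they appear in the JDK debug output.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
WEAK = {1, 3, 23}  # single DES and RC4

# A hex-dump row: 4-digit offset, then at least four byte pairs, then ASCII.
HEX_ROW = re.compile(r"\b([0-9A-Fa-f]{4}:)\s+(?:[0-9A-Fa-f]{2}\s+){4,}.*$")

# Constructed sample lines in the same format as the console dump.
SAMPLE = """\
14:00:00,001 INFO  [STDOUT] >>> KeyTab: load() entry length: 55; type: 3
14:00:00,002 INFO  [STDOUT] >>> KeyTab: load() entry length: 63; type: 23
14:00:00,003 INFO  [STDOUT] >>> KeyTab: load() entry length: 63; type: 17
14:00:00,004 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 00 11 22 33 44 55 66 77   88 99 AA BB CC DD EE FF  ................
14:00:00,005 INFO  [STDOUT] replay cache for alice@EXAMPLE.COM is null.
14:00:00,006 INFO  [STDOUT] >>> KrbApReq: authenticate succeed.
""".splitlines()

def triage(lines):
    """Summarise a Krb5LoginModule/JGSS debug dump and redact key bytes."""
    keytab, client, ap_ok, key_rows, safe = set(), None, False, 0, []
    for line in lines:
        if m := re.search(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", line):
            keytab.add(int(m.group(1)))
        # Mailing-list archives rewrite "@" as " at "; accept both forms.
        if m := re.search(r"replay cache for (\S+(?:@| at )\S+) is null", line):
            client = m.group(1)
        if "KrbApReq: authenticate succeed" in line:
            ap_ok = True
        clean = HEX_ROW.sub(r"\1 [REDACTED]", line)
        key_rows += clean != line  # count rows that carried key bytes
        safe.append(clean)
    return {
        "keytab_etypes": sorted(keytab),
        "weak_etypes": [ETYPES[e] for e in sorted(keytab & WEAK)],
        "client": client,
        # Accepted AP-REQ means the ticket was valid: check role mapping next.
        "stage_to_check": "authorization" if ap_ok else "authentication",
        "key_rows_redacted": key_rows,
        "safe_log": safe,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, "=", value)
```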
