Darran Lofthouse resolved ELY-1280.
-----------------------------------
Fix Version/s: 1.1.0.CR3
Resolution: Done
GSSAPI only identities credential if we actually have one.
----------------------------------------------------------
Key: ELY-1280
URL:
https://issues.jboss.org/browse/ELY-1280
Project: WildFly Elytron
Issue Type: Bug
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
Fix For: 1.1.0.CR3
In ER2, Kerberos authentication in remoting does not work with IBM Java. I see the same error
in 2 scenarios:
* Elytron Kerberos authentication for management interface - CLI
* Elytron Kerberos authentication for EJB
This issue (reproducer/description) is based on the CLI case. As it seems to me, it is caused
by the same error.
{code}
13:15:25,038 INFO [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main)
Command:[/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.sh,
-Djboss.cli.config=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.xml,
-c, --controller=remote+http://localhost.localdomain:9990, --timeout=60000,
-Djavax.security.auth.useSubjectCredsOnly=false,
-Djava.security.krb5.conf=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-4030706113084817464.conf,
-Dsun.security.krb5.debug=true, -Dcom.ibm.security.jgss.debug=all,
-Dcom.ibm.security.krb5.Krb5Debug=all,
-Djavax.net.ssl.trustStore=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/localhost.keystore,
:whoami]
13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Initialized
connection from /127.0.0.1:41690 to /127.0.0.1:9990 with options
{org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Accepted
connection from /127.0.0.1:41690 to localhost.localdomain/127.0.0.1:9990
13:15:26,353 TRACE [org.jboss.remoting.remote] (management I/O-1) Setting read listener
to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@6a1d77d9
13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 28
bytes
13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed
channel
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers
in queue for message header
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated
fresh buffers
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 56
bytes
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received
message java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
13:15:26,375 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received
java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capabilities request
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capability: version 1
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capability: remote endpoint name "cli-client"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capability: message close protocol supported
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capability: remote version is "5.0.0.CR4-redhat-1"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capability: remote channels in is "40"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capability: remote channels out is "40"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
capability: authentication service
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) No EXTERNAL
mechanism due to lack of SSL
13:15:26,380 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism
GSSAPI
13:15:26,381 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism
PLAIN
13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 81
bytes
13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed
channel
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers
in queue for message header
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated
fresh buffers
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 583
bytes
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received
message java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received
java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
authentication request
13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling
MechanismInformationCallback type='SASL' name='GSSAPI'
host-name='localhost.localdomain' protocol='remote'
13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling
MechanismInformationCallback type='SASL' name='GSSAPI'
host-name='localhost.localdomain' protocol='remote'
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1)
configuredMaxReceiveBuffer=16777215
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1)
relaxComplianceChecks=false
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1)
QOP={AUTH}
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) Obtaining
GSSCredential for the service from callback handler...
13:15:27,197 TRACE [org.wildfly.security] (management I/O-1) No valid cached credential,
obtaining new one...
13:15:27,198 TRACE [org.wildfly.security] (management I/O-1) Logging in using
LoginContext and subject [Subject:
]
13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: debug=true
13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: principal=remote/localhost.localdomain(a)JBOSS.ORG
13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: credsType=accept only
13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config:
useDefaultCcache=false (default)
13:15:27,219 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config:
useCcache=null
13:15:27,219 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config:
useDefaultKeytab=false
13:15:27,220 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config:
useKeytab=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab
13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: forwardable=false (default)
13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: renewable=false (default)
13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: proxiable=false (default)
13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: tryFirstPass=false (default)
13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: useFirstPass=false (default)
13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: moduleBanner=false (default)
13:15:27,225 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS
config: interactive login? no
13:15:27,225 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 Try
keytab for principal=remote/localhost.localdomain(a)JBOSS.ORG
13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 No
Kerberos creds in keytab for principal remote/localhost.localdomain(a)JBOSS.ORG
13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 Login
successful
13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1
kprincipal : remote/localhost.localdomain(a)JBOSS.ORG
13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1
remote/localhost.localdomain(a)JBOSS.ORG added to Subject
13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 KeyTab
added to Subject
13:15:27,328 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 No keys
to add to Subject for remote/localhost.localdomain(a)JBOSS.ORG
13:15:27,328 TRACE [org.wildfly.security] (management I/O-1) Logging in using
LoginContext and subject [Subject:
Principal: remote/localhost.localdomain(a)JBOSS.ORG
Private Credential:
/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab
for remote/localhost.localdomain(a)JBOSS.ORG
] succeed
13:15:27,329 TRACE [org.wildfly.security] (management I/O-1) Creating GSSName for
Principal 'remote/localhost.localdomain(a)JBOSS.ORG'
13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Obtained
GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@b7cba9ed]
13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Handling
ServerCredentialCallback: successfully obtained credential type type=class
org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer for
mechanism GSSAPI and protocol remote
13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer
[org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@7e6923d] for mechanism
[GSSAPI]
13:15:27,339 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9
of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened
org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6)
Negotiated mechanism 1.2.840.113554.1.2.2
13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) No
response so triggering next state immediately.
13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Not
offering a security layer so zero length.
13:15:27,601 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6)
Transitioning to receive chosen security layer from client
13:15:27,601 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending
authentication challenge
13:15:27,601 TRACE [org.jboss.remoting.remote] (management task-6) Setting read listener
to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication@aa1379f
13:15:27,601 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed
count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed
org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 37
bytes
13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed
channel
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers
in queue for message header
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated
fresh buffers
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 37
bytes
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received
message java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received
java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received
authentication response
13:15:27,608 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9
of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened
org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,609 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client
selected security layer AUTH, with maxBuffer of 0
13:15:27,610 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7)
Authentication ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c(a)JBOSS.ORG, Authorization
ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c(a)JBOSS.ORG
13:15:27,610 TRACE [org.wildfly.security] (management task-7) Principal assigning:
[jdukec4c36a8b-173f-41e7-af5b-7492f91a404c(a)JBOSS.ORG], pre-realm rewritten:
[jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm name: [fileSystemRealm], post-realm
rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm rewritten:
[jdukec4c36a8b-173f-41e7-af5b-7492f91a404c]
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Role mapping: principal
[jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] -> decoded roles [] -> realm mapped
roles [] -> domain mapped roles []
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing principal
jdukec4c36a8b-173f-41e7-af5b-7492f91a404c.
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing against the
following attributes: [] => []
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Permission mapping:
identity [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] with roles [] implies
("org.wildfly.security.auth.permission.LoginPermission" "") = true
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorization succeed
13:15:27,611 TRACE [org.wildfly.security] (management task-7) RunAs authorization succeed
- the same identity
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Handling AuthorizeCallback:
authenticationID = jdukec4c36a8b-173f-41e7-af5b-7492f91a404c(a)JBOSS.ORG authorizationID =
jdukec4c36a8b-173f-41e7-af5b-7492f91a404c(a)JBOSS.ORG authorized = true
13:15:27,613 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending
authentication rejected: java.lang.IllegalArgumentException: Parameter
'gssCredential' may not be null
at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:70)
at org.wildfly.common.Assert.checkNotNullParam(Assert.java:48)
at
org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:53)
at
org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:43)
at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:284)
at
org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
at
org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:122)
at
org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
at
org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
at
org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
at
org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:468)
at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
at
org.jboss.remoting3.EndpointImpl$TrackingExecutor$$Lambda$905.00000000201F9C40.run(Unknown
Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.lang.Thread.run(Thread.java:785)
13:15:27,614 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) dispose
13:15:27,614 TRACE [org.wildfly.security] (management task-7) Handling
AuthenticationCompleteCallback: fail
13:15:27,614 TRACE [org.jboss.remoting.remote] (management task-7) Setting read listener
to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@18fce815
13:15:27,614 TRACE [org.jboss.remoting.endpoint] (management task-7) Resource closed
count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed
org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 5
bytes
13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed
channel
13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers
in queue for message header
13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Alloca
{code}
Tests pass just fine on Oracle/OpenJDK JDK.
The stack trace involves code introduced by
https://github.com/wildfly-security/wildfly-elytron/commit/faf1aff340c3a2...
.
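The trace above shows the failure mode: the identity is already authorized, and then `GssapiServer.evaluateMessage` calls the `GSSKerberosCredential` constructor with a null `GSSCredential`, which trips the `checkNotNullParam` assertion and turns a successful authentication into "authentication rejected". The following is an added illustration, not Elytron's own code, of the pattern the issue title describes (only wrap a credential when one is actually present). It assumes the null credential is the delegated credential returned by `GSSContext.getDelegCred()` after the context is established; the trace itself does not name which credential was null, so that is an assumption, and `DelegatedCredentialGuard` and its two methods are hypothetical names.

```java
import java.util.Optional;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.wildfly.security.credential.GSSKerberosCredential;

/**
 * Added illustration (not Elytron's code). The acceptor side of a SASL GSSAPI
 * exchange should only build a GSSKerberosCredential when the established
 * context actually carries a delegated credential. Passing null to the
 * constructor throws the IllegalArgumentException seen in the trace.
 */
public final class DelegatedCredentialGuard {

    private DelegatedCredentialGuard() {
    }

    /**
     * Pattern matching the failing trace (assumption: the null value is the
     * delegated credential). The credential is wrapped unconditionally, so a
     * context without delegation fails the whole authentication with
     * "Parameter 'gssCredential' may not be null" even though the identity
     * was already authorized.
     */
    static GSSKerberosCredential wrapUnconditionally(GSSContext context) throws GSSException {
        return new GSSKerberosCredential(context.getDelegCred());
    }

    /**
     * Hardened form: require an established context, check that delegation
     * was negotiated, and treat a null credential as "no delegated credential"
     * rather than as a fatal error. The JGSS javadoc allows getDelegCred() to
     * return null, and providers differ in when they do, which is exactly the
     * kind of difference that shows up only on one JDK vendor.
     */
    static Optional<GSSKerberosCredential> wrapIfPresent(GSSContext context) throws GSSException {
        if (!context.isEstablished()) {
            // No credential can exist before the context is fully established.
            return Optional.empty();
        }
        if (!context.getCredDelegState()) {
            // Client did not delegate; authentication still succeeded.
            return Optional.empty();
        }
        GSSCredential delegated = context.getDelegCred();
        if (delegated == null) {
            // Delegation flag set but no credential handed over: do not fail,
            // just report that there is nothing to attach to the identity.
            return Optional.empty();
        }
        return Optional.of(new GSSKerberosCredential(delegated));
    }
}
```

The point of returning `Optional.empty()` rather than throwing is that absence of a delegated credential is a normal outcome of a GSSAPI handshake and must not reject an identity that has already passed authorization; the caller attaches the credential to the `SecurityIdentity` only when the `Optional` is present.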