[Security & JAAS/JBoss] - Re: Problems with SPNEGO
by Antei
"darran.lofthouse(a)jboss.com" wrote : Developing the authenticator I did see a similar error, in my situation the client
| machine had cached an old ticket for the host so when the ticket was decoded there was a checksum problem.
|
| In my situation logging out of the test client and back in caused the tickets to be correctly reloaded.
|
| I would suggest doing this and possibly the same on the machine hosting JBoss as well.
|
Thank you, Darran, for your response.
Unfortunately your suggestion didn't help me.
I decided to describe the settings I made according to your User Guide. Maybe you can point out what is wrong...
In my last experiment I had the configuration below:
1st host: Windows 2003 Server
Host Name: ws2003e
Domain: mydomain.com
Software:
- Active Directory
- DNS
2nd host: Windows 2003 Server
Host Name: testserver
Domain: mydomain.com
Software:
- Active Directory (just second controller)
- jdk1.6.0_06
- jboss-4.2.2.GA
3rd host: Windows XP SP2
Software:
- IE 6.0
To model the real network configuration I am going to apply SPNEGO to, I have 2 domain controllers. But it doesn't matter, I think. I made all the settings on the 2nd host.
1. I created the 'testserver' user in Active Directory, entered the valid password 'c,jhybr1' and selected the 'Do not require Kerberos preauthentication' option.
2. Then I executed the commands as in the User Guide:
C:\Tools\MS Windows tools\support>setspn.exe -a host/testserver.mydomain.com testserver
| Registering ServicePrincipalNames for CN=TESTSERVER,OU=Domain Controllers,DC=mydomain,DC=com
| host/testserver.mydomain.com
| Updated object
|
| C:\Tools\MS Windows tools\support>setspn.exe -a HTTP/testserver.mydomain.com testserver
| Registering ServicePrincipalNames for CN=TESTSERVER,OU=Domain Controllers,DC=mydomain,DC=com
| HTTP/testserver.mydomain.com
| Updated object
|
| C:\Tools\MS Windows tools\support>setspn -l testserver
| Registered ServicePrincipalNames for CN=TESTSERVER,OU=Domain Controllers,DC=mydomain,DC=com:
| HTTP/testserver.mydomain.com
| GC/testserver.mydomain.com/mydomain.com
| HOST/testserver.mydomain.com/mydomain.com
| HOST/testserver.mydomain.com/MYDOMAIN
| ldap/c5439fc5-8c99-4e04-9046-498d9d5c635d._msdcs.mydomain.com
| ldap/testserver.mydomain.com/MYDOMAIN
| ldap/TESTSERVER
| ldap/testserver.mydomain.com
| ldap/testserver.mydomain.com/mydomain.com
| E3514235-4B06-11D1-AB04-00C04FC2DCD2/c5439fc5-8c99-4e04-9046-498d9d5c635d...
| NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/testserver.mydomain.com
| HOST/TESTSERVER
| HOST/testserver.mydomain.com
|
C:\Tools\MS Windows tools\support>ktpass -princ host/testserver@mydomain.com -pass c,jhybr1 -mapuser MYDOMAIN\testserver -out C:\testserver.host.keytab
|
| Using legacy password setting method
| WARNING: realm "mydomain.com" has lowercase characters in it.
| We only currently support realms in UPPERCASE.
| assuming you mean "MYDOMAIN.COM"...
| Successfully mapped host/testserver to testserver.
| WARNING: pType and account type do not match. This might cause problems.
| Key created.
| Output keytab to C:\testserver.host.keytab:
| Keytab version: 0x502
| keysize 63 host/testserver@MYDOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x83b49186a15ae791f11bb029fb59a206)
|
After the 'ktpass' command the 'C:\testserver.host.keytab' file was created and its length was 69 bytes.
Then I ran the 'ktab' command
C:\Program Files\Java\jdk1.6.0_06\bin>ktab -k c:\testserver.host.keytab -a testserver@MYDOMAIN.COM
| Password for testserver@MYDOMAIN.COM:c,jhybr1
| Done!
| Service key for testserver@MYDOMAIN.COM is saved in c:\testserver.host.keytab
|
After 'ktab' the 'C:\testserver.host.keytab' file was overwritten and its length became 366 bytes.
I made JBoss settings as below:
jboss-4.2.2.GA/server/default/deploy/properties-service.xml:
<mbean code="org.jboss.varia.property.SystemPropertiesService" name="jboss:type=Service,name=SystemProperties">
| <attribute name="Properties">
| java.security.krb5.kdc=testserver.mydomain.com
| java.security.krb5.realm=MYDOMAIN.COM
| </attribute>
| </mbean>
jboss-4.2.2.GA/server/default/deploy/jboss-web.deployer/META-INF/jboss-service.xml:
<server>
| <mbean code="org.jboss.web.tomcat.service.JBossWeb" name="jboss.web:service=WebServer" xmbean-dd="META-INF/webserver-xmbean.xml">
|
| <attribute name="Authenticators" serialDataType="jbxb">
| <java:properties xmlns:java="urn:jboss:java-properties" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance" xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
|
| ...
|
| <java:property>
| <java:key>SPNEGO</java:key>
| <java:value>org.jboss.security.negotiation.spnego.SPNEGOAuthenticator</java:value>
| </java:property>
| </java:properties>
| </attribute>
| ...
jboss-4.2.2.GA/server/default/conf/login-config.xml:
<application-policy name="host">
| <authentication>
| <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
| <module-option name="storeKey">true</module-option>
| <module-option name="useKeyTab">true</module-option>
| <module-option name="principal">host/testserver@MYDOMAIN.COM</module-option>
| <module-option name="keyTab">C:/testserver.host.keytab</module-option>
| <module-option name="doNotPrompt">true</module-option>
| <module-option name="debug">true</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
|
| <application-policy name="SPNEGO">
| <authentication>
|
| <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
| <module-option name="password-stacking">useFirstPass</module-option>
| <module-option name="serverSecurityDomain">host</module-option>
| </login-module>
|
| <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
| <module-option name="password-stacking">useFirstPass</module-option>
| <module-option name="usersProperties">props/spnego-users.properties</module-option>
| <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
| </login-module>
|
| </authentication>
| </application-policy>
I ran JBoss with the parameter --host=testserver.mydomain.com
After that I tried to access http://testserver.mydomain.com:8080/jboss-negotiation-toolkit from the 3rd host (Windows XP, IE 6.0):
- Basic Negotiation - passed
- Security Domain Test - passed
- Secured - failed
What is wrong in my settings?
Thanks in advance.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168698#4168698
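Added example (not part of the original post and not code from the JBoss Negotiation project): a small parser for the version 0x502 keytab layout that ktpass reports above, listing which principal, vno and etype a keytab holds so it can be compared with the `principal` option given to Krb5LoginModule. The sample keytab is constructed to mirror the ktpass output (63-byte entry, 69-byte file) with an all-zero placeholder key, and the function names are illustrative.

```python
import struct

def _entry(realm, comps, kvno, etype, key, name_type=0, ts=0):
    """Serialize one 0x502 keytab entry, including its 4-byte size prefix."""
    cs = lambda b: struct.pack(">H", len(b)) + b          # counted string
    body = struct.pack(">H", len(comps)) + cs(realm.encode())
    body += b"".join(cs(c.encode()) for c in comps)
    body += struct.pack(">IIBH", name_type, ts, kvno & 0xFF, etype) + cs(key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: same principal, vno and etype as the ktpass output in the
# post, but with an all-zero placeholder key (not the key shown on the page).
SAMPLE = b"\x05\x02" + _entry("MYDOMAIN.COM", ["host", "testserver"], 4, 0x17, bytes(16))

def _parse_entry(rec):
    off = 0
    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return vals
    def counted():
        nonlocal off
        (n,) = take(">H")
        off += n
        return rec[off - n:off]
    (ncomp,) = take(">H")
    realm = counted().decode()                 # realm precedes the name components
    name = "/".join(counted().decode() for _ in range(ncomp))
    name_type, _ts, kvno, etype = take(">IIBH")
    key = counted()
    if len(rec) - off >= 4:                    # optional 32-bit vno supersedes the 8-bit one
        (kvno32,) = take(">I")
        kvno = kvno32 or kvno
    return {"principal": f"{name}@{realm}", "name_type": name_type,
            "kvno": kvno, "etype": etype, "keylen": len(key)}

def parse_keytab(data):
    """Return one dict per live entry in a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                          # negative size marks a deleted slot
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def keys_for(data, principal):
    """(kvno, etype) pairs held for `principal`; an empty list means no key."""
    return [(e["kvno"], e["etype"]) for e in parse_keytab(data)
            if e["principal"] == principal]
```

To inspect a real file, pass its bytes to `parse_keytab` (for example the contents of the keytab named in the `keyTab` module option) and compare the listed principals with the configured one using `keys_for`.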
[Security & JAAS/JBoss] - Another SPNEGO Problem
by chausberger
Hello,
After all tests with the JBoss Negotiation Toolkit passed, I tried to add SPNEGO to my own application.
I left the login-config as it is and configured web.xml and jboss-web.xml in my app exactly the same way as those in the negotiation toolkit.
Now I get this error from the web server:
This request requires HTTP authentication ().
In the log file, I found this:
12:37:10,051 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
at org.jboss.security.auth.spi.Util.loadProperties(Util.java:315)
at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:595)
It seems that the UsersRolesLoginModule can't find the "props/spnego-users.properties" and "props/spnego-roles.properties" as specified in the login-config.xml.
What could be the problem here? Is the "conf" directory always in the class path?
My application is an "ear" with many servlets and EJBs.
Any hints welcome.
Claus
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168694#4168694
[JBoss jBPM] - Regarding very first example using http://docs.jboss.com/jbp
by prajapati1985
Hi All,
I am following the tutorial given below.
http://docs.jboss.com/jbpm/v3/demos/movies/jbpm-overview.htm
Here, once I have deployed the process archive, when I try to access the processes I have created, like request entry and request evaluation, it doesn't show any forms as shown in the tutorial.
I can only see that the process is running; I can't see the request entry process form to enter details.
The following is the log.
****************************Start*****************************
14:40:31,531 WARN [JpdlXmlReader] process xml warning: swimlane 'initiator' does not have an assignment
14:40:31,562 WARN [JpdlXmlReader] process parse warning: swimlane 'initiator' does not have an assignment
14:41:01,109 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jsf-facelets.jar!/META-INF/jstl-core.taglib.xml
14:41:01,125 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jsf-facelets.jar!/META-INF/jstl-fn.taglib.xml
14:41:01,140 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jbpm4jsf.jar!/META-INF/tf-compat.taglib.xml
14:41:01,187 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jbpm4jsf.jar!/META-INF/core.taglib.xml
14:41:01,234 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/gravel.jar!/META-INF/gravel-compat.taglib.xml
14:41:01,296 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jsf-facelets.jar!/META-INF/jsf-core.taglib.xml
14:41:01,312 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jbpm4jsf.jar!/META-INF/tfl-compat.taglib.xml
14:41:01,312 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jsf-facelets.jar!/META-INF/jsf-html.taglib.xml
14:41:01,328 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jbpm4jsf.jar!/META-INF/identity.taglib.xml
14:41:01,359 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jsf-facelets.jar!/META-INF/jsf-ui.taglib.xml
14:41:01,375 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/gravel.jar!/META-INF/gravel-data.taglib.xml
14:41:01,406 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jbpm4jsf.jar!/META-INF/tfl.taglib.xml
14:41:01,421 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/gravel.jar!/META-INF/gravel-action.taglib.xml
14:41:01,453 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/jbpm4jsf.jar!/META-INF/tf.taglib.xml
14:41:01,453 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/gravel.jar!/META-INF/gravel-nav.taglib.xml
14:41:01,656 ERROR [STDERR] Aug 5, 2008 2:41:01 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/D:/jbpm-jpdl-suite-3.2.3/jbpm-jpdl-3.2.3/server/server/jbpm/tmp/deploy/tmp57222jbpm-console-exp.war/WEB-INF/lib/gravel.jar!/META-INF/gravel-simple.taglib.xml
14:41:17,828 WARN [ProxyWarnLog] Narrowing proxy to class org.jbpm.graph.node.StartState - this operation breaks ==
14:41:21,750 WARN [ProxyWarnLog] Narrowing proxy to class org.jbpm.graph.node.StartState - this operation breaks ==
14:41:25,875 WARN [ProxyWarnLog] Narrowing proxy to class org.jbpm.graph.node.StartState - this operation breaks ==
14:41:29,390 WARN [ProxyWarnLog] Narrowing proxy to class org.jbpm.graph.node.StartState - this operation breaks ==
****************************End******************************
Can anybody tell me how I can get the user interface as shown in the tutorial after deployment of the process archive?
Because in my case I can see the center is blank, and on the left I can see Task Summary, View and Actions.
Regards,
prajapati
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168682#4168682
[JBoss Portal] - Re: persistent setRenderParameters
by julien@jboss.com
Portlet session indeed is what you can use.
With Portlet 2.0 you can use request attributes, which are preserved by the portlet container on the next render only, but it is also using the session underneath.
"anton.evangelatov" wrote : Hello,
| When I call response.setRenderParameter() in processAction, they are not cleared on the next request, even though in the javadoc it is said "These parameters will be accessible in all sub-sequent render calls via the PortletRequest.getParameter call until a request is targeted to the portlet."
|
| Is this the normal behaviour and I haven't correctly understood the javadoc, or it is a bug?
|
| If it is the normal behaviour, how can I clear them?
|
| I am using this method to pass parameters from processAction to doView, but I want to do it only once, meaning that I want the parameters to be cleared at the end of doView for example.
|
| Currently I am using the PortletSession to do that and I clear the attribute manually, but I don't think this is the right solution.
|
| Thank you very much in advance!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168680#4168680
[JBoss Portal] - Re: persistent setRenderParameters
by julien@jboss.com
What is meant by request is an action or render URL.
If the URL targets the page of the portlet or another portlet on the same page, then the render parameters remain unchanged.
"anton.evangelatov" wrote : Hello,
| When I call response.setRenderParameter() in processAction, they are not cleared on the next request, even though in the javadoc it is said "These parameters will be accessible in all sub-sequent render calls via the PortletRequest.getParameter call until a request is targeted to the portlet."
|
| Is this the normal behaviour and I haven't correctly understood the javadoc, or it is a bug?
|
| If it is the normal behaviour, how can I clear them?
|
| I am using this method to pass parameters from processAction to doView, but I want to do it only once, meaning that I want the parameters to be cleared at the end of doView for example.
|
| Currently I am using the PortletSession to do that and I clear the attribute manually, but I don't think this is the right solution.
|
| Thank you very much in advance!
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168679#4168679