]
Jan Stastny commented on TEIID-4499:
------------------------------------
I tried a more complicated scenario:
# OData WAR secured by Kerberos
# VDB secured by the same Kerberos realm
# DB secured by the same Kerberos realm
And I want to:
# After authentication, access the OData API
# Via the OData API, access the secured VDB
# Have the VDB connect to the Kerberos-secured datasource
I can't make this scenario work.
The only visible error is:
{code:plain}
15:21:00,199 DEBUG [org.teiid.SECURITY] (http-127.0.0.1:8080-1) Logon successful, created
session: sessionid=uYLsRzXNNXZO; userName=KRBUSR05\@EXAMPLE.COM(a)EXAMPLE.COM;
vdbName=oracle_kerberos; vdbVersion=1; createdTime=Mon Oct 31 15:21:00 GMT+01:00 2016;
applicationName=JDBC; clientHostName=null; clientHardwareAddress=null; IPAddress=null;
; lastPingTime=Mon Oct 31 15:21:00 GMT+01:00 2016
15:21:00,217 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) Successfully obtained a
session.
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) Connection Url=
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) ApplicationName=JDBC
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1)
PassthroughAuthentication=true
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) local-transport-name=odata
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) waitForLoad=0
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) batch-size=256
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1)
VirtualDatabaseName=oracle_kerberos.1
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) transportName=odata
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) skiptoken-cache-time=300000
15:21:00,219 FINE [org.teiid.jdbc] (http-127.0.0.1:8080-1) The JDBC Driver successfully
obtained a connection.
15:21:00,362 DEBUG [org.teiid.ODATA] (http-127.0.0.1:8080-1) Teiid-Query: /*+
cache(ttl:300000 scope:USER) */ SELECT g0."user" FROM BQT1.dual AS g0 ORDER BY
g0."user" LIMIT 1 /* uYLsRzXNNXZO */
15:21:00,379 DEBUG [org.teiid.PROCESSOR] (http-127.0.0.1:8080-1) Request Thread
uYLsRzXNNXZO.0 with state NEW
15:21:00,380 DEBUG [org.teiid.TXN_LOG] (http-127.0.0.1:8080-1) before
getOrCreateTransactionContext:org.teiid.dqp.internal.process.TransactionServerImpl@a0ca8f5(uYLsRzXNNXZO)
15:21:00,381 DEBUG [org.teiid.TXN_LOG] (http-127.0.0.1:8080-1) after
getOrCreateTransactionContext : uYLsRzXNNXZO NONE ID:NONE
15:21:00,385 DEBUG [org.teiid.PROCESSOR] (http-127.0.0.1:8080-1) uYLsRzXNNXZO.0 executing
prepared /*+ cache(ttl:300000 scope:USER) */ SELECT g0."user" FROM BQT1.dual AS
g0 ORDER BY g0."user" LIMIT 1 /* uYLsRzXNNXZO */
15:21:00,468 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.PoolBySubject]
(http-127.0.0.1:8080-1) IJ000604: Throwable while attempting to get a new connection:
null: javax.resource.ResourceException: No matching credentials in Subject!
at
org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnectionFactory.getConnectionProperties(BaseWrapperManagedConnectionFactory.java:965)
at
org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:233)
at
org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.createConnectionEventListener(SemaphoreArrayListManagedConnectionPool.java:858)
at
org.jboss.jca.core.connectionmanager.pool.mcp.SemaphoreArrayListManagedConnectionPool.getConnection(SemaphoreArrayListManagedConnectionPool.java:413)
at
org.jboss.jca.core.connectionmanager.pool.AbstractPool.getSimpleConnection(AbstractPool.java:457)
at
org.jboss.jca.core.connectionmanager.pool.AbstractPool.getConnection(AbstractPool.java:429)
at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getManagedConnection(AbstractConnectionManager.java:344)
at
org.jboss.jca.core.connectionmanager.tx.TxConnectionManagerImpl.getManagedConnection(TxConnectionManagerImpl.java:367)
at
org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:499)
at
org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:143)
at
org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:69)
at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:270)
[translator-jdbc-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at
org.teiid.translator.jdbc.JDBCExecutionFactory.getConnection(JDBCExecutionFactory.java:68)
[translator-jdbc-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at org.teiid.translator.ExecutionFactory.getConnection(ExecutionFactory.java:202)
[teiid-api-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at
org.teiid.dqp.internal.datamgr.ConnectorManager.buildCapabilities(ConnectorManager.java:179)
at
org.teiid.dqp.internal.datamgr.ConnectorManager.getCapabilities(ConnectorManager.java:163)
at org.teiid.dqp.internal.process.CachedFinder.findCapabilities(CachedFinder.java:108)
at
org.teiid.query.metadata.TempCapabilitiesFinder.findCapabilities(TempCapabilitiesFinder.java:78)
at
org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.getCapabilities(CapabilitiesUtil.java:439)
at
org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.supports(CapabilitiesUtil.java:459)
at
org.teiid.query.optimizer.relational.rules.CapabilitiesUtil.requiresCriteria(CapabilitiesUtil.java:444)
at
org.teiid.query.optimizer.relational.rules.RulePlaceAccess.addAccessNode(RulePlaceAccess.java:196)
at
org.teiid.query.optimizer.relational.rules.RulePlaceAccess.execute(RulePlaceAccess.java:86)
at
org.teiid.query.optimizer.relational.RelationalPlanner.executeRules(RelationalPlanner.java:925)
at
org.teiid.query.optimizer.relational.RelationalPlanner.optimize(RelationalPlanner.java:228)
at org.teiid.query.optimizer.QueryOptimizer.optimizePlan(QueryOptimizer.java:159)
at org.teiid.dqp.internal.process.Request.generatePlan(Request.java:442)
at
org.teiid.dqp.internal.process.PreparedStatementRequest.generatePlan(PreparedStatementRequest.java:119)
at org.teiid.dqp.internal.process.Request.processRequest(Request.java:470)
at
org.teiid.dqp.internal.process.PreparedStatementRequest.processRequest(PreparedStatementRequest.java:294)
at org.teiid.dqp.internal.process.RequestWorkItem.processNew(RequestWorkItem.java:642)
at org.teiid.dqp.internal.process.RequestWorkItem.process(RequestWorkItem.java:337)
at org.teiid.dqp.internal.process.AbstractWorkItem.run(AbstractWorkItem.java:51)
at org.teiid.dqp.internal.process.RequestWorkItem.run(RequestWorkItem.java:274)
at org.teiid.dqp.internal.process.DQPCore.executeRequest(DQPCore.java:306)
at org.teiid.dqp.internal.process.DQPCore.executeRequest(DQPCore.java:238)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_102]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
at org.teiid.logging.LogManager$LoggingProxy.invoke(LogManager.java:121)
[teiid-api-8.12.7.6_3-redhat-1.jar:8.12.7.6_3-redhat-1]
at org.teiid.jboss.TransportService$2.invoke(TransportService.java:241)
at com.sun.proxy.$Proxy20.executeRequest(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_102]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
at org.teiid.transport.LocalServerConnection$1$1.call(LocalServerConnection.java:180)
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_102]
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:260)
at org.teiid.transport.LocalServerConnection$1.invoke(LocalServerConnection.java:178)
at com.sun.proxy.$Proxy20.executeRequest(Unknown Source)
at org.teiid.jdbc.StatementImpl.execute(StatementImpl.java:688)
at org.teiid.jdbc.StatementImpl.executeSql(StatementImpl.java:554)
at org.teiid.jdbc.PreparedStatementImpl.executeQuery(PreparedStatementImpl.java:260)
at org.teiid.jdbc.PreparedStatementImpl.executeQuery(PreparedStatementImpl.java:73)
at org.teiid.olingo.service.LocalClient.executeSQL(LocalClient.java:234)
at
org.teiid.olingo.service.TeiidServiceHandler.executeQuery(TeiidServiceHandler.java:349)
at org.teiid.olingo.service.TeiidServiceHandler.read(TeiidServiceHandler.java:172)
at
org.apache.olingo.server.core.requests.DataRequest$EntityRequest.execute(DataRequest.java:332)
at org.apache.olingo.server.core.requests.DataRequest.execute(DataRequest.java:255)
at
org.apache.olingo.server.core.ServiceDispatcher.internalExecute(ServiceDispatcher.java:160)
at org.apache.olingo.server.core.ServiceDispatcher.execute(ServiceDispatcher.java:98)
at org.apache.olingo.server.core.OData4HttpHandler.process(OData4HttpHandler.java:66)
at org.teiid.olingo.web.ODataServlet.service(ODataServlet.java:43)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.teiid.olingo.web.ODataFilter.internalDoFilter(ODataFilter.java:231)
at org.teiid.olingo.web.ODataFilter.doFilter(ODataFilter.java:100)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
at
org.jboss.security.negotiation.NegotiationAuthenticator$WrapperValve.invoke(NegotiationAuthenticator.java:492)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
{code}
The only extra configuration compared to the previous scenario is assigning the
passthrough security-domain to the datasource mentioned above.
The datasource has this security-domain configured:
{code:xml}
<!-- Datasource <security> element: connection credentials are resolved through
     the "passthrough-security" domain defined below. The IJ000604 warning in the
     log above ("No matching credentials in Subject!") is logged by the JCA
     PoolBySubject strategy for this datasource. -->
<security>
<security-domain>passthrough-security</security-domain>
</security>
{code}
The security-domain itself is configured as:
{code:xml}
<!-- Security domain referenced by the datasource above. It consists of a single
     required PassthroughIdentityLoginModule from the org.jboss.teiid module. -->
<security-domain name="passthrough-security">
<authentication>
<login-module code="org.teiid.jboss.PassthroughIdentityLoginModule"
flag="required" module="org.jboss.teiid">
<!-- NOTE(review): literal userName/password module options ("guest"/"guest")
     are stored in the server configuration; presumably they act as a static
     identity when no passthrough credential is present, but that is not shown
     on this page. The IJ000604 warning above indicates the Subject reaching
     the JCA pool carried no credential the datasource could match. -->
<module-option name="userName" value="guest"/>
<module-option name="password" value="guest"/>
</login-module>
</authentication>
</security-domain>
{code}
OData Kerberos cannot access VDB
--------------------------------
Key: TEIID-4499
URL:
https://issues.jboss.org/browse/TEIID-4499
Project: Teiid
Issue Type: Bug
Components: OData
Affects Versions: 8.12.6.6_3
Reporter: Jan Stastny
Assignee: Steven Hawkins
Fix For: 9.2, 9.0.5, 9.1.1
When the OData WAR is configured for Kerberos using
https://teiid.gitbooks.io/documents/content/security/Kerberos_support_thr...
an error occurs when accessing a VDB that is also secured by Kerberos.
The error is:
{code:plain}
11:44:53,360 WARN [org.teiid.ODATA] (http-127.0.0.1:8080-1) TEIID16047 Could not process
OData 4 request: 08001 TEIID40055 org.teiid.core.TeiidException: TEIID40055
org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being used. Server is
not set up for GSS based authentication.: org.teiid.core.TeiidProcessingException: 08001
TEIID40055 org.teiid.core.TeiidException: TEIID40055 org.teiid.net.ConnectionException:
TEIID40055 Wrong logon method is being used. Server is not set up for GSS based
authentication.
at org.teiid.olingo.web.ODataFilter.internalDoFilter(ODataFilter.java:233)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.olingo.web.ODataFilter.doFilter(ODataFilter.java:100)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.jboss.security.negotiation.NegotiationAuthenticator$WrapperValve.invoke(NegotiationAuthenticator.java:492)
[jboss-negotiation-common-2.3.11.Final-redhat-1.jar:2.3.11.Final-redhat-1]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:512)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.5.9.Final-redhat-2.jar:7.5.9.Final-redhat-2]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.5.17.Final-redhat-1.jar:7.5.17.Final-redhat-1]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_102]
Caused by: org.teiid.jdbc.TeiidSQLException: TEIID40055 org.teiid.core.TeiidException:
TEIID40055 org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being used.
Server is not set up for GSS based authentication.
at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:135)
at org.teiid.jdbc.TeiidSQLException.create(TeiidSQLException.java:71)
at org.teiid.jdbc.EmbeddedProfile.connect(EmbeddedProfile.java:55)
at org.teiid.jdbc.TeiidDriver.connect(TeiidDriver.java:105)
at org.teiid.olingo.service.LocalClient.buildConnection(LocalClient.java:119)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.olingo.service.LocalClient.open(LocalClient.java:89)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.olingo.web.ODataFilter.internalDoFilter(ODataFilter.java:226)
[teiid-olingo-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
... 16 more
Caused by: org.teiid.core.TeiidException: TEIID40055 org.teiid.core.TeiidException:
TEIID40055 org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being used.
Server is not set up for GSS based authentication.
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:308)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.jdbc.ModuleHelper.createFromModule(ModuleHelper.java:53)
at org.teiid.jdbc.EmbeddedProfile.createServerConnection(EmbeddedProfile.java:60)
at org.teiid.jdbc.EmbeddedProfile.connect(EmbeddedProfile.java:50)
... 20 more
Caused by: org.teiid.core.TeiidException: TEIID40055 org.teiid.net.ConnectionException:
TEIID40055 Wrong logon method is being used. Server is not set up for GSS based
authentication.
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:345)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:306)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
... 23 more
Caused by: org.teiid.net.ConnectionException: TEIID40055 Wrong logon method is being
used. Server is not set up for GSS based authentication.
at
org.teiid.transport.LocalServerConnection.authenticate(LocalServerConnection.java:146)
at
org.teiid.transport.LocalServerConnection.<init>(LocalServerConnection.java:106)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[rt.jar:1.8.0_102]
at
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
[rt.jar:1.8.0_102]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) [rt.jar:1.8.0_102]
at org.teiid.core.util.ReflectionHelper.create(ReflectionHelper.java:343)
[teiid-common-core-8.12.6.6_3-redhat-1.jar:8.12.6.6_3-redhat-1]
... 24 more
Caused by: org.teiid.client.security.LogonException: TEIID40055 Wrong logon method is
being used. Server is not set up for GSS based authentication.
at org.teiid.transport.LogonImpl.logon(LogonImpl.java:119)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_102]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[rt.jar:1.8.0_102]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[rt.jar:1.8.0_102]
at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_102]
at org.teiid.transport.LocalServerConnection$1$1.call(LocalServerConnection.java:180)
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_102]
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:276)
at org.teiid.dqp.internal.process.DQPWorkContext.runInContext(DQPWorkContext.java:260)
at org.teiid.transport.LocalServerConnection$1.invoke(LocalServerConnection.java:178)
at com.sun.proxy.$Proxy81.logon(Unknown Source)
at
org.teiid.transport.LocalServerConnection.authenticate(LocalServerConnection.java:142)
... 30 more
{code}
Authentication of the user succeeded:
{code:plain}
principal is dv(a)EXAMPLE.COM
Will use keytab
Commit Succeeded
{code}
Authentication of the server succeeded:
{code:plain}
11:44:52,873 INFO [stdout] (http-127.0.0.1:8080-1) Acquire TGT from Cache
11:44:52,874 INFO [stdout] (http-127.0.0.1:8080-1) Principal is
HTTP/localhost(a)EXAMPLE.COM
11:44:52,874 INFO [stdout] (http-127.0.0.1:8080-1) null credentials from Ticket Cache
11:44:53,234 INFO [stdout] (http-127.0.0.1:8080-1) principal is
HTTP/localhost(a)EXAMPLE.COM
11:44:53,234 INFO [stdout] (http-127.0.0.1:8080-1) Will use keytab
11:44:53,236 INFO [stdout] (http-127.0.0.1:8080-1) Commit Succeeded
{code}
Initial request:
{code:plain}
12:44:52,325 DEBUG [MainClientExec] Opening connection {}->http://localhost:8080
12:44:52,327 DEBUG [DefaultHttpClientConnectionOperator] Connecting to
localhost/127.0.0.1:8080
12:44:52,328 DEBUG [DefaultHttpClientConnectionOperator] Connection established
127.0.0.1:47980<->127.0.0.1:8080
12:44:52,328 DEBUG [MainClientExec] Executing request GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1
12:44:52,328 DEBUG [MainClientExec] Target auth state: UNCHALLENGED
12:44:52,329 DEBUG [MainClientExec] Proxy auth state: UNCHALLENGED
12:44:52,330 DEBUG [headers] http-outgoing-0 >> GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1
12:44:52,330 DEBUG [headers] http-outgoing-0 >> Host: localhost:8080
12:44:52,330 DEBUG [headers] http-outgoing-0 >> Connection: Keep-Alive
12:44:52,330 DEBUG [headers] http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.2
(Java/1.8.0_51)
12:44:52,330 DEBUG [headers] http-outgoing-0 >> Accept-Encoding: gzip,deflate
12:44:52,330 DEBUG [wire] http-outgoing-0 >> "GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1[\r][\n]"
12:44:52,330 DEBUG [wire] http-outgoing-0 >> "Host:
localhost:8080[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "Connection:
Keep-Alive[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.2 (Java/1.8.0_51)[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]"
12:44:52,331 DEBUG [wire] http-outgoing-0 >> "[\r][\n]"
{code}
Negotiate challenge from the server:
{code:plain}
12:44:52,457 DEBUG [wire] http-outgoing-0 << "HTTP/1.1 401
Unauthorized[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Server:
Apache-Coyote/1.1[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Pragma: No-cache[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Cache-Control:
no-cache[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Expires: Thu, 01 Jan 1970
01:00:00 GMT+01:00[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "WWW-Authenticate:
Negotiate[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Content-Type:
text/html;charset=utf-8[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Content-Length:
996[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "Date: Mon, 10 Oct 2016 10:44:52
GMT[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 << "[\r][\n]"
12:44:52,457 DEBUG [wire] http-outgoing-0 <<
"<html><head><title>JBWEB000065: HTTP Status 401 -
</title><style><!--H1
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
H2
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
H3
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P
{font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color
: black;}A.name {color : black;}HR {color : #525D76;}--></style>
</head><body><h1>JBWEB000065: HTTP Status 401 - </h1><HR
size="1" noshade="noshade"><p><b>JBWEB000309:
type</b> JBWEB000067: Status report</p><p><b>JBWEB000068:
message</b> <u></u></p><p><b>JBWEB000069:
description</b> <u>JBWEB000121: This request requires HTTP
authentication.</u></p><HR size="1"
noshade="noshade"></body></html>"
12:44:52,459 DEBUG [headers] http-outgoing-0 << HTTP/1.1 401 Unauthorized
12:44:52,459 DEBUG [headers] http-outgoing-0 << Server: Apache-Coyote/1.1
12:44:52,459 DEBUG [headers] http-outgoing-0 << Pragma: No-cache
12:44:52,460 DEBUG [headers] http-outgoing-0 << Cache-Control: no-cache
12:44:52,460 DEBUG [headers] http-outgoing-0 << Expires: Thu, 01 Jan 1970 01:00:00
GMT+01:00
12:44:52,460 DEBUG [headers] http-outgoing-0 << WWW-Authenticate: Negotiate
12:44:52,460 DEBUG [headers] http-outgoing-0 << Content-Type:
text/html;charset=utf-8
12:44:52,460 DEBUG [headers] http-outgoing-0 << Content-Length: 996
12:44:52,460 DEBUG [headers] http-outgoing-0 << Date: Mon, 10 Oct 2016 10:44:52
GMT
{code}
Response to the auth server:
{code:plain}
Found ticket for dv(a)EXAMPLE.COM to go to krbtgt/EXAMPLE.COM(a)EXAMPLE.COM expiring on Mon
Oct 10 20:44:52 CEST 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
12:44:52,846 DEBUG [SPNegoScheme] Sending response
'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'
back to the auth server
12:44:52,846 DEBUG [MainClientExec] Proxy auth state: UNCHALLENGED
12:44:52,846 DEBUG [headers] http-outgoing-0 >> GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Host: localhost:8080
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Connection: Keep-Alive
12:44:52,846 DEBUG [headers] http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.2
(Java/1.8.0_51)
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Accept-Encoding: gzip,deflate
12:44:52,846 DEBUG [headers] http-outgoing-0 >> Authorization: Negotiate
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
12:44:52,846 DEBUG [wire] http-outgoing-0 >> "GET
/odata4/kerberos_teiid/BQT1/smalla HTTP/1.1[\r][\n]"
12:44:52,846 DEBUG [wire] http-outgoing-0 >> "Host:
localhost:8080[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "Connection:
Keep-Alive[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "User-Agent:
Apache-HttpClient/4.5.2 (Java/1.8.0_51)[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "Accept-Encoding:
gzip,deflate[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "Authorization: Negotiate
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[\r][\n]"
12:44:52,847 DEBUG [wire] http-outgoing-0 >> "[\r][\n]"
{code}
Last server logs before error:
{code:plain}
11:44:53,246 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) Logged in 'host' LoginContext
11:44:53,247 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) Creating new GSSContext.
11:44:53,283 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) context.getCredDelegState() = true
11:44:53,284 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) context.getMutualAuthState() = true
11:44:53,284 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) context.getSrcName() = dv(a)EXAMPLE.COM
11:44:53,284 INFO [stdout] (http-127.0.0.1:8080-1) [Krb5LoginModule]: Entering logout
11:44:53,285 INFO [stdout] (http-127.0.0.1:8080-1) [Krb5LoginModule]: logged out
Subject
11:44:53,285 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule]
(http-127.0.0.1:8080-1) Storing username 'dv(a)EXAMPLE.COM' and empty password
11:44:53,304 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator]
(http-127.0.0.1:8080-1) authenticated principal =
GenericPrincipal[5tV-f1mRV7tGghx2rk4krdFH_1476096292858(odata,user,)]
{code}
VDB used:
{code:xml}
<!-- VDB targeted by the request URL (/odata4/kerberos_teiid/BQT1/smalla).
     The security-domain property names the SPNEGO domain "EXAMPLE.COM" from the
     server configuration further down. authentication-type is set to GSS, yet the
     TEIID40055 error above reports "Server is not set up for GSS based
     authentication" for the local (embedded) connection opened by the OData layer;
     which of the two settings the local transport consults is not shown here.
     The dotted lines below stand for model definitions the reporter elided. -->
<vdb name="kerberos_teiid" version="1">
<property name="security-domain" value="EXAMPLE.COM"/>
<property name="authentication-type" value="GSS"/>
.
.
.
</vdb>
{code}
Request URL:
{code:plain}
http://localhost:8080/odata4/kerberos_teiid/BQT1/smalla
{code}
Server configuration:
{code:xml}
<!-- Server-side Kerberos identity for the HTTP service. It logs in as
     HTTP/localhost(a)EXAMPLE.COM from a keytab under jboss.home.dir; the
     "[Krb5LoginModule]" and "Commit Succeeded" lines in the server log above come
     from this module (debug="true"). -->
<security-domain name="host">
<authentication>
<login-module code="Kerberos" flag="required"
module="org.jboss.security.negotiation">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="keyTab"
value="${jboss.home.dir}/HTTP_localhost"/>
<module-option name="principal"
value="HTTP/localhost(a)EXAMPLE.COM"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="useTicketCache"
value="true"/>
<!-- debug="true" writes principal and ticket-cache details to stdout (see the
     INFO [stdout] lines above); keep it on only while troubleshooting. -->
<module-option name="debug" value="true"/>
<module-option name="refreshKrb5Config"
value="false"/>
<module-option name="isInitiator" value="true"/>
<module-option name="addGSSCredential"
value="true"/>
<!-- Credential delegation is enabled; the server log above confirms it with
     "context.getCredDelegState() = true". Delegated credentials let the server act
     as the caller toward further services, so this setting should be deliberate. -->
<module-option name="delegationCredential"
value="USE"/>
<!-- NOTE(review): this is the same ticket-cache path the client JAAS entry
     (ClientDV) uses; server and client in this setup appear to share one cache on
     one host. Confirm file ownership and permissions on it when reproducing. -->
<module-option name="ticketCache"
value="/tmp/krb5cc_1000"/>
</login-module>
</authentication>
</security-domain>
<!-- SPNEGO domain referenced by the VDB's security-domain property. Incoming
     Negotiate tokens are validated against the "host" identity above. -->
<security-domain name="EXAMPLE.COM">
<authentication>
<login-module code="SPNEGO" flag="requisite"
module="org.jboss.security.negotiation">
<module-option name="password-stacking"
value="useFirstPass"/>
<module-option name="serverSecurityDomain"
value="host"/>
</login-module>
</authentication>
<!-- Static role mapping for the test principal; matches the roles shown in the
     authenticated principal logged above, GenericPrincipal[...(odata,user,)]. -->
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="dv(a)EXAMPLE.COM"
value="user,odata"/>
</mapping-module>
</mapping>
</security-domain>
{code}
Kerberos client configuration:
{code:plain}
// JAAS login entry for the test client. It authenticates as dv(a)EXAMPLE.COM from a
// keytab and uses /tmp/krb5cc_1000, the same ticket cache configured for the
// server's "host" domain above; debug="true" produces the "Found ticket for ..."
// and "Entered Krb5Context.initSecContext" lines in the client log.
ClientDV {
com.sun.security.auth.module.Krb5LoginModule required
storeKey="true"
useKeyTab="true"
keyTab="${dv.test.krb.dir}/dv.keytab"
principal="dv(a)EXAMPLE.COM"
doNotPrompt="true"
refreshKrb5Config="false"
useTicketCache="true"
ticketCache="/tmp/krb5cc_1000"
debug="true";
};
{code}
The krb5 configuration file is passed to the server by setting the system property
java.security.krb5.conf:
{code:xml}
<!-- JVM-wide Kerberos settings for the server. java.security.krb5.conf points the
     JDK Kerberos provider at the realm/KDC configuration under jboss.home.dir. -->
<system-properties>
<property name="java.security.krb5.conf"
value="${jboss.home.dir}/krb5.conf"/>
<!-- java.security.krb5.debug=true makes the JDK print Kerberos internals (ticket
     lookups, principal names) to stdout; disable it once the issue is diagnosed. -->
<property name="java.security.krb5.debug"
value="true"/>
</system-properties>
{code}