[jboss-jira] [JBoss JIRA] (WFLY-5719) Using Kerberos as login module results in LoginException: unable to find LoginModule class

Brett Prucha (JIRA) issues at jboss.org
Fri Nov 20 12:51:00 EST 2015


    [ https://issues.jboss.org/browse/WFLY-5719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13132286#comment-13132286 ] 

Brett Prucha commented on WFLY-5719:
------------------------------------

The error code is being thrown inside the UnboundID LDAP SDK (https://www.ldap.com/unboundid-ldap-sdk-for-java) being called from within an Adobe ColdFusion tag. It uses Kerberos to authenticate to the domain controller using the ticket from the account WildFly is running under. Here's the full stack trace:

{code:java}
LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication:  javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.negotiation.KerberosLoginModule')
	at com.unboundid.ldap.sdk.GSSAPIBindRequest.process(GSSAPIBindRequest.java:1105)
	at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:1893)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at coldfusion.runtime.java.JavaProxy.invoke(JavaProxy.java:99)
	at coldfusion.runtime.CfJspPage._invoke(CfJspPage.java:2272)
	at cfscrldap2ecfm213466081.runPage(##################)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
	at coldfusion.filter.CFVariablesScopeFilter.invoke(CFVariablesScopeFilter.java:63)
	at coldfusion.tagext.lang.ModuleTag.doStartTag(ModuleTag.java:280)
	at coldfusion.runtime.CfJspPage._emptyTcfTag(CfJspPage.java:2661)
	at cfldap2ecfm1253390187.runPage(##################)
	at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:196)
	at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:370)
	at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
	at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:288)
	at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48)
	at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40)
	at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
	at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70)
	at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
	at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
	at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46)
	at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
	at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
	at coldfusion.CfmServlet.service(CfmServlet.java:198)
	at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42)
	at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:788)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.negotiation.KerberosLoginModule
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
	at com.unboundid.ldap.sdk.GSSAPIBindRequest.process(GSSAPIBindRequest.java:1099)
	... 61 more
{code}

Here's the full security domain definition:


{code:xml}
<security-domain name="GSSAPIBindRequest" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="useTicketCache" value="true"/>
            <module-option name="client" value="true"/>
        </login-module>
    </authentication>
</security-domain>
{code}

I can build a generic JSP webapp to make the LDAP query if that will help.

> Using Kerberos as login module results in LoginException: unable to find LoginModule class
> ------------------------------------------------------------------------------------------
>
>                 Key: WFLY-5719
>                 URL: https://issues.jboss.org/browse/WFLY-5719
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 9.0.2.Final, 10.0.0.CR4
>         Environment: Windows Server 2012 R2, Java 8 update 40
>            Reporter: Brett Prucha
>            Assignee: Darran Lofthouse
>
> When using <login-module code="Kerberos" flag="required">, the following exception is thrown:
> javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.negotiation.KerberosLoginModule
> When replacing the login module with the one provided by the JVM:
> <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
> no exception is thrown and authentication works as expected.
> The Kerberos login module works in WildFly 8.2.0. It appears the class loading or something similar has changed in 9.x onwards to cause this to stop working.
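
A diagnostic for the failure in the stack trace above, added here and not part of the issue or of WildFly: `javax.security.auth.login.LoginContext` loads each `LoginModule` class by name through the thread context class loader, so this sketch reports which loaders can resolve the two class names quoted in the issue. The class `LoginModuleVisibility` and its `locate` helper are hypothetical names; to see what the application's loader sees, call `locate` from inside the deployment (for example from a JSP) rather than from `main`.

```java
// Added diagnostic, not from the issue: reports which class loaders can see
// the two login module classes named in this thread.
import java.util.LinkedHashMap;
import java.util.Map;

public class LoginModuleVisibility {

    // Class names taken from the issue text.
    static final String[] MODULES = {
        "org.jboss.security.negotiation.KerberosLoginModule",
        "com.sun.security.auth.module.Krb5LoginModule"
    };

    /** Returns the defining loader of the class, or null if this loader cannot see it. */
    static String locate(String className, ClassLoader loader) {
        try {
            // initialize=false: resolve the class only, do not run static initializers
            Class<?> c = Class.forName(className, false, loader);
            ClassLoader defining = c.getClassLoader();
            return defining == null ? "bootstrap" : defining.toString();
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    public static void main(String[] args) {
        Map<String, ClassLoader> loaders = new LinkedHashMap<>();
        // LoginContext uses the thread context class loader when one is set,
        // so this is the lookup that matters for the LoginException above.
        loaders.put("thread context", Thread.currentThread().getContextClassLoader());
        loaders.put("system", ClassLoader.getSystemClassLoader());
        loaders.put("this class", LoginModuleVisibility.class.getClassLoader());

        for (String module : MODULES) {
            for (Map.Entry<String, ClassLoader> e : loaders.entrySet()) {
                String where = locate(module, e.getValue());
                System.out.printf("%-52s via %-14s : %s%n", module, e.getKey(),
                        where == null ? "NOT VISIBLE" : "loaded by " + where);
            }
        }
    }
}
```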


