[jboss-jira] [JBoss JIRA] (WFLY-5719) Using Kerberos as login module results in LoginException: unable to find LoginModule class

Darran Lofthouse (JIRA) issues at jboss.org
Fri Nov 20 13:07:00 EST 2015 

    [ https://issues.jboss.org/browse/WFLY-5719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13132295#comment-13132295 ] 

Darran Lofthouse commented on WFLY-5719:
----------------------------------------

Thanks, I see where the problem is.

The problem is not that our classloading has changed - the problem is that we have switched which LoginModule is used when 'Kerberos' is specified as the login module.  Previously we just mapped to the Sun/Oracle implementation - however now we map to our own module which wraps the JDK supplied implementation after detecting which one is available (IBM is a different fully qualified class name) and also we have a couple of additional configuration options.

For the error you are experiencing there are two options really: -
1 - Specify the fully qualified class name of the login module in the security domain configuration.
2 - Add a jboss-deployment-structure.xml to your deployment and also define a dependency on the "org.jboss.security.negotiation" module.

Unfortunately the APIs and SPIs around JAAS config do not give us an option to take control of class loading and specifying the classloader when the LoginContext is created directly by an application.


> Using Kerberos as login module results in LoginException: unable to find LoginModule class
> ------------------------------------------------------------------------------------------
>
>                 Key: WFLY-5719
>                 URL: https://issues.jboss.org/browse/WFLY-5719
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 9.0.2.Final, 10.0.0.CR4
>         Environment: Windows Server 2012 R2, Java 8 update 40
>            Reporter: Brett Prucha
>            Assignee: Darran Lofthouse
>
> When using <login-module code="Kerberos" flag="required">, the following exception is thrown:
> javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.security.negotiation.KerberosLoginModule
> When replacing the login module with the one provided by the JVM:
> <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
> no exception is thrown and authentication works as expected.
> The Kerberos login module works in Wildfly 8.2.0. It appears the class loading or something similar has changed in 9.x onwards to cause this to stop working.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list