[jboss-jira] [JBoss JIRA] (ELY-271) EJB authentication via Kerberos does not work with wildfly-security-api

Ondrej Lukas (JIRA) issues at jboss.org
Thu Sep 8 05:12:01 EDT 2016


     [ https://issues.jboss.org/browse/ELY-271?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ondrej Lukas updated ELY-271:
-----------------------------
    Priority: Critical  (was: Minor)


> EJB authentication via Kerberos does not work with wildfly-security-api
> -----------------------------------------------------------------------
>
>                 Key: ELY-271
>                 URL: https://issues.jboss.org/browse/ELY-271
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SASL
>    Affects Versions: 1.0.0.Alpha3
>            Reporter: Ondrej Lukas
>            Assignee: Darran Lofthouse
>            Priority: Critical
>             Fix For: 1.1.0.CR1
>
>         Attachments: client.zip, server.jar
>
>
> EJB authentication via Kerberos does not work for projects using EJB Client with a dependency on org.wildfly:wildfly-security-api. The EJB invocation failed with the exception:
> {noformat}
> java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
>    GSSAPI: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by javax.security.sasl.SaslException: ELY05127: [GSSAPI] No security layer supported by server but maximum message size received: "65536"]
> 	at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)
> 	at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:80)
> 	at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
> 	at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:158)
> 	at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.getCurrent(ConfigBasedEJBClientContextSelector.java:115)
> 	at org.jboss.ejb.client.naming.ejb.EjbNamingContext.createIdentifiableEjbClientContext(EjbNamingContext.java:258)
> 	at org.jboss.ejb.client.naming.ejb.EjbNamingContext.setupScopedEjbClientContextIfNeeded(EjbNamingContext.java:123)
> 	at org.jboss.ejb.client.naming.ejb.EjbNamingContext.<init>(EjbNamingContext.java:98)
> 	at org.jboss.ejb.client.naming.ejb.ejbURLContextFactory.getObjectInstance(ejbURLContextFactory.java:38)
> 	at javax.naming.spi.NamingManager.getURLObject(NamingManager.java:601)
> 	at javax.naming.spi.NamingManager.getURLContext(NamingManager.java:550)
> 	at javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:345)
> 	at javax.naming.InitialContext.lookup(InitialContext.java:417)
> 	at client.Client.main(Client.java:19)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:483)
> 	at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:297)
> 	at java.lang.Thread.run(Thread.java:745)
> Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
>    GSSAPI: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by javax.security.sasl.SaslException: ELY05127: [GSSAPI] No security layer supported by server but maximum message size received: "65536"]
> 	at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:114)
> 	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:393)
> 	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:243)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:199)
> 	at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:113)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
> 	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
> 	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
> 	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
> 	at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
> 	at ...asynchronous invocation...(Unknown Source)
> 	at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:272)
> 	at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:388)
> 	at org.jboss.ejb.client.remoting.EndpointPool$PooledEndpoint.connect(EndpointPool.java:192)
> 	at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:153)
> 	at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
> 	at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:78)
> 	... 18 more
> {noformat}
> Note:
> The dependency org.wildfly:wildfly-security-api has a transitive dependency on org.wildfly.security:wildfly-elytron. The wildfly-elytron artifact uses the service org.wildfly.security.sasl.gssapi.GssapiClientFactory, which is added via Java SPI as javax.security.sasl.SaslClientService. Adding this service causes Kerberos authentication to be handled by org.wildfly.security.sasl.gssapi.GssapiClient, which leads to authentication failures.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
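
The note in the issue attributes the failure to an additional GSSAPI client factory reaching the client class path through a transitive dependency. The following diagnostic is an added example, not code from the issue, its attachments or any WildFly project. It lists every GSSAPI-capable implementation of the standard javax.security.sasl.SaslClientFactory interface visible to the client, whether contributed by a META-INF/services file or by a registered java.security provider, together with the jar it was loaded from. The class name GssapiFactoryAudit is hypothetical.

```java
import java.security.CodeSource;
import java.util.*;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClientFactory;

// Added diagnostic; the class name GssapiFactoryAudit is hypothetical.
public class GssapiFactoryAudit {

    // Describe a factory if it offers the mechanism, otherwise return null.
    static String describe(SaslClientFactory f, String mechanism, String via) {
        String[] names = f.getMechanismNames(Collections.<String, Object>emptyMap());
        if (names == null || !Arrays.asList(names).contains(mechanism)) return null;
        CodeSource src = f.getClass().getProtectionDomain().getCodeSource();
        String origin = (src == null || src.getLocation() == null)
                ? "JDK runtime" : src.getLocation().toString();
        return via + ": " + f.getClass().getName() + " [" + origin + "]";
    }

    static List<String> audit(String mechanism, ClassLoader loader) {
        List<String> out = new ArrayList<>();
        // 1. Factories contributed by META-INF/services files on the class path.
        Iterator<SaslClientFactory> it =
                ServiceLoader.load(SaslClientFactory.class, loader).iterator();
        try {
            while (it.hasNext()) {
                String d = describe(it.next(), mechanism, "service-file");
                if (d != null) out.add(d);
            }
        } catch (ServiceConfigurationError err) {
            // A broken provider entry: record it and stop iterating.
            out.add("service-file: unloadable provider (" + err.getMessage() + ")");
        }
        // 2. Factories registered through java.security providers.
        Enumeration<SaslClientFactory> fromProviders = Sasl.getSaslClientFactories();
        while (fromProviders.hasMoreElements()) {
            String d = describe(fromProviders.nextElement(), mechanism, "security-provider");
            if (d != null) out.add(d);
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> found = audit("GSSAPI", Thread.currentThread().getContextClassLoader());
        found.forEach(System.out::println);
        if (found.size() > 1)
            System.out.println("More than one GSSAPI client factory is visible; check transitive dependencies.");
    }
}
```

Run it with the same class path as the EJB client; a "service-file" entry pointing at a jar pulled in transitively is the situation the note describes.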