[jboss-jira] [JBoss JIRA] (ELY-1280) GSSAPI only identities credential if we actually have one.
Darran Lofthouse (JIRA)
issues at jboss.org
Fri Jul 21 04:55:02 EDT 2017
[ https://issues.jboss.org/browse/ELY-1280?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved ELY-1280.
-----------------------------------
Fix Version/s: 1.1.0.CR3
Resolution: Done
> GSSAPI only identities credential if we actually have one.
> ----------------------------------------------------------
>
> Key: ELY-1280
> URL: https://issues.jboss.org/browse/ELY-1280
> Project: WildFly Elytron
> Issue Type: Bug
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Fix For: 1.1.0.CR3
>
>
> In ER2, Kerberos authentication in remoting does not work with IBM Java. I see the same error in 2 scenarios:
> * Elytron Kerberos authentication for the management interface - CLI
> * Elytron Kerberos authentication for EJB
> This issue (reproducer/description) is based on the CLI case. As it seems to me, it is caused by the same error.
> {code}
> 13:15:25,038 INFO [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main) Command:[/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.sh, -Djboss.cli.config=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.xml, -c, --controller=remote+http://localhost.localdomain:9990, --timeout=60000, -Djavax.security.auth.useSubjectCredsOnly=false, -Djava.security.krb5.conf=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-4030706113084817464.conf, -Dsun.security.krb5.debug=true, -Dcom.ibm.security.jgss.debug=all, -Dcom.ibm.security.krb5.Krb5Debug=all, -Djavax.net.ssl.trustStore=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/localhost.keystore, :whoami]
> 13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Initialized connection from /127.0.0.1:41690 to /127.0.0.1:9990 with options {org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
> 13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Accepted connection from /127.0.0.1:41690 to localhost.localdomain/127.0.0.1:9990
> 13:15:26,353 TRACE [org.jboss.remoting.remote] (management I/O-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial at 6a1d77d9
> 13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 28 bytes
> 13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
> 13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
> 13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
> 13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 56 bytes
> 13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
> 13:15:26,375 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capabilities request
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: version 1
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote endpoint name "cli-client"
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: message close protocol supported
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote version is "5.0.0.CR4-redhat-1"
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote channels in is "40"
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote channels out is "40"
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: authentication service
> 13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) No EXTERNAL mechanism due to lack of SSL
> 13:15:26,380 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism GSSAPI
> 13:15:26,381 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism PLAIN
> 13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 81 bytes
> 13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
> 13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
> 13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
> 13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 583 bytes
> 13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
> 13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
> 13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received authentication request
> 13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
> 13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
> 13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) configuredMaxReceiveBuffer=16777215
> 13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) relaxComplianceChecks=false
> 13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) QOP={AUTH}
> 13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) Obtaining GSSCredential for the service from callback handler...
> 13:15:27,197 TRACE [org.wildfly.security] (management I/O-1) No valid cached credential, obtaining new one...
> 13:15:27,198 TRACE [org.wildfly.security] (management I/O-1) Logging in using LoginContext and subject [Subject:
> ]
> 13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: debug=true
> 13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: principal=remote/localhost.localdomain at JBOSS.ORG
> 13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: credsType=accept only
> 13:15:27,218 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config: useDefaultCcache=false (default)
> 13:15:27,219 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config: useCcache=null
> 13:15:27,219 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config: useDefaultKeytab=false
> 13:15:27,220 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 config: useKeytab=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab
> 13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: forwardable=false (default)
> 13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: renewable=false (default)
> 13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: proxiable=false (default)
> 13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: tryFirstPass=false (default)
> 13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: useFirstPass=false (default)
> 13:15:27,224 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: moduleBanner=false (default)
> 13:15:27,225 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 JAAS config: interactive login? no
> 13:15:27,225 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 Try keytab for principal=remote/localhost.localdomain at JBOSS.ORG
> 13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 No Kerberos creds in keytab for principal remote/localhost.localdomain at JBOSS.ORG
> 13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 Login successful
> 13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 kprincipal : remote/localhost.localdomain at JBOSS.ORG
> 13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 remote/localhost.localdomain at JBOSS.ORG added to Subject
> 13:15:27,327 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 KeyTab added to Subject
> 13:15:27,328 INFO [stdout] (management I/O-1) [JGSS_DBG_CRED] management I/O-1 No keys to add to Subject for remote/localhost.localdomain at JBOSS.ORG
> 13:15:27,328 TRACE [org.wildfly.security] (management I/O-1) Logging in using LoginContext and subject [Subject:
> Principal: remote/localhost.localdomain at JBOSS.ORG
> Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab for remote/localhost.localdomain at JBOSS.ORG
> ] succeed
> 13:15:27,329 TRACE [org.wildfly.security] (management I/O-1) Creating GSSName for Principal 'remote/localhost.localdomain at JBOSS.ORG'
> 13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential at b7cba9ed]
> 13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
> 13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer for mechanism GSSAPI and protocol remote
> 13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1 at 7e6923d] for mechanism [GSSAPI]
> 13:15:27,339 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor at 48dbe42)
> 13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Negotiated mechanism 1.2.840.113554.1.2.2
> 13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) No response so triggering next state immediately.
> 13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Not offering a security layer so zero length.
> 13:15:27,601 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Transitioning to receive chosen security layer from client
> 13:15:27,601 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication challenge
> 13:15:27,601 TRACE [org.jboss.remoting.remote] (management task-6) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication at aa1379f
> 13:15:27,601 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor at 48dbe42)
> 13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 37 bytes
> 13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
> 13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
> 13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
> 13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 37 bytes
> 13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
> 13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
> 13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received authentication response
> 13:15:27,608 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor at 48dbe42)
> 13:15:27,609 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 0
> 13:15:27,610 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Authentication ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c at JBOSS.ORG, Authorization ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c at JBOSS.ORG
> 13:15:27,610 TRACE [org.wildfly.security] (management task-7) Principal assigning: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c at JBOSS.ORG], pre-realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm name: [fileSystemRealm], post-realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c]
> 13:15:27,611 TRACE [org.wildfly.security] (management task-7) Role mapping: principal [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
> 13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing principal jdukec4c36a8b-173f-41e7-af5b-7492f91a404c.
> 13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing against the following attributes: [] => []
> 13:15:27,611 TRACE [org.wildfly.security] (management task-7) Permission mapping: identity [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
> 13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorization succeed
> 13:15:27,611 TRACE [org.wildfly.security] (management task-7) RunAs authorization succeed - the same identity
> 13:15:27,611 TRACE [org.wildfly.security] (management task-7) Handling AuthorizeCallback: authenticationID = jdukec4c36a8b-173f-41e7-af5b-7492f91a404c at JBOSS.ORG authorizationID = jdukec4c36a8b-173f-41e7-af5b-7492f91a404c at JBOSS.ORG authorized = true
> 13:15:27,613 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: java.lang.IllegalArgumentException: Parameter 'gssCredential' may not be null
> at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:70)
> at org.wildfly.common.Assert.checkNotNullParam(Assert.java:48)
> at org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:53)
> at org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:43)
> at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:284)
> at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
> at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:122)
> at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
> at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
> at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
> at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
> at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
> at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:468)
> at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
> at org.jboss.remoting3.EndpointImpl$TrackingExecutor$$Lambda$905.00000000201F9C40.run(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
> at java.lang.Thread.run(Thread.java:785)
> 13:15:27,614 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) dispose
> 13:15:27,614 TRACE [org.wildfly.security] (management task-7) Handling AuthenticationCompleteCallback: fail
> 13:15:27,614 TRACE [org.jboss.remoting.remote] (management task-7) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial at 18fce815
> 13:15:27,614 TRACE [org.jboss.remoting.endpoint] (management task-7) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor at 48dbe42)
> 13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 5 bytes
> 13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
> 13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
> 13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Alloca
> {code}
> Tests pass just fine on Oracle/OpenJDK JDK.
> The stack trace involves code introduced by https://github.com/wildfly-security/wildfly-elytron/commit/faf1aff340c3a2d88dc6aa1fb39a9991e9ff3057 .
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)