[jboss-jira] [JBoss JIRA] (WFLY-8295) Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
Martin Choma (JIRA)
issues at jboss.org
Mon Mar 6 03:45:00 EST 2017
Martin Choma created WFLY-8295:
----------------------------------
Summary: Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
Key: WFLY-8295
URL: https://issues.jboss.org/browse/WFLY-8295
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Critical
On IBM Java, when obtain-kerberos-ticket is set to true, the user always gets
{code}
javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
{code}
According to the IBM documentation [1], credsType=initiator and useKeytab really are incompatible.
This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.
{code}
"path" => {
    "type" => STRING,
    "description" => "The path of the KeyTab to load to obtain the credential.",
    "attribute-group" => "file",
    "expressions-allowed" => true,
    "required" => true,
    "nillable" => false,
    "min-length" => 1L,
    "max-length" => 2147483647L,
    "access-type" => "read-write",
    "storage" => "configuration",
    "restart-required" => "resource-services"
},
{code}
And the keytab is always set in the Kerberos login module options:
{code:title=GSSCredentialSecurityFactory.java}
if (IS_IBM) {
    options.put("noAddress", "true");
    options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
    options.put("useKeytab", keyTab.toURI().toURL().toString());
}
{code}
[1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jgssDocs/jaas_login_user.html
I am not setting this to blocker just because I am not sure about the importance of obtain-kerberos-ticket. See my question in JBEAP-9292.