[jboss-jira] [JBoss JIRA] (WFCORE-2377) Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true

Darran Lofthouse (JIRA) issues at jboss.org
Tue Mar 7 13:16:18 EST 2017 

     [ https://issues.jboss.org/browse/WFCORE-2377?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse moved WFLY-8295 to WFCORE-2377:
------------------------------------------------

        Project: WildFly Core  (was: WildFly)
            Key: WFCORE-2377  (was: WFLY-8295)
    Component/s: Security
                     (was: Security)


> Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
> ----------------------------------------------------------------------------------------
>
>                 Key: WFCORE-2377
>                 URL: https://issues.jboss.org/browse/WFCORE-2377
>             Project: WildFly Core
>          Issue Type: Bug
>          Components: Security
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>            Priority: Critical
>              Labels: ibm-java, kerberos
>
> On IBM java when obtain-kerberos-ticket is set to true user always get
> {code}
> javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
> {code}
> According to ibm documentation [1] credsType=initiator and useKeytab are really incompatible.
> This constraint can't be avoided once obtain-kerberos-ticket = true, because keytab path is required in model. 
> {code}
>        "path" => {
> 	    "type" => STRING,
> 	    "description" => "The path of the KeyTab to load to obtain the credential.",
> 	    "attribute-group" => "file",
> 	    "expressions-allowed" => true,
> 	    "required" => true,
> 	    "nillable" => false,
> 	    "min-length" => 1L,
> 	    "max-length" => 2147483647L,
> 	    "access-type" => "read-write",
> 	    "storage" => "configuration",
> 	    "restart-required" => "resource-services"
> 	},
> {code}
> And keytab is always set into Kerberos login module options
> {code:title=GSSCredentialSecurityFactory.java}
>             if (IS_IBM) {
>                 options.put("noAddress", "true");
>                 options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
>                 options.put("useKeytab", keyTab.toURI().toURL().toString());
>             }
> {code}
> [1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jgssDocs/jaas_login_user.html
> I am not setting to blocker just because I am not sure about importance of obtain-kerberos-ticket. See my question JBEAP-9292.



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list