[jboss-jira] [JBoss JIRA] (ELY-1181) Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
Darran Lofthouse (JIRA)
issues at jboss.org
Fri May 19 14:52:00 EDT 2017
[ https://issues.jboss.org/browse/ELY-1181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse moved WFCORE-2377 to ELY-1181:
-----------------------------------------------
Project: WildFly Elytron (was: WildFly Core)
Key: ELY-1181 (was: WFCORE-2377)
Component/s: Utils (was: Security)
> Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true
> ----------------------------------------------------------------------------------------
>
> Key: ELY-1181
> URL: https://issues.jboss.org/browse/ELY-1181
> Project: WildFly Elytron
> Issue Type: Bug
> Components: Utils
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Critical
> Labels: ibm-java, kerberos
> Fix For: 1.1.0.Beta45
>
>
> On IBM Java, when obtain-kerberos-ticket is set to true, the user always gets
> {code}
> javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
> {code}
> According to IBM documentation [1], credsType=initiator and useKeytab are really incompatible.
> This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.
> {code}
> "path" => {
>     "type" => STRING,
>     "description" => "The path of the KeyTab to load to obtain the credential.",
>     "attribute-group" => "file",
>     "expressions-allowed" => true,
>     "required" => true,
>     "nillable" => false,
>     "min-length" => 1L,
>     "max-length" => 2147483647L,
>     "access-type" => "read-write",
>     "storage" => "configuration",
>     "restart-required" => "resource-services"
> },
> {code}
> And the keytab is always set in the Kerberos login module options:
> {code:title=GSSCredentialSecurityFactory.java}
> if (IS_IBM) {
>     options.put("noAddress", "true");
>     options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
>     options.put("useKeytab", keyTab.toURI().toURL().toString());
> }
> {code}
> [1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jgssDocs/jaas_login_user.html
> I am not setting this to blocker just because I am not sure about the importance of obtain-kerberos-ticket. See my question JBEAP-9292.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)