[jboss-user] [Security & JAAS/JBoss] - NegotiateKerberos and JbossAdmin Group issue

adrien.loyat do-not-reply at jboss.com
Tue Mar 4 06:32:37 EST 2008


Hello

I tried to use the NTLM authentication as described here http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos. 
I'm using jboss AS 4.2.2 GA. 
I'm using the test case found on the wiki page. 

My Active Directory server traces my authentication. But JBoss (or whatever it is) gives me the roles of JBossAdmin. In the AD, I'm not part of any group named like this. Thus if in the web.xml file of the test case I change JBossAdmin to one of the groups I am a member of, I cannot access the resources (code 403).

So my question is, where does such a group come from?



anonymous wrote: 
  | 2008-03-03 17:03:26,857 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] defaultLogin,   principal=1204560206854
  | 2008-03-03 17:03:26,857 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(SPNEGO), size=9
  | 2008-03-03 17:03:26,857 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
  | [0]
  | LoginModule Class: org.jboss.security.auth.NegotiateLoginModule
  | ControlFlag: LoginModuleControlFlag : required
  | Options:name=defaultDomain, value=CIG.local
  | name=domainController, value=srv-cig.cigidf1.local
  | name=loadBalance, value=false
  | 
  | 2008-03-03 17:03:26,858 TRACE [org.jboss.security.auth.NegotiateLoginModule] initialize,   instance=@22758614
  | 2008-03-03 17:03:26,858 TRACE [org.jboss.security.auth.NegotiateLoginModule] Security domain: SPNEGO
  | 2008-03-03 17:03:26,868 TRACE [org.jboss.security.auth.NegotiateLoginModule] commit, loginOk=true
  | 2008-03-03 17:03:26,868 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] defaultLogin, lc=javax.security.auth.login.LoginContext at 1044daf, subject=Subject(25701656).principals=jcifs.smb.NtlmPasswordAuthentication at 6207304(TOTO\loyat)org.jboss.
  | security.SimpleGroup at 5440318(Roles(members:JBossAdmin(members:TOTO\loyat)))
  | 2008-03-03 17:03:26,869 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] updateCache, inputSubject=Subject(25701656).principals=jcifs.smb.NtlmPasswordAuthentication at 6207304(TOTO\loyat)
  | org.jboss.security.SimpleGroup at 5440318(Roles(members:JBossAdmin(members:TOTO\loyat))), cacheSubject=Subject(21533658).principals=jcifs.smb.NtlmPasswordAuthentication at 6207304(TOTO\loyat)
  | org.jboss.security.SimpleGroup at 5440318(Roles(members:JBossAdmin(members:TOTO\loyat)))
  | 2008-03-03 17:03:26,869 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at 1e30857[Subject(21533658).principals=
  | jcifs.smb.NtlmPasswordAuthentication at 6207304(TOTO\loyat)org.jboss.security.SimpleGroup at 5440318
  | (Roles(members:JBossAdmin(members:TOTO\loyat))),credential.class=java.lang.String at 12759798,
  | expirationTime=1204561961713]
  | 2008-03-03 17:03:26,869 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] End isValid, true
  | 2008-03-03 17:03:26,870 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] User: 1204560206854 is authenticated
  | 2008-03-03 17:03:26,870 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Objet :
  |         Principal : TOTO\loyat
  |         Principal : Roles(members:JBossAdmin(members:TOTO\loyat))
  | , sc=org.jboss.security.SecurityAssociation$SubjectContext at 389922{principal=1204560206854,subject=30255134}
  | 2008-03-03 17:03:26,871 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at 1e30857[Subject(21533658).principals=jcifs.smb.NtlmPasswordAuthentication at 6207304
  | (TOTO\loyat)org.jboss.security.SimpleGroup at 5440318(Roles(members:JBossAdmin(members:TOTO\loyat))),credential.class=java.lang.String@
  | 12759798,expirationTime=1204561961713]
  | 



Thanks for your answers.
Adrien

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4133853#4133853
