[jboss-user] [Security & JAAS/JBoss] - Issues with JBoss Negotiation
danielmesser
do-not-reply at jboss.com
Wed Feb 11 23:18:47 EST 2009
I am having some serious configuration issues when trying to run the toolkit. I am running out of ideas and time to make it work, so maybe you could point me in some direction on how to fix my problems.
I am running security-negotiation-2.0.3.Beta2 with JBoss 4.2.3.GA on a Linux x86_64 machine.
On the client side, I am using Firefox 2.0.0.7 on a Linux i686 desktop
- I enabled GSSAPI:
network.negotiate-auth.allow-proxies: true
network.negotiate-auth.delegation-uris:
network.negotiate-auth.gsslib:
network.negotiate-auth.trusted-uris: http://
network.negotiate-auth.using-native-gsslib: true
- Security Domain test works fine
- Basic negotiation fails with the following error:
=============================================================
HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Unable to writeHeaderDetail
org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:106)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
root cause
java.io.IOException: Unexpected message type
org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decodeNegTokenInitSequence(NegTokenInitDecoder.java:112)
org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decode(NegTokenInitDecoder.java:144)
org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.writeHeaderDetail(BasicNegotiationServlet.java:137)
org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:96)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
note The full stack trace of the root cause is available in the JBossWeb/2.0.1.GA logs.
============================================================
On the server side the log shows:
============================================================
2009-01-21 10:18:38,645 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] No Authorization Header, sending 401
2009-01-21 10:18:38,655 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] Authorization header received - formatting web page response.
2009-01-21 10:18:38,656 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/jboss-negotiation-toolkit].[BasicNegotiation]] Servlet.service() for servlet BasicNegotiation threw exception java.io.IOException: Unexpected message type
at org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decodeNegTokenInitSequence(NegTokenInitDecoder.java:112)
at org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decode(NegTokenInitDecoder.java:144)
:
:
============================================================
The request header is:
============================================================
Host lnx.americas.sgi.com:8080
User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Accept text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language en-us,en;q=0.5
Accept-Encoding gzip,deflate
Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive 300
Connection keep-alive
Referer http://lnx.americas.sgi.com:8080/jboss-negotiation-toolkit/
Cookie s_vi=[CS]v1|492193040000758D-A0208550000349F[CE]; SGISESSION=WeAsHAJ9%2FOd8g
Authorization Negotiate
YIICEAYJKoZIhvcSAQICAQBuggH/MIIB+6ADAgEFoQMCAQ6iBwMFAAAAAACjggEXYYIBEzCCAQ+gAwIBBaENGwtTTEMuU0dJLkNPTaInMCWgAwIBA6EeMBwbBEhUVFAbFGxueC5hbWVyaWNhcy5zZ2kuY29to4HPMIHMoAMCARChAwIBA6KBvwSBvAfti47NDZfzU6P4XcpFttlXz2aLrjg8Xgb3Ab002NJx47A+cWqDUivWpvpxWECH8x1ZbHEURHPkxtblWJ5W+xij/oMJnOg4Ywizb9C+7ICxwIMm3LGo+RnPrRPROaZH/ikyalhcYFKCFbXxh7wdTkLQHsgz2w5kGB7ajex7nutjzCNeERo0Kb0I6GWQaStAmJpVqjO/CQrkTvCNn3dA8tiPxmnVxWBrdYYKq2TldxZGvkrXCY14cSheOV3/pIHKMIHHoAMCARCigb8EgbwZYMcdmOpCrJjuwL4NA6MfET8SQ4lRz4BpPf0/DkKJOTdrqhf6M8yO6Z+79LSwFYSbOOusNTiZu+Ixy3wNNbotCZK2Lnl1J6E+TZr5YLm/VIgnC6PT0PA176Os/m19m5fyG9Dj/9UJaFU3QaAb3BXYbZTVGz1+8nh086tpzWnoOOec/lQWFgwsGp+Y51wlOT3RbIEnopH0pAOhOAqe+wIw8WEjDu5DT7e6LDSrFq8wNcTF7Ec8dlAKvAD1iQ==
===========================================================
The login-config.xml configuration is:
===========================================================
<application-policy name="host">
  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
    <module-option name="storeKey">true</module-option>
    <module-option name="useKeyTab">true</module-option>
    <module-option name="principal">host/lnx.americas.sgi.com@SLC.SGI.COM</module-option>
    <module-option name="keyTab">/etc/krb5.keytab</module-option>
    <module-option name="doNotPrompt">true</module-option>
    <module-option name="debug">true</module-option>
  </login-module>
</application-policy>
<application-policy name="SPNEGO">
  <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="serverSecurityDomain">host</module-option>
  </login-module>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
    <module-option name="password-stacking">useFirstPass</module-option>
    <module-option name="usersProperties">props/spnego-users.properties</module-option>
    <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
  </login-module>
</application-policy>
===============================================================
- I got the tickets on the client side through kinit -p -f:
klist -e
Ticket cache: FILE:/tmp/krb5cc_10002
Default principal: daniel@SLC.SGI.COM
Valid starting     Expires            Service principal
01/21/09 08:24:34  01/22/09 08:24:34  krbtgt/SLC.SGI.COM@SLC.SGI.COM
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
01/21/09 08:24:52  01/22/09 08:24:34  HTTP/lnx.americas.sgi.com@SLC.SGI.COM
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
01/21/09 08:47:26  01/22/09 08:24:34  host/lnx.americas.sgi.com@SLC.SGI.COM
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt10002
klist: You have no tickets cached
- On the server side the tickets are:
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@SLC.SGI.COM
Valid starting     Expires            Service principal
01/20/09 17:18:14  01/21/09 17:18:13  krbtgt/SLC.SGI.COM@SLC.SGI.COM
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
01/20/09 17:18:24  01/21/09 17:18:13  host/aphelion.americas.sgi.com@SLC.SGI.COM
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
- The Kerberos configuration on the client side is:
=========================================================
[libdefaults]
    default_realm = SLC.SGI.COM
    forwardable = 1
[realms]
    SLC.SGI.COM = {
        default_domain = SLC.SGI.COM
        kdc = depot.americas.sgi.com:88
        kdc = aphelion.americas.sgi.com:88
        kdc = feanor.americas.sgi.com:88
        admin_server = depot.americas.sgi.com:749
    }
[domain_realm]
    .americas.sgi.com = SLC.SGI.COM
    americas.sgi.com = SLC.SGI.COM
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
============================================================
- On the server side, the Kerberos configuration is:
============================================================
[libdefaults]
    default_realm = SLC.SGI.COM
    forwardable = 1
[realms]
    SLC.SGI.COM = {
        default_domain = SLC.SGI.COM
        kdc = depot.americas.sgi.com:88
        kdc = aphelion.americas.sgi.com:88
        kdc = feanor.americas.sgi.com:88
        admin_server = depot.americas.sgi.com:749
    }
[domain_realm]
    .americas.sgi.com = SLC.SGI.COM
    americas.sgi.com = SLC.SGI.COM
[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log
===========================================================
Please let me know if you need more information.
Your help would be greatly appreciated.
Daniel
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4209331#4209331
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4209331
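The usual first check when a Negotiate decoder fails with "Unexpected message type" is to look at what mechanism the client's token actually carries, because a server-side NegTokenInit decoder and a client that sends something other than SPNEGO will never agree. The script below is an added example for this thread; it is not part of the post and not JBoss Negotiation's own code. It parses the outer GSS-API InitialContextToken (RFC 2743) of an Authorization: Negotiate value and reports the mechanism OID; for SPNEGO it then lists the mechTypes offered in the NegTokenInit (RFC 4178), and for a bare Kerberos token it reports the two-byte token id (RFC 4121). Run on the header value captured in the post above, it reports the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 and a KRB_AP_REQ, that is, a raw Kerberos GSS token rather than a SPNEGO NegTokenInit, which is consistent with the NegTokenInitDecoder error in the stack trace. The function names, the small DER helpers and the SPNEGO sample token are my own constructions.

```python
"""Report which GSS-API mechanism an 'Authorization: Negotiate <token>' value carries.

Added example for this thread: not part of the post and not JBoss Negotiation's own code.
Helper names and the SPNEGO sample token are constructed for illustration.
"""
import base64

# Mechanism OIDs found at the front of a GSS-API InitialContextToken (RFC 2743, 3.1).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {
    SPNEGO_OID: "SPNEGO",
    KRB5_OID: "Kerberos V5",
    MS_KRB5_OID: "Kerberos V5 (Microsoft legacy OID)",
    NTLMSSP_OID: "NTLMSSP",
}
# Two-byte token identifiers that follow the Kerberos mechanism OID (RFC 4121, 4.1).
KRB5_TOKEN_IDS = {b"\x01\x00": "KRB_AP_REQ", b"\x02\x00": "KRB_AP_REP", b"\x03\x00": "KRB_ERROR"}

# The Authorization header value captured in the post above (Firefox 2.0.0.7, native GSSAPI).
POST_TOKEN = (
    "YIICEAYJKoZIhvcSAQICAQBuggH/MIIB+6ADAgEFoQMCAQ6iBwMFAAAAAACjggEXYYIBEzCCAQ+gAwIB"
    "BaENGwtTTEMuU0dJLkNPTaInMCWgAwIBA6EeMBwbBEhUVFAbFGxueC5hbWVyaWNhcy5zZ2kuY29to4HP"
    "MIHMoAMCARChAwIBA6KBvwSBvAfti47NDZfzU6P4XcpFttlXz2aLrjg8Xgb3Ab002NJx47A+cWqDUivW"
    "pvpxWECH8x1ZbHEURHPkxtblWJ5W+xij/oMJnOg4Ywizb9C+7ICxwIMm3LGo+RnPrRPROaZH/ikyalhc"
    "YFKCFbXxh7wdTkLQHsgz2w5kGB7ajex7nutjzCNeERo0Kb0I6GWQaStAmJpVqjO/CQrkTvCNn3dA8tiP"
    "xmnVxWBrdYYKq2TldxZGvkrXCY14cSheOV3/pIHKMIHHoAMCARCigb8EgbwZYMcdmOpCrJjuwL4NA6Mf"
    "ET8SQ4lRz4BpPf0/DkKJOTdrqhf6M8yO6Z+79LSwFYSbOOusNTiZu+Ixy3wNNbotCZK2Lnl1J6E+TZr5"
    "YLm/VIgnC6PT0PA176Os/m19m5fyG9Dj/9UJaFU3QaAb3BXYbZTVGz1+8nh086tpzWnoOOec/lQWFgws"
    "Gp+Y51wlOT3RbIEnopH0pAOhOAqe+wIw8WEjDu5DT7e6LDSrFq8wNcTF7Ec8dlAKvAD1iQ=="
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length %d runs past end of token" % length)
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Convert DER OID contents to dotted-decimal text."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _spnego_mech_types(init_body):
    """List the mechTypes offered in a NegTokenInit (RFC 4178, 4.2.1)."""
    tag, seq, _ = _read_tlv(init_body, 0)
    if tag != 0x30:
        raise ValueError("NegTokenInit does not start with a SEQUENCE")
    tag, mech_list, _ = _read_tlv(seq, 0)
    if tag != 0xA0:  # mechTypes [0] is OPTIONAL
        return []
    _, oids, _ = _read_tlv(mech_list, 0)
    offered, pos = [], 0
    while pos < len(oids):
        tag, body, pos = _read_tlv(oids, pos)
        if tag == 0x06:
            offered.append(_decode_oid(body))
    return offered


def classify_negotiate_token(b64_token):
    """Return the mechanism OID, its name and what the token contains."""
    raw = base64.b64decode("".join(b64_token.split()))
    if raw.startswith(b"NTLMSSP\x00"):  # NTLM sent bare, without any GSS-API framing
        return {"mechanism": NTLMSSP_OID, "name": "NTLMSSP (raw)", "detail": "NTLM message"}
    tag, body, _ = _read_tlv(raw, 0)
    if tag == 0xA1:  # later SPNEGO round trips are not 0x60-wrapped
        return {"mechanism": SPNEGO_OID, "name": "SPNEGO", "detail": "NegTokenResp"}
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken (tag 0x%02x)" % tag)
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("InitialContextToken lacks a mechanism OID")
    oid = _decode_oid(oid_body)
    result = {"mechanism": oid, "name": MECH_NAMES.get(oid, "unknown")}
    if oid == SPNEGO_OID:
        tag, init_body, _ = _read_tlv(body, pos)
        result["detail"] = "NegTokenInit" if tag == 0xA0 else "unexpected inner tag 0x%02x" % tag
        result["offered"] = _spnego_mech_types(init_body) if tag == 0xA0 else []
    elif oid in (KRB5_OID, MS_KRB5_OID):
        result["detail"] = KRB5_TOKEN_IDS.get(body[pos:pos + 2], "unknown token id")
    else:
        result["detail"] = "%d bytes of mechanism data" % (len(body) - pos)
    return result


def _der(tag, content):
    """Tiny DER TLV encoder (lengths below 65536), used only to build the sample token."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    """Encode a dotted-decimal OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_sample_spnego_token():
    """Constructed SPNEGO NegTokenInit (not from the post) offering Kerberos before NTLM."""
    mech_types = _der(0xA0, _der(0x30, _encode_oid(MS_KRB5_OID) + _encode_oid(KRB5_OID) + _encode_oid(NTLMSSP_OID)))
    mech_token = _der(0xA2, _der(0x04, b"\x60\x00"))  # placeholder mechToken, not a real Kerberos blob
    neg_init = _der(0xA0, _der(0x30, mech_types + mech_token))
    return base64.b64encode(_der(0x60, _encode_oid(SPNEGO_OID) + neg_init)).decode("ascii")


if __name__ == "__main__":
    for label, token in (("token from the post", POST_TOKEN), ("constructed SPNEGO sample", build_sample_spnego_token())):
        print(label, "->", classify_negotiate_token(token))
```

The script only tells you what arrived on the wire; whether a given JBoss Negotiation release accepts an unwrapped Kerberos token, and how the browser's native GSSAPI library decides between SPNEGO and plain Kerberos, are things to confirm against their own documentation for the versions in use.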
More information about the jboss-user mailing list