[jboss-user] [Security & JAAS/JBoss] - JBoss/WinXP/SPNEGO, Kerberos MIT/unix, JGSS question?
neoben
do-not-reply at jboss.com
Sat Feb 21 07:45:24 EST 2009
Hello,
I deployed my app in a JBoss server hosted on a Windows XP machine. The Kerberos MIT server is hosted on a Unix machine, and I configured the JBoss negotiation module as documented; it worked like a treat!
The app deployed in JBoss is multi-tier, and therefore my final goal is to achieve Kerberos credential delegation. Unfortunately, I am sort of stuck right at the beginning because I cannot get anything from the JGSS API, and I am not sure I am using it well as I am new to this API...
Anyway, after a successful SPNEGO authentication, I cannot get anything more than what is displayed on the Secured Servlet in the jboss-negotiation-toolkit... I tried to get the GSSContext to enable delegation, and tried to retrieve a TGT or Credentials.getDefaultCredentials(), and none of these things worked.
So if anybody has some code snippets to share, I would be grateful!
For the time being, I am pasting the content of the logs demonstrating a successful authentication in case somebody sees something wrong:
|
| 10:12:56,403 DEBUG [NegotiationAuthenticator] Header - null
| 10:12:56,403 DEBUG [NegotiationAuthenticator] No Authorization Header, sending 401
| 10:12:56,543 DEBUG [NegotiationAuthenticator] Header - Negotiate
| 10:12:56,621 DEBUG [NegotiationAuthenticator] Creating new NegotiationContext
| 10:12:56,731 DEBUG [SPNEGOLoginModule] serverSecurityDomain=bcoiffe
| 10:12:56,746 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is C:/ECLIPSE_WORKSPACES/coral_fev2009/Kensington/jboss-4.2.2.GA/server/bcoiffe4.keytab refreshKrb5Config is false principal is HTTP/bcoiffe.company.net@COMPANY.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
| 10:12:56,746 INFO [STDOUT] principal's key obtained from the keytab
| 10:12:56,793 INFO [STDOUT] principal is HTTP/bcoiffe.company.net@COMPANY.NET
| 10:12:56,840 INFO [STDOUT] Acquire TGT using AS Exchange
| 10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
| 10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 5D FD 1C DF 6B 01 64 B6
| 10:12:56,856 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
| 0010: DC 26 FB A4 04 8F E9 BF
| 10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
| 0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
| 10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company.net@COMPANY.NET to Subject
| 10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
| 0000: 5D FD 1C DF 6B 01 64 B6
| 10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company.net@COMPANY.NET to Subject
| 10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
| 0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
| 0010: DC 26 FB A4 04 8F E9 BF
| 10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company.net@COMPANY.NET to Subject
| 10:12:56,856 INFO [STDOUT] Commit Succeeded
| 10:12:56,871 DEBUG [SPNEGOLoginModule] Subject = Subject:
| Principal: HTTP/bcoiffe.company.net@COMPANY.NET
| Private Credential: Ticket (hex) =
| Client Principal = HTTP/bcoiffe.company.net@COMPANY.NET
| Server Principal = krbtgt/COMPANY.NET@COMPANY.NET
| Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
| 0000: 13 A4 A4 94 C1 F8 2F 1F
|
| Forwardable Ticket false
| Forwarded Ticket false
| Proxiable Ticket false
| Proxy Ticket false
| Postdated Ticket false
| Renewable Ticket false
| Initial Ticket false
| Auth Time = Sat Feb 21 10:12:49 GMT 2009
| Start Time = Sat Feb 21 10:12:49 GMT 2009
| End Time = Sat Feb 21 20:12:49 GMT 2009
| Renew Till = null
| Client Addresses Null
| Private Credential: Kerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
| 0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
|
|
| Private Credential: Kerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
| 0000: 5D FD 1C DF 6B 01 64 B6
|
| Private Credential: Kerberos Principal HTTP/bcoiffe.company.net@COMPANY.NETKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
| 0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
| 0010: DC 26 FB A4 04 8F E9 BF
|
|
| 10:12:56,871 DEBUG [SPNEGOLoginModule] Logged in 'bcoiffe' LoginContext
| 10:12:56,871 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
| 10:12:56,965 DEBUG [SPNEGOLoginModule] context.getCredDelegState() = false
| 10:12:56,965 DEBUG [SPNEGOLoginModule] context.getMutualAuthState() = false
| 10:12:56,965 DEBUG [SPNEGOLoginModule] context.getSrcName() = isense01@COMPANY.NET
| 10:12:56,965 DEBUG [SPNEGOLoginModule] Storing username 'isense01@COMPANY.NET' and empty password
| 10:12:56,965 INFO [STDOUT] [Krb5LoginModule]: Entering logout
| 10:12:56,965 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
|
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4212028#4212028
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4212028
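
Added example, not part of the original post and not JBoss Negotiation code: a sketch of the acceptor-side JGSS calls for the delegation goal described above, using only the standard `org.ietf.jgss` API. The class name, method name and the backend service name are hypothetical, and how the established acceptor `GSSContext` is obtained from the negotiation layer is an assumption left to the caller.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public final class DelegatedCall {
    // Kerberos V5 mechanism OID.
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /**
     * Returns an initiator context towards a backend service that acts as the
     * user authenticated on 'accepted' (the established acceptor-side context).
     * backendService is a host-based name, e.g. "HTTP@backend.example.net"
     * (hypothetical). The caller drives initSecContext() and disposes it.
     */
    public static GSSContext contextAsUser(GSSContext accepted, String backendService)
            throws GSSException {
        if (!accepted.isEstablished()) {
            throw new IllegalStateException("SPNEGO exchange not finished");
        }
        // The log above shows getCredDelegState() = false: the client did not
        // delegate credentials, so there is nothing to act with on its behalf.
        // Fail closed instead of falling back to the service's own identity.
        if (!accepted.getCredDelegState()) {
            throw new GSSException(GSSException.NO_CRED);
        }
        GSSCredential userCred = accepted.getDelegCred();

        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_OID);
        GSSName backend =
                manager.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);

        GSSContext outbound = manager.createContext(
                backend, krb5, userCred, GSSContext.DEFAULT_LIFETIME);
        // Verify the backend's identity before sending it any data.
        outbound.requestMutualAuth(true);
        // Least privilege: do not forward the user's TGT past this hop.
        outbound.requestCredDeleg(false);
        return outbound;
    }
}
```

The delegation check only passes when the client actually delegated its credentials during the SPNEGO exchange; with `getCredDelegState()` false, as logged above, no server-side call can produce them.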