[jboss-user] [Security & JAAS/JBoss] - JBoss/WinXP/SPNEGO, Kerberos MIT/unix, JGSS question?

neoben do-not-reply at jboss.com
Sat Feb 21 07:45:24 EST 2009



Hello,

I deployed my app in a JBoss server hosted on a Windows XP machine. The Kerberos MIT server is hosted on a Unix machine, and I configured the JBoss negotiation module as documented; it worked like a treat!
The app deployed in JBoss is multi-tier... and therefore my final goal is to achieve Kerberos credential delegation. Unfortunately, I am sort of stuck right at the beginning because I cannot get anything from the jGSS API, and I am not sure I am using it well as I am new to this API...
Anyway, after a successful SPNEGO authentication, I cannot get anything more than what is displayed on the Secured Servlet in the jboss-negotiation-toolkit... I tried to get the GSSContext to enable delegation, and tried to retrieve a TGT or Credentials.getDefaultCredentials(), and none of these things worked.

So if anybody has some code snippets to share, I would be grateful!
For the time being, I am copy-pasting the content of the logs demonstrating a successful authentication in case somebody sees something wrong:


  | 
  | 10:12:56,403 DEBUG [NegotiationAuthenticator] Header - null
  | 10:12:56,403 DEBUG [NegotiationAuthenticator] No Authorization Header, sending 401
  | 10:12:56,543 DEBUG [NegotiationAuthenticator] Header - Negotiate YIICcgYGKwYBBQUCoIICZjCCAmKgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggI9BIICOWCCAjUGCSqGSIb3EgECAgEAboICJDCCAiCgAwIBBaEDAgEOogcDBQAAAAAAo4IBNGGCATAwggEsoAMCAQWhEBsOSU5GT1JTRU5TRS5ORVSiKTAnoAMCAQOhIDAeGwRIVFRQGxZwY2hldW5nLmluZm9yc2Vuc2UubmV0o4HnMIHkoAMCARChAwIBBKKB1wSB1BykOkLMeW4IHdaVfKqh5SyX5Yt6yk/T0DTJ4r39UXnJKWM6AXj3rgLFDpVkpjDBzkx/ElGQ+ZxhcFpF+bU6hQWmD2rwnxLzXq0kWWsxwrYQdvoXNXPpnZAtRIfqA3WweXD29R1NHcKK0/bIFRh2RtdcE5t1T0NLQD3as2Ig/o/wmKZ/EuA/w0+h3+Uj2DxIVzif81myKBlfB9jKOI7SXJSi64TkWp6ZJHdeXjV0RCtcDAyrpovFv7BLq+zCBY7rw5fQp8Uw+DV8i/PxJ3hLHIMaHTCOpIHSMIHPoAMCARCigccEgcTwOIkWUfDAbBm8j70hqs0bdIOnB2fDUdLoI7Z41ZhZrorJh+37ClGkp+Tq6OirGZbf19bjxKAhUdGozIILrLxE6cNl+NJBYnuEyW9/A7uDgG1sHCsemXuC2ReKqxeTtr4bWOxZkZF34qKdtzCfMyT8DqnhgEcRAB3Kw3/b7ceugqNY3mu0O1zY3jaxK5+sqhUH8mFJzGsXnBiNsqt4Bacuqwq5kP3o4tsauTSfx/LDC4RA28Gl+izgO2+pIVzbQ3Ei+6V5
  | 10:12:56,621 DEBUG [NegotiationAuthenticator] Creating new NegotiationContext
  | 10:12:56,731 DEBUG [SPNEGOLoginModule] serverSecurityDomain=bcoiffe
  | 10:12:56,746 INFO  [STDOUT] Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is C:/ECLIPSE_WORKSPACES/coral_fev2009/Kensington/jboss-4.2.2.GA/server/bcoiffe4.keytab refreshKrb5Config is false principal is HTTP/bcoiffe.company.net at COMPANY.NET tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  | 10:12:56,746 INFO  [STDOUT] principal's key obtained from the keytab
  | 10:12:56,793 INFO  [STDOUT] principal is HTTP/bcoiffe.company.net at COMPANY.NET
  | 10:12:56,840 INFO  [STDOUT] Acquire TGT using AS Exchange
  | 10:12:56,840 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 88 34 EC E5 2B A3 04 3E   0C 63 55 EA 22 FB 28 BE  .4..+..>.cU.".(.
  | 10:12:56,840 INFO  [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 5D FD 1C DF 6B 01 64 B6   
  | 10:12:56,856 INFO  [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: FB F7 6D 9D C7 0E 8C 9D   29 D3 97 EF FB 91 8A 6B  ..m.....)......k
  | 0010: DC 26 FB A4 04 8F E9 BF   
  | 10:12:56,856 INFO  [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net at COMPANY.NETKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  | 0000: 88 34 EC E5 2B A3 04 3E   0C 63 55 EA 22 FB 28 BE  .4..+..>.cU.".(.
  | 10:12:56,856 INFO  [STDOUT] 		[Krb5LoginModule] added Krb5Principal  HTTP/bcoiffe.company.net at COMPANY.NET to Subject
  | 10:12:56,856 INFO  [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net at COMPANY.NETKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
  | 0000: 5D FD 1C DF 6B 01 64 B6   
  | 10:12:56,856 INFO  [STDOUT] 		[Krb5LoginModule] added Krb5Principal  HTTP/bcoiffe.company.net at COMPANY.NET to Subject
  | 10:12:56,856 INFO  [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company.net at COMPANY.NETKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
  | 0000: FB F7 6D 9D C7 0E 8C 9D   29 D3 97 EF FB 91 8A 6B  ..m.....)......k
  | 0010: DC 26 FB A4 04 8F E9 BF   
  | 10:12:56,856 INFO  [STDOUT] 		[Krb5LoginModule] added Krb5Principal  HTTP/bcoiffe.company.net at COMPANY.NET to Subject
  | 10:12:56,856 INFO  [STDOUT] Commit Succeeded 
  | 10:12:56,871 DEBUG [SPNEGOLoginModule] Subject = Subject:
  | 	Principal: HTTP/bcoiffe.company.net at COMPANY.NET
  | 	Private Credential: Ticket (hex) = 
  | Client Principal = HTTP/bcoiffe.company.net at COMPANY.NET
  | Server Principal = krbtgt/COMPANY.NET at COMPANY.NET
  | Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
  | 0000: 13 A4 A4 94 C1 F8 2F 1F   
  | 
  | Forwardable Ticket false
  | Forwarded Ticket false
  | Proxiable Ticket false
  | Proxy Ticket false
  | Postdated Ticket false
  | Renewable Ticket false
  | Initial Ticket false
  | Auth Time = Sat Feb 21 10:12:49 GMT 2009
  | Start Time = Sat Feb 21 10:12:49 GMT 2009
  | End Time = Sat Feb 21 20:12:49 GMT 2009
  | Renew Till = null
  | Client Addresses  Null 
  | 	Private Credential: Kerberos Principal HTTP/bcoiffe.company.net at COMPANY.NETKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  | 0000: 88 34 EC E5 2B A3 04 3E   0C 63 55 EA 22 FB 28 BE  .4..+..>.cU.".(.
  | 
  | 
  | 	Private Credential: Kerberos Principal HTTP/bcoiffe.company.net at COMPANY.NETKey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
  | 0000: 5D FD 1C DF 6B 01 64 B6   
  | 
  | 	Private Credential: Kerberos Principal HTTP/bcoiffe.company.net at COMPANY.NETKey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
  | 0000: FB F7 6D 9D C7 0E 8C 9D   29 D3 97 EF FB 91 8A 6B  ..m.....)......k
  | 0010: DC 26 FB A4 04 8F E9 BF   
  | 
  | 
  | 10:12:56,871 DEBUG [SPNEGOLoginModule] Logged in 'bcoiffe' LoginContext
  | 10:12:56,871 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
  | 10:12:56,965 DEBUG [SPNEGOLoginModule] context.getCredDelegState() = false
  | 10:12:56,965 DEBUG [SPNEGOLoginModule] context.getMutualAuthState() = false
  | 10:12:56,965 DEBUG [SPNEGOLoginModule] context.getSrcName() = isense01 at COMPANY.NET
  | 10:12:56,965 DEBUG [SPNEGOLoginModule] Storing username 'isense01 at COMPANY.NET' and empty password
  | 10:12:56,965 INFO  [STDOUT] 		[Krb5LoginModule]: Entering logout
  | 10:12:56,965 INFO  [STDOUT] 		[Krb5LoginModule]: logged out Subject
  | 

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4212028#4212028
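
An added example, not part of the original post and not JBoss Negotiation's own code: how an acceptor reads a delegated credential from an established jGSS context and reuses it towards a back-end service, using only the standard org.ietf.jgss API. It assumes the caller already holds the established acceptor-side GSSContext; the class name, method names and the back-end service name are hypothetical. The line "context.getCredDelegState() = false" in the log above corresponds to the null-return branch here.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Hypothetical helper for a middle tier that wants to act on behalf of the caller. */
public class DelegationSketch {

    /** Kerberos V5 GSS-API mechanism OID. */
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    /**
     * Acceptor side: returns the credential the client delegated,
     * or null when the client's token carried none.
     */
    static GSSCredential delegatedCredential(GSSContext accepted) throws GSSException {
        if (!accepted.isEstablished()) {
            throw new IllegalStateException("GSS context is not established yet");
        }
        // false means no credential was delegated: nothing to forward, so the
        // middle tier must not fall back to its own service credential here.
        if (!accepted.getCredDelegState()) {
            return null;
        }
        return accepted.getDelegCred();
    }

    /**
     * Middle tier: builds the first token for a back-end service using the
     * delegated credential, so the back end sees the original user.
     * backendService is in "service@host" form, e.g. "HTTP@backend.example.test"
     * (a constructed placeholder, not a name from the post).
     */
    static byte[] firstTokenFor(String backendService, GSSCredential delegated)
            throws GSSException {
        if (delegated == null) {
            throw new IllegalArgumentException("no delegated credential available");
        }
        GSSManager manager = GSSManager.getInstance();
        GSSName target = manager.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                target, new Oid(KRB5_MECH_OID), delegated, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // have the back end prove its identity too
        // Initiators pass an empty input token on the first call.
        return ctx.initSecContext(new byte[0], 0, 0);
    }
}
```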
