[jboss-user] [Security & JAAS/JBoss] - Error 401 in jboss Negotiation war for the secured test
ellis2323
do-not-reply at jboss.com
Sat Feb 28 20:48:54 EST 2009
Hello,
My full story with FreeIPA and jboss negotiation could be found on my blog: ellis2323.blogspot.com
To do short:
- i have installed to VM with Fedora Core 10
- i have installed FreeIPA on the first
- i have installed a server on the second
Kerberos is working. I can use ssh without prompting ssh!!!
My goal: build a webservice to browse a filesystem. I have already done it with python with "root" access. Now i want use impersonation with JAAS and Delegation with Kerberos to use the SSH service to access a filesystem.
Now i have installed jboss and jboss-negotiation-toolkit.war (2.0.3GA).
But i can't have the third test working. I have search during 3 days but
no idea. The message is a checksum error :
| 2:20:21,919 INFO [BasicNegotiationServlet] No Authorization Header, sending 401
| 02:20:22,027 INFO [BasicNegotiationServlet] Authorization header received - decoding token.
| 02:20:37,558 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/java/jboss/server/default/conf/test.keytab refreshKrb5Config is false principal is host/server1.scigems.org at SCIGEMS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
| 02:20:37,582 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
| 02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,585 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18
| 02:20:37,585 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
| 02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,586 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17
| 02:20:37,587 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
| 02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,588 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16
| 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
| 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,590 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23
| 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
| 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,591 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1
| 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
| 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,593 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18
| 02:20:37,593 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
| 02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,606 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17
| 02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
| 02:20:37,608 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,609 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16
| 02:20:37,609 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
| 02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,611 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23
| 02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
| 02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
| 02:20:37,613 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
| 02:20:37,613 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1
| 02:20:37,621 INFO [STDOUT] Added key: 1version: 10
| 02:20:37,623 INFO [STDOUT] Added key: 23version: 10
| 02:20:37,623 INFO [STDOUT] Added key: 16version: 10
| 02:20:37,623 INFO [STDOUT] Added key: 17version: 10
| 02:20:37,624 INFO [STDOUT] Added key: 18version: 10
| 02:20:37,624 INFO [STDOUT] Ordering keys wrt default_tkt_enctypes list
| 02:20:37,630 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
| 02:20:37,631 INFO [STDOUT] default etypes for default_tkt_enctypes:
| 02:20:37,631 INFO [STDOUT] 3
| 02:20:37,631 INFO [STDOUT] 1
| 02:20:37,632 INFO [STDOUT] 23
| 02:20:37,632 INFO [STDOUT] 16
| 02:20:37,632 INFO [STDOUT] 17
| 02:20:37,633 INFO [STDOUT] 18
| 02:20:37,633 INFO [STDOUT] .
| 02:20:37,634 INFO [STDOUT] principal's key obtained from the keytab
| 02:20:37,635 INFO [STDOUT] Acquire TGT using AS Exchange
| 02:20:37,643 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
| 02:20:37,645 INFO [STDOUT] default etypes for default_tkt_enctypes:
| 02:20:37,646 INFO [STDOUT] 3
| 02:20:37,646 INFO [STDOUT] 1
| 02:20:37,647 INFO [STDOUT] 23
| 02:20:37,648 INFO [STDOUT] 16
| 02:20:37,648 INFO [STDOUT] 17
| 02:20:37,649 INFO [STDOUT] 18
| 02:20:37,650 INFO [STDOUT] .
| 02:20:37,650 INFO [STDOUT] >>> KrbAsReq calling createMessage
| 02:20:37,650 INFO [STDOUT] >>> KrbAsReq in createMessage
| 02:20:37,664 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=169
| 02:20:37,741 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=169
| 02:20:37,753 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274
| 02:20:37,754 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274
| 02:20:37,755 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
| 02:20:37,759 INFO [STDOUT] >>>KRBError:
| 02:20:37,760 INFO [STDOUT] cTime is Sun Sep 05 03:53:02 CEST 1976 210736382000
| 02:20:37,760 INFO [STDOUT] sTime is Sun Mar 01 02:20:37 CET 2009 1235870437000
| 02:20:37,760 INFO [STDOUT] suSec is 902837
| 02:20:37,761 INFO [STDOUT] error code is 25
| 02:20:37,763 INFO [STDOUT] error Message is Additional pre-authentication required
| 02:20:37,763 INFO [STDOUT] crealm is SCIGEMS.ORG
| 02:20:37,764 INFO [STDOUT] cname is host/server1.scigems.org
| 02:20:37,764 INFO [STDOUT] realm is SCIGEMS.ORG
| 02:20:37,765 INFO [STDOUT] sname is krbtgt/SCIGEMS.ORG
| 02:20:37,765 INFO [STDOUT] eData provided.
| 02:20:37,765 INFO [STDOUT] msgType is 30
| 02:20:37,767 INFO [STDOUT] >>>Pre-Authentication Data:
| 02:20:37,767 INFO [STDOUT] PA-DATA type = 2
| 02:20:37,767 INFO [STDOUT] PA-ENC-TIMESTAMP
| 02:20:37,769 INFO [STDOUT] >>>Pre-Authentication Data:
| 02:20:37,769 INFO [STDOUT] PA-DATA type = 19
| 02:20:37,770 INFO [STDOUT] PA-ETYPE-INFO2 etype = 18
| 02:20:37,770 INFO [STDOUT] >>>Pre-Authentication Data:
| 02:20:37,771 INFO [STDOUT] PA-DATA type = 13
| 02:20:37,771 INFO [STDOUT] KRBError received: NEEDED_PREAUTH
| 02:20:37,772 INFO [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
| 02:20:37,772 INFO [STDOUT] >>>KrbAsReq salt is SCIGEMS.ORGhostserver1.scigems.org
| 02:20:37,772 INFO [STDOUT] Pre-Authenticaton: find key for etype = 18
| 02:20:37,774 INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
| 02:20:37,775 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
| 02:20:38,016 INFO [STDOUT] >>> KrbAsReq calling createMessage
| 02:20:38,017 INFO [STDOUT] >>> KrbAsReq in createMessage
| 02:20:38,017 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=241
| 02:20:38,018 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=241
| 02:20:38,027 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609
| 02:20:38,029 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609
| 02:20:38,031 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
| 02:20:38,035 INFO [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply host/server1.scigems.org
| 02:20:38,072 INFO [STDOUT] principal is host/server1.scigems.org at SCIGEMS.ORG
| 02:20:38,073 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 16 EA 98 02 F2 C4 51 9E
| 02:20:38,074 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
| 02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
| 0010: 64 FB EF 1A 97 45 4A B0
| 02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
| 02:20:38,076 INFO [STDOUT] EncryptionKey: keyType=18 keyBytes (hex dump)=0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
| 0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
| 02:20:38,115 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org at SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=1 keyBytes (hex dump)=
| 0000: 16 EA 98 02 F2 C4 51 9E
| 02:20:38,122 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org at SCIGEMS.ORG to Subject
| 02:20:38,123 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org at SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)=
| 0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
| 02:20:38,125 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org at SCIGEMS.ORG to Subject
| 02:20:38,126 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org at SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=16 keyBytes (hex dump)=
| 0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
| 0010: 64 FB EF 1A 97 45 4A B0
| 02:20:38,126 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org at SCIGEMS.ORG to Subject
| 02:20:38,127 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org at SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=17 keyBytes (hex dump)=
| 0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
| 02:20:38,127 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org at SCIGEMS.ORG to Subject
| 02:20:38,129 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org at SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=18 keyBytes (hex dump)=
| 0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
| 0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
| 02:20:38,135 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org at SCIGEMS.ORG to Subject
| 02:20:38,136 INFO [STDOUT] Commit Succeeded
| 02:20:38,263 INFO [STDOUT] Found key for host/server1.scigems.org at SCIGEMS.ORG(18)
| 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org at SCIGEMS.ORG(1)
| 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org at SCIGEMS.ORG(23)
| 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org at SCIGEMS.ORG(16)
| 02:20:38,265 INFO [STDOUT] Found key for host/server1.scigems.org at SCIGEMS.ORG(17)
| 02:20:38,296 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
| 02:20:38,301 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
| 02:20:38,306 ERROR [STDERR] Checksum failed !
| 02:20:38,311 ERROR [SPNEGOLoginModule] Unable to authenticate
| GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
| at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
| at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
| at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.Subject.doAs(Subject.java:357)
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
| at java.lang.reflect.Method.invoke(Method.java:616)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
| at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
| at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
| at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
| at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
| at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
| at java.lang.Thread.run(Thread.java:636)
| Caused by: KrbException: Checksum failed
| at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
| at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
| at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
| at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
| at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
| at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
| at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
| ... 36 more
| Caused by: java.security.GeneralSecurityException: Checksum failed
| at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446)
| at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269)
| at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
| at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
| ... 42 more
| 02:20:38,316 INFO [STDOUT] [Krb5LoginModule]: Entering logout
| 02:20:38,317 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
|
View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4213977#4213977
Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4213977
More information about the jboss-user
mailing list