Georg Weber created SLING-7774:
----------------------------------

             Summary: Integrate Kerberos into Apache Sling
                 Key: SLING-7774
                 URL: https://issues.apache.org/jira/browse/SLING-7774
             Project: Sling
          Issue Type: Bug
          Components: Authentication
            Reporter: Georg Weber


Probably this is not a bug, but we tried to enable Kerberos authentication in 
Sling and were not able to accomplish it. The documentation also gives us no hint 
on how to do that.

What would be the correct way to add Kerberos authentication to Sling?

This is what we did:

First of all we changed all default JAAS entries in the "Apache Felix JAAS 
Configuration Factory" to "Control Flag"="sufficient".

Then we added a JAAS Kerberos configuration with "Ranking"=0, "Class 
Name"="com.sun.security.auth.module.Krb5LoginModule", an empty "Realm" and the 
following options:

{code:java}
doNotPrompt=true
principal="http/dnsname@windows_domain_name"
useKeyTab=true
keyTab="/opt/sling/krb5.keytab"
storeKey=true
{code}

When running a `curl -u : --negotiate` against the web server, we get the 
following error:

 
{code:java}
> GET /bin/browser.html HTTP/1.1
> Host: dnsname
> User-Agent: curl/7.59.0
> Accept: */*
>
< HTTP/1.1 500 Server Error
< Server: nginx/1.13.8
< Date: Tue, 10 Jul 2018 15:05:12 GMT
< Content-Type: text/html;charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>500 Internal Server Error</title>
</head>
<body>
<h1>Internal Server Error (500)</h1>
<p>The requested URL /bin/browser.html resulted in an error in com.composum.sling.nodes.browser.BrowserServlet.</p>
<h3>Exception:</h3>
<pre>
java.lang.NullPointerException
 at com.composum.sling.core.util.LinkUtil.getExtension(LinkUtil.java:342)
 at com.composum.sling.core.util.LinkUtil.getExtension(LinkUtil.java:299)
 at com.composum.sling.core.util.LinkUtil.getUrl(LinkUtil.java:136)
 at com.composum.sling.core.util.LinkUtil.getUrl(LinkUtil.java:94)
 at com.composum.sling.core.util.LinkUtil.getUrl(LinkUtil.java:45)
 at com.composum.sling.core.servlet.AbstractConsoleServlet.doGet(AbstractConsoleServlet.java:80)
 at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:266)
 at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:342)
 at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:374)
 at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552)
 at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:44)
 at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:77)
 at org.apache.sling.engine.impl.SlingRequestProcessorImpl.processComponent(SlingRequestProcessorImpl.java:282)
 at org.apache.sling.engine.impl.filter.RequestSlingFilterChain.render(RequestSlingFilterChain.java:49)
 at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:77)
 at org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter.doFilter(RequestProgressTrackerLogFilter.java:107)
 at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:68)
 at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:131)
 at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:68)
 at org.apache.sling.engine.impl.SlingRequestProcessorImpl.doProcessRequest(SlingRequestProcessorImpl.java:151)
 at org.apache.sling.engine.impl.SlingMainServlet.service(SlingMainServlet.java:234)
 at org.apache.felix.http.base.internal.handler.ServletHandler.handle(ServletHandler.java:120)
 at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:86)
 at org.apache.felix.http.sslfilter.internal.SslFilter.doFilter(SslFilter.java:96)
 at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:135)
 at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:81)
 at org.apache.sling.i18n.impl.I18NFilter.doFilter(I18NFilter.java:131)
 at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:135)
 at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:81)
 at org.apache.sling.engine.impl.log.RequestLoggerFilter.doFilter(RequestLoggerFilter.java:72)
 at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:135)
 at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:81)
 at org.apache.sling.engine.impl.parameters.RequestParameterSupportConfigurer.doFilter(RequestParameterSupportConfigurer.java:63)
 at org.apache.felix.http.base.internal.handler.FilterHandler.handle(FilterHandler.java:135)
 at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:81)
 at org.apache.felix.http.base.internal.dispatch.Dispatcher$1.doFilter(Dispatcher.java:146)
 at org.apache.felix.http.base.internal.whiteboard.WhiteboardManager.invokePreprocessors(WhiteboardManager.java:1000)
 at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:91)
 at org.apache.felix.http.base.internal.dispatch.DispatcherServlet.service(DispatcherServlet.java:49)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
 at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:864)
 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:535)
 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
 at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
 at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
 at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
 at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
 at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)
 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
 at org.eclipse.jetty.server.Server.handle(Server.java:531)
 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:352)
 at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:281)
 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102)
 at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
 at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:319)
 at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:175)
 at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:133)
 at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:754)
 at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:672)
 at java.lang.Thread.run(Thread.java:748)
</pre>
<h3>Request Progress:</h3>
<pre>
 0 TIMER_START{Request Processing}
 1 COMMENT timer_end format is {&lt;elapsed microseconds&gt;,&lt;timer name&gt;} &lt;optional message&gt;
 7 LOG Method=GET, PathInfo=null
 9 TIMER_START{handleSecurity}
 935 TIMER_END{924,handleSecurity} authenticator org.apache.sling.auth.core.impl.SlingAuthenticator@135b75c4 returns true
 1688 TIMER_START{ResourceResolution}
 1774 TIMER_END{83,ResourceResolution} URI=/bin/browser.html resolves to Resource=ServletResource, servlet=com.composum.sling.nodes.browser.BrowserServlet, path=/bin/browser
 1790 LOG Resource Path Info: SlingRequestPathInfo: path=&apos;/bin/browser&apos;, selectorString=&apos;null&apos;, extension=&apos;html&apos;, suffix=&apos;null&apos;
 1790 TIMER_START{ServletResolution}
 1794 TIMER_START{resolveServlet(/bin/browser)}
 1806 TIMER_END{11,resolveServlet(/bin/browser)} Using servlet com.composum.sling.nodes.browser.BrowserServlet
 1808 TIMER_END{17,ServletResolution} URI=/bin/browser.html handled by Servlet=com.composum.sling.nodes.browser.BrowserServlet
 1811 LOG Applying Requestfilters
 1818 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
 1822 LOG Calling filter: org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter
 1828 LOG Applying Componentfilters
 1836 TIMER_START{com.composum.sling.nodes.browser.BrowserServlet#0}
 2150 TIMER_END{313,com.composum.sling.nodes.browser.BrowserServlet#0}
 2194 LOG Filter timing: filter=org.apache.sling.engine.impl.debug.RequestProgressTrackerLogFilter, inner=0, total=0, outer=0
 2707 LOG Applying Error filters
 2710 LOG Calling filter: org.apache.sling.i18n.impl.I18NFilter
 2718 TIMER_START{handleError:throwable=java.lang.NullPointerException}
 3386 TIMER_END{667,handleError:throwable=java.lang.NullPointerException} Using handler org.apache.sling.servlets.resolver.internal.defaults.DefaultErrorHandlerServlet
 4113 TIMER_END{4112,Request Processing} Dumping SlingRequestProgressTracker Entries
</pre>
<hr>
<address>ApacheSling/2.6 (jetty/9.4.9.v20180320, OpenJDK 64-Bit Server VM 1.8.0_151, Linux 4.4.0-119-generic amd64)</address>
</body>
</html>
{code}

When doing the same against /system/console/bundles the reply is
{code:java}
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.13.8
< Date: Tue, 10 Jul 2018 15:18:30 GMT
< Content-Length: 0
< Connection: keep-alive
< WWW-Authenticate: Basic realm="OSGi Management Console"
<
{code}
Here we are missing the "WWW-Authenticate: Negotiate" header.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
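
As an added example (not part of the original report and not Sling code): a small Python check that reads `curl -v` output like the transcripts above and lists which authentication schemes the server offered, so a reply that lacks a `Negotiate` challenge is flagged mechanically. The sample transcripts are constructed from the 401 reply in the report, and the function names are illustrative.

```python
import re

# Constructed sample in `curl -v` layout ("> " request, "< " response), modelled
# on the 401 reply in the report; the second variant is what a reply that also
# offers SPNEGO would look like.
BASIC_ONLY = '''> GET /system/console/bundles HTTP/1.1
> Host: dnsname
>
< HTTP/1.1 401 Unauthorized
< Content-Length: 0
< WWW-Authenticate: Basic realm="OSGi Management Console"
<
'''
WITH_NEGOTIATE = BASIC_ONLY.replace("Basic realm", "Negotiate, Basic realm")


def offered_schemes(header_value):
    """Return the auth schemes (lower-cased) named in one WWW-Authenticate value."""
    # Blank out quoted strings first: commas inside a realm are data, not separators.
    unquoted = re.sub(r'"(?:[^"\\]|\\.)*"', '""', header_value)
    schemes = []
    for part in unquoted.split(","):
        m = re.match(r"\s*([^\s=,]+)(\s*=)?", part)
        if m and not m.group(2):  # "name=value" is a parameter of the previous scheme
            schemes.append(m.group(1).lower())
    return schemes


def analyse(transcript):
    """Summarise one request/response pair from `curl -v` output."""
    result = {"status": None, "sent_authorization": None, "offered": []}
    for line in transcript.splitlines():
        direction, _, text = line.partition(" ")
        name, _, value = text.partition(":")
        name = name.strip().lower()
        if direction == ">" and name == "authorization" and value.split():
            result["sent_authorization"] = value.split()[0].lower()
        elif direction == "<" and text.startswith("HTTP/") and result["status"] is None:
            result["status"] = int(text.split()[1])
        elif direction == "<" and name == "www-authenticate":
            result["offered"] += offered_schemes(value)
    result["negotiate_offered"] = "negotiate" in result["offered"]
    return result


if __name__ == "__main__":
    for label, sample in (("basic only", BASIC_ONLY), ("with negotiate", WITH_NEGOTIATE)):
        print(label, analyse(sample))
```

Run against the two transcripts in the report, it returns status 500 with no `Authorization` header sent for `/bin/browser.html`, and status 401 with only `basic` offered for `/system/console/bundles`.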
