Hello,
I deployed my app in a JBoss server hosted on a Windows XP machine. The Kerberos MIT server is hosted on a Unix machine and I configured the JBoss negotiation module as documented; it worked like a treat! The app deployed in JBoss is a multi-tier... and therefore my final goal is to achieve Kerberos credential delegation. Unfortunately, I am sort of stuck right at the beginning because I cannot get anything from the jGSS API and I am not sure I am using it well as I am new to this API... Anyway, after a successful SPNEGO authentication, I cannot get anything more than what is displayed on the Secured Servlet in the jboss-negotiation-toolkit... I tried to get the GSSContext to enable delegation, tried to retrieve a TGT or Credentials.getDefaultCredentials() and none of these things worked. So if anybody has some code snippets to share, I would be grateful!

For the time being, I copy-paste the content of the logs demonstrating a successful authentication in case somebody sees something wrong:

10:12:56,403 DEBUG [NegotiationAuthenticator] Header - null
10:12:56,403 DEBUG [NegotiationAuthenticator] No Authorization Header, sending 401
10:12:56,543 DEBUG [NegotiationAuthenticator] Header - Negotiate
10:12:56,621 DEBUG [NegotiationAuthenticator] Creating new NegotiationContext
10:12:56,731 DEBUG [SPNEGOLoginModule] serverSecurityDomain=bcoiffe
10:12:56,746 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null KeyTab is C:/ECLIPSE_WORKSPACES/coral_fev2009/Kensington/jboss-4.2.2.GA/server/bcoiffe4.keytab refreshKrb5Config is false principal is HTTP/bcoiffe.company....@company.net tryFirstPass is false useFirstPass is false storePass is false clearPass is false
10:12:56,746 INFO [STDOUT] principal's key obtained from the keytab
10:12:56,793 INFO [STDOUT] principal is HTTP/bcoiffe.company....@company.net
10:12:56,840 INFO [STDOUT] Acquire TGT using AS Exchange
10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 5D FD 1C DF 6B 01 64 B6
10:12:56,856 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
0010: DC 26 FB A4 04 8F E9 BF
10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company....@company.netkey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.
10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company....@company.net to Subject
10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company....@company.netkey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 5D FD 1C DF 6B 01 64 B6
10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company....@company.net to Subject
10:12:56,856 INFO [STDOUT] Added server's keyKerberos Principal HTTP/bcoiffe.company....@company.netkey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
0010: DC 26 FB A4 04 8F E9 BF
10:12:56,856 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HTTP/bcoiffe.company....@company.net to Subject
10:12:56,856 INFO [STDOUT] Commit Succeeded
10:12:56,871 DEBUG [SPNEGOLoginModule] Subject = Subject:
Principal: HTTP/bcoiffe.company....@company.net
Private Credential: Ticket (hex) =
Client Principal = HTTP/bcoiffe.company....@company.net
Server Principal = krbtgt/company....@company.net
Session Key = EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 13 A4 A4 94 C1 F8 2F 1F

Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Sat Feb 21 10:12:49 GMT 2009
Start Time = Sat Feb 21 10:12:49 GMT 2009
End Time = Sat Feb 21 20:12:49 GMT 2009
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal HTTP/bcoiffe.company....@company.netkey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 88 34 EC E5 2B A3 04 3E 0C 63 55 EA 22 FB 28 BE .4..+..>.cU.".(.

Private Credential: Kerberos Principal HTTP/bcoiffe.company....@company.netkey Version 4key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 5D FD 1C DF 6B 01 64 B6

Private Credential: Kerberos Principal HTTP/bcoiffe.company....@company.netkey Version 4key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: FB F7 6D 9D C7 0E 8C 9D 29 D3 97 EF FB 91 8A 6B ..m.....)......k
0010: DC 26 FB A4 04 8F E9 BF

10:12:56,871 DEBUG [SPNEGOLoginModule] Logged in 'bcoiffe' LoginContext
10:12:56,871 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
10:12:56,965 DEBUG [SPNEGOLoginModule] context.getCredDelegState() = false
10:12:56,965 DEBUG [SPNEGOLoginModule] context.getMutualAuthState() = false
10:12:56,965 DEBUG [SPNEGOLoginModule] context.getSrcName() = isens...@company.net
10:12:56,965 DEBUG [SPNEGOLoginModule] Storing username 'isens...@company.net' and empty password
10:12:56,965 INFO [STDOUT] [Krb5LoginModule]: Entering logout
10:12:56,965 INFO [STDOUT] [Krb5LoginModule]: logged out Subject

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4212028#4212028
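
An added example, not part of the original post and not JBoss Negotiation code: a small triage script for SPNEGOLoginModule / Krb5LoginModule debug output like the log above, reporting the delegation and mutual-authentication state of the accepted context and any deprecated Kerberos encryption types that appear. The sample lines and the principal `user@EXAMPLE.TEST` are constructed; the function and field names are illustrative.

```python
import re

# Kerberos enctype numbers (IANA registry) for keyType values in Krb5LoginModule debug output.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "rc4-hmac"}
# Deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {1, 3, 16, 23}

STATE_RE = re.compile(r"context\.get(CredDeleg|MutualAuth)State\(\) = (true|false)")
SRC_RE = re.compile(r"context\.getSrcName\(\) = (\S+)")
KEY_RE = re.compile(r"EncryptionKey: keyType=(\d+)")


def triage(log_text):
    """Summarise delegation state and key types seen in SPNEGO debug output.

    Works on one-entry-per-line logs and on logs flattened onto one line,
    because every pattern is searched over the whole text.
    """
    states = {name: value == "true" for name, value in STATE_RE.findall(log_text)}
    src = SRC_RE.search(log_text)
    key_types = sorted({int(k) for k in KEY_RE.findall(log_text)})
    findings = []
    if states.get("CredDeleg") is False:
        findings.append("no delegated credential reached the acceptor")
    if states.get("MutualAuth") is False:
        findings.append("mutual authentication was not established")
    for kt in key_types:
        if kt in DEPRECATED:
            findings.append(f"deprecated enctype {kt} ({ENCTYPES[kt]}) appears in the log")
    return {"cred_deleg": states.get("CredDeleg"), "mutual_auth": states.get("MutualAuth"),
            "src_name": src.group(1) if src else None,
            "key_types": key_types, "findings": findings}


# Constructed sample in the format of the post (principal is a placeholder).
SAMPLE = (
    "10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)= | "
    "10:12:56,840 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)= | "
    "10:12:56,965 DEBUG [SPNEGOLoginModule] context.getCredDelegState() = false | "
    "10:12:56,965 DEBUG [SPNEGOLoginModule] context.getMutualAuthState() = false | "
    "10:12:56,965 DEBUG [SPNEGOLoginModule] context.getSrcName() = user@EXAMPLE.TEST | "
)

if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print("-", finding)
```
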