9 Replies Latest reply: Jan 15, 2013 2:08 PM by Bruno Mateus

EJB3 and SPNego/Kerberos

Anil Saldhana Master
  • 1. EJB3 and SPNego/Kerberos
    schorsch07 Newbie

    Hello Anil,

     

    I tried to use SSO with EJB.

     

    I downloaded the JBoss Server 5.1.0GA and the jboss-negotiation.jar that can be found on the page. As I never worked with JBoss 5.x I copied the jar to [JBOSS]/common/lib and [JBOSS]/server/default/lib. I replaced the existing jar. 

    Then I deployed the EJB that is also on the page.

     

    Then I started the client side java program.

    As I did not start the program from the client folder of JBoss I had to copy many jars into my folder where I put my class file to avoid this error: 

    java.lang.ClassCastException: javax.naming.Reference

     

    Running the program throws an exception on the server side:

     

    08:48:00,487 ERROR [SocketServerInvoker] Thread[AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]],5,jboss] failed to handle socket

    java.io.IOException: java.lang.NegativeArraySizeException

            at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:137)

            at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1109)

            at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:70)

            at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1020)

    Caused by: java.lang.NegativeArraySizeException

            at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:181)

            at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132)

            ... 3 more

     

    The only difference between the configurations is this:

    <module-option name="principal">jboss/mmoyses@EXAMPLE.COM</module-option>

    As I do not know jboss/... I tried this: 

    <module-option name="principal">http/server.example.com@EXAMPLE.COM</module-option>

    and

    <module-option name="principal">host/server.example.com@EXAMPLE.COM</module-option>

  • 2. EJB3 and SPNego/Kerberos
    schorsch07 Newbie

    Changing some classes and the configuration let me go further. But at the end I still do not have success.

     

    Invoking the test client on the server side there is an exception:

    2011-01-12 15:32:10,654 ERROR [org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket] (AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]]) Error parsing/decoding ticket: Checksum failed

    org.jboss.security.negotiation.NegotiationException: Checksum failed

        at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:78)

        at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:67)

        at org.jboss.security.negotiation.spnego.encoding.TokenParser.decrypt(TokenParser.java:291)

        at org.jboss.security.negotiation.spnego.encoding.TokenParser.handleEncryptedData(TokenParser.java:188)

        at org.jboss.security.negotiation.spnego.encoding.TokenParser.parseToken(TokenParser.java:78)

        at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.getClientPrincipal(SPNEGOServerSocket.java:344)

        at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:211)

        at org.jboss.security.negotiation.spnego.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132)

        at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1109)

        at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:70)

        at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1020)

    Caused by: java.security.GeneralSecurityException: Checksum failed

        at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:125)

        at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:74)

        ... 10 more

     

    I checked and rechecked the keytab files on the client and server side.

     

    Even though this exception is thrown, the login modules run successfully. It seems that the login modules are invoked two times. The first time is when looking up the bean. Then the user roles are set correctly:

    2011-01-12 15:32:10,670 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]]) Checking user: user@EXAMPLE.COM, roles string:JBossAdmin,HttpInvoker,Users

    2011-01-12 15:32:10,670 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (AcceptorThread[ServerSocket[addr=/192.168.220.10,port=0,localport=3873]]) Adding to Roles: JBossAdmin,HttpInvoker,Users

     

    If the method is invoked, the SPNEGOLoginModule has lost its NegotiationContext or has never created one.

     

    Now I am not sure where my error is. Is it only a configuration error, and what should be done to get it working?

     

    What I changed:

     

    1. InitSPNEGOContextAction.java

        GSSName serverName = manager.createName("jboss/mmoyses", null);

        --> Changed the nameString (just to test if this helps)

     

    2. ejb3-connectory-jboss-beans.xml

         As the socketFactory parameter never ran, I also added a socketFactoryClassName=...

     

    Thank you,

    Georg

  • 3. EJB3 and SPNego/Kerberos
    Craig Duerr Newbie

    Hi Anil,

     

    This is very cool stuff - I am thrilled you are working on it.

     

    I have a webStart application that uses jboss remoting (and JBoss 4.2.2) and the Http:univoker for SSL and port 8080 Firewall friendly access. What are your thoughts on Spnego/Kerberos and EJB3 with Jboss remoting over the Unified Invoker? Is this going to be a configuration task or is there some technical barrier to getting it accomplished?

     

    Thanks,

     

    Craig

  • 4. Re: EJB3 and SPNego/Kerberos
    Jan Snelders Newbie

    Some feedback as requested by Anil (I tried this on JBoss 6.0.0 with JBoss Negotiation 2.1.0):

     

    I ran into the same error as Georg mentioned.

     

    I just finished a successful implementation of a custom SSO Kerberos login module for Glassfish to access EJB3s from a Swing client, so I'm sure my Kerberos/Windows AD configuration, keytab etc. are correct.

     

    16:21:07,121 ERROR [org.jboss.security.negotiation.net.SPNEGOServerSocket] Error parsing/decoding ticket: Checksum failed: org.jboss.security.negotiation.NegotiationException: Checksum failed

            at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:78) [:2.1.0.GA]

            at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:67) [:2.1.0.GA]

            at org.jboss.security.negotiation.spnego.encoding.TokenParser.decrypt(TokenParser.java:291) [:2.1.0.GA]

            at org.jboss.security.negotiation.spnego.encoding.TokenParser.handleEncryptedData(TokenParser.java:188) [:2.1.0.GA]

            at org.jboss.security.negotiation.spnego.encoding.TokenParser.parseToken(TokenParser.java:78) [:2.1.0.GA]

            at org.jboss.security.negotiation.net.SPNEGOServerSocket.getClientPrincipal(SPNEGOServerSocket.java:344) [:2.1.0.GA]

            at org.jboss.security.negotiation.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:211) [:2.1.0.GA]

            at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132) [:2.1.0.GA]

            at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1145) [:6.0.0.Final]

            at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:69) [:6.0.0.Final]

            at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1056) [:6.0.0.Final]

    Caused by: java.security.GeneralSecurityException: Checksum failed

            at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:125) [:2.1.0.GA]

            at org.jboss.security.negotiation.cipher.ArcFourHmacDecoder.decrypt(ArcFourHmacDecoder.java:74) [:2.1.0.GA]

            ... 10 more

     

     

    Would love to receive some directions to solve this or hear some experiences from other users.

     

     

    I think there is one typo in the original article:

     

    <parameter>socket:.....SPNEGOSocketFactory&useAllSocketFactoryParams=true</parameter>

     

    Should be ("&" should be "&amp;")

     

    <parameter>socket:.....SPNEGOSocketFactory&amp;useAllSocketFactoryParams=true</parameter>

  • 5. Re: EJB3 and SPNego/Kerberos
    lauerc Newbie

    Hi Georg,

     

    I'm currently stuck at the NegativeArraySize problem too. Do you know what you've changed to get further?

    Did you also solve the "Checksum failed" - problem in the meantime?

     

    Thanks in advance for your help

    Christian

  • 6. Re: EJB3 and SPNego/Kerberos
    schorsch07 Newbie

    Hi Christian,

     

    As I mentioned above, I only changed the class InitSPNEGOContextAction.java and the ejb3-connectory-jboss-beans.xml, as Jan also mentioned. But I gave up using SSO with JBoss 4.2.3, as I never could solve the "Checksum failed" problem.

     

    Hope this helps - good luck,

    Georg

  • 7. Re: EJB3 and SPNego/Kerberos
    lauerc Newbie

    Hi Georg,

     

    I've put a breakpoint at the line you've mentioned, but this one is never reached.

    Also this class is used by the SPNEGOSocket class, but the NegativeArraySizeException occurs in the SPNEGOServerSocket class.

     

    I'm trying to use this stuff in JBoss AS 5.1.0.GA. Now I've tried it again after setting up a clean Kerberos configuration, but the NegativeArraySizeException problem remained.

     

    I've changed the code a bit and have found out that the client for my test always sends an int of -1393754107 for the first 4 bytes (0xac, 0xed, 0x00, 0x05) that are processed by the server code which causes the problem.

     

    I suspect that something else needs to be configured at the client side, as I've checked the steps in the description over and over. Any Ideas?

     

    Kind regards

    Christian
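Added example, not part of the thread and not JBoss Negotiation code: the four bytes reported above (0xac, 0xed, 0x00, 0x05) are the Java object-serialization stream header (`ObjectStreamConstants.STREAM_MAGIC` followed by `STREAM_VERSION`), and read as a big-endian int they give the -1393754107 from the post. The sketch below shows a length-prefixed read that checks the prefix before allocating and reports that header explicitly. It assumes the receiver reads a 4-byte length and then allocates an array of that size, which matches the NegativeArraySizeException in the traces but is not taken from the library source; `LengthPrefixCheck`, `readToken` and `MAX_TOKEN` are hypothetical names.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectStreamConstants;

// Added illustration; names and the size limit are assumptions, not library code.
public class LengthPrefixCheck {
    static final int MAX_TOKEN = 64 * 1024; // assumed upper bound for a token

    // Reads a 4-byte big-endian length followed by that many bytes and
    // rejects an implausible length before any array is allocated.
    static byte[] readToken(DataInputStream in) throws IOException {
        int len = in.readInt();
        short hi = (short) (len >>> 16);
        short lo = (short) len;
        if (hi == ObjectStreamConstants.STREAM_MAGIC
                && lo == ObjectStreamConstants.STREAM_VERSION) {
            throw new IOException("peer sent a Java serialization stream header"
                    + " (0xACED0005), not a length-prefixed token");
        }
        if (len < 0 || len > MAX_TOKEN) {
            throw new IOException("implausible token length: " + len);
        }
        byte[] token = new byte[len];
        in.readFully(token); // fails with EOFException on a short frame
        return token;
    }

    static DataInputStream stream(byte[] data) {
        return new DataInputStream(new ByteArrayInputStream(data));
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: the four bytes quoted in the post.
        byte[] reported = {(byte) 0xac, (byte) 0xed, 0x00, 0x05};
        System.out.println("as int: " + stream(reported).readInt());
        try {
            readToken(stream(reported));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Constructed well-formed frame: length 3, then three payload bytes.
        byte[] ok = {0, 0, 0, 3, 0x60, 0x01, 0x02};
        System.out.println("token bytes: " + readToken(stream(ok)).length);
    }
}
```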

  • 8. Re: EJB3 and SPNego/Kerberos
    sylvain decout Newbie

    Hi,

     

    This tutorial is very interesting, but it leads me to the same problem as Christian, even though I've been using Jboss AS 6.1.0 and Negotiation 2.1.0 (GA):

    17:37:40,953 ERROR [org.jboss.remoting.transport.socket.SocketServerInvoker] Thread[AcceptorThread[ServerSocket[addr=/127.0.0.1,port=0,localport=3873]],5,jboss] failed to handle socket: java.io.IOException: java.lang.NegativeArraySizeException

      at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:137) [:2.1.0.GA]

      at org.jboss.remoting.transport.socket.SocketServerInvoker.accept(SocketServerInvoker.java:1169) [:6.1.0.Final]

      at org.jboss.remoting.transport.socket.SocketServerInvoker.access$200(SocketServerInvoker.java:69) [:6.1.0.Final]

      at org.jboss.remoting.transport.socket.SocketServerInvoker$AcceptThread.run(SocketServerInvoker.java:1080) [:6.1.0.Final]

    Caused by: java.lang.NegativeArraySizeException

      at org.jboss.security.negotiation.net.SPNEGOServerSocket.acceptSocket(SPNEGOServerSocket.java:181) [:2.1.0.GA]

      at org.jboss.security.negotiation.net.SPNEGOServerSocket.accept(SPNEGOServerSocket.java:132) [:2.1.0.GA]

      ... 3 more

     

    Do you have any idea about the cause of this problem and how to solve it? Thanks.

  • 9. Re: EJB3 and SPNego/Kerberos
    Bruno Mateus Newbie

    Hi all,

     

    Can anyone help me to set up EJB3 authentication when using JBoss Negotiation 2.1.1 on JBoss 4.2.3? JBoss Negotiation is really a nice solution but I'm having some problems detailed on https://community.jboss.org/thread/219727?tstart=0

     

    Thanks in advance.