Help with kerberos, Active Directory & LoginModules
bentins Apr 10, 2006 12:33 PM

I'm using the jcifs SPNEGO solution (I got the info from the WIKI http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos, and
http://lists.samba.org/archive/jcifs/2004-June/003497.html on the JBoss site). I configured JBoss in the following way:
login-config.xml:
<application-policy name="SPNEGO">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="useTicketCache">true</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>
I have a small war and within it the following:
web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <filter>
    <filter-name>auth</filter-name>
    <filter-class>jcifs.http.AuthenticationFilter</filter-class>
    <init-param>
      <param-name>java.security.auth.login.config</param-name>
      <param-value>/WEB-INF/login.conf</param-value>
    </init-param>
    <!--
    <init-param>
      <param-name>javax.security.auth.useSubjectCredsOnly</param-name>
      <param-value>false</param-value>
    </init-param>
    -->
    <init-param>
      <param-name>jcifs.spnego.servicePrincipal</param-name>
      <param-value>HTTP/emi34.emi.com@EMI.COM</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.spnego.servicePassword</param-name>
      <param-value>Qwer4321</param-value>
    </init-param>
    <init-param>
      <param-name>sun.security.krb5.debug</param-name>
      <param-value>true</param-value>
    </init-param>
    <!--
    <init-param>
      <param-name>java.security.krb5.conf</param-name>
      <param-value>/WEB-INF/krb5.conf</param-value>
    </init-param>
    -->
    <init-param>
      <param-name>java.security.krb5.realm</param-name>
      <param-value>EMI.COM</param-value>
    </init-param>
    <init-param>
      <param-name>java.security.krb5.kdc</param-name>
      <param-value>dc02.emi.com</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.smb.client.domain</param-name>
      <param-value>EMI</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.http.enableNegotiate</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.http.basicRealm</param-name>
      <param-value>EMI.COM</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.http.domainController</param-name>
      <param-value>DC02.emi.com</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>auth</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
and jboss-web.xml

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
  <security-domain>java:/jaas/SPNEGO</security-domain>
</jboss-web>
When I try to reach the index.jsp in the war, I can see in the trace that the authentication filter is activated, that I get the token, and that login is invoked on the LoginContext. However, I get the following exception:
18:52:58,757 TRACE [WebAppClassLoader] filter name=org.jboss.security.auth.spi.UsersRolesLoginModule, exclude=false
18:52:58,797 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:268)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:171)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:185)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:112)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at jcifs.spnego.Authentication.processKerberos(Authentication.java:401)
    at jcifs.spnego.Authentication.processSpnego(Authentication.java:325)
    at jcifs.spnego.Authentication.process(Authentication.java:224)
    at jcifs.http.Negotiate.authenticate(Negotiate.java:45)
    at jcifs.http.AuthenticationFilter.doFilter(AuthenticationFilter.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:159)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
    at java.lang.Thread.run(Thread.java:595)
18:52:58,807 INFO [STDOUT] jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException
My question is: why is 'org.jboss.security.auth.spi.UsersRolesLoginModule' being called and not my Kerberos LoginModule defined in SPNEGO in login-config.xml? As I understand it, by putting the jboss-web.xml in as I did, I am telling Tomcat that the application should use the SPNEGO-defined LoginModule?

I've been trying all sorts of configurations to have SSO with Active Directory and my JBoss application; this seemed the most promising, but still no luck. I will gladly accept other solutions that will work with Kerberos, Active Directory and SPNEGO.
Thanks
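The trace above matches the standard JAAS lookup rule: when a LoginContext is created with a name that has no entry in the login configuration, the entry named "other" is used instead, and the stock JBoss login-config.xml defines "other" with UsersRolesLoginModule; the security-domain in jboss-web.xml names the container's realm and does not change which entry a filter-created LoginContext asks for. The Python below is an illustration added here, not code from the thread, jcifs or JBoss: it models that lookup over a constructed login-config.xml, where the contents of the "other" entry and the undeclared context name are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed login-config.xml: the poster's SPNEGO policy plus the stock JBoss
# "other" policy (assumption: the default "other" entry backed by
# UsersRolesLoginModule is still present in the installation).
LOGIN_CONFIG = """<policy>
  <application-policy name="SPNEGO">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="useTicketCache">true</module-option>
        <module-option name="doNotPrompt">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>
"""


def load_policies(xml_text):
    """Map each application-policy name to its ordered (code, flag) modules."""
    root = ET.fromstring(xml_text)
    policies = {}
    for policy in root.findall("application-policy"):
        modules = [(lm.get("code"), lm.get("flag"))
                   for lm in policy.findall("authentication/login-module")]
        policies[policy.get("name")] = modules
    return policies


def resolve_login_modules(policies, context_name):
    """Mimic the JAAS Configuration lookup behind new LoginContext(name):
    search by name, and if no entry exists use the entry named "other".
    Returns (entry_used, modules)."""
    if context_name in policies:
        return context_name, policies[context_name]
    if "other" in policies:
        return "other", policies["other"]
    raise LookupError("no entry for %r and no 'other' fallback" % context_name)


if __name__ == "__main__":
    policies = load_policies(LOGIN_CONFIG)
    # "undeclared-context-name" is hypothetical: any name missing from
    # login-config.xml lands on "other", i.e. on UsersRolesLoginModule.
    for name in ("SPNEGO", "undeclared-context-name"):
        used, mods = resolve_login_modules(policies, name)
        print("LoginContext(%r) -> entry %r -> %s" % (name, used, [c for c, _ in mods]))
```

Checking which entry name the filter's LoginContext actually requests (the Krb5 debug output and login.conf referenced in web.xml are the places to look) tells you whether SPNEGO or "other" is the entry being resolved.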