2 Replies Latest reply: Aug 31, 2006 3:50 AM by Bo Friis

Help with kerberos, Active Directory & LoginModules

Shai Bentin Newbie

I'm using the jcifs SPNEGO solution (I got the info from the wiki http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos and http://lists.samba.org/archive/jcifs/2004-June/003497.html on the JBoss site). I configured JBoss in the following way:

login-config.xml:

<application-policy name="SPNEGO">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="useTicketCache">true</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>


I have a small war and within it the following:

web.xml:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <filter>
    <filter-name>auth</filter-name>
    <filter-class>jcifs.http.AuthenticationFilter</filter-class>

    <init-param>
      <param-name>java.security.auth.login.config</param-name>
      <param-value>/WEB-INF/login.conf</param-value>
    </init-param>

    <!--
    <init-param>
      <param-name>javax.security.auth.useSubjectCredsOnly</param-name>
      <param-value>false</param-value>
    </init-param>
    -->
    <init-param>
      <param-name>jcifs.spnego.servicePrincipal</param-name>
      <param-value>HTTP/emi34.emi.com@EMI.COM</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.spnego.servicePassword</param-name>
      <param-value>Qwer4321</param-value>
    </init-param>
    <init-param>
      <param-name>sun.security.krb5.debug</param-name>
      <param-value>true</param-value>
    </init-param>
    <!--
    <init-param>
      <param-name>java.security.krb5.conf</param-name>
      <param-value>/WEB-INF/krb5.conf</param-value>
    </init-param>
    -->
    <init-param>
      <param-name>java.security.krb5.realm</param-name>
      <param-value>EMI.COM</param-value>
    </init-param>
    <init-param>
      <param-name>java.security.krb5.kdc</param-name>
      <param-value>dc02.emi.com</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.smb.client.domain</param-name>
      <param-value>EMI</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.http.enableNegotiate</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.http.basicRealm</param-name>
      <param-value>EMI.COM</param-value>
    </init-param>
    <init-param>
      <param-name>jcifs.http.domainController</param-name>
      <param-value>DC02.emi.com</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>auth</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>


and jboss-web.xml:

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE jboss-web
  PUBLIC "-//JBoss//DTD Web Application 2.3V2//EN"
  "http://www.jboss.org/j2ee/dtd/jboss-web_3_2.dtd">
<jboss-web>
  <security-domain>java:/jaas/SPNEGO</security-domain>
</jboss-web>


When I try to reach the index.jsp in the war, I can see in the trace that the authentication filter is activated, that I get the token, and that login is invoked on the LoginContext. However, I get the following exception:
18:52:58,757 TRACE [WebAppClassLoader] filter name=org.jboss.security.auth.spi.UsersRolesLoginModule, exclude=false
18:52:58,797 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
 at org.jboss.security.auth.spi.Util.loadProperties(Util.java:268)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:171)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:185)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:112)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at jcifs.spnego.Authentication.processKerberos(Authentication.java:401)
 at jcifs.spnego.Authentication.processSpnego(Authentication.java:325)
 at jcifs.spnego.Authentication.process(Authentication.java:224)
 at jcifs.http.Negotiate.authenticate(Negotiate.java:45)
 at jcifs.http.AuthenticationFilter.doFilter(AuthenticationFilter.java:193)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
 at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
 at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:159)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
 at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
 at java.lang.Thread.run(Thread.java:595)
18:52:58,807 INFO [STDOUT] jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException


My question is: why is 'org.jboss.security.auth.spi.UsersRolesLoginModule' being called and not my Kerberos login module defined under SPNEGO in login-config.xml? As I understand it, by writing jboss-web.xml as I did, I am telling Tomcat that the application should use the login module defined in SPNEGO?

I've been trying all sorts of configurations to get SSO between Active Directory and my JBoss application; this seemed the most promising, but still no luck. I will gladly accept other solutions that work with Kerberos, Active Directory and SPNEGO.

Thanks
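The stack trace above shows UsersRolesLoginModule being initialized from a LoginContext.login() call made inside jcifs.spnego.Authentication.processKerberos, even though the SPNEGO policy names only Krb5LoginModule. One JAAS behaviour that produces exactly this symptom, and that is worth ruling out before changing anything else, is the fallback built into javax.security.auth.login.LoginContext: when the entry name a LoginContext was created with has no entry in the active Configuration, JAAS silently retries with the entry named "other", which in a stock JBoss 4.x login-config.xml maps to UsersRolesLoginModule. The program below is an added example, not code from jcifs, JBoss or the original post. It uses two hypothetical stand-in modules (FakeKrb5Module, FakeUsersRolesModule), an in-memory Configuration that plays the role of login-config.xml and records every entry name looked up, and a made-up entry name ("not-in-login-config") to trigger the fallback, so the behaviour can be observed rather than guessed at.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Demonstrates how LoginContext resolves the entry name it is created with:
 * a name with no entry in the Configuration silently falls back to "other".
 * Added example; the modules below are stand-ins, not the real
 * Krb5LoginModule / UsersRolesLoginModule.
 */
public class JaasFallbackDemo {

    /** Every login module JAAS actually ran, in order (demo bookkeeping only). */
    static final List<String> INVOKED = new ArrayList<>();

    /** Base class: succeeds unconditionally and records its own class name. */
    public abstract static class RecordingModule implements LoginModule {
        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            // Nothing is prompted for, in the spirit of doNotPrompt=true above.
        }
        @Override public boolean login() { INVOKED.add(getClass().getSimpleName()); return true; }
        @Override public boolean commit() { return true; }
        @Override public boolean abort()  { return true; }
        @Override public boolean logout() { return true; }
    }

    /** Hypothetical stand-in for Krb5LoginModule in the SPNEGO policy. */
    public static class FakeKrb5Module extends RecordingModule {}

    /** Hypothetical stand-in for UsersRolesLoginModule in the "other" policy. */
    public static class FakeUsersRolesModule extends RecordingModule {}

    /** In-memory equivalent of a login-config.xml that defines SPNEGO and other. */
    static class TwoPolicyConfiguration extends Configuration {
        /** Entry names LoginContext asked for: the diagnostic a live deployment hides. */
        final List<String> requested = new ArrayList<>();

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            requested.add(name);
            if ("SPNEGO".equals(name)) return required(FakeKrb5Module.class);
            if ("other".equals(name))  return required(FakeUsersRolesModule.class);
            return null; // unknown name: LoginContext retries with "other"
        }

        private static AppConfigurationEntry[] required(Class<? extends LoginModule> module) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(module.getName(),
                        LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap())
            };
        }
    }

    /** Logs in under the given entry name; returns the names JAAS looked up. */
    static List<String> loginAs(String entryName) throws LoginException {
        INVOKED.clear();
        TwoPolicyConfiguration config = new TwoPolicyConfiguration();
        // Explicit Configuration, so the JVM-wide one is not consulted.
        LoginContext ctx = new LoginContext(entryName, new Subject(), null, config);
        ctx.login();
        return config.requested;
    }

    public static void main(String[] args) throws LoginException {
        // 1. The name matches a policy: only the Kerberos stand-in runs.
        System.out.println("SPNEGO  -> looked up " + loginAs("SPNEGO")
                + ", ran " + INVOKED);
        // 2. A name with no policy (made up for the demo): JAAS retries with
        //    "other", so the UsersRoles stand-in runs instead of the Kerberos one.
        System.out.println("unknown -> looked up " + loginAs("not-in-login-config")
                + ", ran " + INVOKED);
    }
}
```

Compile and run with `javac JaasFallbackDemo.java && java JaasFallbackDemo`; the second line shows the lookup sequence `[not-in-login-config, other]` followed by FakeUsersRolesModule, the same shape as the trace above. The same recording Configuration can be installed with Configuration.setConfiguration() in a scratch harness to learn which entry name a third-party filter actually asks for before deploying it. Note also that the example needs no secret at all: the web.xml above embeds the service principal's password in plain text in a deployment descriptor, whereas Krb5LoginModule can take the service key from a keytab via its useKeyTab, keyTab and principal options, which keeps the credential out of the war.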