
  • Spring Security Kerberos/SPNEGO Extension

    Hi everybody!

    First of all, thanks a lot for your efforts concerning the new Kerberos/SPNEGO Extension!
    I played around a little bit with it and it really does work perfectly on Jetty and Tomcat. However, I didn't get it to work on a Weblogic 10.3. I couldn't figure out whether it is a Weblogic issue or the Kerberos/SPNEGO extension isn't ready to run on WLS yet. For further investigation I added the stack trace below:

    Creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a'
    Invoking afterPropertiesSet() on bean with name 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a'
    Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is zip:C:/userapp/bea10.3_sp0/user_projects/domains/Test/servers/AdminServer/tmp/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab refreshKrb5Config is false principal is HTTP/[email protected] tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Key for the principal HTTP/[email protected] not available in zip:C:/userapp/bea10.3_sp0/user_projects/domains/Test/servers/AdminServer/tmp/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab
    [Krb5LoginModule] authentication failed
    Unable to obtain password from user

    Destroying singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@132e233: defining beans [org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy#0,org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,_filterChainProxy,org.springframework.security.config.http.UserDetailsServiceInjectionBeanPostProcessor#0,spnegoEntryPoint,spnegoAuthenticationProcessingFilter,_authenticationManager,kerberosServiceAuthenticationProvider,dummyUserDetailsService,inMemoryUserDetailsService]; root of factory hierarchy
    Context initialization failed
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot resolve reference to bean '_authenticationManager' while setting bean property 'parent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Cannot resolve reference to bean 'kerberosServiceAuthenticationProvider' while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'kerberosServiceAuthenticationProvider' defined in ServletContext resource [/WEB-INF/security.xml]: Cannot create inner bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a' of type [org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator] while setting bean property 'ticketValidator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a' defined in ServletContext resource [/WEB-INF/security.xml]: Invocation of init method failed; nested exception is javax.security.auth.login.LoginException: Unable to obtain password from user

    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager':

    ...

    Regards,
    Nick

  • #2
    Just like the original poster... I have been successful at getting the extension to work under Glassfish 3, but deploying the app on Weblogic 10.3 fails with the stack trace identical to the one above. Now I get to burn a day figuring out why.



    • #3
      Thanks for your response! Can you please create a JIRA issue for that here: https://jira.springsource.org/browse/SES



      • #4
        I'm not sure exactly the what/why but if you put your keytab file in another part of the classpath... for example in the domain directory, the security code will find the file.

        You will see in the stack trace that the keytab file is in the jar that Weblogic creates to hold all your app's compiled classes. (Mine was deployed this way as well.) Maybe the security code is unable to read the file out of a jar/zip? I dunno.. but I did get it to work by having the keytab file available somewhere in the classpath _and_ not inside a jar file.

        matt.



        • #5
          Unable to obtain password from user - spring security kerberos issue

          Hi,

          I'm running into some issues when I tried to run the sample SSO app from Spring Security v3. I'm getting the following exception during server startup:

          Key for the principal HTTP/[email protected] not available in file:/C:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/spring-security-kerberos-sample-1.0.0.M1/WEB-INF/classes/http-web.keytab
          [Krb5LoginModule] authentication failed
          Unable to obtain password from user

          I have the web.keytab placed under the above mentioned path and the keytab file was generated in a windows server.

          I'm using Tomcat 6 and JDK 1.6.0_06.

          -TP



          • #6
            My first thought is that the entry: HTTP/[email protected] is not in the keytab file.

            Another possibility is that the server name 'uname.company.com' is not what the Kerberos server thinks the requestor server name is. You can use Wireshark to look at the packets and see what name is being validated on the server side.

            You can use a utility such as kutil to examine the contents of the keytab file.

            matt.



            • #7
              @Codepuppet

              1. The keytab file has the entry "HTTP/[email protected]" .

              I verified the keytab contents by using the windows command klist -k keytabfilename and got back the output

              KVNO Principal
              ---- --------------------------------------------------------------------------
              4 HTTP/[email protected]

              2. I checked using wireshark and noticed the following message
              Calling workstation domain: NULL. Am I missing something which causes this issue?


              -TP



              • #8
                Not sure what to do now.

                I also had this problem and it came down to two things. First, the key in the keytab file, but it looks like you have verified this. Second, my file was not able to be opened.

                If I were you, I'd get the security source and set some break points to verify that it is able to locate and open the keytab file, and it is finding the correct entry.

                matt.



                • #9
                  The JAAS Kerberos module also has some problems with loading the keytab file out of the classpath in some containers, or loading it from a path which includes whitespace. I've created a JIRA issue for that: https://jira.springsource.org/browse/SES-19

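To check the two things the replies above keep coming back to (is the SPN really in the keytab with the expected KVNO and encryption type, and is the file somewhere the JAAS module can open it), here is an added diagnostic in Python. It is not code from the extension or from anyone in this thread: a minimal parser for the MIT keytab format (version 0x0502) that lists what klist -k shows, plus a check of the configured keytab location for the two pitfalls seen above (packed inside WebLogic's _wl_cls_gen.jar, or a path containing whitespace). The principal, KVNO and keytab bytes are constructed sample values.

```python
import struct
# MIT keytab layout (version 0x0502), the format the JAAS Krb5LoginModule reads.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(data, pos):  # 16-bit length-prefixed string -> (text, next pos)
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):  # -> [(principal, kvno, enctype)] for every live entry
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        pos += 8                          # skip name_type (4) and timestamp (4)
        vno8, enctype, keylen = struct.unpack(">BHH", data[pos:pos + 5])
        pos += 5 + keylen                 # skip the key material itself
        kvno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, kvno32 or vno8,
                        ENCTYPES.get(enctype, "enctype-%d" % enctype)))
        pos = end
    return entries

def keys_for(entries, principal):  # entries for the SPN the ticket validator is configured with
    return [e for e in entries if e[0] == principal]

def location_problems(location):  # the two keytab-location pitfalls reported in this thread
    problems = []
    if location.startswith(("zip:", "jar:")) or "!/" in location:
        problems.append("keytab is packed inside a jar; Krb5LoginModule needs a plain file")
    if any(ch.isspace() for ch in location):
        problems.append("path contains whitespace")
    return problems

def _entry(principal, kvno, enctype, key):  # build one entry for the constructed sample
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key  # NT_PRINCIPAL, ts, vno8
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
# Constructed sample: one arcfour-hmac key, KVNO 4, like the klist -k output above.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("HTTP/web.example.com@EXAMPLE.COM", 4, 23, b"\x00" * 16)
```

On a real file, call parse_keytab(open(path, "rb").read()) and compare the principal string character for character with the one in the validator's configuration.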


                  • #10
                    Checksum failed ! Negotiate Header was invalid:

                    Hi I have followed the directions outlined at

                    http://msdn.microsoft.com/en-us/library/ms995329.aspx

                    for setting up the account and keytab for use in the demo app, but I get the following error:

                    Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
                    Try to validate Kerberos Token
                    Checksum failed !
                    Negotiate Header was invalid:

                    I assume that it is a set up error on the AD side, any pointers as to what could cause this would be very helpful.

                    thanks



                    • #11
                      Make sure your browser and the application [running Spring Sec] are on separate machines, otherwise the browser will try to use NTLM and not SPNEGO.



                      • springcrazy commented:
                        I have the same error and I tried your solution from a different machine. Is there any other suggestion?

                        thanks

                    • #12
                      Spring Kerberos Checksum Failed error

                      Hi
                      I am following the exact steps as mentioned in the Spring Security Kerberos tutorial but I seem to get the following error when validating the Kerberos token:
                      Found key for HTTP/my-key@MYDOMAIN
                      Entered Krb5Context.acceptSecContext with state=STATE_NEW
                      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
                      Checksum failed !
                      WARN : org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate YIIQs....

                      Any pointers how to resolve this error?

                      Thanks
                      Last edited by akshaybhatia02; Aug 9th, 2010, 11:16 AM.



                      • #13
                        Spring Kerberos Checksum Failed error

                        Hi Everybody
                        I am following the exact steps as mentioned in the Spring Security Kerberos tutorial as well, but I seem to get the following error when validating the Kerberos token:
                        Found key for HTTP/my-key@MYDOMAIN
                        Entered Krb5Context.acceptSecContext with state=STATE_NEW
                        >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
                        Checksum failed !
                        WARN : org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate YIIQs....

                        Any pointers how to resolve this error?

                        I am using tomcat as my app server

                        Thanks



                        • #14
                          Has your problem with "Checksum failed" been resolved?

                          Got the same:
                          >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
                          Checksum failed !

                          The problem appears in IE only. Firefox and Chrome work fine.
                          And also Single Sign-On is not working for me.
