  • spring-security, spnego/kerberos/sso

    Hi,

    I have win 7 box and debian box.

    On debian I have tomcat with web app having spnego (spring-security). I also have kerberos. I have created [email protected] as principal and also HTTP/pinkydebian.primesystems.com. I have copied the HTTP ticket into the web app.

    Now on Win 7 I log in as Miten_Mehta, and the network Kerberos client is configured to get a ticket as [email protected]. I use the client to get a Kerberos ticket.

    When I open webapp url below from Internet Explorer

    http://pinkydebian:8080/jsf-sso/secu...r_teller.xhtml (this is permissioned for ROLE_TELLER and ROLE_SUPERVISOR as per security.xml below)

    I am prompted for basic auth. What user/password should I enter here so that it will do Kerberos auth for SSO?
    I have tried msm, Miten_Mehta and [email protected], but all cause errors where the web app is unable to get authentication done with the KDC. I feel from the log that it tried to reach the KDC, but the KDC logs do not show any such request. I guess there is an issue with credentials encoding in the web app itself.

    Here is the catalina.out error.
    Oct 04, 2012 5:53:27 PM org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter doFilter
    WARNING: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
    org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
    at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
    at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
    at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
    Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:415)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
    ... 26 more
    Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
    ... 29 more


    I expect that when I open the web app it should pick up the ticket from Win 7 and not prompt for user/pass.
    If that is not right, then based on the auth form user it should send across the ticket but not ask for a password.

    Here is my security.xml configuration:
    <?xml version="1.0" encoding="UTF-8"?>

    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:sec="http://www.springframework.org/schema/security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schem...-beans-3.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">

        <sec:http entry-point-ref="spnegoEntryPoint">
            <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" />
            <sec:intercept-url pattern="/supervisor_teller.xhtml" access="ROLE_TELLER,ROLE_SUPERVISOR" />
            <sec:intercept-url pattern="/authenticated.xhtml" access="IS_AUTHENTICATED_FULLY" />
            <sec:intercept-url pattern="/deny.xhtml" filters="none" />
            <!-- <sec:intercept-url pattern="/index.xhtml" access="permitAll" /-->

            <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
            <sec:intercept-url pattern="/secure/**" access="ROLE_TELLER" />
        </sec:http>

        <bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

        <bean id="spnegoAuthenticationProcessingFilter"
            class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager" />
        </bean>

        <sec:authentication-manager alias="authenticationManager">
            <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
        </sec:authentication-manager>

        <bean id="kerberosServiceAuthenticationProvider"
            class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
            <property name="ticketValidator">
                <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                    <property name="servicePrincipal" value="HTTP/pinkydebian.primesystems.com" />
                    <property name="keyTabLocation" value="classpath:http-web.keytab" />
                </bean>
            </property>
            <property name="userDetailsService" ref="dummyUserDetailsService" />
        </bean>

        <bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
            <property name="debug" value="true" />
        </bean>

        <bean id="dummyUserDetailsService" class="com.primesystems.sso.DummyUserDetailsService" />
    </beans>


    I am not sure how to verify that the http ticket generated is good / bad. Here is my attempt to verify:
    command I used to create http ticket:
    addprinc -policy service -randkey HTTP/pinkydebian.primesystems.com
    ktadd -k /http-web.keytab HTTP/pinkydebian.primesystems.com

    verify:
    root@pinkydebian:/# kinit -k -t /http-web.keytab
    kinit: Key table entry not found while getting initial credentials

    Here is kerberos log output:
    Oct 06 20:00:05 pinkydebian krb5kdc[920](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.2: NEEDED_PREAUTH: host/[email protected] for krbtgt/[email protected], Additional pre-authentication required

    using ktutil:
    root@pinkydebian:/# ktutil
    ktutil: rkt /http-web.keytab
    ktutil: l
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
    1 2 HTTP/[email protected]
    2 2 HTTP/[email protected]
    3 2 HTTP/[email protected]
    4 2 HTTP/[email protected]



    Let me know if above test has any point that proves I need to generate ticket again or differently.

    Regards,

    Miten.
    Last edited by imitenmehta; Oct 6th, 2012, 09:49 AM. Reason: added kerberos ticket details

  • #2
    Funny, I have exactly the same error...

    even the Negotiate Header is (almost) exactly the same.

    Code:
    WARNUNG: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
    org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
    	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
    	at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
    	at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
    	at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
    	at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
    	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
    	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
    	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
    	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
    	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    	at java.lang.Thread.run(Unknown Source)
    Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    	at java.security.AccessController.doPrivileged(Native Method)
    	at javax.security.auth.Subject.doAs(Unknown Source)
    	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
    	... 22 more
    Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    	at sun.security.jgss.GSSHeader.<init>(Unknown Source)
    	at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    	at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
    	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
    	... 25 more
    Can this be a coincidence? I don't believe that the Negotiate headers should be that similar...
    Last edited by marre90; Oct 4th, 2012, 08:44 AM.



    • #3
      Okay, I'm having the strong feeling that this problem is caused by a wrong Kerberos configuration. So I'm now posting my configuration. Maybe someone can tell me what's wrong with it.

      I have a windows 2008 server. This server is the domain controller of the Domain "test.domain". The Name of the Server is WinS8-Basisinst.

      Then I have my application server. On another machine, of course. It runs Windows XP. The name of this machine is AppServ. And I don't know if it is relevant, but I'm logging in to this machine with the user "test", which I created via the server manager of my domain controller. I have also created another user "http-appserv.test.domain", which I used for mapping the principal to.

      And then there's the client machine, which also runs Windows XP. The name of this machine is client.

      So, that is it for my configuration. After I had set this up, I created the keytab file with the following command:
      Code:
      ktpass /out test.keytab /mapuser [email protected] /princ host/[email protected]  +rndpass
      Then I copied this keytab file and tried whether it worked. And, well, it didn't; that's why I'm here.

      In Firefox I just get a blank page. And if I use IE I get prompted for a username and password. After that (it doesn't matter what I type in) I get an HTTP 500 error page.

      The (at least in my view) relevant part of the "applicationContext.xml" is here:
      Code:
      	<beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
      		<beans:property name="ticketValidator">
      			<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
      				<beans:property name="servicePrincipal" value="host/[email protected]" />
      				<beans:property name="keyTabLocation" value="file:c:\tst.keytab" />
      			</beans:bean>
      		</beans:property>
      		<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
      	</beans:bean>
      I would really appreciate your help, I'm stuck here.


      EDIT:

      Okay, well, I thought of everything but having the wrong login. If anyone else is ever having my problem, just look at the login you type in. I tried it with "test3" (which is a user of the domain), but instead I had to use "[email protected]".
      Last edited by marre90; Oct 5th, 2012, 03:00 AM.



      • #4
        Deducing from your logs guys, everything works as designed. You have failed to understand how Kerberos works. Wireshark is your friend.



        • #5
          Understanding Auth Filters Error

          Hi,

          I made some progress: the auth filters are invoked and protecting pages, but I am not quite able to understand the details, as all pages are blocked. I am no longer being prompted for the basic auth form.

          I do not see a valid Kerberos ticket being passed from the web browser to Tomcat. The errors are now in the filter, so maybe someone can help me understand the issue.


          ==> catalina.out <==
          13:10:34 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
          13:10:34 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /deny.xhtml; matched=false
          13:10:34 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
          13:10:34 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /**; matched=true
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
          13:10:34 DEBUG context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
          13:10:34 DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@147c5ee. A new one will be created.
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 2 of 8 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
          13:10:34 DEBUG savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
          13:10:34 DEBUG savedrequest.DefaultSavedRequest - queryString: both null (property equals)
          13:10:34 DEBUG savedrequest.DefaultSavedRequest - requestURI: arg1=/jsf-sso/authenticated.xhtml; arg2=/jsf-sso/supervisor_teller.xhtml (property not equals)
          13:10:34 DEBUG savedrequest.HttpSessionRequestCache - saved request doesn't match
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
          13:10:34 DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 192.168.1.225; SessionId: F6FDE089A0B7012F2AAAB4E598F93382; Granted Authorities: ROLE_ANONYMOUS'
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
          13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
          13:10:34 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
          13:10:34 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/supervisor_teller.xhtml'; pattern is /secure/extreme/**; matched=false
          13:10:34 DEBUG intercept.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/supervisor_teller.xhtml'; pattern is /supervisor_teller.xhtml; matched=true
          13:10:34 DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /supervisor_teller.xhtml; Attributes: [ROLE_TELLER, ROLE_SUPERVISOR]
          13:10:34 DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 192.168.1.225; SessionId: F6FDE089A0B7012F2AAAB4E598F93382; Granted Authorities: ROLE_ANONYMOUS
          13:10:34 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@185bec1, returned: -1
          13:10:34 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@1ae74c2, returned: 0
          13:10:34 DEBUG access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
          org.springframework.security.access.AccessDeniedException: Access is denied
          at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
          at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204)
          at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
          at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
          at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
          at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
          at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
          at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
          at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
          at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
          at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
          at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
          at java.lang.Thread.run(Thread.java:722)
          13:10:34 DEBUG savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://pinkydebian:8080/jsf-sso/supe..._teller.xhtml]
          13:10:34 DEBUG access.ExceptionTranslationFilter - Calling Authentication entry point.
          13:10:34 DEBUG web.SpnegoEntryPoint - Sending back Negotiate Header for request: http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml
          13:10:34 DEBUG context.HttpSessionSecurityContextRepository - SecurityContext is empty or anonymous - context will not be stored in HttpSession.
          13:10:34 DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

          ==> localhost_access_log.2012-10-10.txt <==
          192.168.1.225 - - [10/Oct/2012:13:21:34 +0530] "GET /jsf-sso/supervisor_teller.xhtml HTTP/1.1" 401 5




          Regards,

          Miten.



          • #6
            SunJaasKerberosTicketValidator fails in KerberosValidateAction

            Hi,

            I have observed that it fails with bad credentials at the native call below when I open the web app using Internet Explorer, and it shows the Catalina logs as mentioned in the first post of this thread:
            14:10:42 DEBUG web.SpnegoAuthenticationProcessingFilter - Received Negotiate Header for request http://pinkydebian:8080/jsf-sso/supe..._teller.xhtml: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAGq26hhIfnxob/EVRyFsXDRlxjDmiKIkH2BYMUpmtIvOwBXPtjmLghpTPETxh/107QAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=
            14:10:42 DEBUG authentication.ProviderManager - Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
            14:10:42 DEBUG kerberos.KerberosServiceAuthenticationProvider - Try to validate Kerberos Token




            The token as byte[] passed to validator has value as below:
            [96, -127, -98, 6, 6, 43, 6, 1, 5, 5, 2, -96, -127, -109, 48, -127, -112, -96, 26, 48, 24, 6, 10, 43, 6, 1, 4, 1, -126, 55, 2, 2, 30, 6, 10, 43, 6, 1, 4, 1, -126, 55, 2, 2, 10, -94, 114, 4, 112, 78, 69, 71, 79, 69, 88, 84, 83, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 112, 0, 0, 0, 106, -74, -22, 24, 72, 126, 124, 104, 111, -15, 21, 71, 33, 108, 92, 52, 101, -58, 48, -26, -120, -94, 36, 31, 96, 88, 49, 74, 102, -76, -117, -50, -64, 21, -49, -74, 57, -117, -126, 26, 83, 60, 68, -15, -121, -3, 116, -19, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69, 114, 124, 50, 50, 69, -117, 72, -65, -39, 42, 107, -96, 94, -92, 10]

            and it generates exception as:
            java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

            at code (uses java.security.PrivilegedExceptionAction and org.ietf.jgss.GSSContext / GSSCredential / GSSManager):
            private static class KerberosValidateAction implements PrivilegedExceptionAction<String> {
                byte[] kerberosTicket;

                public KerberosValidateAction(byte[] kerberosTicket) {
                    this.kerberosTicket = kerberosTicket;
                }

                @Override
                public String run() throws Exception {
                    // Accept the client's token with the credentials of the Subject this action runs under
                    // (null credential = use the subject's own, i.e. the keytab-backed service principal)
                    GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
                    context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
                    String user = context.getSrcName().toString();
                    context.dispose();
                    return user;
                }
            }

            The security.xml validator configured has values as below:
            this SunJaasKerberosTicketValidator (id=55)
            debug true
            keyTabLocation ClassPathResource (id=104)
            servicePrincipal "HTTP/[email protected]" (id=106)
            serviceSubject Subject (id=63)
            Subject:
            Principal: HTTP/[email protected]
            Private Credential: file:/opt/apache-tomcat-7.0.30/webapps/jsf-sso/WEB-INF/classes/http-web.keytab


            Is the token fetched from the data from the browser? Is it supposed to be a service ticket by [email protected] for the service? As such, from the Catalina logs it seems some SPNEGO token is being passed and not the Kerberos service ticket.

            Regards,

            Miten.






            • #7
              Internal Server Error

              Hi,

              Below is the HTTP message capture for the request and response. As you see, the server sends a 500 error. I think the spring-security framework should be sending an SPNEGO-related status instead of a server error.

              GET http://pinkydebian:8080/jsf-sso/secu...r_teller.xhtml HTTP/1.1
              Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
              Accept-Language: en-US
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
              Accept-Encoding: gzip, deflate
              Connection: Keep-Alive
              Host: pinkydebian:8080
              Cookie: JSESSIONID=1BFB715861CC66D138A14E89C94C3CDC
              Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAKabhRXWFiTYQEed66HBLmKXVDRPpRJfLt3Spw7F4k1hvMXwjNcDxVZLD8DVrAgw+QAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

              HTTP/1.1 500 Internal Server Error
              Server: Apache-Coyote/1.1
              Date: Sat, 15 Dec 2012 10:58:36 GMT
              Connection: close
              Content-Length: 0



              Regards,

              Miten.

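Added example (editor's own code, not code from the thread or from Spring Security): a small Python inspector for the `Authorization: Negotiate` values quoted above, showing what the validator was actually handed. A value beginning `TlRMTVNTUAAB` (the headers in #1 and #2) decodes to `NTLMSSP\0` followed by message type 1, a raw NTLM NEGOTIATE message rather than a GSS-API token; its first byte is not the `0x60` application tag that `GSSHeader` checks for, which is the "did not find the right tag" failure. The token dumped as a byte array in #6 (the same kind of token is sent again in #7) is a GSS-API token carrying SPNEGO, but its `mechTypes` list offers only NEGOEX and NTLMSSP and no Kerberos mechanism, so a Kerberos-only validator has nothing it can accept; that matches the KDC log in #1, which shows no ticket request for `HTTP/pinkydebian.primesystems.com`. The NTLM sample is constructed in the shape of the posted headers (flags and version values are constructed), the SPNEGO sample is the byte array from #6 verbatim, and the Kerberos-mechanism stub is constructed and carries only the mechanism OID. Function and variable names are my own.

```python
"""Inspect an 'Authorization: Negotiate ...' value (added example, not code from the thread).
Reports raw NTLM vs. GSS-API token and, for SPNEGO, the mechanisms the client offers."""
import base64
import struct

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}   # Kerberos V5 and the legacy MS OID


def _read_tlv(buf, pos):
    """Parse one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:                       # the first byte packs the first two arcs
            arcs.extend(divmod(value, 40) if value < 80 else (2, value - 80))
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def parse_negotiate(header_value):
    """Classify a Negotiate header value; returns a dict with 'kind', 'mech', 'mechs', ..."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode("".join(b64.split()))   # tolerate forum/log line wrapping
    if token.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", token, 8)[0]
        info = {"kind": "NTLM", "ntlm_message_type": msg_type, "mech": None, "mechs": []}
        if msg_type == 1 and len(token) >= 40:       # NEGOTIATE carries the client OS version
            major, minor, build = struct.unpack_from("<BBH", token, 32)
            info["client_version"] = f"{major}.{minor}.{build}"
        return info
    if token[0] != 0x60:                   # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mech": None, "mechs": []}
    _, p, _ = _read_tlv(token, 0)
    _, oid_start, oid_end = _read_tlv(token, p)
    info = {"kind": "GSS-API", "mech": _decode_oid(token[oid_start:oid_end]), "mechs": []}
    if info["mech"] != SPNEGO_OID:
        return info                        # e.g. a bare Kerberos AP-REQ token
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ..., mechToken [2] OCTET STRING }
    _, p, _ = _read_tlv(token, oid_end)
    _, p, seq_end = _read_tlv(token, p)
    while p < seq_end:
        tag, vstart, vend = _read_tlv(token, p)
        if tag == 0xA0:
            _, q, list_end = _read_tlv(token, vstart)
            while q < list_end:
                _, s, e = _read_tlv(token, q)
                info["mechs"].append(_decode_oid(token[s:e]))
                q = e
        elif tag == 0xA2:
            _, s, e = _read_tlv(token, vstart)
            info["mech_token_len"], info["mech_token_prefix"] = e - s, token[s:s + 8]
        p = vend
    return info


def offers_kerberos(info):
    """True only if the client offered a mechanism a Kerberos ticket validator can accept."""
    return info["mech"] in KERBEROS_OIDS or any(m in KERBEROS_OIDS for m in info["mechs"])


# Constructed NTLM NEGOTIATE (type 1) message in the shape of the thread's "TlRMTVNTUAAB..." headers:
# signature, type, flags, empty domain/workstation fields, version block (6.1 build 7601).
NTLM_TYPE1 = (b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + b"\x00" * 16
              + struct.pack("<BBHBBBB", 6, 1, 7601, 0, 0, 0, 0x0F))
NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()

# The token bytes exactly as dumped (Java signed bytes) in post #6 of this thread.
POST6_SIGNED = [
    96, -127, -98, 6, 6, 43, 6, 1, 5, 5, 2, -96, -127, -109, 48, -127, -112, -96, 26, 48, 24, 6, 10, 43,
    6, 1, 4, 1, -126, 55, 2, 2, 30, 6, 10, 43, 6, 1, 4, 1, -126, 55, 2, 2, 10, -94, 114, 4, 112, 78, 69,
    71, 79, 69, 88, 84, 83, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 112, 0, 0, 0, 106, -74, -22, 24, 72, 126,
    124, 104, 111, -15, 21, 71, 33, 108, 92, 52, 101, -58, 48, -26, -120, -94, 36, 31, 96, 88, 49, 74,
    102, -76, -117, -50, -64, 21, -49, -74, 57, -117, -126, 26, 83, 60, 68, -15, -121, -3, 116, -19, 0, 0,
    0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69, 114, 124, 50, 50, 69, -117, 72,
    -65, -39, 42, 107, -96, 94, -92, 10]
SPNEGO_HEADER = "Negotiate " + base64.b64encode(bytes(b & 0xFF for b in POST6_SIGNED)).decode()

# Constructed stub: a GSS-API token whose mechanism OID is Kerberos V5 (body is not a real AP-REQ).
KRB_HEADER = "Negotiate " + base64.b64encode(
    b"\x60\x0d\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x00\x00").decode()

if __name__ == "__main__":
    for label, hdr in (("NTLM sample", NTLM_HEADER), ("post #6 token", SPNEGO_HEADER), ("Kerberos stub", KRB_HEADER)):
        info = parse_negotiate(hdr)
        print(f"{label}: {info} -> Kerberos offered: {offers_kerberos(info)}")
```

Paste any header from a Catalina log or a Wireshark capture (as #4 suggests) into `parse_negotiate`. When it reports NTLM, or SPNEGO without a Kerberos mechanism, the browser never obtained a service ticket for the SPN, so the cause lies on the client or KDC side (as the login-name fix in #3 illustrates), not in the validator. The validator rejecting such a token is the safe outcome; the fix is to get a real Kerberos ticket issued, not to accept the NTLM fallback.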


              • #8
                Originally posted by marre90
                Funny, I have exactly the same error...

                even the Negotiate Header is (almost) exactly the same.

                Code:
                WARNUNG: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
                org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
                at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
                at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
                at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
                at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
                at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
                at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
                at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
                at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
                at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
                at java.lang.Thread.run(Unknown Source)
                Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
                at java.security.AccessController.doPrivileged(Native Method)
                at javax.security.auth.Subject.doAs(Unknown Source)
                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
                ... 22 more
                Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
                at sun.security.jgss.GSSHeader.<init>(Unknown Source)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
                at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
                ... 25 more
                Can this be a coincidence? I don't believe that the Negotiate headers should be that similar...

                Thanks for sharing the code.
                Last edited by Henry07; Jan 19th, 2014, 11:39 PM.
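As an added diagnostic, not code from any poster in this thread, the Python below decodes the base64 value of an Authorization: Negotiate header and reports whether it is a raw NTLM message or a GSS-API/SPNEGO token, and which mechanisms the client offered. Run over the two headers quoted in posts #7 and #8 it shows that the post #8 header is a bare NTLM type 1 message (exactly what "GSSHeader did not find the right tag" rejects, since it is not a GSS token at all), and that the post #7 header is a SPNEGO NegTokenInit whose mechTypes list contains only NEGOEX and NTLMSSP, so the browser never presented a Kerberos ticket for the service.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos (legacy OID)",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
              "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}

# The two headers quoted in posts #7 and #8 (forum wrap spaces are stripped below).
HEADER_POST8 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw=="
HEADER_POST7 = ("YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBg "
                "EEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAKab "
                "hRXWFiTYQEed66HBLmKXVDRPpRJfLt3Spw7F4k1hvMXwjNcDxV "
                "ZLD8DVrAgw+QAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIy "
                "RYtIv9kqa6BepAo=")

def _tlv(buf, pos):  # one DER tag+length -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):  # DER OID content bytes -> dotted-decimal string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify_negotiate(blob):  # blob = base64 value after "Negotiate "
    token = base64.b64decode("".join(blob.split()))
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM, not a GSS-API token at all
        return {"kind": "NTLM", "ntlm_type": int.from_bytes(token[8:12], "little"), "mechs": []}
    if token[0] != 0x60:  # GSS-API InitialContextToken is [APPLICATION 0]
        return {"kind": "unknown", "mechs": []}
    _, p, _ = _tlv(token, 0)  # skip the wrapper, read thisMech OID
    _, s, e = _tlv(token, p)
    mech = _oid(token[s:e])
    if mech != SPNEGO_OID:  # e.g. a bare Kerberos AP-REQ token
        return {"kind": "GSS", "mechs": [MECH_NAMES.get(mech, mech)]}
    for _ in range(3):  # descend [0] NegTokenInit -> SEQUENCE -> [0] mechTypes
        _, e, _ = _tlv(token, e)
    _, p, end = _tlv(token, e)  # SEQUENCE OF MechType, in client preference order
    mechs = []
    while p < end:
        _, s, p = _tlv(token, p)
        mechs.append(MECH_NAMES.get(_oid(token[s:p]), _oid(token[s:p])))
    return {"kind": "SPNEGO", "mechs": mechs}
```

A healthy capture from a client that actually holds a ticket for HTTP/pinkydebian lists "Kerberos V5" (or the legacy MS Kerberos OID) first in mechs; seeing only NTLMSSP and NEGOEX means the problem is on the client side (no service ticket obtained) before Spring Security is ever involved.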



                • #9
                  I am also getting this exception. Can anyone tell me the reason behind this issue? Any solution?
