  • SPNEGO Authentication, am I missing something?

    I am trying to get the SPNEGO sample (http://blog.springsource.org/2009/09...rity-kerberos/) up and running, but when I try to run the project I get the below error.
    Code:
    Caused by: java.lang.IllegalArgumentException: Could not load configuration from SCDynamicStore
    	at javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:108)
    	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.afterPropertiesSet(SunJaasKerberosTicketValidator.java:122)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1477)
    	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1417)
    As well as this error:

    Code:
    java[14113:f603] Unable to load realm info from SCDynamicStore
    I think I have to set up my domain information somewhere. I don't quite know how to do this. I saw this in the comments but I am not clear on how to go about doing so:
    Here's what worked for me (it took me 2.5 days to sort this out!).

    1. Use Mike's config exactly as it is (except, obviously, changing domain names, etc) especially wrt capitalisation and using FQDN.
    2. Use Mike's example of ktpass exactly as it is. You can specify /ptype KRB5_NT_PRINCIPAL if you like, but trying any value for /crypto just didn't work for me.
    3. Set up the Java System properties java.security.krb5.kdc AND java.security.krb5.realm to be the fully-qualified name of your Domain Controller and your domain (fully-qualified) in capitals.
    4. Make sure Internet Explorer in your client thinks that the server is in its Intranet! Don't use the server as a client!
    5. For your Service Principal and any users you want to authenticate, in the Account options, disable 'Use Kerberos DES…', enable 'This account supports Kerberos AES 128 bit…', enable 'This account supports Kerberos AES 256 bit…' and disable 'Do not require Kerberos preauthentication'.
    6. If you are outside the US, you may need to download the full support for AES 256-bit encryption. Look it up.

    In the test system I set up, the domain was vbis.security.local. The Windows Server 2008 machine was called chekov. So the values for the properties were:

    java.security.krb5.kdc=chekov.vbis.security.local
    java.security.krb5.realm=VBIS.SECURITY.LOCAL
    Any help would be greatly appreciated.

  • #2
    OK I figured out how to pass a parameter when starting the server...my solution was to set -Djava.security.krb5.conf=/path/to/krb5.conf
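
    Added example, not code from the thread or from the Spring Security Kerberos extension: a stand-alone check for the first error. SunJaasKerberosTicketValidator.afterPropertiesSet builds a KerberosPrincipal from the servicePrincipal value, and because HTTP/tomcat_server carries no realm the JDK has to look up a default realm; with no krb5 configuration that lookup fails (on a Mac it falls back to SCDynamicStore, which is the message in the first post). The KDC and realm values are the test domain from the quoted comment, and pointing java.security.krb5.conf at a krb5.conf file as in #2 is the equivalent fix.

```java
import javax.security.auth.kerberos.KerberosPrincipal;

public class RealmCheck {

    /** Builds the service principal the same way the ticket validator does. */
    static KerberosPrincipal servicePrincipal(String name) {
        // Throws IllegalArgumentException when no default realm can be found,
        // i.e. the same failure as the SCDynamicStore stack trace above.
        return new KerberosPrincipal(name);
    }

    public static void main(String[] args) {
        // Step 3 of the quoted comment: both properties, realm in capitals, set
        // before any Kerberos class is loaded. Values are the thread's test
        // domain (assumed here); substitute your own KDC and realm.
        System.setProperty("java.security.krb5.kdc", "chekov.vbis.security.local");
        System.setProperty("java.security.krb5.realm", "VBIS.SECURITY.LOCAL");

        // Same value as servicePrincipal in spnego.xml: no "@REALM" suffix,
        // so the default realm is appended from the properties above.
        KerberosPrincipal sp = servicePrincipal("HTTP/tomcat_server");
        System.out.println("principal: " + sp.getName());
        System.out.println("realm:     " + sp.getRealm());

        // A principal with an explicit realm needs no default-realm lookup;
        // writing servicePrincipal this way in spnego.xml is the other option.
        KerberosPrincipal explicit = servicePrincipal("HTTP/tomcat_server@VBIS.SECURITY.LOCAL");
        System.out.println("explicit:  " + explicit.getName());
    }
}
```

Run it once without the two setProperty calls and without a krb5.conf to reproduce the original exception, then with them to confirm the realm resolves.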



    • #3
      Hmm, it looks like something isn't working. The request goes through and this is what I see in the log. I don't see any Kerberos logging even though I have it turned on, even though the Spnego filter is getting hit.

      Code:
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - Candidate is: '/secure/index.jsp'; pattern is /**; matched=true
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@634a988. A new one will be created.
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - pathInfo: both null (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - queryString: both null (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - requestURI: arg1=/fs-server/secure/index.jsp; arg2=/fs-server/secure/index.jsp (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - serverPort: arg1=8080; arg2=8080 (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - requestURL: arg1=http://localhost:8080/fs-server/secure/index.jsp; arg2=http://localhost:8080/fs-server/secure/index.jsp (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - scheme: arg1=http; arg2=http (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - serverName: arg1=localhost; arg2=localhost (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - contextPath: arg1=/fs-server; arg2=/fs-server (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.DefaultSavedRequest - servletPath: arg1=/secure/index.jsp; arg2=/secure/index.jsp (property equals)
      14:50:44.213 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.HttpSessionRequestCache - Removing DefaultSavedRequest from session if present
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6faa6108: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff10d0: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 16A1BE45C067C99F32E9BE6E900B43C7; Granted Authorities: ROLE_ANONYMOUS'
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.security.web.FilterChainProxy - /secure/index.jsp at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.DefaultFilterInvocationSecurityMetadataSource - Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.DefaultFilterInvocationSecurityMetadataSource - Candidate is: '/secure/index.jsp'; pattern is /secure/**; matched=true
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /secure/index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.i.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@6faa6108: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff10d0: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: 16A1BE45C067C99F32E9BE6E900B43C7; Granted Authorities: ROLE_ANONYMOUS
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@c0e1c69, returned: 0
      14:50:44.214 [http-bio-8080-exec-10] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: [email protected]7ad, returned: -1
      14:50:44.215 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
      org.springframework.security.access.AccessDeniedException: Access is denied
      	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71) ~[spring-security-core.jar:3.0.7.RELEASE]
      	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:204) ~[spring-security-core.jar:3.0.7.RELEASE]
      	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106) ~[spring-security-web.jar:3.0.7.RELEASE]
      	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83) ~[spring-security-web.jar:3.0.7.RELEASE]
      	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381) [spring-security-web.jar:3.0.7.RELEASE]
       (rest of stack omitted)
      14:50:44.215 [http-bio-8080-exec-10] DEBUG o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/fs-server/secure/index.jsp]
      14:50:44.215 [http-bio-8080-exec-10] DEBUG o.s.s.w.a.ExceptionTranslationFilter - Calling Authentication entry point.
      14:50:44.215 [http-bio-8080-exec-10] DEBUG o.s.s.e.k.web.SpnegoEntryPoint - Sending back Negotiate Header for request: http://localhost:8080/fs-server/secure/index.jsp
      14:50:44.215 [http-bio-8080-exec-10] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
      14:50:44.215 [http-bio-8080-exec-10] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
      This is my spnego.xml:
      Code:
      	<sec:http entry-point-ref="spnegoEntryPoint">
      		<sec:intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_FULLY" />
      		<sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
      			position="BASIC_AUTH_FILTER" />
      	</sec:http>
      
      	<bean id="spnegoEntryPoint"
      		class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
      
      	<bean id="spnegoAuthenticationProcessingFilter"
      		class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
      		<property name="authenticationManager" ref="authenticationManager" />
      	</bean>
      
      	<sec:authentication-manager alias="authenticationManager">
      		<sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
      	</sec:authentication-manager>
      
      	<bean id="kerberosServiceAuthenticationProvider"
      		class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
      		<property name="ticketValidator">
      			<bean
      				class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
      				<property name="servicePrincipal" value="HTTP/tomcat_server" />
      				<property name="keyTabLocation" value="file:/path/to/http-web.keytab" />
      				<property name="debug" value="true" />
      			</bean>
      		</property>
      		<property name="userDetailsService" ref="fsUserDetailsService" />
      	</bean>
      	<bean
      		class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
      		<property name="debug" value="true" />
      	</bean>
      
      	<bean id="fsUserDetailsService" class="com.fs.security.UserDetailsService" />
      
      </beans>



      • #4
        Originally posted by Osman:
        Hmm, it looks like something isn't working. The request goes through and this is what I see in the log. I don't see any Kerberos logging even though I have it turned on, even though the Spnego filter is getting hit.
        When debugging SpnegoAuthenticationProcessingFilter, request.getHeader("Authorization") is returning null and so the filter isn't doing anything. Can someone help me figure out why this is null? I am hitting the page on a mac in Firefox.
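
        Added example for #3 and #4, not code from the thread or from the extension: the server side of the Negotiate exchange, showing why a request with no Authorization header produces exactly the log above. A SPNEGO filter can only act on an Authorization header carrying the Negotiate (or Kerberos) scheme and a base64 token; anything else leaves the request anonymous, the entry point answers 401 with WWW-Authenticate: Negotiate, and the browser is expected to return with a ticket. The NTLM check is an added caveat, the scheme names are the usual ones (assumed, not taken from the extension's source), and the sample tokens are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public final class NegotiateHeader {
    enum Kind { ABSENT, OTHER_SCHEME, NOT_BASE64, NTLM, SPNEGO }

    // "NTLMSSP\0": a client with no Kerberos ticket may fall back to NTLM under
    // the same Negotiate scheme; that token must not reach the Kerberos validator.
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    /** Decides what the filter can do with one request's Authorization header. */
    static Kind classify(String authorization) {
        if (authorization == null) return Kind.ABSENT;            // the case in #4
        String scheme;
        if (authorization.startsWith("Negotiate ")) scheme = "Negotiate ";
        else if (authorization.startsWith("Kerberos ")) scheme = "Kerberos ";
        else return Kind.OTHER_SCHEME;                             // Basic, Bearer, ...
        byte[] token;
        try {
            token = Base64.getDecoder().decode(authorization.substring(scheme.length()).trim());
        } catch (IllegalArgumentException e) {
            return Kind.NOT_BASE64;
        }
        boolean ntlm = token.length >= NTLMSSP.length
                && Arrays.equals(Arrays.copyOf(token, NTLMSSP.length), NTLMSSP);
        return ntlm ? Kind.NTLM : Kind.SPNEGO;
    }

    /** The server's reply for one request; a real filter sets status and headers. */
    static String respond(String authorization) {
        switch (classify(authorization)) {
            case SPNEGO: return "pass token to SunJaasKerberosTicketValidator";
            case NTLM:   return "401 WWW-Authenticate: Negotiate (NTLM token rejected)";
            default:
                // Nothing to validate: the filter stays idle and the entry point
                // challenges, which is the SpnegoEntryPoint line in the log above.
                return "401 WWW-Authenticate: Negotiate";
        }
    }

    public static void main(String[] args) {
        String spnego = Base64.getEncoder().encodeToString(new byte[] {0x60, (byte) 0x82, 0x01, 0x00});
        String ntlm = Base64.getEncoder().encodeToString("NTLMSSP\0\1\0\0\0".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(respond(null));                    // first request from any browser
        System.out.println(respond("Basic dXNlcjpwYXNz"));    // wrong scheme, constructed
        System.out.println(respond("Negotiate " + ntlm));     // constructed NTLM type-1 prefix
        System.out.println(respond("Negotiate " + spnego));   // constructed SPNEGO-style token
    }
}
```

        A browser only answers the challenge for hosts it has been told to trust for Negotiate authentication (the Intranet zone in step 4 of the quoted comment for IE, the network.negotiate-auth.trusted-uris preference in Firefox); otherwise every request arrives with the null header seen in #4.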
