Comments (10)
Please, any update?
from spring-security-kerberos.
Stefan Grinsted said:
Hey Guys
I wanted to use Kerberos on an IBM WebSphere server, so I tried to implement an IBM edition of the SunJaasKerberosTicketValidator called IbmJaasKerberosTicketValidator. (See the attached file)
Besides some added logging statements, the only thing I changed from the Sun-edition is the inner class LoginConfig, which looks like this:
    // Imports the inner class needs.
    import java.net.URL;
    import java.util.HashMap;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.Configuration;

    // JAAS configuration for the IBM Krb5LoginModule: the service logs in as an
    // acceptor with its keytab so the validator can accept incoming tickets.
    private static class LoginConfig extends Configuration {
        private String keyTabUrl;
        private String servicePrincipalName;
        private boolean debug;

        public LoginConfig(URL keyTabUrl, String servicePrincipalName, boolean debug) {
            // The IBM module takes the keytab location as a URL string.
            this.keyTabUrl = keyTabUrl.toExternalForm();
            this.servicePrincipalName = servicePrincipalName;
            this.debug = debug;
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            HashMap<String, Object> options = new HashMap<String, Object>();
            options.put("useKeytab", this.keyTabUrl);
            options.put("principal", this.servicePrincipalName);
            // "acceptor": obtain accept-only credentials, never initiate.
            options.put("credsType", "acceptor");
            if (this.debug) {
                options.put("debug", "true");
            }
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.ibm.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options), };
        }
    }
However, the server gives this strange error:
Caused by: java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: Cannot obtain mechanism credential for mechanism 1.3.6.1.5.5.2
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:31)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:495)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:382)
at org.springframework.security.extensions.kerberos.IbmJaasKerberosTicketValidator$KerberosValidateAction.run(IbmJaasKerberosTicketValidator.java:140)
at org.springframework.security.extensions.kerberos.IbmJaasKerberosTicketValidator$KerberosValidateAction.run(IbmJaasKerberosTicketValidator.java:1)
at java.security.AccessController.doPrivileged(AccessController.java:284)
When I tried the configuration on a JBoss with a Sun JVM (using the provided Sun validator, of course), everything works like it should.
Can any of you Kerberos experts see anything wrong with this IBM implementation?
Any help would be appreciated. Thanks.
Regards, Stefan Grinsted
PS. Below, I provide some additional info from logs and debugging.
(Info found on the com.ibm.*.GSSContextImpl when debugging on WAS)
--- GSSCredential ---
Number of mehanism credentials: 1
[1] Kerberos credential, mechanism: 1.2.840.113554.1.2.2
Owner: HTTP/[email protected]
Usage: accept only
StartTime: 2/2/10 12:57 PM
InitLifeTime: unknown
AcceptLifeTime: indefinite
Krb5Client: HTTP/[email protected]
Krb5Server: unknown
--- End of GSSCredential ---
(Info returned from logging statements)
... IbmJaasKerberosTicketValidator validateTicket Trying to validate token with 1567 bytes
... IbmJaasKerberosTicketValidator$KerberosValidateAction run KerberosValidateAction getting GSSManager: com.ibm.security.jgss.GSSManagerImpl@19c919c9
... IbmJaasKerberosTicketValidator$KerberosValidateAction run KerberosValidateAction created context with null credentials:
--- GSSContext ---
Owner:HTTP/[email protected]
Peer:unknown
State:uninitialized
Lifetime:expired or unknown
Ready:no
Flags:
Confidentiality: off
Delegation: off
Integrity: off
MutualAuthn: off
ReplayDetection: off
SequenceDetection: off
DelegatedCred:unknown
--- End of GSSContext ---
Nicholas Irving said:
I managed to get this working for WebSphere 5.1 (yes, old and unsupported, but I am doing the best with what I have).
I had to use the attached IBMJaasKerberosTicketValidator.java, which has the updated KerberosValidateAction, which seems to be the supported way for Kerberos under an IBM JVM.
Plus I had to make the following addition to jre/lib/security/java.policy
security.provider.6=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
so that it would pick up the correct methods.
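The two posts above describe the same failure from both ends: Stefan's context is created with null credentials and acceptSecContext then reports that it cannot obtain a credential for mechanism 1.3.6.1.5.5.2 (SPNEGO), while his GSSCredential dump only lists the Kerberos mechanism 1.2.840.113554.1.2.2; Nicholas got past it by registering the IBMSPNEGO provider. The following is an added example written for this thread, not code from spring-security-kerberos or from any of the commenters. It does two things a practitioner would want before deploying: it builds the JAAS Configuration with the option set that matches the running JVM vendor (the IBM options are the ones shown above; the Sun options are those of com.sun.security.auth.module.Krb5LoginModule), and it checks whether the installed JGSS providers report the SPNEGO mechanism at all. The class and method names (GssAcceptorCheck, VendorAwareLoginConfig, spnegoMechanismAvailable, printProviders) are mine, and the keytab path and service principal in main are constructed placeholders.

```java
import java.net.URL;
import java.security.Provider;
import java.security.Security;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added diagnostic for this thread; not part of spring-security-kerberos.
public class GssAcceptorCheck {

    // Mechanism OIDs as they appear in the error and credential dump above.
    static final String KRB5_OID = "1.2.840.113554.1.2.2";
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** JAAS configuration that emits Krb5LoginModule options for the running JVM vendor. */
    static class VendorAwareLoginConfig extends Configuration {
        private final String keyTabUrl;
        private final String servicePrincipalName;
        private final boolean debug;
        private final boolean ibm;

        VendorAwareLoginConfig(URL keyTabUrl, String servicePrincipalName, boolean debug) {
            this.keyTabUrl = keyTabUrl.toExternalForm();
            this.servicePrincipalName = servicePrincipalName;
            this.debug = debug;
            // IBM JDKs report "IBM Corporation" as java.vendor.
            this.ibm = System.getProperty("java.vendor", "").startsWith("IBM");
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, Object> options = new HashMap<String, Object>();
            String module;
            if (ibm) {
                // IBM module: keytab given as a URL, accept-only credentials.
                module = "com.ibm.security.auth.module.Krb5LoginModule";
                options.put("useKeytab", keyTabUrl);
                options.put("principal", servicePrincipalName);
                options.put("credsType", "acceptor");
            } else {
                // Sun/OpenJDK module: keytab given as a file-system path, so drop "file:".
                module = "com.sun.security.auth.module.Krb5LoginModule";
                String path = keyTabUrl.startsWith("file:") ? keyTabUrl.substring(5) : keyTabUrl;
                options.put("useKeyTab", "true");
                options.put("keyTab", path);
                options.put("principal", servicePrincipalName);
                options.put("storeKey", "true");
                options.put("doNotPrompt", "true");
                options.put("isInitiator", "false");
            }
            if (debug) {
                options.put("debug", "true");
            }
            return new AppConfigurationEntry[] { new AppConfigurationEntry(module,
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
        }
    }

    /** True when the installed JGSS providers report the SPNEGO mechanism. */
    static boolean spnegoMechanismAvailable() throws GSSException {
        Oid spnego = new Oid(SPNEGO_OID);
        for (Oid mech : GSSManager.getInstance().getMechs()) {
            if (spnego.equals(mech)) {
                return true;
            }
        }
        return false;
    }

    /** Prints the registered security providers so the SPNEGO provider entry can be confirmed. */
    static void printProviders() {
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " -> " + p.getInfo());
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder values; substitute the real keytab and service principal.
        URL keytab = new URL("file:/path/to/http.keytab");
        String spn = "HTTP/[email protected]";
        Configuration.setConfiguration(new VendorAwareLoginConfig(keytab, spn, true));

        System.out.println("java.vendor = " + System.getProperty("java.vendor"));
        System.out.println("SPNEGO mechanism available: " + spnegoMechanismAvailable());
        printProviders();
    }
}
```

Run it on the same JVM the application server uses (for WebSphere, the bundled IBM JDK, not a separate Sun install). If SPNEGO is not listed, the acceptor will only ever hold the Kerberos credential seen in Stefan's dump, and an SPNEGO-wrapped token from the browser will fail exactly as in his stack trace; the provider list shows whether the registration Nicholas added has taken effect. Keeping credsType as "acceptor" and isInitiator as "false" is deliberate: the service should hold accept-only credentials, so a compromised keytab on the server cannot also be used to initiate contexts from that JAAS login.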
Nicholas Irving said:
This seems to work very well for me and WebSphere 5.1; it may not be required for 6.1+, and I assume that since 6.0 is based on 1.4.2 it is needed there.
Nicholas Irving said:
Sorry, forgot to mention that I had to backport this to use Spring Security 2.0.5 to make it work with WebSphere 5.1.
Ryan Ransford said:
My attempts at getting this working with WAS 7. I have done quite a bit of java 6-ifying the code and added some documentation and debug logging.
It is currently not correctly implemented (fails at line 165 for me). Please take a look. See if this meets your needs or if you can provide some help with the terminology/implementation.
V Kumar said:
Ryan, did you ever get this to work?
Joseph Bagnes said:
Hi,
I just want to share that I managed to get these IBM classes working on my application.
I used the JVM inside WAS 7.0, which I believe is Java version 6.
My attachments:
IbmJaasKerberosTicketValidator_NEW.java
IbmJaasKerberosClient_NEW.java
Credits to original authors are still in the comment sections. Hope it helps.
Mike Wiesner said:
This is definitely something we wanted to include, but we need some more time to have a solution which works in all of the commonly used IBM environments.
The highest priority is currently to release a RC with the current feature set, plus some smaller improvements. Therefore, this is moved now to 1.1.
@hanusto the code linked in the comments above works.