
Comments (10)

hanusto commented on May 16, 2024

Please, any update?

from spring-security-kerberos.

spring-projects-issues commented on May 16, 2024

Stefan Grinsted said:

Hey Guys

I wanted to use Kerberos on an IBM WebSphere server, so I tried to implement an IBM edition of the SunJassKerberosTicketValidator called IbmJaasKerberosTicketValidator. (See the attached file)

Besides some added logging statements, the only thing I changed from the Sun-edition is the inner class LoginConfig, which looks like this:


// Needs java.net.URL, java.util.HashMap and
// javax.security.auth.login.{AppConfigurationEntry, Configuration}.
private static class LoginConfig extends Configuration {
    private String keyTabUrl;
    private String servicePrincipalName;
    private boolean debug;

    public LoginConfig(URL keyTabUrl, String servicePrincipalName, boolean debug) {
        this.keyTabUrl = keyTabUrl.toExternalForm();
        this.servicePrincipalName = servicePrincipalName;
        this.debug = debug;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        HashMap<String, Object> options = new HashMap<String, Object>();
        // Option names of the IBM Krb5LoginModule: keytab location as a URL string,
        // the service principal, and credentials for accepting contexts only.
        options.put("useKeytab", this.keyTabUrl);
        options.put("principal", this.servicePrincipalName);
        options.put("credsType", "acceptor");
        if (this.debug) {
            options.put("debug", "true");
        }
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(
                "com.ibm.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options),
        };
    }
}

However, the server gives this strange error:

Caused by: java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0
major string: Invalid credentials
minor string: Cannot obtain mechanism credential for mechanism 1.3.6.1.5.5.2
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:31)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:495)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:382)
at org.springframework.security.extensions.kerberos.IbmJaasKerberosTicketValidator$KerberosValidateAction.run(IbmJaasKerberosTicketValidator.java:140)
at org.springframework.security.extensions.kerberos.IbmJaasKerberosTicketValidator$KerberosValidateAction.run(IbmJaasKerberosTicketValidator.java:1)
at java.security.AccessController.doPrivileged(AccessController.java:284)

When I tried the configuration on a JBoss with a Sun JVM (using the provided Sun-validator of course), everything works like it should.

Can any of you Kerberos experts see anything wrong with this IBM implementation?
Any help would be appreciated. Thanks.

Regards, Stefan Grinsted

PS. Below, I provide some additional info from logs and debugging.

(Info found on the com.ibm.*.GSSContextImpl when debugging on WAS)
--- GSSCredential ---
Number of mehanism credentials: 1

[1] Kerberos credential, mechanism: 1.2.840.113554.1.2.2
Owner: HTTP/[email protected]
Usage: accept only
StartTime: 2/2/10 12:57 PM
InitLifeTime: unknown
AcceptLifeTime: indefinite
Krb5Client: HTTP/[email protected]
Krb5Server: unknown
--- End of GSSCredential ---

(Info returned from logging statements)

... IbmJaasKerberosTicketValidator validateTicket Trying to validate token with 1567 bytes
... IbmJaasKerberosTicketValidator$KerberosValidateAction run KerberosValidateAction getting GSSManager: com.ibm.security.jgss.GSSManagerImpl@19c919c9
... IbmJaasKerberosTicketValidator$KerberosValidateAction run KerberosValidateAction created context with null credentials:
--- GSSContext ---
Owner:HTTP/[email protected]
Peer:unknown
State:uninitialized
Lifetime:expired or unknown
Ready:no
Flags:
Confidentialityoff
Delegationoff
Integrityoff
MutualAuthnoff
ReplayDetectionoff
SequenceDetectionoff
DelegatedCred:unknown
--- End of GSSContext ---

spring-projects-issues commented on May 16, 2024

Nicholas Irving said:

I managed to get this working for WebSphere 5.1 (yes old and unsupported but I am doing the best with what I have).

I had to use the attached IBMJaasKerberosTicketValidator.java, which has the updated KerberosValidateAction which seems to be the supported way for Kerberos under an IBM JVM.

Plus I had to make the following addition to jre/lib/security/java.policy
security.provider.6=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

so that it would pick up the correct methods.

from spring-security-kerberos.
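
For the mismatch visible in the report above (the error names mechanism 1.3.6.1.5.5.2, while the credential dump lists only 1.2.840.113554.1.2.2), this added example, which is neither the attached validator nor project code, reads the mechanism OID from the incoming token and requests acceptor credentials for that mechanism explicitly. The class and method names are hypothetical, and it assumes the JVM has a provider for the requested mechanism registered, which is what the security.provider line above adds for IBMSPNEGO.

```java
import java.util.Arrays;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added illustration; class and method names are hypothetical.
public final class AcceptorMechCheck {
    static final String SPNEGO = "1.3.6.1.5.5.2";       // OID from the stack trace
    static final String KRB5 = "1.2.840.113554.1.2.2";  // OID from the credential dump

    // A GSS-API initial token starts 0x60 <DER length> 0x06 <oidLen> <oid bytes>.
    static Oid mechOf(byte[] token) throws GSSException {
        if (token == null || token.length < 4 || (token[0] & 0xff) != 0x60) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        int pos = 2;                                   // short-form length: one byte
        if ((token[1] & 0x80) != 0) {
            pos += token[1] & 0x7f;                    // long form: skip the length bytes
        }
        if (pos + 2 > token.length || token[pos] != 0x06 || token[pos + 1] < 0
                || pos + 2 + token[pos + 1] > token.length) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);
        }
        int end = pos + 2 + token[pos + 1];
        return new Oid(Arrays.copyOfRange(token, pos, end)); // Oid(byte[]) takes tag+length+value
    }

    // Call inside Subject.doAs(...) with the Subject produced by the JAAS login.
    static GSSContext acceptorFor(byte[] token) throws GSSException {
        Oid mech = mechOf(token);
        if (!SPNEGO.equals(mech.toString()) && !KRB5.equals(mech.toString())) {
            throw new GSSException(GSSException.BAD_MECH);   // accept only the two expected mechanisms
        }
        GSSManager manager = GSSManager.getInstance();
        // Name the mechanism explicitly rather than passing null credentials to createContext.
        GSSCredential cred = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, mech, GSSCredential.ACCEPT_ONLY);
        return manager.createContext(cred);
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample: only the header of a SPNEGO token, not a real ticket.
        byte[] sample = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        System.out.println("token mechanism: " + mechOf(sample));
    }
}
```

Logging the result of `mechOf` next to the existing "Trying to validate token" message shows whether the client sent a SPNEGO-wrapped or a raw Kerberos token before `acceptSecContext` is called.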

spring-projects-issues commented on May 16, 2024

Nicholas Irving said:

This seems to work very well for me and WebSphere 5.1, may not be required for 6.1+, and I assume that since 6.0 is based on 1.4.2 that it is needed there.

spring-projects-issues commented on May 16, 2024

Nicholas Irving said:

Sorry forgot to mention that I had to backport this to use SpringSecurity 2.0.5 to make it work with WebSphere 5.1

spring-projects-issues commented on May 16, 2024

Ryan Ransford said:

My attempts at getting this working with WAS 7. I have done quite a bit of java 6-ifying the code and added some documentation and debug logging.

It is currently not correctly implemented (fails at line 165 for me). Please take a look. See if this meets your needs or if you can provide some help with the terminology/implementation.

spring-projects-issues commented on May 16, 2024

V Kumar said:

Ryan, did you ever get this to work?

spring-projects-issues commented on May 16, 2024

Joseph Bagnes said:

Hi,

I just want to share that I managed to get these IBM classes working on my application.
I used the JVM inside WAS7.0 which I believe is Java version 6.

My attachments:
IbmJaasKerberosTicketValidator_NEW.java
IbmJaasKerberosClient_NEW.java

Credits to original authors are still in the comment sections. Hope it helps.

spring-projects-issues commented on May 16, 2024

Mike Wiesner said:

This is definitely something we wanted to include, but we need some more time to have a solution which works in all of the commonly used IBM environments.

The highest priority is currently to release a RC with the current feature set, plus some smaller improvements. Therefore, this is moved now to 1.1.

Hehohehoheho commented on May 16, 2024

@hanusto the code linked in the comments above works.
