Bug 1161589 - Kerberos auth for management over HTTP/HTTPS does not work with IBM java
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: DR12
Target Release: EAP 6.4.0
Assignee: Darran Lofthouse
QA Contact: Pavel Slavicek
Reported: 2014-11-07 12:05 UTC by Ondrej Lukas
Modified: 2019-08-19 12:46 UTC (History)

Doc Type: Bug Fix
Last Closed: 2019-08-19 12:46:19 UTC
Type: Bug
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | EAP6-253 | 0 | Major | Closed | Kerberos auth for management over HTTP/HTTPS | 2018-08-11 10:09:56 UTC
Red Hat Issue Tracker | WFCORE-260 | 0 | Major | Resolved | Incorrect LoginModule name used for Kerberos with IBM JDK and incorrect case for useKeytab | 2018-08-11 10:09:56 UTC

Description Ondrej Lukas 2014-11-07 12:05:42 UTC
TL;DR:
Kerberos auth for management over HTTP/HTTPS does not work with IBM Java at all.

Description:
There are several issues which cause Kerberos auth for management over HTTP/HTTPS not to work with IBM Java. When a Kerberos security-realm is set for http-management and the Management Console is accessed, the following exception is thrown:

ERROR [org.jboss.as.domain.management.security] (HttpManagementService-threads - 2) JBAS015208: Login failed using Keytab for principal 'HTTP/localhost' to handle request for host 'localhost': javax.security.auth.login.LoginException: unable to find LoginModule class: com.sun.security.auth.module.Krb5LoginModule
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:835) [rt.jar:1.7.0]
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:211) [rt.jar:1.7.0]
	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:733) [rt.jar:1.7.0]
	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:731) [rt.jar:1.7.0]
	at java.security.AccessController.doPrivileged(AccessController.java:314) [vm.jar:1.7.0]
	at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:730) [rt.jar:1.7.0]
	at javax.security.auth.login.LoginContext.login(LoginContext.java:600) [rt.jar:1.7.0]
	at org.jboss.as.domain.management.security.KeytabService.createSubjectIdentity(KeytabService.java:198) [jboss-as-domain-management-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
	at org.jboss.as.domain.management.security.KeytabIdentityFactoryService.getSubjectIdentity(KeytabIdentityFactoryService.java:132) [jboss-as-domain-management-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
	at org.jboss.as.domain.management.security.SecurityRealmService.getSubjectIdentity(SecurityRealmService.java:239) [jboss-as-domain-management-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
	at org.jboss.as.domain.http.server.security.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:126) [jboss-as-domain-http-interface-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
	at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
	at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:47) [jboss-as-domain-http-interface-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
	at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.0.Final-redhat-9.jar:7.5.0.Final-redhat-9]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1156) [rt.jar:1.7.0]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:626) [rt.jar:1.7.0]
	at java.lang.Thread.run(Thread.java:780) [vm.jar:1.7.0]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.1.Final-redhat-1.jar:2.1.1.Final-redhat-1]

It is caused by a mistake in org.jboss.as.domain.management.security.KeytabService on line 67. The value of the field IBMKRB5LoginModule is incorrectly set to "com.sun.security.auth.module.Krb5LoginModule". It has to be "com.ibm.security.auth.module.Krb5LoginModule".


I also see other issues in this class for IBM Java:

1) Line 145: the name of the Kerberos option is "useKeytab", not "useKeyTab".

2) The principal option is missing from this Map. Add options.put("principal", principal); the same as in the non-IBM Java branch.

There may also be more issues for IBM Java (unable to test it now).
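
The vendor split this report describes, as an added example that is not part of the original report and not EAP's KeytabService code: it selects the login module class and option names per JDK vendor and checks that the class loads before any login is attempted. The class name Krb5EntryFactory, the keytab path, and the IBM values for useKeytab (a file URL) and credsType are assumptions to check against the documentation of the JDK in use.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

/** Added example (hypothetical class, not EAP's KeytabService). */
public final class Krb5EntryFactory {
    static final String SUN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    static final String IBM_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";

    static boolean isIbmVendor(String javaVendor) {
        return javaVendor != null && javaVendor.contains("IBM");
    }

    /** Option names differ per vendor: "useKeyTab"/"keyTab" versus IBM's "useKeytab". */
    static Map<String, Object> options(boolean ibm, String principal, File keytab) {
        Map<String, Object> o = new HashMap<String, Object>();
        o.put("principal", principal);              // needed in both branches
        if (ibm) {
            // Lower-case 't'; the value is the keytab location as a file URL (assumption).
            o.put("useKeytab", keytab.toURI().toString());
            o.put("credsType", "acceptor");         // service side only accepts tickets (assumption)
        } else {
            o.put("useKeyTab", "true");
            o.put("keyTab", keytab.getAbsolutePath());
            o.put("storeKey", "true");
            o.put("doNotPrompt", "true");
        }
        return o;
    }

    static AppConfigurationEntry entry(String principal, File keytab)
            throws ClassNotFoundException {
        boolean ibm = isIbmVendor(System.getProperty("java.vendor"));
        String module = ibm ? IBM_MODULE : SUN_MODULE;
        // Fail at configuration time instead of on the first SPNEGO request.
        Class.forName(module, false, Krb5EntryFactory.class.getClassLoader());
        return new AppConfigurationEntry(module, LoginModuleControlFlag.REQUIRED,
                options(ibm, principal, keytab));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; the principal is the one shown in the log above.
        AppConfigurationEntry e = entry("HTTP/localhost", new File("/etc/http.keytab"));
        System.out.println(e.getLoginModuleName() + " " + e.getOptions().keySet());
    }
}
```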

Comment 1 JBoss JIRA Server 2014-11-18 10:23:29 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira WFCORE-260 to Coding In Progress

Comment 5 Ondrej Lukas 2014-11-27 13:43:44 UTC
Verification failed in EAP 6.4.0.DR11.

IBM JDK 7 works fine.

IBM JDK 6 still does not work. It is blocking certification [1] for IBM JDK6.

Access to the Management Console with IBM JDK6 fails with:

ERROR [org.jboss.as.domain.management.security] (HttpManagementService-threads - 3) JBAS015208: Login failed using Keytab for principal 'HTTP/localhost' to handle request for host 'localhost': javax.security.auth.login.LoginException: Bad JAAS configuration: noAddress option not compatible with credsType {0}
	at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:29) [ibmjgssprovider.jar:6.0]
	at com.ibm.security.auth.module.Krb5LoginModule.i(Krb5LoginModule.java:23) [ibmjgssprovider.jar:6.0]
	at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:355) [ibmjgssprovider.jar:6.0]
	at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:272) [ibmjgssprovider.jar:6.0]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) [rt.jar:1.6.0]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) [rt.jar:1.6.0]
	at java.lang.reflect.Method.invoke(Method.java:611) [rt.jar:1.6.0]
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795) [rt.jar:1.6.0]
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209) [rt.jar:1.6.0]
	at javax.security.auth.login.LoginContext$5.run(LoginContext.java:732) [rt.jar:1.6.0]
	at java.security.AccessController.doPrivileged(AccessController.java:310) [vm.jar:]
	at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:729) [rt.jar:1.6.0]
	at javax.security.auth.login.LoginContext.login(LoginContext.java:599) [rt.jar:1.6.0]
	at org.jboss.as.domain.management.security.KeytabService.createSubjectIdentity(KeytabService.java:198) [jboss-as-domain-management-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
	at org.jboss.as.domain.management.security.KeytabIdentityFactoryService.getSubjectIdentity(KeytabIdentityFactoryService.java:142) [jboss-as-domain-management-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
	at org.jboss.as.domain.management.security.SecurityRealmService.getSubjectIdentity(SecurityRealmService.java:240) [jboss-as-domain-management-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
	at org.jboss.as.domain.http.server.security.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:155) [jboss-as-domain-http-interface-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
	at org.jboss.sun.net.httpserver.AuthFilter.doFilter(AuthFilter.java:64)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange$LinkHandler.handle(ServerImpl.java:710)
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:78)
	at org.jboss.as.domain.http.server.RealmReadinessFilter.doFilter(RealmReadinessFilter.java:48) [jboss-as-domain-http-interface-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
	at org.jboss.as.domain.http.server.DmrFailureReadinessFilter.doFilter(DmrFailureReadinessFilter.java:45) [jboss-as-domain-http-interface-7.5.0.Final-redhat-13.jar:7.5.0.Final-redhat-13]
	at org.jboss.com.sun.net.httpserver.Filter$Chain.doFilter(Filter.java:81)
	at org.jboss.sun.net.httpserver.ServerImpl$Exchange.run(ServerImpl.java:682)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:908) [rt.jar:1.6.0]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:931) [rt.jar:1.6.0]
	at java.lang.Thread.run(Thread.java:738) [vm.jar:1.6.0]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122) [jboss-threads-2.1.2.Final-redhat-1.jar:2.1.2.Final-redhat-1]


[1] https://mojo.redhat.com/docs/DOC-48621

Comment 7 Ondrej Lukas 2014-12-08 14:08:46 UTC
Verified in EAP 6.4.0.DR12.

Comment 8 JBoss JIRA Server 2015-04-28 15:05:47 UTC
John Doyle <jdoyle> updated the status of jira EAP6-253 to Closed

