1179710 – Kerberos authentication for EJB Client does not work with OracleJDK 1.6

Bug 1179710 - Kerberos authentication for EJB Client does not work with OracleJDK 1.6

Summary: Kerberos authentication for EJB Client does not work with OracleJDK 1.6

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Domain Management, EJB
Sub Component:
Version:	6.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	---
Assignee:	Darran Lofthouse
QA Contact:	Ondrej Lukas
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-01-07 11:41 UTC by Ondrej Lukas
Modified:	2015-04-28 15:05 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-01-09 10:54:24 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1180520	unspecified	CLOSED	[Doc Bug Fix] Configuration of EJB Client for Kerberos authentication with OracleJDK 1.6	2021-02-22 00:41:40 UTC
Red Hat Bugzilla	1189141	unspecified	CLOSED	Clean-up tests which use Kerberos in the EAP testsuite	2021-02-22 00:41:40 UTC
Red Hat Issue Tracker	EAP6-174	Major	Closed	Kerberos based authentication for Remoting	2016-10-06 18:35:19 UTC

Internal Links: 1180520 1189141

Description Ondrej Lukas 2015-01-07 11:41:56 UTC

In case when kerberos authentication is correctly configured in security realm for remoting and EJB Client which runs with Oracle JDK 1.6 tries to invoke EJB method then following exception is thrown:

java.lang.SecurityException: Unable to locate a login configuration
	at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:93)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at java.lang.Class.newInstance0(Class.java:357)
	at java.lang.Class.newInstance(Class.java:310)
	at javax.security.auth.login.Configuration$3.run(Configuration.java:247)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:242)
	at sun.security.jgss.LoginConfigImpl$1.run(LoginConfigImpl.java:47)
	at sun.security.jgss.LoginConfigImpl$1.run(LoginConfigImpl.java:45)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jgss.LoginConfigImpl.<init>(LoginConfigImpl.java:44)
	at sun.security.jgss.GSSUtil.login(GSSUtil.java:244)
	at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
	at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
	at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
	at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
	at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
	at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
	at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:175)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities$2$1.run(ClientConnectionOpenListener.java:463)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities$2$1.run(ClientConnectionOpenListener.java:459)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities$2.run(ClientConnectionOpenListener.java:459)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
	at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.IOException: Unable to locate a login configuration
	at com.sun.security.auth.login.ConfigFile.init(ConfigFile.java:250)
	at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:91)
	... 32 more

It is probably same issue as BZ#1168918.

It does not matter which java is used for server.

I request blocker flag since this issue is blocking certification [1] for Oracle JDK6. 

[1] https://mojo.redhat.com/docs/DOC-48621

Comment 1 Darran Lofthouse 2015-01-09 09:23:14 UTC

We did need to fix this for the CLI but in the case of the CLI it was a client we were entirely in control of so it was possible for us to override global JAAS configuration within our own process.

For the EJB client this is not the case, instead users are going to need to provide a minimal JAAS config and reference it from the command line, the settings used in the CLI fix should be sufficient: -

https://github.com/jbossas/jboss-eap/pull/2128/files#diff-c929deeb25b1e0886f6c256907ea7c44R1598

For that reason I am going to put a dev NACK.

Comment 2 Ondrej Lukas 2015-01-09 10:54:24 UTC

I close this issue as WONTFIX for reason which Darran mentioned in comment#1. This issue has to be documented, I filled new documentation bz for this issue. See BZ#1180520.

Comment 3 JBoss JIRA Server 2015-04-28 15:05:39 UTC

John Doyle <jdoyle> updated the status of jira EAP6-174 to Closed

Note You need to log in before you can comment on or make changes to this bug.