Thread: Negotiation Fails? Second call from browser never arrives?

  1. #1
    Join Date
    Oct 2011
    Location
    Zurich
    Posts
    2

    Dear all, hope you can help a newbie before I lose my mind.

    I'm attempting to run the sample application from the excellent post by Mike Wiesner http://blog.springsource.com/2009/09...rity-kerberos/

    My issue is that the browser seems to connect, the application writes the header telling the browser that it should 'negotiate' and all seems good in the world. However, when the browser makes the request again, this time including a Kerberos ticket, it never seems to actually arrive on my server. Basically the "doFilter" function of the SpnegoAuthenticationProcessingFilter never receives a request with an 'Authorization' section, although using Fiddler on the client computer, I can see that this call is definitely made but with the result "ReadResponse() failed: The server did not return a response for this request."

    Any ideas or suggestions? Here's the log:

    Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
    Candidate is: '/secure/index.jsp'; pattern is /**; matched=true
    /secure/index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    No HttpSession currently exists
    No SecurityContext was available from the HttpSession: null. A new one will be created.
    /secure/index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
    /secure/index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
    /secure/index.jsp at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
    /secure/index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
    Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055286a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: 159.103.202.82; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
    /secure/index.jsp at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
    Requested session IDAFEDE706FE068613AC8E16EA2ED19CDE is invalid.
    /secure/index.jsp at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
    /secure/index.jsp at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
    Converted URL to lowercase, from: '/secure/index.jsp'; to: '/secure/index.jsp'
    Candidate is: '/secure/index.jsp'; pattern is /secure/**; matched=true
    Secure object: FilterInvocation: URL: /secure/index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
    Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken@9055286a: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@59b2: RemoteIpAddress: 159.103.202.82; SessionId: null; Granted Authorities: ROLE_ANONYMOUS
    Voter: org.springframework.security.access.vote.RoleVoter@260657, returned: 0
    Voter: org.springframework.security.access.vote.AuthenticatedVoter@6a4209, returned: -1
    Access is denied (user is anonymous); redirecting to authentication entry point
    org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:71)
    at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:203)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:106)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:97)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:100)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:78)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:35)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:152)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
    DefaultSavedRequest added to Session: DefaultSavedRequest[http://wsp11066wn:15555/spring-secur...ure/index.jsp]
    Calling Authentication entry point.
    Sending back Negotiate Header for request: http://wsp11066wn:15555/spring-secur...cure/index.jsp
    SecurityContext is empty or anonymous - context will not be stored in HttpSession.
    SecurityContextHolder now cleared, as request processing completed

  2. #2
    Join Date
    Oct 2011
    Location
    Zurich
    Posts
    2

    Well, problem solved. I'll provide the solution here in the hope that anyone googling the above error will hopefully get some help.

    The issue for me was nothing to do with Spring and nothing to do with Kerberos either (well, almost nothing).

    I was running Tomcat 6.0 under Eclipse and the issue was that the default max header size is 4k. This causes problems when your Kerberos tickets are > 8k. Simple solution is to increase maxHttpHeaderSize for your Connector settings in server.xml.

    Hope this helps somebody somewhere...
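
A way to check for the condition described in the second post, as an added example that is not part of the original thread: measure the header block of a request carrying an `Authorization: Negotiate` token and list the Tomcat connectors whose `maxHttpHeaderSize` is too small for it. The `server.xml` fragment, the host name `example.test`, the token bytes and the second connector are constructed for illustration; the 4096-byte default passed in is the figure the poster reports and should be replaced with the documented default for your Tomcat version.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the thread). Port 15555 is the
# port visible in the poster's log; the 8443 connector is hypothetical.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="15555" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" maxHttpHeaderSize="65536"/>
  </Service>
</Server>"""


def build_negotiate_request(token_len, path="/secure/index.jsp", host="example.test"):
    """Build a raw request whose SPNEGO token is token_len constructed zero bytes."""
    token = base64.b64encode(bytes(token_len))
    return (b"GET " + path.encode() + b" HTTP/1.1\r\n"
            b"Host: " + host.encode() + b"\r\n"
            b"Authorization: Negotiate " + token + b"\r\n\r\n")


def request_header_bytes(raw_request):
    """Bytes in the request line plus all headers, including the blank line."""
    end = raw_request.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("end of headers not found")
    return end + 4


def connectors_too_small(server_xml, needed, default_limit):
    """Return (port, effective limit) for each Connector whose limit is below needed."""
    undersized = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # An absent attribute means the connector runs with the server default.
        limit = int(conn.get("maxHttpHeaderSize", default_limit))
        if limit < needed:
            undersized.append((conn.get("port"), limit))
    return undersized


if __name__ == "__main__":
    needed = request_header_bytes(build_negotiate_request(9000))
    print("header block:", needed, "bytes")
    print("undersized connectors:", connectors_too_small(SERVER_XML, needed, 4096))
```

The connector buffers headers up to this limit, so size `maxHttpHeaderSize` to the largest ticket you expect to see rather than to an arbitrarily large value.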
