spring-security, spnego/kerberos/sso

[imitenmehta]

Hi,

I have win 7 box and debian box.

On debian I have tomcat with web app having spnego (spring-security). I also have kerberos. I have created msm@PRIMESYSTEMS.COM as principal and also HTTP/pinkydebian.primesystems.com. I have copied the HTTP ticket into the web app.

Now on win 7 I login as Miten_Mehta and the network kerberos client is configured to get ticket as msm@PRIMESYSTEMS.COM. I use client to get kerb ticket.

When I open webapp url below from Internet Explorer

http://pinkydebian:8080/jsf-sso/secu...r_teller.xhtml (this is permissioned for ROLE_TELLER and ROLE_SUPERVISOR as per security.xml below)

I am prompted for basic auth. what user / password should I enter here so the it will do kerberos auth for sso ?
I have tried msm, Miten_Mehta, msm@PRIMESYSTEMS.COM but all causes errors where in web app is unable to get authentication done with kdc. I feel from log that it tried to reach to KDC but kdc logs do not show any such request. I guess in web app itself there is issue with credentials encoding.

Here is the catalina.out error.
Oct 04, 2012 5:53:27 PM org.springframework.security.extensions.kerberos.w eb.SpnegoAuthenticationProcessingFilter doFilter
WARNING: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAA AADw==
org.springframework.security.authentication.BadCre dentialsException: Kerberos validation not succesfull
at org.springframework.security.extensions.kerberos.S unJaasKerberosTicketValidator.validateTicket(SunJa asKerberosTicketValidator.java:69)
at org.springframework.security.extensions.kerberos.K erberosServiceAuthenticationProvider.authenticate( KerberosServiceAuthenticationProvider.java:86)
at org.springframework.security.authentication.Provid erManager.doAuthentication(ProviderManager.java:13 0)
at org.springframework.security.authentication.Abstra ctAuthenticationManager.authenticate(AbstractAuthe nticationManager.java:48)
at org.springframework.security.extensions.kerberos.w eb.SpnegoAuthenticationProcessingFilter.doFilter(S pnegoAuthenticationProcessingFilter.java:131)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.context.SecurityC ontextPersistenceFilter.doFilter(SecurityContextPe rsistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.FilterChainProxy. doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invo ke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invo ke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBas e.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(A ccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invok e(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.servic e(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.p rocess(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnect ionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProce ssor.run(JIoEndpoint.java:312)
at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.springframework.security.extensions.kerberos.S unJaasKerberosTicketValidator.validateTicket(SunJa asKerberosTicketValidator.java:67)
... 26 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java: 97)
at sun.security.jgss.GSSContextImpl.acceptSecContext( GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext( GSSContextImpl.java:285)
at org.springframework.security.extensions.kerberos.S unJaasKerberosTicketValidator$KerberosValidateActi on.run(SunJaasKerberosTicketValidator.java:146)
at org.springframework.security.extensions.kerberos.S unJaasKerberosTicketValidator$KerberosValidateActi on.run(SunJaasKerberosTicketValidator.java:136)
... 29 more


I expect that when I open web app it should pickup ticket from win 7 and not prompt for user/pass.
If that is not right then based on auth form user it should send across ticket but not ask for pass.

Here is my security.xml configuration:
<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schem...-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.3.xsd">


<sec:http entry-point-ref="spnegoEntryPoint">

<sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR" />
<sec:intercept-url pattern="/supervisor_teller.xhtml" access="ROLE_TELLER,ROLE_SUPERVISOR"/>
<sec:intercept-url pattern="/authenticated.xhtml" access="IS_AUTHENTICATED_FULLY"/>
<sec:intercept-url pattern="/deny.xhtml" filters="none" />
<!-- <sec:intercept-url pattern="/index.xhtml" access="permitAll" /-->

<sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
position="BASIC_AUTH_FILTER" />
<sec:intercept-url pattern="/secure/**" access="ROLE_TELLER" />
</sec:http>
<bean id="spnegoEntryPoint"
class="org.springframework.security.extensions.ker beros.web.SpnegoEntryPoint" />

<bean id="spnegoAuthenticationProcessingFilter"
class="org.springframework.security.extensions.ker beros.web.SpnegoAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>

<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
</sec:authentication-manager>

<bean id="kerberosServiceAuthenticationProvider"
class="org.springframework.security.extensions.ker beros.KerberosServiceAuthenticationProvider">
<property name="ticketValidator">
<bean
class="org.springframework.security.extensions.ker beros.SunJaasKerberosTicketValidator">
<property name="servicePrincipal" value="HTTP/pinkydebian.primesystems.com" />
<property name="keyTabLocation" value="classpath:http-web.keytab" />
</bean>
</property>
<property name="userDetailsService" ref="dummyUserDetailsService" />
</bean>
<bean
class="org.springframework.security.extensions.ker beros.GlobalSunJaasKerberosConfig">
<property name="debug" value="true" />
</bean>
<bean id="dummyUserDetailsService" class="com.primesystems.sso.DummyUserDetailsServic e" />
</beans>


I am not sure how to verify that the http ticket generated is good / bad. Here is my attempt to verify:
command I used to create http ticket:
addprinc -policy service -randkey HTTP/pinkydebian.primesystems.com
ktadd -k /http-web.keytab HTTP/pinkydebian.primesystems.com

verifiy:
root@pinkydebian:/# kinit -k -t /http-web.keytab
kinit: Key table entry not found while getting initial credentials

Here is kerberos log output:
Oct 06 20:00:05 pinkydebian krb5kdc[920](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.1.2: NEEDED_PREAUTH: host/pinkydebian.primesystems.com@PRIMESYSTEMS.COM for krbtgt/PRIMESYSTEMS.COM@PRIMESYSTEMS.COM, Additional pre-authentication required

using ktutil:
root@pinkydebian:/# ktutil
ktutil: rkt /http-web.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 HTTP/pinkydebian.primesystems.com@PRIMESYSTEMS.COM
2 2 HTTP/pinkydebian.primesystems.com@PRIMESYSTEMS.COM
3 2 HTTP/pinkydebian.primesystems.com@PRIMESYSTEMS.COM
4 2 HTTP/pinkydebian.primesystems.com@PRIMESYSTEMS.COM



Let me know if above test has any point that proves I need to generate ticket again or differently.

Regards,

Miten.

[marre90]

Funny, I have exactly the same error...

even the Negotiate Header is (almost) exactly the same.

Code:

WARNUNG: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
	at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
	at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
	at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
	at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Unknown Source)
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
	... 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at sun.security.jgss.GSSHeader.<init>(Unknown Source)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
	... 25 more

Can this be a coincidence? I don't believe, that the negotiate Headers should be that similar...

[marre90]

Okay, I'm having the strong feeling, that this is problem is caused by a wrong kerberos configuration. So I'm now posting my configuration. Maybe someone can tell me whats wrong with it.

I have a windows 2008 server. This server is the domain controller of the Domain "test.domain". The Name of the Server is WinS8-Basisinst.

Then I have my Application Server. On another machine, of course. It runs Windows XP. The Name of this machine is AppServ. And I don't know if it is relevant, but i'm logging in to this machine with the user "test", which I created via the server manager of my domain controller. I have also created another user "http-appserv.test.domain", which I used for mapping the principal to.

And then there's the Client machine, which also runs Windows XP.The Name of this machine is client.

So, that is it for my configuration. After I had set up this, I created the keytab file with the following command:

Code:

ktpass /out test.keytab /mapuser http-appserv.test.domain@TEST.DOMAIN /princ host/AppServ.test.domain@TEST.DOMAIN  +rndpass

Then I copied this keytab file and tried if it worked. And, well, it didn't, that's why i'm here.

In Firefox I just get a blank page. And if I use IE I get prompted for a username and password. After that (doesn't matter what I typed in) I get a HTTP 500 error Page.

The (at least in my view) relevant part of the "applicationContext.xml" is here:

Code:

	<beans:bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
		<beans:property name="ticketValidator">
			<beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
				<beans:property name="servicePrincipal" value="host/appserv.test.domain@TEST.DOMAIN" />
				<beans:property name="keyTabLocation" value="file:c:\tst.keytab" />
			</beans:bean>
		</beans:property>
		<beans:property name="userDetailsService" ref="dummyUserDetailsService" />
	</beans:bean>

I would really appreciate your help, I'm stuck here.


EDIT:

Okay, well I thought of everything, but having the wrong login. If anyone else is ever having my problem just look at the login you type in. I tried it with "test3" (which is a user of the domain), but instead I had to use "test3@test.domain".

[Michael-O]

Deducing from your logs guys, everything works as designed. You have failed to understand how Kerberos works. Wireshark is your friend.

[imitenmehta]

Hi,

I made some progress that the auth filters are invoked and protecting pages but am not able to quite understand details as all pages are blocked. I am no longer being prompted for basic auth form.

I do not see valid kerberos ticket being passed from web browser to tomcat. The errors now are in the filter so may be some one can help understand the issue.


==> catalina.out <==
13:10:34 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
13:10:34 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /deny.xhtml; matched=false
13:10:34 DEBUG web.FilterChainProxy - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
13:10:34 DEBUG web.FilterChainProxy - Candidate is: '/supervisor_teller.xhtml'; pattern is /**; matched=true
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
13:10:34 DEBUG context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
13:10:34 DEBUG context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@ 147c5ee. A new one will be created.
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 2 of 8 in additional filter chain; firing Filter: 'SpnegoAuthenticationProcessingFilter'
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
13:10:34 DEBUG savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
13:10:34 DEBUG savedrequest.DefaultSavedRequest - queryString: both null (property equals)
13:10:34 DEBUG savedrequest.DefaultSavedRequest - requestURI: arg1=/jsf-sso/authenticated.xhtml; arg2=/jsf-sso/supervisor_teller.xhtml (property not equals)
13:10:34 DEBUG savedrequest.HttpSessionRequestCache - saved request doesn't match
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
13:10:34 DEBUG authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.Anony mousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.We bAuthenticationDetails@b364: RemoteIpAddress: 192.168.1.225; SessionId: F6FDE089A0B7012F2AAAB4E598F93382; Granted Authorities: ROLE_ANONYMOUS'
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
13:10:34 DEBUG web.FilterChainProxy - /supervisor_teller.xhtml at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
13:10:34 DEBUG intercept.DefaultFilterInvocationSecurityMetadataS ource - Converted URL to lowercase, from: '/supervisor_teller.xhtml'; to: '/supervisor_teller.xhtml'
13:10:34 DEBUG intercept.DefaultFilterInvocationSecurityMetadataS ource - Candidate is: '/supervisor_teller.xhtml'; pattern is /secure/extreme/**; matched=false
13:10:34 DEBUG intercept.DefaultFilterInvocationSecurityMetadataS ource - Candidate is: '/supervisor_teller.xhtml'; pattern is /supervisor_teller.xhtml; matched=true
13:10:34 DEBUG intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /supervisor_teller.xhtml; Attributes: [ROLE_TELLER, ROLE_SUPERVISOR]
13:10:34 DEBUG intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.Anonym ousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.We bAuthenticationDetails@b364: RemoteIpAddress: 192.168.1.225; SessionId: F6FDE089A0B7012F2AAAB4E598F93382; Granted Authorities: ROLE_ANONYMOUS
13:10:34 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter @185bec1, returned: -1
13:10:34 DEBUG vote.AffirmativeBased - Voter: org.springframework.security.access.vote.Authentic atedVoter@1ae74c2, returned: 0
13:10:34 DEBUG access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedEx ception: Access is denied
at org.springframework.security.access.vote.Affirmati veBased.decide(AffirmativeBased.java:71)
at org.springframework.security.access.intercept.Abst ractSecurityInterceptor.beforeInvocation(AbstractS ecurityInterceptor.java:204)
at org.springframework.security.web.access.intercept. FilterSecurityInterceptor.invoke(FilterSecurityInt erceptor.java:106)
at org.springframework.security.web.access.intercept. FilterSecurityInterceptor.doFilter(FilterSecurityI nterceptor.java:83)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.access.ExceptionT ranslationFilter.doFilter(ExceptionTranslationFilt er.java:97)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.session.SessionMa nagementFilter.doFilter(SessionManagementFilter.ja va:100)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.authentication.An onymousAuthenticationFilter.doFilter(AnonymousAuth enticationFilter.java:78)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.servletapi.Securi tyContextHolderAwareRequestFilter.doFilter(Securit yContextHolderAwareRequestFilter.java:54)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.savedrequest.Requ estCacheAwareFilter.doFilter(RequestCacheAwareFilt er.java:35)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.extensions.kerberos.w eb.SpnegoAuthenticationProcessingFilter.doFilter(S pnegoAuthenticationProcessingFilter.java:152)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.context.SecurityC ontextPersistenceFilter.doFilter(SecurityContextPe rsistenceFilter.java:79)
at org.springframework.security.web.FilterChainProxy$ VirtualFilterChain.doFilter(FilterChainProxy.java: 381)
at org.springframework.security.web.FilterChainProxy. doFilter(FilterChainProxy.java:168)
at org.springframework.web.filter.DelegatingFilterPro xy.invokeDelegate(DelegatingFilterProxy.java:237)
at org.springframework.web.filter.DelegatingFilterPro xy.doFilter(DelegatingFilterProxy.java:167)
at org.apache.catalina.core.ApplicationFilterChain.in ternalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.do Filter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invo ke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invo ke(StandardContextValve.java:123)
at org.apache.catalina.authenticator.AuthenticatorBas e.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke( StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke (ErrorReportValve.java:99)
at org.apache.catalina.valves.AccessLogValve.invoke(A ccessLogValve.java:929)
at org.apache.catalina.core.StandardEngineValve.invok e(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.servic e(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.p rocess(AbstractHttp11Processor.java:1002)
at org.apache.coyote.AbstractProtocol$AbstractConnect ionHandler.process(AbstractProtocol.java:585)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProce ssor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor.runWorker( ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
13:10:34 DEBUG savedrequest.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://pinkydebian:8080/jsf-sso/supe..._teller.xhtml]
13:10:34 DEBUG access.ExceptionTranslationFilter - Calling Authentication entry point.
13:10:34 DEBUG web.SpnegoEntryPoint - Sending back Negotiate Header for request: http://pinkydebian:8080/jsf-sso/supervisor_teller.xhtml
13:10:34 DEBUG context.HttpSessionSecurityContextRepository - SecurityContext is empty or anonymous - context will not be stored in HttpSession.
13:10:34 DEBUG context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

==> localhost_access_log.2012-10-10.txt <==
192.168.1.225 - - [10/Oct/2012:13:21:34 +0530] "GET /jsf-sso/supervisor_teller.xhtml HTTP/1.1" 401 5




Regards,

Miten.

[imitenmehta]

Hi,

I have observed that it fails with bad credentials at below native call when I open web app using internet explorer and it shows the catalina logs as mentioned in first post of this thread:
14:10:42 DEBUG web.SpnegoAuthenticationProcessingFilter - Received Negotiate Header for request http://pinkydebian:8080/jsf-sso/supe..._teller.xhtml: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBg EEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAGq2 6hhIfnxob/EVRyFsXDRlxjDmiKIkH2BYMUpmtIvOwBXPtjmLghpTPETxh/107QAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kq a6BepAo=
14:10:42 DEBUG authentication.ProviderManager - Authentication attempt using org.springframework.security.extensions.kerberos.K erberosServiceAuthenticationProvider
14:10:42 DEBUG kerberos.KerberosServiceAuthenticationProvider - Try to validate Kerberos Token




The token as byte[] passed to validator has value as below:
[96, -127, -98, 6, 6, 43, 6, 1, 5, 5, 2, -96, -127, -109, 48, -127, -112, -96, 26, 48, 24, 6, 10, 43, 6, 1, 4, 1, -126, 55, 2, 2, 30, 6, 10, 43, 6, 1, 4, 1, -126, 55, 2, 2, 10, -94, 114, 4, 112, 78, 69, 71, 79, 69, 88, 84, 83, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 112, 0, 0, 0, 106, -74, -22, 24, 72, 126, 124, 104, 111, -15, 21, 71, 33, 108, 92, 52, 101, -58, 48, -26, -120, -94, 36, 31, 96, 88, 49, 74, 102, -76, -117, -50, -64, 21, -49, -74, 57, -117, -126, 26, 83, 60, 68, -15, -121, -3, 116, -19, 0, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 69, 114, 124, 50, 50, 69, -117, 72, -65, -39, 42, 107, -96, 94, -92, 10]

and it generates exception as:
java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

at code:
private static class KerberosValidateAction implements PrivilegedExceptionAction<String> {
byte[] kerberosTicket;

public KerberosValidateAction(byte[] kerberosTicket) {
this.kerberosTicket = kerberosTicket;
}

@Override
public String run() throws Exception {
GSSContext context = GSSManager.getInstance().createContext((GSSCredent ial) null);
context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
String user = context.getSrcName().toString();
context.dispose();
return user;
}

}

The security.xml validator configured has values as below:
this SunJaasKerberosTicketValidator (id=55)
debug true
keyTabLocation ClassPathResource (id=104)
servicePrincipal "HTTP/pinkydebian.primesystems.com@PRIMESYSTEMS.COM" (id=106)
serviceSubject Subject (id=63)
Subject:
Principal: HTTP/pinkydebian.primesystems.com@PRIMESYSTEMS.COM
Private Credential: file:/opt/apache-tomcat-7.0.30/webapps/jsf-sso/WEB-INF/classes/http-web.keytab


is the token fetched from data from browser ? is it supposed to be a service ticket by msm@PRIMESYSTEMS.COM for service ? As such from catalina logs it seems some spnego token being passed and not the kerberos service ticket.

Regards,

Miten.



Regards,

Miten.

[imitenmehta]

Hi,

Below is the http messages capture for req and resp. As you see the server sends 500 error. I think the spring-security framework should be sending spnego related status instead of server error.

GET http://pinkydebian:8080/jsf-sso/secu...r_teller.xhtml HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: pinkydebian:8080
Cookie: JSESSIONID=1BFB715861CC66D138A14E89C94C3CDC
Authorization: Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBg EEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAAKab hRXWFiTYQEed66HBLmKXVDRPpRJfLt3Spw7F4k1hvMXwjNcDxV ZLD8DVrAgw+QAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIy RYtIv9kqa6BepAo=

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Date: Sat, 15 Dec 2012 10:58:36 GMT
Connection: close
Content-Length: 0



Regards,

Miten.

[Henry07]

Funny, I have exactly the same error...

even the Negotiate Header is (almost) exactly the same.

Code:

WARNUNG: Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
	at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
	at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)
	at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)
	at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:381)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:168)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Unknown Source)
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
	... 22 more
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at sun.security.jgss.GSSHeader.<init>(Unknown Source)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
	at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
	at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
	... 25 more

Can this be a coincidence? I don't believe, that the negotiate Headers should be that similar...

thanks for sharing codes.