
Thread: Spring Security Kerberos/SPNEGO Extension

  1. #1
    Join Date
    Oct 2009
    Posts
    2

    Default Spring Security Kerberos/SPNEGO Extension

    Hi everybody!

    First of all, thanks a lot for your efforts concerning the new Kerberos/SPNEGO Extension!
    I played around a little bit with it and it really does work perfectly on Jetty and Tomcat. However, I didn't get it to work on a WebLogic 10.3. I couldn't figure out whether it is a WebLogic issue or whether the Kerberos/SPNEGO extension isn't ready to run on WLS yet. For further investigation I added the stack trace below:

    Creating instance of bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a'
    Invoking afterPropertiesSet() on bean with name 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a'
    Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is zip:C:/userapp/bea10.3_sp0/user_projects/domains/Test/servers/AdminServer/tmp/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab refreshKrb5Config is false principal is HTTP/xxx.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Key for the principal HTTP/xxx.domain.com@DOMAIN.COM not available in zip:C:/userapp/bea10.3_sp0/user_projects/domains/Test/servers/AdminServer/tmp/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab
    [Krb5LoginModule] authentication failed
    Unable to obtain password from user

    Destroying singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@132e233: defining beans [org.springframework.security.web.context.HttpSessionSecurityContextRepository#0,org.springframework.security.authentication.ProviderManager#0,org.springframework.security.web.PortMapperImpl#0,org.springframework.security.web.savedrequest.HttpSessionRequestCache#0,org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy#0,org.springframework.security.access.vote.AffirmativeBased#0,org.springframework.security.authentication.AnonymousAuthenticationProvider#0,_filterChainProxy,org.springframework.security.config.http.UserDetailsServiceInjectionBeanPostProcessor#0,spnegoEntryPoint,spnegoAuthenticationProcessingFilter,_authenticationManager,kerberosServiceAuthenticationProvider,dummyUserDetailsService,inMemoryUserDetailsService]; root of factory hierarchy
    Context initialization failed
    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.authentication.ProviderManager#0': Cannot resolve reference to bean '_authenticationManager' while setting bean property 'parent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager': Cannot resolve reference to bean 'kerberosServiceAuthenticationProvider' while setting bean property 'providers' with key [0]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'kerberosServiceAuthenticationProvider' defined in ServletContext resource [/WEB-INF/security.xml]: Cannot create inner bean 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a' of type [org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator] while setting bean property 'ticketValidator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator#170526a' defined in ServletContext resource [/WEB-INF/security.xml]: Invocation of init method failed; nested exception is javax.security.auth.login.LoginException: Unable to obtain password from user

    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:315)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:106)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1298)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1060)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:510)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:449)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:289)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:286)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:188)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:528)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:716)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:383)
    at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:270)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:197)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:47)
    at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:465)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(Unknown Source)
    at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:175)
    at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1784)
    at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:2999)
    at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1371)
    at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:468)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:204)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:60)
    at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:117)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:204)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:60)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:635)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:37)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
    at weblogic.application.internal.SingleModuleDeployment.activate(SingleModuleDeployment.java:16)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:162)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
    at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:196)
    at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:233)
    at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
    at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:173)
    at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:89)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '_authenticationManager':

    ...

    Regards,
    Nick

  2. #2
    Join Date
    Sep 2009
    Posts
    9

    Default

    Just like the original poster... I have been successful at getting the extension to work under Glassfish 3, but deploying the app on WebLogic 10.3 fails with a stack trace identical to the one above. Now I get to burn a day figuring out why.

  3. #3
    Join Date
    Nov 2006
    Location
    Munich, Germany
    Posts
    24

    Default

    Thanks for your response! Can you please create a JIRA issue for that here: https://jira.springsource.org/browse/SES

  4. #4
    Join Date
    Sep 2009
    Posts
    9

    Default

    I'm not sure exactly of the what/why, but if you put your keytab file in another part of the classpath... for example in the domain directory, the security code will find the file.

    You will see in the stack trace that the keytab file is in the jar that WebLogic creates to hold all your app's compiled classes. (Mine was deployed this way as well.) Maybe the security code is unable to read the file out of a jar/zip? I dunno... but I did get it to work by having the keytab file available somewhere in the classpath _and_ not inside a jar file.

    matt.

  5. #5
    Join Date
    Nov 2009
    Posts
    7

    Default Unable to obtain password from user - spring security kerberos issue

    Hi,

    I'm running into some issues when I tried to run the sample SSO app from Spring Security v3. I'm getting the following exception during the server startup:

    Key for the principal HTTP/uname.company.com@COMPANY.COM not available in file:/C:/Program Files/Apache Software Foundation/Tomcat 6.0/webapps/spring-security-kerberos-sample-1.0.0.M1/WEB-INF/classes/http-web.keytab
    [Krb5LoginModule] authentication failed
    Unable to obtain password from user

    I have the web.keytab placed under the above mentioned path and the keytab file was generated in a windows server.

    I'm using Tomcat 6 and JDK 1.6.0_06.

    -TP

  6. #6
    Join Date
    Sep 2009
    Posts
    9

    Default

    My first thought is that the entry: HTTP/uname.company.com@COMPANY.COM is not in the keytab file.

    Another possibility is that the server name 'uname.company.com' is not what the Kerberos server thinks the requestor server name is. You can use Wireshark to look at the packets and see what name is being validated on the server side.

    You can use a utility such as ktutil to examine the contents of the keytab file.

    matt.

  7. #7
    Join Date
    Nov 2009
    Posts
    7

    Default

    @Codepuppet

    1. The keytab file has the entry "HTTP/uname.company.com@COMPANY.COM".

    I verified the keytab contents by using the Windows command `klist -k keytabfilename` and got back the output

    KVNO Principal
    ---- --------------------------------------------------------------------------
    4 HTTP/uname.company.com@COMPANY.COM

    2. I checked using Wireshark and noticed the following message:
    Calling workstation domain: NULL
    Am I missing something which causes this issue?


    -TP
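    Since the thread turns on whether the keytab really holds the expected service principal with the right key version, here is an added example (not code from the extension or from any poster) that parses a keytab file the way `klist -k` does and then checks for the principal, including the case-only mismatches that `klist` output can hide because Kerberos realms and host components are case-sensitive. The keytab bytes are constructed inside the script for the HTTP/uname.company.com@COMPANY.COM principal quoted above; the key material and the deleted stale entry are made up for the demonstration.

```python
"""Parse an MIT-format (version 0x0502) keytab and check it for an expected
service principal. Added example; the sample keytab below is constructed here
with dummy key bytes, it is not a real keytab from any server."""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/host.example.com@EXAMPLE.COM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int   # seconds since the epoch, as written by the tool
    kvno: int        # key version number (must match the ticket's kvno)
    enctype: int     # 23 = rc4-hmac, 17/18 = aes128/aes256-cts-hmac-sha1-96
    key: bytes


def _counted_string(buf, pos):
    """uint16 big-endian length followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes):
    """Return the live entries of a keytab; deleted entries (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab (magic %r)" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # a hole left by ktutil/ktpass deleting an entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted_string(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted_string(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:              # optional 32-bit kvno; overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key))
    return entries


def find_principal(entries, wanted: str):
    """'ok' on an exact match, 'case-mismatch' if only the case differs, else 'missing'."""
    exact = [e for e in entries if e.principal == wanted]
    if exact:
        return "ok", exact
    near = [e for e in entries if e.principal.lower() == wanted.lower()]
    if near:
        return "case-mismatch", near
    return "missing", []


def klist_k(data: bytes) -> str:
    """Render the entries in the same two-column layout as `klist -k`."""
    lines = ["KVNO Principal", "---- " + "-" * 60]
    for e in parse_keytab(data):
        lines.append("%4d %s" % (e.kvno, e.principal))
    return "\n".join(lines)


def build_entry(principal, kvno, enctype, key, timestamp=0, name_type=1, deleted=False):
    """Serialise one keytab entry (used only to construct the sample below)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", -len(body) if deleted else len(body)) + body


# Constructed sample: a deleted kvno-3 entry (stale after a password reset) and the live kvno-4 entry.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/uname.company.com@COMPANY.COM", 3, 23, b"\x10" * 16, deleted=True)
                 + build_entry("HTTP/uname.company.com@COMPANY.COM", 4, 23, b"\x11" * 16))

if __name__ == "__main__":
    print(klist_k(SAMPLE_KEYTAB))
    print(find_principal(parse_keytab(SAMPLE_KEYTAB), "HTTP/uname.company.com@COMPANY.COM")[0])
```

    To run it against a real file, replace `SAMPLE_KEYTAB` with `open(path, "rb").read()`. Besides presence of the principal, the `kvno` and `enctype` columns are what to compare against the service ticket when a later login fails with a checksum error: a keytab generated before the account password was last changed carries an old key version.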

  8. #8
    Join Date
    Sep 2009
    Posts
    9

    Default

    Not sure what to do now.

    I also had this problem and it came down to two things. First, the key in the keytab file, but it looks like you have verified this. Second, my file was not able to be opened.

    If I were you, I'd get the security source and set some break points to verify that it is able to locate and open the keytab file, and it is finding the correct entry.

    matt.

  9. #9
    Join Date
    Nov 2006
    Location
    Munich, Germany
    Posts
    24

    Default

    The JAAS Kerberos module also has some problems with loading the keytab file out of the classpath in some containers or loading it from a path which includes whitespace. I've created a JIRA issue for that: https://jira.springsource.org/browse/SES-19
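    Both failure modes in this thread (matt's keytab packed into WebLogic's generated jar in #4, and the "Program Files" path on Tomcat in #5 that #9 attributes to whitespace) are visible in the location string the Krb5LoginModule prints after "KeyTab is" or "not available in". The following is an added example, not part of the extension, that extracts that location from such a log line and flags the two conditions before anyone spends a day in the debugger. The two log lines are quoted from the posts above; the third is a constructed healthy case, and the `wsjar:` scheme is included as an assumption about other containers.

```python
"""Classify the keytab location reported by the Krb5LoginModule debug output.
Added example; existence of the file is deliberately not checked so the
script runs offline on copied log lines."""
import re
from urllib.parse import unquote, urlparse

# Schemes under which the location points inside an archive rather than at a file.
ARCHIVE_SCHEMES = ("jar:", "zip:", "wsjar:")   # wsjar: assumed for other containers


def keytab_location_from_log(line: str):
    """Pull the keytab location out of the two messages the login module prints."""
    m = (re.search(r"KeyTab is (.+?) refreshKrb5Config", line)
         or re.search(r"not available in (.+)$", line))
    return m.group(1).strip() if m else None


def check_keytab_location(location: str):
    """Return a list of findings; an empty list means the location is a plain
    filesystem path without whitespace, which is what the login module can open."""
    findings = []
    loc = location.strip()
    if loc.lower().startswith(ARCHIVE_SCHEMES) or "!/" in loc:
        findings.append("inside an archive: the login module opens the keytab as a plain "
                        "file, so place it on the filesystem outside any jar/war")
    path = loc
    if loc.lower().startswith("file:"):
        path = unquote(urlparse(loc).path)
        if re.match(r"^/[A-Za-z]:", path):   # drop the slash urlparse leaves before a drive letter
            path = path[1:]
    if re.search(r"\s", path):
        findings.append("whitespace in path %r: move the keytab to a path without spaces" % path)
    return findings


def audit(lines):
    """Map each recognised log line's keytab location to its findings."""
    report = {}
    for line in lines:
        loc = keytab_location_from_log(line)
        if loc is not None:
            report[loc] = check_keytab_location(loc)
    return report


SAMPLE_LINES = [
    # quoted from post #1 (WebLogic)
    "Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true "
    "ticketCache is null isInitiator false KeyTab is zip:C:/userapp/bea10.3_sp0/user_projects/"
    "domains/Test/servers/AdminServer/tmp/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/"
    "WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab refreshKrb5Config is false principal is "
    "HTTP/xxx.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false",
    # quoted from post #5 (Tomcat)
    "Key for the principal HTTP/uname.company.com@COMPANY.COM not available in file:/C:/Program "
    "Files/Apache Software Foundation/Tomcat 6.0/webapps/spring-security-kerberos-sample-1.0.0.M1/"
    "WEB-INF/classes/http-web.keytab",
    # constructed healthy case
    "Key for the principal HTTP/www.example.com@EXAMPLE.COM not available in file:/etc/krb5/http-web.keytab",
]

if __name__ == "__main__":
    for loc, findings in audit(SAMPLE_LINES).items():
        print(loc)
        for f in findings or ["ok"]:
            print("   ", f)
```

    The healthy case still prints the "not available" message, which is the reminder that an openable file is only the first check; the principal and key version inside it are the next.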

  10. #10
    Join Date
    Jan 2010
    Posts
    1

    Default Checksum failed ! Negotiate Header was invalid:

    Hi, I have followed the directions outlined at

    http://msdn.microsoft.com/en-us/library/ms995329.aspx

    for setting up the account and keytab for use in the demo app, but I get the following error:

    Authentication attempt using org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider
    Try to validate Kerberos Token
    Checksum failed !
    Negotiate Header was invalid:

    I assume that it is a setup error on the AD side; any pointers as to what could cause this would be very helpful.

    thanks
