Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: krb-1.0.0.M1
    • Fix Version/s: krb-1.1.0.M1
    • Component/s: kerberos
    • Labels:
      None

      Description

      Kerberos/SPNEGO support should also be available on an IBM JVM.

      1. IbmJaasKerberosClient_NEW.java
        5 kB
        Joseph Bagnes
      2. IbmJaasKerberosTicketValidator_NEW.java
        14 kB
        Joseph Bagnes
      3. IbmJaasKerberosTicketValidator.java
        8 kB
        Stefan Grinsted
      4. IBMJaasKerberosTicketValidator.java
        14 kB
        Ryan Ransford
      5. IBMJaasKerberosTicketValidator.java
        7 kB
        Nicholas Irving

        Activity

        Stefan Grinsted added a comment -

        Hey Guys

        I wanted to use Kerberos on an IBM WebSphere server, so I tried to implement an IBM edition of the SunJaasKerberosTicketValidator called IbmJaasKerberosTicketValidator. (See the attached file.)

        Besides some added logging statements, the only thing I changed from the Sun-edition is the inner class LoginConfig, which looks like this:

        ------
        // Imports this inner class relies on (from the enclosing validator file):
        import java.net.URL;
        import java.util.HashMap;
        import javax.security.auth.login.AppConfigurationEntry;
        import javax.security.auth.login.Configuration;

        private static class LoginConfig extends Configuration {
            private String keyTabUrl;
            private String servicePrincipalName;
            private boolean debug;

            public LoginConfig(URL keyTabUrl, String servicePrincipalName, boolean debug) {
                this.keyTabUrl = keyTabUrl.toExternalForm();
                this.servicePrincipalName = servicePrincipalName;
                this.debug = debug;
            }

            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // IBM Krb5LoginModule option names (differ from the Sun module's useKeyTab/keyTab/isInitiator)
                HashMap<String, Object> options = new HashMap<String, Object>();
                options.put("useKeytab", this.keyTabUrl);
                options.put("principal", this.servicePrincipalName);
                options.put("credsType", "acceptor");
                if (this.debug) {
                    options.put("debug", "true");
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.ibm.security.auth.module.Krb5LoginModule",
                            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                };
            }
        }
        -------

        However, the server gives this strange error:

        Caused by: java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0
        major string: Invalid credentials
        minor string: Cannot obtain mechanism credential for mechanism 1.3.6.1.5.5.2
        at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:31)
        at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:495)
        at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:382)
        at org.springframework.security.extensions.kerberos.IbmJaasKerberosTicketValidator$KerberosValidateAction.run(IbmJaasKerberosTicketValidator.java:140)
        at org.springframework.security.extensions.kerberos.IbmJaasKerberosTicketValidator$KerberosValidateAction.run(IbmJaasKerberosTicketValidator.java:1)
        at java.security.AccessController.doPrivileged(AccessController.java:284)

        When I tried the configuration on a JBoss with a Sun JVM (using the provided Sun validator, of course), everything works like it should.

        Can any of you Kerberos experts see anything wrong with this IBM implementation?
        Any help would be appreciated. Thanks.

        Regards, Stefan Grinsted

        PS. Below, I provide some additional info from logs and debugging.

        (Info found on the com.ibm.*.GSSContextImpl when debugging on WAS)
        — GSSCredential —
        Number of mehanism credentials: 1

        [1] Kerberos credential, mechanism: 1.2.840.113554.1.2.2
        Owner: HTTP/myhostname@my.domain
        Usage: accept only
        StartTime: 2/2/10 12:57 PM
        InitLifeTime: unknown
        AcceptLifeTime: indefinite
        Krb5Client: HTTP/myhostname@my.domain
        Krb5Server: unknown
        — End of GSSCredential —

        (Info returned from logging statements)

        ... IbmJaasKerberosTicketValidator validateTicket Trying to validate token with 1567 bytes
        ... IbmJaasKerberosTicketValidator$KerberosValidateAction run KerberosValidateAction getting GSSManager: com.ibm.security.jgss.GSSManagerImpl@19c919c9
        ... IbmJaasKerberosTicketValidator$KerberosValidateAction run KerberosValidateAction created context with null credentials:
        — GSSContext —
        Owner:HTTP/myhostname@my.domain
        Peer:unknown
        State:uninitialized
        Lifetime:expired or unknown
        Ready:no
        Flags:
        Confidentialityoff
        Delegationoff
        Integrityoff
        MutualAuthnoff
        ReplayDetectionoff
        SequenceDetectionoff
        DelegatedCred:unknown
        — End of GSSContext —

        Nicholas Irving added a comment -

        I managed to get this working for WebSphere 5.1 (yes, old and unsupported, but I am doing the best with what I have).

        I had to use the attached IBMJaasKerberosTicketValidator.java, which has the updated KerberosValidateAction, which seems to be the supported way for Kerberos under an IBM JVM.

        Plus I had to make the following addition to jre/lib/security/java.policy
        security.provider.6=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

        so that it would pick up the correct methods.

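        Added diagnostic example, not taken from any of the attachments or from Spring Security Kerberos, that covers both Stefan's "context with null credentials" report and Nicholas's provider line: it lists the mechanism OIDs the JVM's JGSS providers expose (a list without 1.3.6.1.5.5.2 matches the error Stefan quotes), logs in with the IBM options quoted above, and acquires the SPNEGO acceptor credential explicitly before accepting the token. Keytab URL, SPN and token bytes are caller-supplied placeholders, and it is assumed the IBM SPNEGO mechanism accepts a null name when creating the credential.

```java
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.login.*;
import org.ietf.jgss.*;
public class GssMechCheck {
    static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // mechanism named in the error
    // Mechanism OIDs the installed JGSS providers actually expose.
    public static List<String> availableMechs() throws GSSException {
        List<String> out = new ArrayList<String>();
        for (Oid oid : GSSManager.getInstance().getMechs()) out.add(oid.toString());
        return out;
    }
    // Same options as the thread's LoginConfig; keytab URL and SPN are placeholders.
    static Configuration acceptorConfig(final URL keytab, final String spn) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, Object> o = new HashMap<String, Object>();
                o.put("useKeytab", keytab.toExternalForm());
                o.put("principal", spn);
                o.put("credsType", "acceptor");
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.ibm.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, o) };
            }
        };
    }
    // Accepts a SPNEGO token and returns the authenticated client principal name.
    public static String acceptToken(URL keytab, String spn, final byte[] token) throws Exception {
        List<String> mechs = availableMechs();
        if (!mechs.contains(SPNEGO_OID)) { // readable failure instead of GSS major code 13
            throw new IllegalStateException("SPNEGO " + SPNEGO_OID + " not registered, only " + mechs);
        }
        LoginContext lc = new LoginContext("acceptor", null, null, acceptorConfig(keytab, spn));
        lc.login();
        return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<String>() {
            public String run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                // Acquire the acceptor credential explicitly (not null) so a missing mechanism surfaces here.
                GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                        new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = mgr.createContext(cred);
                ctx.acceptSecContext(token, 0, token.length);
                return ctx.getSrcName().toString();
            }
        });
    }
}
```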
        Nicholas Irving added a comment -

        This seems to work very well for me and WebSphere 5.1, may not be required for 6.1+, and I assume that since 6.0 is based on 1.4.2 that it is needed there.

        Nicholas Irving added a comment -

        Sorry forgot to mention that I had to backport this to use SpringSecurity 2.0.5 to make it work with WebSphere 5.1

        Ryan Ransford added a comment -

        My attempts at getting this working with WAS 7. I have done quite a bit of Java 6-ifying of the code and added some documentation and debug logging.

        It is currently not correctly implemented (fails at line 165 for me). Please take a look. See if this meets your needs or if you can provide some help with the terminology/implementation.

        V Kumar added a comment -

        Ryan, did you ever get this to work?

        Joseph Bagnes added a comment - edited

        Hi,

        I just want to share that I managed to get these IBM classes working on my application.
        I used the JVM inside WAS 7.0, which I believe is Java version 6.

        My attachments:
        IbmJaasKerberosTicketValidator_NEW.java
        IbmJaasKerberosClient_NEW.java

        Credits to original authors are still in the comment sections. Hope it helps.

        Mike Wiesner added a comment -

        This is definitely something we wanted to include, but we need some more time to have a solution which works in all of the commonly used IBM environments.

        The highest priority is currently to release a RC with the current feature set, plus some smaller improvements. Therefore, this is moved now to 1.1.


          People

          • Assignee: Mike Wiesner
          • Reporter: Mike Wiesner
          • Votes: 9
          • Watchers: 13