SX Spring Security Extension / SES-19

Loading keytab from classpath doesn't always work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: krb-1.0.0.M1
    • Fix Version/s: krb-1.0.0.M2
    • Component/s: kerberos
    • Labels:
      None
    • Environment:
      Weblogic, JBoss AS

      Description

      The JAAS Kerberos Module, which is used internally, sometimes has problems loading the keytab from the classpath, especially in some Java EE containers like Weblogic and JBoss AS. These containers often don't place the classpath directly in the filesystem, and the JAAS Kerberos Module seems to be unable to load from a classpath which is not directly a filesystem path. Spring Security will, for example, create a URL like "zip:C:/xxx/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab" and pass it to the JAAS Module as the location of the keytab, but the JAAS module will then fail with the message: "Key for the principal [email protected] not available in ..._wl_cls_gen.jar!/s-j-xxx.keytab".

      A solution is to place the keytab outside of the classpath and specify the direct path in the Spring config, like "file:C:/etc/keytab-test_example_com.keytab". As the keytab is always specific to one host and also needs special protection, it shouldn't be placed in the classpath at all.

      The JAAS module also seems to have problems when the path contains whitespace.
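
An added example (not part of the issue or of the project's code): a pre-flight check, using only the JDK, that a configured keytab location is a plain file: path on disk with no whitespace, rather than an entry inside an archive. The class name and the owner-only permission policy are assumptions; the two default locations are the ones quoted above.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.*;
import java.util.*;

public class KeytabLocationCheck {
    /** Returns the problems found for a Spring-style resource location; empty means usable. */
    static List<String> check(String location) throws IOException {
        List<String> problems = new ArrayList<>();
        if (location.chars().anyMatch(Character::isWhitespace)) {
            problems.add("location contains whitespace");
        }
        // Only a plain file: location maps to a path that can be opened directly on disk.
        if (!location.startsWith("file:") || location.contains("!/")) {
            problems.add("not a plain file: location (classpath, zip: or jar: entry?)");
            return problems;
        }
        // Accept the file:C:/x, file:/x and file:///x forms.
        String raw = location.substring("file:".length())
                .replaceFirst("^/+(?=[A-Za-z]:)", "")
                .replaceFirst("^/{2,}", "/");
        Path keytab = Paths.get(raw);
        if (!Files.isRegularFile(keytab) || !Files.isReadable(keytab)) {
            problems.add("no readable regular file at " + keytab);
            return problems;
        }
        // Assumed policy: on POSIX file systems only the owner may access the keytab.
        if (Files.getFileAttributeView(keytab, PosixFileAttributeView.class) != null) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keytab);
            for (PosixFilePermission p : perms) {
                if (!p.name().startsWith("OWNER_")) {
                    problems.add("permission " + p + " is set; restrict to the service account");
                }
            }
        }
        return problems;
    }

    public static void main(String[] args) throws IOException {
        // Defaults are the two locations quoted in the issue; pass your own as arguments.
        String[] locations = args.length > 0 ? args : new String[] {
            "zip:C:/xxx/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab",
            "file:C:/etc/keytab-test_example_com.keytab" };
        for (String location : locations) {
            List<String> problems = check(location);
            System.out.println(location + " -> " + (problems.isEmpty() ? "OK" : problems));
        }
    }
}
```

Run it under the account the application server uses, so the readability result reflects what the server will actually see.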

            People

            • Assignee:
              mikewiesner Mike Wiesner
              Reporter:
              mikewiesner Mike Wiesner