SX Spring Security Extension

SES-19: Loading keytab from classpath doesn't always work

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: krb-1.0.0.M1
    • Fix Version/s: krb-1.0.0.M2
    • Component/s: kerberos
    • Labels:
      None
    • Environment:
      Weblogic, JBoss AS

      Description

      The JAAS Kerberos Module, which is used internally, sometimes has problems loading the keytab from the classpath, especially in some Java EE containers like WebLogic and JBoss AS. These containers often don't place the classpath directly in the filesystem, and the JAAS Kerberos Module seems to be unable to load from a classpath location which is not directly a filesystem path. Spring Security will for example create a URL like "zip:C:/xxx/_WL_user/spring-security-kerberos-sample-1/bd3bji/war/WEB-INF/lib/_wl_cls_gen.jar!/s-j-xxx.keytab" and pass this to the JAAS Module as the location for the keytab, but the JAAS module will then fail with the message: "Key for the principal xxx@DOMAIN.COM not available in ..._wl_cls_gen.jar!/s-j-xxx.keytab".

      A solution is to place the keytab outside of the classpath and specify the direct path in the Spring config, like "file:C:/etc/keytab-test_example_com.keytab". As the keytab is always specific to one host and also needs special protection, it shouldn't be placed in the classpath at all.

      The JAAS module also seems to have problems when the path contains whitespace.

        Activity

        Mike Wiesner added a comment -

        JAAS only accepts a String which points to the keytab in the filesystem, but sometimes classpath resources aren't directly accessible in the filesystem. In production you normally create this file during deployment and therefore it will most likely not reside in the classpath, but rather under /etc or something else and therefore you won't have any problems there.

        I added a warning during startup if we encounter that the file is in the classpath and also updated the sample with a warning to not put the file in the classpath if you are using a Java EE application server.

        Kianoosh Raika added a comment -

        FYI for people that are searching as I did: in your security config XML, for a Windows path, you can specify the location like so:

        <beans:property name="keyTabLocation" value="file:///D:/path/to/your.keytab" />

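
        As an added illustration (not code from Spring Security Kerberos or from the commenters), a startup check in the spirit of the warning Mike describes: it rejects archive and classpath locations JAAS cannot open, accepts the plain "file:C:/..." and "file:///D:/..." forms mentioned above, flags whitespace in the path, and warns when the keytab is readable by anyone other than its owner. The class and method names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

/** Hypothetical startup check for the keytab location; not part of Spring Security Kerberos. */
public final class KeytabLocationCheck {

    /** Returns the plain filesystem path JAAS can open, or throws if the location is unusable. */
    public static Path resolveKeytab(String location) throws IOException {
        String loc = location.trim();
        // JAAS reads the keytab with ordinary file I/O. Anything packaged inside an archive
        // (the "zip:...jar!/..." form Java EE containers produce) or addressed via the
        // classpath cannot work, so reject it at startup instead of failing at first login.
        if (loc.startsWith("zip:") || loc.startsWith("jar:") || loc.startsWith("classpath:") || loc.contains("!/")) {
            throw new IOException("keytab must be a plain file outside the classpath: " + loc);
        }
        String p = loc;
        if (p.startsWith("file:")) {
            p = p.substring("file:".length());
            if (p.startsWith("//")) p = p.substring(2);        // file:///D:/x  ->  /D:/x
            if (p.matches("/[A-Za-z]:.*")) p = p.substring(1);  // /D:/x        ->  D:/x
        }
        Path path = Paths.get(p).toAbsolutePath().normalize();
        if (!Files.isRegularFile(path)) {
            throw new IOException("keytab not found: " + path);
        }
        if (path.toString().contains(" ")) {
            System.err.println("WARNING: keytab path contains whitespace, which the JAAS module may not handle: " + path);
        }
        // The keytab holds the service principal's long-term key; nobody but the owner should read it.
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
            if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ)) {
                System.err.println("WARNING: keytab " + path + " is readable by group or others");
            }
        } catch (UnsupportedOperationException notPosix) {
            // Windows (non-POSIX) filesystem: an ACL check is not implemented in this illustration.
        }
        return path;
    }
}
```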

          People

          • Assignee: Mike Wiesner
          • Reporter: Mike Wiesner
          • Votes: 0
          • Watchers: 0
