James,
Regarding your question a), HTTP 401 is a tangle of both "not authenticated"
and "not authorized". You're at least getting through authentication of the
end user. At least that's my interpretation of Krb5Context logging of
"KrbApReq: authenticate succeed." and logged values for mySeqNumber and
peerSeqNumber. (In my case I'm not getting even this far.)
On your b), Felix's example for debugging a jmeter issue uses an LDAP call to
check for group membership. This is configured within a <realm /> in
server.xml, leveraging "the user's delegated credentials via a request
attribute so applications can make use of them" [presumably for more
fine-grained authorization control]. Anyway, this seems to be an application
level augmentation of SPNEGO vice a contradiction of the patch comment for the
initial SPNEGO support in Tomcat-7.0.12. ("48685: Add initial support for
SPNEGO/Kerberos authentication also referred to as integrated Windows
authentication. This includes user authentication, authorisation via the
directory using the user's delegated credentials and exposing the user's
delegated credentials via a request attribute so applications can make use of
them to impersonate the current user when accessing third-party systems that
use a compatible authentication mechanism. Based on a patch provided by Michael
Osipov. (markt).") There doesn't seem to be documentation that expands
"authorisation via the directory using the user's delegated credentials" into a
configuration option. As written the comment for 48685 says SPNEGO support
doesn't stop at authentication; it [somehow] handles authorization, too.
On c), absent documentation, the details in
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685
might help explain the developers' sense of the intended working order and provide
some clues on the JAAS and SPNEGO configuration requirements. At least that's
what I'm reading through.
On d), you might already know this, but "KDCRep: init() encoding tag is 126 req
type is 11" translates to "exception: Asn1Exception - if an error occurs while
decoding an ASN1 encoded data." The actual text is from
sun.security.krb5.internal.KDCRep:
    /**
     * Initializes an KDCRep object.
     *
     * @param encoding a single DER-encoded value.
     * @param req_type reply message type.
     * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
     * @exception IOException if an I/O error occurs while reading encoded data.
     * @exception RealmException if an error occurs while constructing
     * a Realm object from DER-encoded data.
     * @exception KrbApErrException if the value read from the DER-encoded
     * data stream does not match the pre-defined value.
     *
     */
    protected void init(DerValue encoding, int req_type)
            throws Asn1Exception, RealmException, IOException,
            KrbApErrException {
        DerValue der, subDer;
        if ((encoding.getTag() & 0x1F) != req_type) {
            if (DEBUG) {
                System.out.println(">>> KDCRep: init() " +
                        "encoding tag is " +
                        encoding.getTag() +
                        " req type is " + req_type);
            }
            throw new Asn1Exception(Krb5.ASN1_BAD_ID);
        }
This snippet is from OpenJDK:
http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
There's also Oracle's
http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html. It
doesn't have the actual logging line, though.
Edward
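A worked illustration of the KDCRep tag check discussed under d) (an added example, not code from this thread, from Tomcat or from OpenJDK): the tag byte 126 is 0x7E, a DER APPLICATION-class constructed tag with tag number 30, which RFC 4120 assigns to KRB-ERROR, while req_type 11 is AS-REP. The KDC answered the first AS-REQ with a KRB-ERROR (error code 25, KDC_ERR_PREAUTH_REQUIRED) rather than an AS-REP, so the low-five-bits comparison fails and the JDK prints that debug line; the ">>>KRBError:" block that follows in James's log is that same reply decoded as an error, after which the client re-sends the AS-REQ with PA-ENC-TIMESTAMP. The Python below rebuilds a minimal KRB-ERROR from the values in that log (constructed bytes, not a capture from anyone's KDC), repeats the comparison KDCRep.init() makes, and decodes the error far enough to recover the error code, realm and sname. The DER helpers and field names are this example's own.

```python
# Added example, not code from the thread, Tomcat or OpenJDK.
# Re-creates the KDCRep.init() tag check on a constructed KRB-ERROR and
# decodes the error fields the JDK prints in its ">>>KRBError:" block.

# APPLICATION tag numbers for Kerberos messages (RFC 4120, section 5.10).
KRB_MSG_TYPES = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
    22: "KRB-CRED", 30: "KRB-ERROR",
}
AS_REP = 11
KRB_ERROR = 30
KDC_ERR_PREAUTH_REQUIRED = 25   # RFC 4120, section 7.5.9

FIELD_NAMES = {0: "pvno", 1: "msg_type", 4: "stime", 5: "susec",
               6: "error_code", 9: "realm", 10: "sname"}


def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # Two's-complement width, so 128 encodes as 00 80 rather than 80.
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ctx(n, body):
    """[n] EXPLICIT context tag, constructed form (0xA0 | n)."""
    return tlv(0xA0 | n, body)


def app(n, body):
    """APPLICATION n tag, constructed form (0x60 | n); valid for n < 31."""
    return tlv(0x60 | n, body)


def gstring(s):
    return tlv(0x1B, s.encode("ascii"))  # GeneralString


def read_tlv(buf, pos):
    """Return (tag, contents, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length


def build_krb_error(error_code, realm, sname, stime="20130610212123Z", susec=764076):
    """Minimal KRB-ERROR (RFC 4120, 5.9.1); e-data and other optional fields omitted.
    Defaults are the sTime/suSec values from the log (17:21:23 EDT = 21:21:23Z)."""
    principal = tlv(0x30, ctx(0, der_int(2))                       # name-type NT-SRV-INST
                    + ctx(1, tlv(0x30, b"".join(gstring(p) for p in sname))))
    body = (ctx(0, der_int(5))                                     # pvno
            + ctx(1, der_int(KRB_ERROR))                           # msg-type
            + ctx(4, tlv(0x18, stime.encode("ascii")))             # stime, GeneralizedTime
            + ctx(5, der_int(susec))
            + ctx(6, der_int(error_code))
            + ctx(9, gstring(realm))
            + ctx(10, principal))
    return app(KRB_ERROR, tlv(0x30, body))


def kdcrep_tag_check(msg, req_type):
    """Same comparison as KDCRep.init(): low five bits of the outer tag
    against the expected message type. Returns (ok, debug_line)."""
    tag = msg[0]
    if (tag & 0x1F) == req_type:
        return True, None
    return False, ">>> KDCRep: init() encoding tag is %d req type is %d" % (tag, req_type)


def principal_name(seq):
    """PrincipalName SEQUENCE contents -> 'component/component'."""
    parts, pos = [], 0
    while pos < len(seq):
        t, inner, pos = read_tlv(seq, pos)
        if (t & 0x1F) == 1:                        # [1] name-string
            _, names, _ = read_tlv(inner, 0)
            p = 0
            while p < len(names):
                _, s, p = read_tlv(names, p)
                parts.append(s.decode("ascii"))
    return "/".join(parts)


def parse_krb_error(msg):
    tag, body, _ = read_tlv(msg, 0)
    if (tag & 0x1F) != KRB_ERROR:
        raise ValueError("outer tag %d is %s, not KRB-ERROR"
                         % (tag, KRB_MSG_TYPES.get(tag & 0x1F, "unknown")))
    _, seq, _ = read_tlv(body, 0)                  # the inner SEQUENCE
    out, pos = {}, 0
    while pos < len(seq):
        t, wrapper, pos = read_tlv(seq, pos)       # [n] EXPLICIT wrapper
        _, val, _ = read_tlv(wrapper, 0)           # the wrapped value
        n = t & 0x1F
        if n in (0, 1, 5, 6):
            val = int.from_bytes(val, "big", signed=True)
        elif n in (4, 9):
            val = val.decode("ascii")
        elif n == 10:
            val = principal_name(val)
        else:
            continue                               # fields this example ignores
        out[FIELD_NAMES[n]] = val
    return out


def explain_reply(msg, req_type=AS_REP):
    """What one KDC reply means in terms of the JDK debug output."""
    ok, line = kdcrep_tag_check(msg, req_type)
    kind = KRB_MSG_TYPES.get(msg[0] & 0x1F, "unknown")
    if ok:
        return {"kind": kind, "ok": True}
    info = {"kind": kind, "ok": False, "debug_line": line}
    if kind == "KRB-ERROR":
        info.update(parse_krb_error(msg))
    return info


if __name__ == "__main__":
    reply = build_krb_error(KDC_ERR_PREAUTH_REQUIRED, "DEV", ["krbtgt", "DEV"])
    print(explain_reply(reply))
```

Run as-is it reports kind KRB-ERROR, the exact debug line from the log, error_code 25, realm DEV and sname krbtgt/DEV for the constructed reply; feed it an APPLICATION 11 message instead and the tag check passes. The point for debugging is that this line on its own is not a fault: it is how the JDK discovers that the AS-REP it asked for came back as a KRB-ERROR, and the interesting part is the error code that follows it.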
________________________________________
From: james.henderson [[email protected]]
Sent: Monday, June 10, 2013 5:35 PM
To: [email protected]
Subject: RE: Tomcat7 and SPNEGO configuration questions
I am in a similar situation to Edward.
My authentication says something like:
principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=166
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=152
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
suSec is 764076
error code is 25
error Message is Additional pre-authentication required
realm is DEV
sname is krbtgt/DEV
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3, #bytes=249
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>> KrbKdcReq send: #bytes read=1384
>>> KrbKdcReq send: #bytes read=1384
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
[Krb5LoginModule] added Krb5Principal HTTP/server.dev@DEV to Subject
Commit Succeeded
Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
But the page always returns 401 if I try to use it:
10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello HTTP/1.1" 401 951
We have another page that uses spring SPNEGO and it works fine with exactly
the same user.
My security constraint/login config looks like this:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
        <url-pattern>/hello</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>
I would like some idea how to:
a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my
webapp. Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11
error.
Thanks,
James Henderson
--
View this message in context:
http://tomcat.10.x6.nabble.com/Tomcat7-and-SPNEGO-configuration-questions-tp4999666p4999977.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]