Hi,

I'm running Tomcat 7.0.32 on jdk1.6.0_06 and am having problems with client browser (IE8) SPNEGO authentication. I referred to this page when checking the browser configuration, which runs on Windows XP.

http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html

With debug switched on in com.sun.security.auth.module.Krb5LoginModule I see this:

25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Security checking request GET /myapp/
25-Sep-2013 14:53:44 org.apache.catalina.realm.RealmBase findSecurityConstraints
FINE: Checking constraint 'SecurityConstraint[BasicAuthSimpleTestServlet, MY Application]' against GET / --> true
25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling hasUserDataPermission()
25-Sep-2013 14:53:44 org.apache.catalina.realm.RealmBase hasUserDataPermission
FINE: User data constraint has no restrictions
25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Calling authenticate()
25-Sep-2013 14:53:44 org.apache.catalina.authenticator.SpnegoAuthenticator authenticate
FINE: No authorization header sent by client
25-Sep-2013 14:53:44 org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Failed authenticate() test

Here is the sequence of HTTP exchanges giving the above:

GET /myapp/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: sold6:8030
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 GMT
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 951
Date: Wed, 25 Sep 2013 11:26:31 GMT

<html><head><title>Apache Tomcat/7.0.32 ....

GET /myapp/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB7.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: sold6:8030
Connection: Keep-Alive
Authorization: Negotiate YIJJiQ...[lots of data]...

HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Wed, 25 Sep 2013 11:26:33 GMT
Connection: close

It looks like SpnegoAuthenticator is rejecting the request because the "authorization" header is malformed or missing in the repeated GET, although it does appear to be provided by the client browser. The same error also occurs with the Firefox v23.0.1 browser.

Any suggestions or guidance will be gratefully received.

Kind regards,
Geoff
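
Added example, not part of the original message or of Tomcat: a Python check that decodes the leading bytes of an `Authorization: Negotiate` value, such as the truncated `YIJJiQ...` token in the exchange above, to tell a GSS-API wrapped token from a raw NTLM message and to read the token's declared DER length. The function name and the 8192-byte comparison value (Tomcat's documented default for the connector's maxHttpHeaderSize) are assumptions, not settings taken from the post.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"
HEADER_PREFIX = "Authorization: Negotiate "
# Assumption: 8192 bytes, Tomcat's documented default for maxHttpHeaderSize.
ASSUMED_HEADER_LIMIT = 8192


def inspect_negotiate(value, limit=ASSUMED_HEADER_LIMIT):
    """Classify a Negotiate token from its leading bytes (a truncated copy is enough)."""
    scheme, _, b64 = value.strip().partition(" ")
    b64 = b64.strip()
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("expected 'Negotiate <base64 token>'")
    if len(b64) % 4 == 1:               # a lone trailing character carries no full byte
        b64 = b64[:-1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))

    info = {"kind": "unknown", "token_bytes": None,
            "header_chars": None, "over_limit": None}
    if raw.startswith(NTLMSSP):         # raw NTLM message, not wrapped in SPNEGO
        info["kind"] = "ntlm"
        return info
    if len(raw) < 2 or raw[0] != 0x60:  # 0x60 = GSS-API InitialContextToken tag
        return info
    info["kind"] = "gss-initial"

    # DER length: short form (< 0x80) or long form (0x80 | number of length bytes).
    if raw[1] < 0x80:
        header_len, body_len = 2, raw[1]
    else:
        n = raw[1] & 0x7F
        if n == 0 or len(raw) < 2 + n:  # indefinite form, or prefix too short to tell
            return info
        header_len, body_len = 2 + n, int.from_bytes(raw[2:2 + n], "big")

    token_bytes = header_len + body_len
    b64_chars = 4 * ((token_bytes + 2) // 3)   # size of the complete base64 token
    header_chars = len(HEADER_PREFIX) + b64_chars
    info.update(token_bytes=token_bytes, header_chars=header_chars,
                over_limit=header_chars > limit)
    return info


if __name__ == "__main__":
    # Constructed input: only the six-character prefix quoted in the message.
    print(inspect_negotiate("Negotiate YIJJiQ"))
```

Run on the six-character prefix quoted in the message, it reports a GSS-API initial token declaring 18829 bytes, which is about 25 KB once base64-encoded into the header line.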