  1. WildFly Elytron
  2. ELY-1181

Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true

Details

    Description

      On IBM Java, when obtain-kerberos-ticket is set to true, the user always gets

      javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible
      

      According to the IBM documentation [1], credsType=initiator and useKeytab are really incompatible.

      This constraint can't be avoided once obtain-kerberos-ticket = true, because the keytab path is required in the model.

      "path" => {
          "type" => STRING,
          "description" => "The path of the KeyTab to load to obtain the credential.",
          "attribute-group" => "file",
          "expressions-allowed" => true,
          "required" => true,
          "nillable" => false,
          "min-length" => 1L,
          "max-length" => 2147483647L,
          "access-type" => "read-write",
          "storage" => "configuration",
          "restart-required" => "resource-services"
      },
      

      And the keytab is always set in the Kerberos login module options:

      GSSCredentialSecurityFactory.java
                  if (IS_IBM) {
                      options.put("noAddress", "true");
                      options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
                      options.put("useKeytab", keyTab.toURI().toURL().toString());
                  }
      

      [1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jgssDocs/jaas_login_user.html

      I am not setting this to blocker only because I am not sure about the importance of obtain-kerberos-ticket. See my question JBEAP-9292.
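
      Added example, not part of the original report or of Elytron's code: a stand-alone check that rebuilds the IBM option map from the snippet above for every isServer / obtain-kerberos-ticket combination and flags the ones that pair credsType=initiator with useKeytab, the combination the report says IBM's login module rejects. The class name, method names and keytab URL are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class IbmKrb5OptionCheck {

    // Mirrors the IS_IBM branch quoted in the issue.
    // The keytab URL is a constructed sample value, not a real path.
    static Map<String, String> ibmOptions(boolean isServer, boolean obtainKerberosTicket) {
        Map<String, String> options = new LinkedHashMap<>();
        options.put("noAddress", "true");
        options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
        options.put("useKeytab", "file:/opt/sample/http.keytab");
        return options;
    }

    // Rule as stated in the issue (assumed here, not verified against an IBM JDK):
    // credsType=initiator cannot be combined with useKeytab.
    static boolean conflicts(Map<String, String> options) {
        return "initiator".equals(options.get("credsType"))
                && options.containsKey("useKeytab");
    }

    public static void main(String[] args) {
        boolean[] flags = {false, true};
        for (boolean isServer : flags) {
            for (boolean obtain : flags) {
                Map<String, String> o = ibmOptions(isServer, obtain);
                System.out.printf(
                        "isServer=%-5b obtainKerberosTicket=%-5b credsType=%-9s %s%n",
                        isServer, obtain, o.get("credsType"),
                        conflicts(o) ? "CONFLICT (initiator + useKeytab)" : "ok");
            }
        }
    }
}
```

      Because useKeytab is set unconditionally, the only combination the check reports as "ok" is isServer=true with obtain-kerberos-ticket=false, where credsType becomes acceptor.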

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma