Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1181

Elytron, Unable to authenticate with SPNEGO on IBM java if obtain-kerberos-ticket = true

XMLWordPrintable

      On IBM java when obtain-kerberos-ticket is set to true user always get

      javax.security.auth.login.LoginException: Bad JAAS configuration: credsType and keytab values are not compatible

      According to ibm documentation [1] credsType=initiator and useKeytab are really incompatible.

      This constraint can't be avoided once obtain-kerberos-ticket = true, because keytab path is required in model. 

             "path" => {
	    "type" => STRING,
	    "description" => "The path of the KeyTab to load to obtain the credential.",
	    "attribute-group" => "file",
	    "expressions-allowed" => true,
	    "required" => true,
	    "nillable" => false,
	    "min-length" => 1L,
	    "max-length" => 2147483647L,
	    "access-type" => "read-write",
	    "storage" => "configuration",
	    "restart-required" => "resource-services"
	},

      And keytab is always set into Kerberos login module options

      GSSCredentialSecurityFactory.java
                  if (IS_IBM) {
                options.put("noAddress", "true");
                options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "initiator");
                options.put("useKeytab", keyTab.toURI().toURL().toString());
            }

      [1] https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jgssDocs/jaas_login_user.html

      I am not setting to blocker just because I am not sure about importance of obtain-kerberos-ticket. See my question JBEAP-9292.

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: