Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1280

GSSAPI only identities credential if we actually have one.

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 1.1.0.CR3
    • None
    • None
    • None
    • Hide
      Show
      Follow steps in https://access.qa.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.beta/html-single/how_to_set_up_sso_with_kerberos/#configure-krb-management-interfaces Or run test from internal TS git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-ldap-kerberos.git cd tests-ldap-kerberos ./build-eap71.sh -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.0.Beta28-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.ER2/jboss-eap-7.1.0.ER2.2.zip -Dmaven.test.failure.ignore= true -Dtest=KerberosCLITestCase#testValidKerberosTicketRemoteHttpProtocol -DtestLogToFile= false

    Description

      In ER2 kerberos authentication in remoting does not work with IBM java. I see same error in 2 scenarios:

      • Elytron kerberos authentication for management interface - CLI
      • Elytron kerberos authenticaiton for EJB

      This issue (reproducer/description)is based on CLI case. As it seems to me it is caused by same error.

      13:15:25,038 INFO  [org.jboss.eapqe.krbldap.utils.CustomCLIExecutor] (main) Command:[/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.sh, -Djboss.cli.config=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/../tests/target/dist/jboss-eap/bin/jboss-cli.xml, -c, --controller=remote+http://localhost.localdomain:9990, --timeout=60000, -Djavax.security.auth.useSubjectCredsOnly=false, -Djava.security.krb5.conf=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-4030706113084817464.conf, -Dsun.security.krb5.debug=true, -Dcom.ibm.security.jgss.debug=all, -Dcom.ibm.security.krb5.Krb5Debug=all, -Djavax.net.ssl.trustStore=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/KerberosCLITestCase/localhost.keystore, :whoami]
13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Initialized connection from /127.0.0.1:41690 to /127.0.0.1:9990 with options {org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote}
13:15:26,352 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Accepted connection from /127.0.0.1:41690 to localhost.localdomain/127.0.0.1:9990
13:15:26,353 TRACE [org.jboss.remoting.remote] (management I/O-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@6a1d77d9
13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 28 bytes
13:15:26,353 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 56 bytes
13:15:26,375 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
13:15:26,375 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=52 cap=8192]
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capabilities request
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: version 1
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote endpoint name "cli-client"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: message close protocol supported
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote version is "5.0.0.CR4-redhat-1"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote channels in is "40"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: remote channels out is "40"
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received capability: authentication service
13:15:26,376 TRACE [org.jboss.remoting.remote.server] (management I/O-1) No EXTERNAL mechanism due to lack of SSL
13:15:26,380 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism GSSAPI
13:15:26,381 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Added mechanism PLAIN
13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 81 bytes
13:15:26,381 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 583 bytes
13:15:27,194 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=579 cap=8192]
13:15:27,194 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received authentication request
13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
13:15:27,194 TRACE [org.wildfly.security] (management I/O-1) Handling MechanismInformationCallback type='SASL' name='GSSAPI' host-name='localhost.localdomain' protocol='remote'
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) configuredMaxReceiveBuffer=16777215
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) relaxComplianceChecks=false
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) QOP={AUTH}
13:15:27,197 TRACE [org.wildfly.security.sasl.gssapi.server] (management I/O-1) Obtaining GSSCredential for the service from callback handler...
13:15:27,197 TRACE [org.wildfly.security] (management I/O-1) No valid cached credential, obtaining new one...
13:15:27,198 TRACE [org.wildfly.security] (management I/O-1) Logging in using LoginContext and subject [Subject:
]
13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: debug=true
13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: principal=remote/localhost.localdomain@JBOSS.ORG
13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: credsType=accept only
13:15:27,218 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useDefaultCcache=false (default)
13:15:27,219 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useCcache=null
13:15:27,219 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useDefaultKeytab=false
13:15:27,220 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 config: useKeytab=/home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab
13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: forwardable=false (default)
13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: renewable=false (default)
13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: proxiable=false (default)
13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: tryFirstPass=false (default)
13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: useFirstPass=false (default)
13:15:27,224 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: moduleBanner=false (default)
13:15:27,225 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 JAAS config: interactive login? no
13:15:27,225 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 Try keytab for principal=remote/localhost.localdomain@JBOSS.ORG
13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 No Kerberos creds in keytab for principal remote/localhost.localdomain@JBOSS.ORG
13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 Login successful
13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 kprincipal : remote/localhost.localdomain@JBOSS.ORG
13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 remote/localhost.localdomain@JBOSS.ORG added to Subject
13:15:27,327 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 KeyTab added to Subject
13:15:27,328 INFO  [stdout] (management I/O-1) [JGSS_DBG_CRED]  management I/O-1 No keys to add to Subject for remote/localhost.localdomain@JBOSS.ORG
13:15:27,328 TRACE [org.wildfly.security] (management I/O-1) Logging in using LoginContext and subject [Subject:
	Principal: remote/localhost.localdomain@JBOSS.ORG
	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4304838673032362747.keytab for remote/localhost.localdomain@JBOSS.ORG
] succeed
13:15:27,329 TRACE [org.wildfly.security] (management I/O-1) Creating GSSName for Principal 'remote/localhost.localdomain@JBOSS.ORG'
13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@b7cba9ed]
13:15:27,337 TRACE [org.wildfly.security] (management I/O-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer for mechanism GSSAPI and protocol remote
13:15:27,339 TRACE [org.wildfly.security] (management I/O-1) Created SaslServer [org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1@7e6923d] for mechanism [GSSAPI]
13:15:27,339 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Negotiated mechanism 1.2.840.113554.1.2.2
13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) No response so triggering next state immediately.
13:15:27,599 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Not offering a security layer so zero length.
13:15:27,601 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-6) Transitioning to receive chosen security layer from client
13:15:27,601 TRACE [org.jboss.remoting.remote.server] (management task-6) Server sending authentication challenge
13:15:27,601 TRACE [org.jboss.remoting.remote] (management task-6) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Authentication@aa1379f
13:15:27,601 TRACE [org.jboss.remoting.endpoint] (management task-6) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 37 bytes
13:15:27,601 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Allocated fresh buffers
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received 37 bytes
13:15:27,608 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=33 cap=8192]
13:15:27,608 TRACE [org.jboss.remoting.remote.server] (management I/O-1) Server received authentication response
13:15:27,608 TRACE [org.jboss.remoting.endpoint] (management I/O-1) Allocated tick to 9 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,609 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Client selected security layer AUTH, with maxBuffer of 0
13:15:27,610 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) Authentication ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG,  Authorization ID=jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG
13:15:27,610 TRACE [org.wildfly.security] (management task-7) Principal assigning: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG], pre-realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm name: [fileSystemRealm], post-realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c], realm rewritten: [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c]
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Role mapping: principal [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing principal jdukec4c36a8b-173f-41e7-af5b-7492f91a404c.
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorizing against the following attributes: [] => []
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Permission mapping: identity [jdukec4c36a8b-173f-41e7-af5b-7492f91a404c] with roles [] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Authorization succeed
13:15:27,611 TRACE [org.wildfly.security] (management task-7) RunAs authorization succeed - the same identity
13:15:27,611 TRACE [org.wildfly.security] (management task-7) Handling AuthorizeCallback: authenticationID = jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG  authorizationID = jdukec4c36a8b-173f-41e7-af5b-7492f91a404c@JBOSS.ORG  authorized = true
13:15:27,613 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: java.lang.IllegalArgumentException: Parameter 'gssCredential' may not be null
	at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:70)
	at org.wildfly.common.Assert.checkNotNullParam(Assert.java:48)
	at org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:53)
	at org.wildfly.security.credential.GSSKerberosCredential.<init>(GSSKerberosCredential.java:43)
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateMessage(GssapiServer.java:284)
	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
	at org.wildfly.security.sasl.gssapi.GssapiServer.evaluateResponse(GssapiServer.java:122)
	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:468)
	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
	at org.jboss.remoting3.EndpointImpl$TrackingExecutor$$Lambda$905.00000000201F9C40.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1153)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.lang.Thread.run(Thread.java:785)

13:15:27,614 TRACE [org.wildfly.security.sasl.gssapi.server] (management task-7) dispose
13:15:27,614 TRACE [org.wildfly.security] (management task-7) Handling AuthenticationCompleteCallback: fail
13:15:27,614 TRACE [org.jboss.remoting.remote] (management task-7) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@18fce815
13:15:27,614 TRACE [org.jboss.remoting.endpoint] (management task-7) Resource closed count 00000008 of endpoint "localhost:MANAGEMENT" <43fd3bb3> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@48dbe42)
13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Sent 5 bytes
13:15:27,614 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Flushed channel
13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) No buffers in queue for message header
13:15:27,615 TRACE [org.jboss.remoting.remote.connection] (management I/O-1) Alloca

      Test pass just fine on Oracle/OpenJDK JDK

      In stacktrace there is involved code introduced by https://github.com/wildfly-security/wildfly-elytron/commit/faf1aff340c3a2d88dc6aa1fb39a9991e9ff3057 .

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-12049 Regression against ER1, kerberos for remoting does not work with IBM java

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Verified

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: