Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1541

local-kerberos CredentialSource does not work with IBM java

    XMLWordPrintable

Details

    • Bug
    • Resolution: Not a Bug
    • Major
    • None
    • 1.2.3.Final
    • Credentials
    • Hide

      Configure kerberos authentication by https://hkalina.github.io/2018/01/02/kerberos/ and try to login into CLI - works for Oracle JDK but fails for IBM JDK:

      JAVA_HOME=/opt/ibm-java-x86_64-80 bin/jboss-cli.sh -c -Dwildfly.config.url=../kerberos-using-apacheds/wildfly-config.xml --no-local-auth -Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.krb5.conf=.../kerberos-using-apacheds/krb5.conf :whoami
      Show
      Configure kerberos authentication by https://hkalina.github.io/2018/01/02/kerberos/ and try to login into CLI - works for Oracle JDK but fails for IBM JDK: JAVA_HOME=/opt/ibm-java-x86_64-80 bin/jboss-cli.sh -c -Dwildfly.config.url=../kerberos-using-apacheds/wildfly-config.xml --no-local-auth -Djavax.security.auth.useSubjectCredsOnly= false -Djava.security.krb5.conf=.../kerberos-using-apacheds/krb5.conf :whoami

    Description

      When trying to connect as with Oracle JDK, following error occure:

      Failed to connect to the controller: Unable to authenticate against controller at localhost:9990: ELY05053: Callback handler failed for unknown reason: java.lang.reflect.UndeclaredThrowableException: org.ietf.jgss.GSSException, major code: 11, minor code: 0
	major string: General failure, unspecified at GSSAPI level
	minor string: Cannot get credential for principal default principal

      This is probably related to missing useDefaultCcache JAAS config (false by default):
      https://www.ibm.com/support/knowledgecenter/en/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jgssDocs/jaas_login_user.html

      Attachments

        Issue Links

          is related to

          Task - Represents a small unit of work that is not end-user facing. ELY-1565 local-kerberos can be removed/deprecated from authentication client

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              jkalina@redhat.com Jan Kalina (Inactive)
              jkalina@redhat.com Jan Kalina (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: