
Unable to authenticate with Subject.doAs to EJB secured by Elytron


Details

    • Documentation (Ref Guide, User Guide, etc.)

      The reproducer is basically a description of the test https://gitlab.mw.lab.eng.bos.redhat.com/jbossqe-eap/tests-ldap-kerberos/blob/7.x/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/KerberosEjbTestCase.java

      1. Client configuration

              Properties props = new Properties();
              props.put("org.jboss.ejb.client.scoped.context", true);
              props.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
              props.put(Context.PROVIDER_URL, "http-remoting://"+hostname+":8080");
              if (timeout != null) {
                  props.put("remote.connection.main.connect.timeout", timeout);
              }
              props.put("remote.connection.main.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
              //props.put("remote.connection.main.connect.options.org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL", "remote");
              props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
              return props;
      

      2. Server configuration

      /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
      /subsystem=logging/logger=org.jboss.security:add(level=ALL)
      /subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
      /subsystem=logging/logger=org.picketbox:add(level=ALL)
      /subsystem=logging/logger=org.apache.catalina.authenticator:add(level=ALL)
      /subsystem=logging/logger=org.jboss.as.web.security:add(level=ALL)
      /subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
      /subsystem=logging/logger=org.wildfly.security:add(level=ALL)
      /subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)
      /subsystem=logging/logger=org.jboss.sasl:add(level=ALL)
      /subsystem=logging/logger=org.jboss.as.ejb3:add(level=ALL)
      /subsystem=logging/logger=org.jboss.as.remoting:add(level=ALL)
      /subsystem=logging/logger=org.jboss.remoting3:add(level=ALL)
      /subsystem=logging/logger=org.jboss.remoting:add(level=ALL)
      /subsystem=logging/logger=org.jboss.naming.remote:add(level=ALL)
      
      /subsystem=elytron/filesystem-realm=fileSystemRealm/identity=hnelson:add()
      /subsystem=elytron/filesystem-realm=fileSystemRealm/identity=hnelson:add-attribute(name=Roles, value=["Users"])
      /subsystem=elytron/filesystem-realm=fileSystemRealm/identity=admin:add()
      /subsystem=elytron/filesystem-realm=fileSystemRealm/identity=admin:set-password(clear={password="admin"})
      
      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=GSSAPI})
      /subsystem=elytron/configurable-sasl-server-factory=configured:list-add(name=filters, value={pattern-filter=PLAIN})
      /system-property=sun.security.krb5.debug:add(value=true)
      /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory,value=SaslAuthenticationFactory)
      /subsystem=ejb3/application-security-domain=securityDomain:add(security-domain=securityDomain)
      

      3. TODO
      ...


    Description

      The problem seems to be that the test uses Subject.doAs, and the Kerberos ticket passed on to the client in this way is not picked up correctly.

                  final String krbHello = Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<String>() {
                      @Override
                      public String run() throws Exception {
                          final SimpleBeanRemote krbBean = (SimpleBeanRemote) krbCtx.lookup(finalBeanLookupName);
                          return krbBean.hello();
                      }
                  });
      

      Hipchat discussion:

      • Although relying on Subject could be problematic, note likely to be compatible with the AuthenticationConfiguration matching for connection sharing
      • Remoting has dropped caching the AccessControlContext and using it for creating SASL mechanisms, can you post the full client side of the call on one of the Jiras and we can have a look at what options there are.
      Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is true principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      Refreshing Kerberos configuration
      Java config name: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb5-6864003339300337062.conf
      Loaded from Java config
      >>> KdcAccessibility: reset
      		[Krb5LoginModule] user entered username: hnelsonc6fd1923-0c94-41d6-85ee-a6c3a7ac1367@JBOSS.ORG
      
      default etypes for default_tkt_enctypes: 17.
      >>> KrbAsReq creating message
      >>> KrbKdcReq send: kdc=localhost.localdomain UDP:11088, timeout=5000, number of retries =3, #bytes=168
      >>> KDCCommunication: kdc=localhost.localdomain UDP:11088, timeout=5000,Attempt =1, #bytes=168
      14:32:46,629 DEBUG [org.apache.mina.filter.codec.ProtocolCodecFilter] (NioDatagramAcceptor-3) Processing a MESSAGE_RECEIVED for session 17
      >>> KrbKdcReq send: #bytes read=610
      >>> KdcAccessibility: remove localhost.localdomain:11088
      >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      >>> KrbAsRep cons in KrbAsReq.getReply hnelsonc6fd1923-0c94-41d6-85ee-a6c3a7ac1367
      principal is hnelsonc6fd1923-0c94-41d6-85ee-a6c3a7ac1367@JBOSS.ORG
      Commit Succeeded 
      
      14:32:49,117 TRACE [org.wildfly.security] (main) getAuthenticationConfiguration uri=http-remoting://localhost.localdomain:8080, protocolDefaultPort=-1, abstractType=jndi, abstractTypeAuthority=jboss, purpose=operate, MatchRule=[], AuthenticationConfiguration=[AuthenticationConfiguration:principal=anonymous,set-host=localhost.localdomain,set-port=8080,providers-supplier=org.wildfly.security.auth.client.ElytronXmlParser$DeferredSupplier@420745d7,sasl-mechanism-selector=(true),mechanism-properties={wildfly.sasl.local-user.quiet-auth=true}]
      14:32:49,729 TRACE [org.jboss.remoting.endpoint] (main) Allocated tick to 8 of endpoint (anonymous) <91a1005> (opened Connection to http-remoting://localhost.localdomain:8080)
      14:32:49,731 TRACE [org.jboss.remoting.remote] (main) Attempting to connect to "http-remoting://localhost.localdomain:8080" with options {}
      14:32:49,732 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,732 TRACE [org.xnio.nio] (XNIO-1 I/O-1) Running task org.xnio.nio.WorkerThread$SynchTask@4e869bb0
      14:32:49,732 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,732 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,732 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,732 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,732 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected key sun.nio.ch.SelectionKeyImpl@594c66c3 for java.nio.channels.SocketChannel[connection-pending local=/0.0.0.0:41374 remote=localhost.localdomain/127.0.0.1:8080]
      14:32:49,732 TRACE [org.xnio.nio] (XNIO-1 I/O-1) Running task org.xnio.AbstractIoFuture$NotifierRunnable@3bab6053
      14:32:49,733 TRACE [org.jboss.remoting.endpoint] (XNIO-1 I/O-1) Allocated tick to 9 of endpoint (anonymous) <91a1005> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@63ea6f43)
      14:32:49,733 TRACE [org.jboss.remoting.endpoint] (XNIO-1 task-10) Resource closed count 00000008 of endpoint (anonymous) <91a1005> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@63ea6f43)
      14:32:49,734 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,734 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,734 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected key sun.nio.ch.SelectionKeyImpl@594c66c3 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:41374 remote=localhost.localdomain/127.0.0.1:8080]
      14:32:49,734 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.xnio.http.HttpUpgrade$HttpUpgradeState$UpgradeResultListener@3ffe7feb on channel org.xnio.conduits.ConduitStreamSourceChannel@45df28bf
      14:32:49,734 TRACE [org.jboss.remoting.endpoint] (XNIO-1 I/O-1) Allocated tick to 9 of endpoint (anonymous) <91a1005> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@4665b8f5)
      14:32:49,734 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.HttpUpgradeConnectionProvider$UpgradeListener$$Lambda$160/1377571612@251661af on channel org.xnio.ssl.JsseSslStreamConnection@15b69239
      14:32:49,734 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.RemoteConnectionProvider$3@59fba643 on channel org.xnio.ssl.JsseSslStreamConnection@15b69239
      14:32:49,734 TRACE [org.jboss.remoting.endpoint] (XNIO-1 task-11) Resource closed count 00000008 of endpoint (anonymous) <91a1005> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@4665b8f5)
      14:32:49,734 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Initialized connection from localhost.localdomain/127.0.0.1:8080 to /127.0.0.1:41374 with options {}
      14:32:49,734 TRACE [org.jboss.remoting.remote] (XNIO-1 I/O-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting@655df713
      14:32:49,734 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,735 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,735 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected key sun.nio.ch.SelectionKeyImpl@594c66c3 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:41374 remote=localhost.localdomain/127.0.0.1:8080]
      14:32:49,734 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Initialized connection from /127.0.0.1:41374 to /127.0.0.1:8080 with options {org.jboss.remoting3.RemotingOptions.SASL_PROTOCOL=>remote,org.xnio.Options.REUSE_ADDRESSES=>true,org.xnio.Options.TCP_NODELAY=>true}
      14:32:49,735 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting@655df713 on channel org.xnio.conduits.ConduitStreamSourceChannel@45df28bf
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Accepted connection from /127.0.0.1:41374 to localhost.localdomain/127.0.0.1:8080
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) No buffers in queue for message header
      14:32:49,735 TRACE [org.jboss.remoting.remote] (default I/O-7) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@2798d8c7
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Sent 28 bytes
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Flushed channel
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Allocated fresh buffers
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Received 28 bytes
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=24 cap=8192]
      14:32:49,735 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Received java.nio.HeapByteBuffer[pos=0 lim=24 cap=8192]
      14:32:49,735 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received greeting
      14:32:49,735 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received server name: localhost.localdomain
      14:32:49,735 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client sending capabilities request
      14:32:49,735 TRACE [org.jboss.remoting.remote] (XNIO-1 I/O-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities@7350e90e
      14:32:49,735 TRACE [org.xnio.nio] (XNIO-1 I/O-1) Running task org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener$$Lambda$78/1469644111@52568a07
      14:32:49,735 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,735 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,735 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected key sun.nio.ch.SelectionKeyImpl@594c66c3 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:41374 remote=localhost.localdomain/127.0.0.1:8080]
      14:32:49,735 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener@569be7b0 on channel org.xnio.conduits.ConduitStreamSinkChannel@5c74771f
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Sent 47 bytes
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Flushed channel
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) No buffers in queue for message header
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Allocated fresh buffers
      14:32:49,735 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Received 47 bytes
      14:32:49,735 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Received message java.nio.HeapByteBuffer[pos=0 lim=43 cap=8192]
      14:32:49,735 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Received java.nio.HeapByteBuffer[pos=0 lim=43 cap=8192]
      14:32:49,735 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capabilities request
      14:32:49,735 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: version 1
      14:32:49,735 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: message close protocol supported
      14:32:49,735 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: remote version is "5.0.0.Beta22-redhat-1"
      14:32:49,736 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: remote channels in is "40"
      14:32:49,736 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: remote channels out is "40"
      14:32:49,736 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: authentication service
      14:32:49,736 TRACE [org.jboss.remoting.remote.server] (default I/O-7) No EXTERNAL mechanism due to lack of SSL
      14:32:49,736 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Added mechanism GSSAPI
      14:32:49,736 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Added mechanism PLAIN
      14:32:49,736 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,736 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected key sun.nio.ch.SelectionKeyImpl@594c66c3 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:41374 remote=localhost.localdomain/127.0.0.1:8080]
      14:32:49,736 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities@7350e90e on channel org.xnio.conduits.ConduitStreamSourceChannel@45df28bf
      14:32:49,736 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) No buffers in queue for message header
      14:32:49,736 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Sent 73 bytes
      14:32:49,736 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Allocated fresh buffers
      14:32:49,736 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Flushed channel
      14:32:49,736 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Received 73 bytes
      14:32:49,736 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=69 cap=8192]
      14:32:49,736 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capabilities response
      14:32:49,736 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: version 1
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote endpoint name "localhost"
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: SASL mechanism GSSAPI
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) SASL mechanism GSSAPI added to allowed set
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: SASL mechanism PLAIN
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) SASL mechanism PLAIN added to allowed set
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: message close protocol supported
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote version is "5.0.0.Beta22-redhat-1"
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote channels in is "40"
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote channels out is "40"
      14:32:49,737 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: authentication service
      14:32:49,738 TRACE [org.wildfly.security.sasl.gssapi.client] (XNIO-1 I/O-1) configuredMaxReceiveBuffer=16777215
      14:32:49,738 TRACE [org.wildfly.security.sasl.gssapi.client] (XNIO-1 I/O-1) relaxComplianceChecks=false
      14:32:49,738 TRACE [org.wildfly.security.sasl.gssapi.client] (XNIO-1 I/O-1) QOP={AUTH}
      14:32:49,738 TRACE [org.wildfly.security.sasl.gssapi.client] (XNIO-1 I/O-1) Acceptor Name 'remote@localhost.localdomain'
      14:32:49,739 TRACE [org.wildfly.security.sasl.gssapi.client] (XNIO-1 I/O-1) Delegating credential = false
      14:32:49,739 TRACE [org.wildfly.security.sasl.gssapi.client] (XNIO-1 I/O-1) Setting requering mutual authentication to false
      14:32:49,739 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client initiating authentication using mechanism GSSAPI
      14:32:49,739 TRACE [org.jboss.remoting.endpoint] (XNIO-1 I/O-1) Allocated tick to 9 of endpoint (anonymous) <91a1005> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@4665b8f5)
      14:32:49,739 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,739 TRACE [org.jboss.remoting.remote.client] (XNIO-1 task-12) Client authentication failed: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      14:32:49,739 TRACE [org.wildfly.security.sasl.gssapi.client] (XNIO-1 task-12) dispose
      14:32:49,739 TRACE [org.jboss.remoting.remote.client] (XNIO-1 task-12) Client sending capabilities request
      14:32:49,739 TRACE [org.jboss.remoting.remote] (XNIO-1 task-12) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities@61e3649a
      14:32:49,740 TRACE [org.jboss.remoting.endpoint] (XNIO-1 task-12) Resource closed count 00000008 of endpoint (anonymous) <91a1005> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@4665b8f5)
      14:32:49,740 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,740 TRACE [org.xnio.nio] (XNIO-1 I/O-1) Running task org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener$$Lambda$78/1469644111@2818ed06
      14:32:49,740 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,740 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,740 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected key sun.nio.ch.SelectionKeyImpl@594c66c3 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:41374 remote=localhost.localdomain/127.0.0.1:8080]
      14:32:49,740 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.RemoteConnection$RemoteWriteListener@569be7b0 on channel org.xnio.conduits.ConduitStreamSinkChannel@5c74771f
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Sent 47 bytes
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Flushed channel
      14:32:49,740 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) No buffers in queue for message header
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Allocated fresh buffers
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Received 47 bytes
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Received message java.nio.HeapByteBuffer[pos=0 lim=43 cap=8192]
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Received java.nio.HeapByteBuffer[pos=0 lim=43 cap=8192]
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capabilities request
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: version 1
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: message close protocol supported
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: remote version is "5.0.0.Beta22-redhat-1"
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: remote channels in is "40"
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: remote channels out is "40"
      14:32:49,740 TRACE [org.jboss.remoting.remote.server] (default I/O-7) Server received capability: authentication service
      14:32:49,740 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Sent 73 bytes
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Flushed channel
      14:32:49,740 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Selected key sun.nio.ch.SelectionKeyImpl@594c66c3 for java.nio.channels.SocketChannel[connected local=/127.0.0.1:41374 remote=localhost.localdomain/127.0.0.1:8080]
      14:32:49,740 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities@61e3649a on channel org.xnio.conduits.ConduitStreamSourceChannel@45df28bf
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) No buffers in queue for message header
      14:32:49,740 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Allocated fresh buffers
      14:32:49,741 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Received 73 bytes
      14:32:49,741 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Received message java.nio.HeapByteBuffer[pos=0 lim=69 cap=8192]
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capabilities response
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: version 1
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote endpoint name "localhost"
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: SASL mechanism GSSAPI
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: SASL mechanism PLAIN
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) SASL mechanism PLAIN added to allowed set
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: message close protocol supported
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote version is "5.0.0.Beta22-redhat-1"
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote channels in is "40"
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: remote channels out is "40"
      14:32:49,741 TRACE [org.jboss.remoting.remote.client] (XNIO-1 I/O-1) Client received capability: authentication service
      14:32:49,741 TRACE [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) Connection error detail: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
         GSSAPI: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:113)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:440)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:246)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      	Suppressed: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      		at org.wildfly.security.sasl.gssapi.GssapiClient.evaluateMessage(GssapiClient.java:223)
      		at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      		at org.wildfly.security.sasl.gssapi.GssapiClient.evaluateChallenge(GssapiClient.java:197)
      		at org.wildfly.security.manager.WildFlySecurityManager$5.run(WildFlySecurityManager.java:1466)
      		at java.security.AccessController.doPrivileged(Native Method)
      		at org.wildfly.security.manager.WildFlySecurityManager.doPrivilegedWithParameter(WildFlySecurityManager.java:1565)
      		at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:57)
      		at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
      		at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.lambda$handleEvent$1(ClientConnectionOpenListener.java:454)
      		at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
      		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      		at java.lang.Thread.run(Thread.java:745)
      	Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
      		at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
      		at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
      		at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
      		at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
      		at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
      		at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
      		at org.wildfly.security.sasl.gssapi.GssapiClient.evaluateMessage(GssapiClient.java:212)
      		... 12 more
      
      14:32:49,741 DEBUG [org.jboss.remoting.remote.connection] (XNIO-1 I/O-1) JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
         GSSAPI: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      14:32:49,741 TRACE [org.xnio.safe-close] (XNIO-1 I/O-1) Closing resource org.xnio.ssl.JsseSslStreamConnection@15b69239
      14:32:49,741 TRACE [org.xnio.nio] (XNIO-1 I/O-1) Cancelling key sun.nio.ch.SelectionKeyImpl@594c66c3 of java.nio.channels.SocketChannel[connected local=/127.0.0.1:41374 remote=localhost.localdomain/127.0.0.1:8080] (same thread)
      14:32:49,742 TRACE [org.xnio.listener] (XNIO-1 I/O-1) Invoking listener org.jboss.remoting3.remote.RemoteConnectionProvider$6$$Lambda$73/968240296@3864cfc2 on channel org.xnio.nio.NioSocketStreamConnection@577b7515
      14:32:49,742 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) No buffers in queue for message header
      14:32:49,742 TRACE [org.xnio.safe-close] (XNIO-1 I/O-1) Closing resource org.xnio.ssl.JsseSslStreamConnection@15b69239
      14:32:49,742 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Allocated fresh buffers
      14:32:49,742 TRACE [org.jboss.remoting.remote.connection] (default I/O-7) Received EOF
      14:32:49,742 TRACE [org.jboss.remoting.remote] (default I/O-7) Received connection end-of-stream
      14:32:49,742 TRACE [org.jboss.remoting.endpoint] (XNIO-1 I/O-1) Registered exception result: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
         GSSAPI: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:113)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:440)
      	at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:246)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      	Suppressed: javax.security.sasl.SaslException: ELY05108: [GSSAPI] Unable to create response token [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
      		at org.wildfly.security.sasl.gssapi.GssapiClient.evaluateMessage(GssapiClient.java:223)
      		at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      		at org.wildfly.security.sasl.gssapi.GssapiClient.evaluateChallenge(GssapiClient.java:197)
      		at org.wildfly.security.manager.WildFlySecurityManager$5.run(WildFlySecurityManager.java:1466)
      		at java.security.AccessController.doPrivileged(Native Method)
      		at org.wildfly.security.manager.WildFlySecurityManager.doPrivilegedWithParameter(WildFlySecurityManager.java:1565)
      		at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:57)
      		at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
      		at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.lambda$handleEvent$1(ClientConnectionOpenListener.java:454)
      		at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:897)
      		at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      		at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      		at java.lang.Thread.run(Thread.java:745)
      	Caused by: GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
      		at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:147)
      		at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122)
      		at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187)
      		at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224)
      		at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212)
      		at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
      		at org.wildfly.security.sasl.gssapi.GssapiClient.evaluateMessage(GssapiClient.java:212)
      		... 12 more
      
      14:32:49,742 TRACE [org.jboss.remoting.endpoint] (XNIO-1 I/O-1) Resource closed count 00000007 of endpoint (anonymous) <91a1005> (closed a failed connection (2))
      14:32:49,742 TRACE [org.jboss.remoting.endpoint] (XNIO-1 I/O-1) Allocated tick to 8 of endpoint (anonymous) <91a1005> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@5b6abe86)
      14:32:49,742 TRACE [org.xnio.nio.selector] (XNIO-1 I/O-1) Beginning select on sun.nio.ch.EPollSelectorImpl@8097d0b
      14:32:49,742 TRACE [org.jboss.remoting.endpoint] (XNIO-1 task-14) Allocated tick to 9 of endpoint (anonymous) <91a1005> (opened org.jboss.remoting3.EndpointImpl$TrackingExecutor@b23ee46)
      14:32:49,742 TRACE [org.jboss.remoting.endpoint] (XNIO-1 task-14) Resource closed count 00000008 of endpoint (anonymous) <91a1005> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@5b6abe86)
      14:32:49,742 TRACE [org.jboss.remoting.endpoint] (XNIO-1 task-15) Resource closed count 00000007 of endpoint (anonymous) <91a1005> (closed org.jboss.remoting3.EndpointImpl$TrackingExecutor@b23ee46)
      

      It was confirmed manually that it is possible to configure EJB with Kerberos authentication.
      The EJB client used is org.jboss:jboss-ejb-client:jar:4.0.0.Beta25-redhat-1:compile
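
The trace above shows `GssapiClient.evaluateChallenge` running on a `ThreadPoolExecutor` worker rather than on the thread that called `Subject.doAs`. The following is an added illustration, not code from the issue or from Elytron, and not a confirmed root cause: on a Java 8 JDK it shows that a Subject bound by `Subject.doAs` is not visible to a task on an already-started pool thread unless the task re-binds it. The class name and the principal `user@EXAMPLE.ORG` are constructed, and no KDC is contacted.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

public class SubjectThreadVisibility {

    // Principals of the Subject bound to the current access control context, or "none".
    static String boundSubject() {
        Subject s = Subject.getSubject(AccessController.getContext());
        return s == null ? "none" : s.getPrincipals().toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed Subject: it carries a principal only, no Kerberos ticket.
        final Subject subject = new Subject();
        subject.getPrincipals().add(new KerberosPrincipal("user@EXAMPLE.ORG"));

        final ExecutorService pool = Executors.newSingleThreadExecutor();
        // Warm-up task: the worker thread is created here, outside doAs,
        // so the context it inherits has no Subject attached.
        pool.submit(() -> { }).get();

        String[] seen = Subject.doAs(subject, (PrivilegedAction<String[]>) () -> {
            try {
                String caller = boundSubject();
                // Same lookup, executed on the pre-started worker thread.
                String worker = pool.submit(
                        (Callable<String>) SubjectThreadVisibility::boundSubject).get();
                // Re-binding the captured Subject inside the task restores it.
                String rebound = pool.submit((Callable<String>) () ->
                        Subject.doAs(subject,
                                (PrivilegedAction<String>) SubjectThreadVisibility::boundSubject)).get();
                return new String[] { caller, worker, rebound };
            } catch (Exception e) {
                throw new IllegalStateException(e);
            }
        });
        pool.shutdown();

        System.out.println("calling thread inside doAs: " + seen[0]);
        System.out.println("pool thread, no re-bind:    " + seen[1]);
        System.out.println("pool thread, re-bound:      " + seen[2]);
    }
}
```

On later JDKs where the Security Manager APIs are deprecated or disabled, `Subject.getSubject(AccessControlContext)` behaves differently, so run this on the Java 8 line the trace comes from.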

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma