  1. JBoss Enterprise Application Platform
  2. JBEAP-11941

java.security.krb5.conf in standalone.xml not applied

Details

    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • 7.1.0.ER1
    • Security
      • Clone internal TS
        git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-ldap-kerberos.git
        
      • Change AbstractKerberosEjbTestCase to not specify java.security.krb5.conf system property
        diff --git a/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java b/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java
        index 060a472..ac9ef10 100644
        --- a/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java
        +++ b/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java
        @@ -184,7 +184,7 @@ public abstract class AbstractKerberosEjbTestCase {
                 AddSystemProperty addSystemProperty2 = new AddSystemProperty("com.ibm.security.jgss.debug", "all");
                 AddSystemProperty addSystemProperty3 = new AddSystemProperty("com.ibm.security.krb5.Krb5Debug", "all");
                 // workaround for JBEAP-11941
        -        AddSystemProperty addSystemProperty4 = new AddSystemProperty("java.security.krb5.conf", Utils.escapePath(kerberosServerContext.getKrb5ConfFullPath()));
        +        AddSystemProperty addSystemProperty4 = new AddSystemProperty("XXXXjava.security.krb5.conf", Utils.escapePath(kerberosServerContext.getKrb5ConfFullPath()));
         
                 AddKerberosSecurityFactory addKerberosSecurityFactory = new AddKerberosSecurityFactory.Builder(KERBEROS_SECURITY_FACTORY)
                         .path(kerberosServerContext.getKeyTabFullPath())
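        Review bot: the "// workaround for JBEAP-11941" comment directly above addSystemProperty4 no longer matches the line beneath it. With the key prefixed by "XXXX", java.security.krb5.conf is not set at all, yet a property named "XXXXjava.security.krb5.conf" is still added through AddSystemProperty. For a reproducer it would be cleaner to remove addSystemProperty4 (or gate it behind a test flag) and to reword the comment so it says the workaround is deliberately switched off.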
        

      Run KerberosEjbGssapiTestCase SPNEGOSessionTestCase

      • ./build-eap71.sh -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.1.Final-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.CR1/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.CR1/jboss-eap-7.1.0.CR1.zip -Dmaven.test.failure.ignore=true -Dignore.known.issues -Dtest=KerberosEjbGssapiTestCase,SPNEGOSessionTestCase -DrunOrder=alphabetical
        

    Description

      I observe strange behaviour in my test suite. One test is impacting another.

      The first test does not specify the system property java.security.krb5.conf in standalone.xml. The test passes. As I understand it, that system property is not necessary as long as the obtain-kerberos-ticket attribute on the kerberos security factory is not true.

      The second test specifies the system property java.security.krb5.conf in standalone.xml, because it is necessary for it. However, I get "Cannot locate KDC". So it seems to me that "something" stays initialized from the first test, and the configuration from the second test is not applied. However, I am not sure what this "something" could be. From the stack trace it seems it could be something on the server side.

      14:23:06,523 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Unable to create SaslServer: javax.security.sasl.SaslException: ELY05053: [GSSAPI] Callback handler failed for unknown reason [Caused by java.io.IOException: ELY01156: Cannot obtain a credential from a security factory]
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:81)
      	at org.wildfly.security.sasl.gssapi.GssapiServerFactory.createSaslServer(GssapiServerFactory.java:44)
      	at org.wildfly.security.sasl.util.SecurityProviderSaslServerFactory.createSaslServer(SecurityProviderSaslServerFactory.java:83)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.MechanismProviderFilteringSaslServerFactory.createSaslServer(MechanismProviderFilteringSaslServerFactory.java:59)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:80)
      	at org.wildfly.security.sasl.util.PropertiesSaslServerFactory.createSaslServer(PropertiesSaslServerFactory.java:56)
      	at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
      	at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:80)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory.createSaslServer(AuthenticationCompleteCallbackSaslServerFactory.java:51)
      	at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.createSaslServer(TrustManagerSaslServerFactory.java:72)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory.createSaslServer(AuthenticationTimeoutSaslServerFactory.java:74)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ServerNameSaslServerFactory.createSaslServer(ServerNameSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ProtocolSaslServerFactory.createSaslServer(ProtocolSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory.createSaslServer(SecurityIdentitySaslServerFactory.java:51)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:61)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:52)
      	at org.wildfly.security.auth.server.AbstractMechanismAuthenticationFactory.createMechanism(AbstractMechanismAuthenticationFactory.java:54)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:265)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:127)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      Caused by: java.io.IOException: ELY01156: Cannot obtain a credential from a security factory
      	at org.wildfly.security.credential.source.CredentialSource$4.getCredential(CredentialSource.java:327)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:929)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:801)
      	at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.lambda$createSaslServer$0(TrustManagerSaslServerFactory.java:96)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:78)
      	... 29 more
      Caused by: java.security.GeneralSecurityException: ELY01121: Unable to perform initial JAAS login.
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.createGSSCredential(GSSCredentialSecurityFactory.java:330)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.lambda$build$0(GSSCredentialSecurityFactory.java:284)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory.create(GSSCredentialSecurityFactory.java:99)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory.create(GSSCredentialSecurityFactory.java:61)
      	at org.wildfly.security.credential.source.CredentialSource$4.getCredential(CredentialSource.java:325)
      	... 33 more
      Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
      	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.createGSSCredential(GSSCredentialSecurityFactory.java:295)
      	... 37 more
      Caused by: KrbException: Cannot locate KDC
      	at sun.security.krb5.Config.getKDCList(Config.java:1084)
      	at sun.security.krb5.KdcComm.send(KdcComm.java:218)
      	at sun.security.krb5.KdcComm.send(KdcComm.java:200)
      	at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
      	at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
      	... 50 more
      

      However, the second test is a little bit non-standard. It is about identity propagation, and this code is run in the deployment. So could it also be something from Java (GSSManager, GSSContext, something that consumes the java.security.krb5.conf system property)?

      GSSManager manager = GSSManager.getInstance();
      gssContext = manager.createContext(manager.createName(spn, null), KERBEROS_V5, gssCredential,
              GSSContext.DEFAULT_LIFETIME);

      // gssContext.requestCredDeleg(true);
      gssContext.requestMutualAuth(true);
      gssContext.requestConf(true);
      gssContext.requestInteg(true);

      byte[] token = new byte[0];
      while (!gssContext.isEstablished()) {
          token = gssContext.initSecContext(token, 0, token.length);
      

      A simple workaround is to specify java.security.krb5.conf in the first test as well, but I would like to know what is going on.

      Any thoughts will be appreciated.

          People

            rhn-support-ivassile Ilia Vassilev
            mchoma@redhat.com Martin Choma