JBoss Enterprise Application Platform / JBEAP-11941

java.security.krb5.conf in standalone.xml not applied


    • Bug
    • Resolution: Won't Do
    • Major
    • None
    • 7.1.0.ER1
    • Security
      • Clone internal TS
        git clone git@gitlab.mw.lab.eng.bos.redhat.com:jbossqe-eap/tests-ldap-kerberos.git
        
      • Change AbstractKerberosEjbTestCase to not specify java.security.krb5.conf system property
        diff --git a/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java b/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java
        index 060a472..ac9ef10 100644
        --- a/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java
        +++ b/eap71/src/test/java/org/jboss/eapqe/krbldap/eap71/tests/krb/ejb/AbstractKerberosEjbTestCase.java
        @@ -184,7 +184,7 @@ public abstract class AbstractKerberosEjbTestCase {
                 AddSystemProperty addSystemProperty2 = new AddSystemProperty("com.ibm.security.jgss.debug", "all");
                 AddSystemProperty addSystemProperty3 = new AddSystemProperty("com.ibm.security.krb5.Krb5Debug", "all");
                 // workaround for JBEAP-11941
        -        AddSystemProperty addSystemProperty4 = new AddSystemProperty("java.security.krb5.conf", Utils.escapePath(kerberosServerContext.getKrb5ConfFullPath()));
        +        AddSystemProperty addSystemProperty4 = new AddSystemProperty("XXXXjava.security.krb5.conf", Utils.escapePath(kerberosServerContext.getKrb5ConfFullPath()));
         
                 AddKerberosSecurityFactory addKerberosSecurityFactory = new AddKerberosSecurityFactory.Builder(KERBEROS_SECURITY_FACTORY)
                         .path(kerberosServerContext.getKeyTabFullPath())
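        Review bot: the `// workaround for JBEAP-11941` comment is now misleading, because the changed `addSystemProperty4` line below it no longer sets `java.security.krb5.conf`; it registers a junk `XXXXjava.security.krb5.conf` property instead. For a reproducer it would be clearer to delete or comment out the `addSystemProperty4` line together with any use of it, and to reword the comment to say the property is deliberately omitted.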
        

      • Run KerberosEjbGssapiTestCase and SPNEGOSessionTestCase
        ./build-eap71.sh -Dversion.jboss.bom=7.1.0.GA -Dversion.wildfly.core=3.0.1.Final-redhat-1 -Dmaven.repo.local=/home/mchoma/workspace/eap-versions/7.1.0.CR1/jboss-eap-7.1.0.GA-maven-repository/maven-repository -Djboss.dist.zip=/home/mchoma/workspace/eap-versions/7.1.0.CR1/jboss-eap-7.1.0.CR1.zip -Dmaven.test.failure.ignore=true -Dignore.known.issues -Dtest=KerberosEjbGssapiTestCase,SPNEGOSessionTestCase -DrunOrder=alphabetical
        

      I observe strange behaviour in my test suite: one test is impacting another.

      The first test does not specify the system property java.security.krb5.conf in standalone.xml. The test passes. As I understand it, that system property is not necessary as long as the obtain-kerberos-ticket attribute on the kerberos security factory is not true.

      The second test specifies the system property java.security.krb5.conf in standalone.xml, because it is necessary for it. However, I get "Cannot locate KDC". So it seems to me that "something" remains initialized from the first test, and the configuration from the second test is not applied. However, I am not sure what this "something" could be. From the stack trace it seems it could be something on the server side.

      14:23:06,523 TRACE [org.jboss.remoting.remote.server] (default I/O-5) Unable to create SaslServer: javax.security.sasl.SaslException: ELY05053: [GSSAPI] Callback handler failed for unknown reason [Caused by java.io.IOException: ELY01156: Cannot obtain a credential from a security factory]
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:81)
      	at org.wildfly.security.sasl.gssapi.GssapiServerFactory.createSaslServer(GssapiServerFactory.java:44)
      	at org.wildfly.security.sasl.util.SecurityProviderSaslServerFactory.createSaslServer(SecurityProviderSaslServerFactory.java:83)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.MechanismProviderFilteringSaslServerFactory.createSaslServer(MechanismProviderFilteringSaslServerFactory.java:59)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:80)
      	at org.wildfly.security.sasl.util.PropertiesSaslServerFactory.createSaslServer(PropertiesSaslServerFactory.java:56)
      	at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
      	at org.wildfly.security.sasl.util.FilterMechanismSaslServerFactory.createSaslServer(FilterMechanismSaslServerFactory.java:88)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.SetMechanismInformationSaslServerFactory.createSaslServer(SetMechanismInformationSaslServerFactory.java:80)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory.createSaslServer(AuthenticationCompleteCallbackSaslServerFactory.java:51)
      	at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.createSaslServer(TrustManagerSaslServerFactory.java:72)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory.createSaslServer(AuthenticationTimeoutSaslServerFactory.java:74)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ServerNameSaslServerFactory.createSaslServer(ServerNameSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.AbstractDelegatingSaslServerFactory.createSaslServer(AbstractDelegatingSaslServerFactory.java:64)
      	at org.wildfly.security.sasl.util.ProtocolSaslServerFactory.createSaslServer(ProtocolSaslServerFactory.java:48)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory.createSaslServer(SecurityIdentitySaslServerFactory.java:51)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:61)
      	at org.wildfly.security.auth.server.SaslAuthenticationFactory.doCreate(SaslAuthenticationFactory.java:52)
      	at org.wildfly.security.auth.server.AbstractMechanismAuthenticationFactory.createMechanism(AbstractMechanismAuthenticationFactory.java:54)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:265)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial.handleEvent(ServerConnectionOpenListener.java:127)
      	at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
      	at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
      	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
      	at org.xnio.nio.WorkerThread.run(WorkerThread.java:571)
      Caused by: java.io.IOException: ELY01156: Cannot obtain a credential from a security factory
      	at org.wildfly.security.credential.source.CredentialSource$4.getCredential(CredentialSource.java:327)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handleOne(ServerAuthenticationContext.java:929)
      	at org.wildfly.security.auth.server.ServerAuthenticationContext$1.handle(ServerAuthenticationContext.java:801)
      	at org.wildfly.security.sasl.util.TrustManagerSaslServerFactory.lambda$createSaslServer$0(TrustManagerSaslServerFactory.java:96)
      	at org.wildfly.security.sasl.gssapi.GssapiServer.<init>(GssapiServer.java:78)
      	... 29 more
      Caused by: java.security.GeneralSecurityException: ELY01121: Unable to perform initial JAAS login.
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.createGSSCredential(GSSCredentialSecurityFactory.java:330)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.lambda$build$0(GSSCredentialSecurityFactory.java:284)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory.create(GSSCredentialSecurityFactory.java:99)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory.create(GSSCredentialSecurityFactory.java:61)
      	at org.wildfly.security.credential.source.CredentialSource$4.getCredential(CredentialSource.java:325)
      	... 33 more
      Caused by: javax.security.auth.login.LoginException: Cannot locate KDC
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
      	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
      	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
      	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
      	at java.security.AccessController.doPrivileged(Native Method)
      	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
      	at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
      	at org.wildfly.security.auth.util.GSSCredentialSecurityFactory$Builder.createGSSCredential(GSSCredentialSecurityFactory.java:295)
      	... 37 more
      Caused by: KrbException: Cannot locate KDC
      	at sun.security.krb5.Config.getKDCList(Config.java:1084)
      	at sun.security.krb5.KdcComm.send(KdcComm.java:218)
      	at sun.security.krb5.KdcComm.send(KdcComm.java:200)
      	at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
      	at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
      	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
      	... 50 more
      

      However, the second test is a little bit non-standard. It is about identity propagation, and this code is run in a deployment. So could it also be something from Java (GSSManager, GSSContext, something that consumes the java.security.krb5.conf system property)?

      GSSManager manager = GSSManager.getInstance();
      gssContext = manager.createContext(manager.createName(spn, null), KERBEROS_V5, gssCredential,
              GSSContext.DEFAULT_LIFETIME);

      //            gssContext.requestCredDeleg(true);
      gssContext.requestMutualAuth(true);
      gssContext.requestConf(true);
      gssContext.requestInteg(true);

      byte[] token = new byte[0];
      while (!gssContext.isEstablished()) {
          token = gssContext.initSecContext(token, 0, token.length);
      

      A simple workaround is to specify java.security.krb5.conf in the first test as well, but I would like to know what is going on.

      Any thoughts will be appreciated.

              rhn-support-ivassile Ilia Vassilev
              mchoma@redhat.com Martin Choma
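
The kind of carry-over the reporter suspects can be reproduced at the JDK level: OpenJDK/Oracle JDK parse the file named by java.security.krb5.conf on first Kerberos use and cache it JVM-wide, so a later change to the property is ignored until the configuration is refreshed. This is an added example, not code from the issue, the test suite or EAP; the class name, realm names and temporary krb5.conf files are constructed for illustration, and the page does not confirm that this is the cause of the reported failure.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import com.sun.security.auth.module.Krb5LoginModule;

public class Krb5ConfCacheDemo {
    // Writes a minimal krb5.conf (constructed sample) with the given default realm.
    static Path writeConf(String realm) throws Exception {
        Path p = Files.createTempFile("krb5-", ".conf");
        String body = "[libdefaults]\n  default_realm = " + realm + "\n";
        Files.write(p, body.getBytes(StandardCharsets.UTF_8));
        return p;
    }

    // A principal name without "@REALM" is completed from the JVM's cached Kerberos config.
    static String defaultRealm() {
        return new KerberosPrincipal("probe").getRealm();
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", writeConf("FIRST.EXAMPLE").toString());
        System.out.println("initial:       " + defaultRealm());

        // Changing the property later does not touch the already-loaded config.
        System.setProperty("java.security.krb5.conf", writeConf("SECOND.EXAMPLE").toString());
        System.out.println("after change:  " + defaultRealm());

        // refreshKrb5Config=true makes Krb5LoginModule reload the file at the start of login().
        Map<String, Object> opts = new HashMap<>();
        opts.put("refreshKrb5Config", "true");
        Krb5LoginModule module = new Krb5LoginModule();
        module.initialize(new Subject(), null, new HashMap<String, Object>(), opts);
        try {
            module.login();
        } catch (LoginException expected) {
            // No KDC or credentials here; only the reload side effect matters.
        }
        System.out.println("after refresh: " + defaultRealm());
    }
}
```

The practical consequence is that a java.security.krb5.conf value added to a JVM that has already used Kerberos once takes effect only after a configuration refresh or a JVM restart.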