[GERONIMO-4865] Login module to enable Kerberos authentication - ASF JIRA

Details

Type: New Feature
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.1.5, 2.2, 3.0.0
Component/s: security
Security Level: public (Regular issues)
Labels:
None

Description

A new login module for using the kerberos authentication mechanism in geronimo.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending

Attachments

KerberosLoginModule.java_initial

11/Sep/09 12:43

2 kB

Ashish Jain
KerberosLoginModule.java

11/Sep/09 05:34

3 kB

Ashish Jain

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Ashish Jain added a comment - 11/Sep/09 05:34

Please find the attached Login module class thanks

Show

Ashish Jain added a comment - 11/Sep/09 05:34 Please find the attached Login module class thanks

Hide

Permalink

Ashish Jain added a comment - 11/Sep/09 12:42

Just a history of what all has been done on this:

Initial trials suggested that there were some unreconganised options being added. The following error was thrown in the very first try

javax.security.auth.login.LoginException: Bad JAAS configuration: unrecognized option: org.apache.geronimo.security.realm.GenericSecurityRealm.SERVERINFO
at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:16)
at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:412)
at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:171)
at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:374)
at org.apache.geronimo.security.jaas.ClassOptionLoginModule.login(ClassOptionLoginModule.java:60)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
at java.security.AccessController.doPrivileged(AccessController.java:246)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
at org.apache.geronimo.security.ContextManager.login(ContextManager.java:76)
at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:294)
at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:260)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

Similarly errors were thrown for org.apache.geronimo.security.realm.GenericSecurityRealm.KERNEL and org.apache.geronimo.security.realm.GenericSecurityRealm.CLASSLOADER
so as to overcome this these options were removed by using a custom login module

Attaching the initial version of the Kerberos Login module with the name KerberosLoginModule.java_initial

Show

Ashish Jain added a comment - 11/Sep/09 12:42 Just a history of what all has been done on this: Initial trials suggested that there were some unreconganised options being added. The following error was thrown in the very first try javax.security.auth.login.LoginException: Bad JAAS configuration: unrecognized option: org.apache.geronimo.security.realm.GenericSecurityRealm.SERVERINFO at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:16) at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:412) at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:171) at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:374) at org.apache.geronimo.security.jaas.ClassOptionLoginModule.login(ClassOptionLoginModule.java:60) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:618) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709) at java.security.AccessController.doPrivileged(AccessController.java:246) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706) at javax.security.auth.login.LoginContext.login(LoginContext.java:603) at org.apache.geronimo.security.ContextManager.login(ContextManager.java:76) at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:294) at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:260) at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406) at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) Similarly errors were thrown for org.apache.geronimo.security.realm.GenericSecurityRealm.KERNEL and org.apache.geronimo.security.realm.GenericSecurityRealm.CLASSLOADER so as to overcome this these options were removed by using a custom login module Attaching the initial version of the Kerberos Login module with the name KerberosLoginModule.java_initial

Hide

Permalink

Ashish Jain added a comment - 11/Sep/09 12:43

Initial version of kerberos login module

Show

Ashish Jain added a comment - 11/Sep/09 12:43 Initial version of kerberos login module

Hide

Permalink

David Jencks added a comment - 29/Oct/09 21:04

We can't include this in standard geronimo because it requires a class found only in the ibm jdk. Similarly I don't think we could include one requiring a sun jdk. Maybe we could have a separate jar? Or, we could work on supplying fewer options.

Show

David Jencks added a comment - 29/Oct/09 21:04 We can't include this in standard geronimo because it requires a class found only in the ibm jdk. Similarly I don't think we could include one requiring a sun jdk. Maybe we could have a separate jar? Or, we could work on supplying fewer options.

Hide

Permalink

Ashish Jain added a comment - 12/Nov/09 14:58

This will work with class found in IBM JDK as well as class found in Sun JDK. It depends what is class specified by user in the login module options.
It can be <log:option name="krb5LoginModuleClass">com.ibm.security.auth.module.Krb5LoginModule</log:option> or
<log:option name="krb5LoginModuleClass">com.sun.security.auth.module.Krb5LoginModule</log:option.

Show

Ashish Jain added a comment - 12/Nov/09 14:58 This will work with class found in IBM JDK as well as class found in Sun JDK. It depends what is class specified by user in the login module options. It can be <log:option name="krb5LoginModuleClass">com.ibm.security.auth.module.Krb5LoginModule</log:option> or <log:option name="krb5LoginModuleClass">com.sun.security.auth.module.Krb5LoginModule</log:option.

Hide

Permalink

Kevan Miller added a comment - 18/Nov/09 04:30

Patch applied. JDK specific configuration (i.e. the kerberos login module class name occurs via configuration). Thanks for the patch Ashish.

One request – can you help make sure some documentation is added to our wiki so that this is properly documented?

Show

Kevan Miller added a comment - 18/Nov/09 04:30 Patch applied. JDK specific configuration (i.e. the kerberos login module class name occurs via configuration). Thanks for the patch Ashish. One request – can you help make sure some documentation is added to our wiki so that this is properly documented?

Hide

Permalink

Rex Wang added a comment - 02/Apr/10 02:40

closing it

Show

Rex Wang added a comment - 02/Apr/10 02:40 closing it

People

Assignee:

Ashish Jain

Reporter:

Ashish Jain

Votes:

0 Vote for this issue

Watchers:

0 Start watching this issue

Dates

Created:

11/Sep/09 05:33

Updated:

02/Apr/10 02:40

Resolved:

18/Nov/09 04:30

Development

Agile

View on Board