Geronimo: GERONIMO-4865

Login module to enable Kerberos authentication

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.1.5, 2.2, 3.0.0
    • Component/s: security
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      A new login module for using the Kerberos authentication mechanism in Geronimo.

      1. KerberosLoginModule.java_initial
        2 kB
        Ashish Jain
      2. KerberosLoginModule.java
        3 kB
        Ashish Jain

        Activity

        Ashish Jain added a comment -

        Please find the attached login module class. Thanks.

        Ashish Jain added a comment -

        Just a history of what all has been done on this:

        Initial trials suggested that there were some unrecognised options being added. The following error was thrown in the very first try:

        javax.security.auth.login.LoginException: Bad JAAS configuration: unrecognized option: org.apache.geronimo.security.realm.GenericSecurityRealm.SERVERINFO
        at com.ibm.security.jgss.i18n.I18NException.throwLoginException(I18NException.java:16)
        at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:412)
        at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:171)
        at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:374)
        at org.apache.geronimo.security.jaas.ClassOptionLoginModule.login(ClassOptionLoginModule.java:60)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:618)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:795)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:209)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:709)
        at java.security.AccessController.doPrivileged(AccessController.java:246)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:706)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:603)
        at org.apache.geronimo.security.ContextManager.login(ContextManager.java:76)
        at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:294)
        at org.apache.geronimo.tomcat.realm.TomcatGeronimoRealm.authenticate(TomcatGeronimoRealm.java:260)
        at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
        at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
        at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

        Similarly, errors were thrown for org.apache.geronimo.security.realm.GenericSecurityRealm.KERNEL and org.apache.geronimo.security.realm.GenericSecurityRealm.CLASSLOADER,
        so to overcome this these options were removed by using a custom login module.

        Attaching the initial version of the Kerberos login module with the name KerberosLoginModule.java_initial.

        Ashish Jain added a comment -

        Initial version of the Kerberos login module.

        David Jencks added a comment -

        We can't include this in standard Geronimo because it requires a class found only in the IBM JDK. Similarly, I don't think we could include one requiring a Sun JDK. Maybe we could have a separate jar? Or, we could work on supplying fewer options.

        Ashish Jain added a comment -

        This will work with the class found in the IBM JDK as well as the class found in the Sun JDK. It depends on which class is specified by the user in the login module options.
        It can be <log:option name="krb5LoginModuleClass">com.ibm.security.auth.module.Krb5LoginModule</log:option> or
        <log:option name="krb5LoginModuleClass">com.sun.security.auth.module.Krb5LoginModule</log:option>.

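        The approach described in the two comments above (a wrapper login module that strips the Geronimo-specific options the JDK's Krb5LoginModule rejects, and loads the IBM or Sun implementation named by the krb5LoginModuleClass option) as an added illustration. This is not the KerberosLoginModule.java attached to this issue; the class name DelegatingKerberosLoginModule, its package and the filterOptions helper are assumptions, while the option key krb5LoginModuleClass and the three GenericSecurityRealm option names are taken from the comments.

```java
// Added example, not the module attached to GERONIMO-4865. Package and class
// names are assumed; option key names come from the issue comments.
package example.kerberos;

import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class DelegatingKerberosLoginModule implements LoginModule {

    // Option naming the JDK-specific Krb5LoginModule (from the issue comments), e.g.
    // com.ibm.security.auth.module.Krb5LoginModule or com.sun.security.auth.module.Krb5LoginModule.
    static final String KRB5_CLASS_OPTION = "krb5LoginModuleClass";

    // Options Geronimo's GenericSecurityRealm injects that the JDK module reports as
    // "unrecognized option" (the three keys named in the issue).
    static final Set<String> GERONIMO_OPTIONS = new HashSet<>(Arrays.asList(
        "org.apache.geronimo.security.realm.GenericSecurityRealm.SERVERINFO",
        "org.apache.geronimo.security.realm.GenericSecurityRealm.KERNEL",
        "org.apache.geronimo.security.realm.GenericSecurityRealm.CLASSLOADER"));

    private LoginModule delegate;

    /** Copies options without the Geronimo-only keys and the class-name option itself. */
    static Map<String, ?> filterOptions(Map<String, ?> options) {
        Map<String, Object> filtered = new HashMap<>();
        for (Map.Entry<String, ?> e : options.entrySet()) {
            String key = e.getKey();
            if (GERONIMO_OPTIONS.contains(key) || KRB5_CLASS_OPTION.equals(key)) {
                continue; // not understood by the JDK module, so do not forward it
            }
            filtered.put(key, e.getValue());
        }
        return filtered;
    }

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        Object className = options.get(KRB5_CLASS_OPTION);
        if (className == null) {
            throw new IllegalArgumentException("missing option " + KRB5_CLASS_OPTION);
        }
        try {
            // Resolve the JDK-specific module by name so the same wrapper class
            // works on both IBM and Sun JDKs without a compile-time dependency.
            Class<?> clazz = Class.forName(className.toString(), true,
                                           Thread.currentThread().getContextClassLoader());
            delegate = (LoginModule) clazz.getConstructor().newInstance();
        } catch (ReflectiveOperationException | ClassCastException ex) {
            throw new IllegalArgumentException("cannot load Krb5 login module " + className, ex);
        }
        // Kerberos-specific options (keytab, principal, ...) pass through unchanged.
        delegate.initialize(subject, handler, sharedState, filterOptions(options));
    }

    @Override public boolean login() throws LoginException { return delegate.login(); }
    @Override public boolean commit() throws LoginException { return delegate.commit(); }
    @Override public boolean abort() throws LoginException { return delegate.abort(); }
    @Override public boolean logout() throws LoginException { return delegate.logout(); }
}
```

        Keeping the stripped keys as an explicit list, rather than forwarding nothing but a hand-picked allowlist, has a useful property: if Geronimo later injects a new realm option, the JDK module still fails loudly with "unrecognized option" as in the stack trace above, instead of the wrapper silently swallowing it.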
        Kevan Miller added a comment -

        Patch applied. JDK-specific configuration (i.e. the Kerberos login module class name occurs via configuration). Thanks for the patch Ashish.

        One request – can you help make sure some documentation is added to our wiki so that this is properly documented?

        Rex Wang added a comment -

        Closing it.


          People

          • Assignee: Ashish Jain
          • Reporter: Ashish Jain
          • Votes: 0
          • Watchers: 0
