hc-httpclient-users mailing list archives

From Sebastiaan van Erk <sebs...@sebster.com>
Subject Kerberos authentication issue
Date Fri, 11 Dec 2009 10:00:54 GMT
Hi,

I'm trying to use the new Kerberos authentication in 
httpclient-4.1-alpha1. To start off, I'm simply running the example 
kerberos authentication program for the url 
"http://tunneltest.servoy.com/private" (this is an internal test url, so 
it does not work from the internet). I tested the test url with Firefox 
with Kerberos authentication and it works fine, but with httpclient I'm 
seeing 2 things I don't understand:

1) A ticket request is done for the 
HTTP/tunneltest.servoy.com@SERVOY.COM service even though it's already 
in my ticket cache.
2) The ticket request fails with the error:
Dec 11, 2009 10:40:11 AM org.apache.http.client.protocol.RequestTargetAuthentication process
SEVERE: Authentication error: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : DerInputStream.getLength(): lengthTag=127, too big.))

First of all, I don't understand why it has to request the ticket for 
the service if it's already in the cache. However, the request is for 
the right service, because I get the following line in my kdc.log:

2009-12-11T10:37:03 TGS-REQ testuser@SERVOY.COM from IPv4:85.147.225.232 for HTTP/tunneltest.servoy.com@SERVOY.COM

This is slightly different from the line I get when requesting the url 
from firefox, which reads:

2009-12-11T10:49:49 TGS-REQ testuser@SERVOY.COM from IPv4:85.147.225.232 for HTTP/tunneltest.servoy.com@SERVOY.COM [canonicalize]

Does anybody know what I'm doing wrong? To make sure that I'm not 
withholding any relevant information, below I've posted all the details. 
Especially interesting is the program output...

Thanks in advance,
Sebastiaan

login.conf
------8<------
com.sun.security.jgss.initiate {
   com.sun.security.auth.module.Krb5LoginModule required client=TRUE 
useTicketCache="true" ticketCache="/tmp/krb5cc_1000" debug=true;
};

com.sun.security.jgss.accept {
   com.sun.security.auth.module.Krb5LoginModule required client=TRUE 
useTicketCache="true" ticketCache="/tmp/krb5cc_1000" debug=true;
};
------8<------

krb5.conf
------8<------
[libdefaults]
         default_realm = SERVOY.COM

[realms]
         SERVOY.COM = {
                 kdc = tunneltest.servoy.com
                 kpasswd_server = tunneltest.servoy.com
         }

[domain_realm]
         .servoy.com = SERVOY.COM
------8<------

the main method:
------8<------
import java.security.Principal;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.NegotiateSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

// Class name and imports added so the posted main method compiles as a unit
// against httpclient-4.1-alpha1; the class name is an assumption.
public class KerberosAuthTest {

	public static void main(String[] args) throws Exception {

		// JAAS and Kerberos configuration; sun.security.krb5.debug produces the trace below
		System.setProperty("java.security.auth.login.config", "/home/sebster/login.conf");
		System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
		System.setProperty("sun.security.krb5.debug", "true");
		// false: let JGSS obtain credentials through the com.sun.security.jgss.initiate
		// entry in login.conf instead of requiring a Subject on the calling thread
		System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

		DefaultHttpClient httpclient = new DefaultHttpClient();

		NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
		// nsf.setStripPort(false);
		// nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());

		httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);

		// Dummy credentials so the Negotiate scheme is selected for every host;
		// the actual token comes from the JAAS/JGSS login, not from these values
		Credentials use_jaas_creds = new Credentials() {

			public String getPassword() {
				return null;
			}

			public Principal getUserPrincipal() {
				return null;
			}

		};

		httpclient.getCredentialsProvider().setCredentials(new AuthScope(null, -1, null), use_jaas_creds);

		HttpUriRequest request = new HttpGet("http://tunneltest.servoy.com/private");
		HttpResponse response = httpclient.execute(request);
		HttpEntity entity = response.getEntity();

		System.out.println("----------------------------------------");
		System.out.println(response.getStatusLine());
		System.out.println("----------------------------------------");
		if (entity != null) {
			System.out.println(EntityUtils.toString(entity));
		}
		System.out.println("----------------------------------------");

		// This ensures the connection gets released back to the manager
		if (entity != null) {
			entity.consumeContent();
		}

		// When HttpClient instance is no longer needed,
		// shut down the connection manager to ensure
		// immediate deallocation of all system resources
		httpclient.getConnectionManager().shutdown();
	}
}
------8<------

the program output:
------8<------
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is /tmp/krb5cc_1000 isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
 >>>DEBUG <CCacheInputStream>  client principal is testuser@SERVOY.COM
 >>>DEBUG <CCacheInputStream> server principal is krbtgt/SERVOY.COM@SERVOY.COM
 >>>DEBUG <CCacheInputStream> key type: 16
 >>>DEBUG <CCacheInputStream> auth time: Fri Dec 11 08:23:24 CET 2009
 >>>DEBUG <CCacheInputStream> start time: Fri Dec 11 08:23:24 CET 2009
 >>>DEBUG <CCacheInputStream> end time: Fri Dec 11 18:26:31 CET 2009
 >>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
 >>> CCacheInputStream: readFlags()  INITIAL;
 >>>DEBUG <CCacheInputStream>
 >>>DEBUG <CCacheInputStream>  client principal is testuser@SERVOY.COM
 >>>DEBUG <CCacheInputStream> server principal is HTTP/tunneltest.servoy.com@SERVOY.COM
 >>>DEBUG <CCacheInputStream> key type: 16
 >>>DEBUG <CCacheInputStream> auth time: Fri Dec 11 08:23:24 CET 2009
 >>>DEBUG <CCacheInputStream> start time: Fri Dec 11 10:49:49 CET 2009
 >>>DEBUG <CCacheInputStream> end time: Fri Dec 11 18:26:31 CET 2009
 >>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
 >>> CCacheInputStream: readFlags()
 >>>DEBUG <CCacheInputStream>
Principal is testuser@SERVOY.COM
Commit Succeeded

Found ticket for testuser@SERVOY.COM to go to krbtgt/SERVOY.COM@SERVOY.COM expiring on Fri Dec 11 18:26:31 CET 2009
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
 >>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
 >>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
 >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
 >>> KrbKdcReq send: kdc=tunneltest.servoy.com UDP:88, timeout=30000, number of retries =3, #bytes=589
 >>> KDCCommunication: kdc=tunneltest.servoy.com UDP:88, timeout=30000,Attempt =1, #bytes=589
 >>> KrbKdcReq send: #bytes read=553
 >>> KrbKdcReq send: #bytes read=553
 >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
 >>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
 >>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 97051396
Created InitSecContextToken:
0000: 01 00 6E 82 01 D5 30 82   01 D1 A0 03 02 01 05 A1  ..n...0.........
0010: 03 02 01 0E A2 07 03 05   00 20 00 00 00 A3 82 01  ......... ......
0020: 01 61 81 FE 30 81 FB A0   03 02 01 05 A1 0C 1B 0A  .a..0...........
0030: 53 45 52 56 4F 59 2E 43   4F 4D A2 28 30 26 A0 03  SERVOY.COM.(0&..
0040: 02 01 01 A1 1F 30 1D 1B   04 48 54 54 50 1B 15 74  .....0...HTTP..t
0050: 75 6E 6E 65 6C 74 65 73   74 2E 73 65 72 76 6F 79  unneltest.servoy
0060: 2E 63 6F 6D A3 81 BB 30   81 B8 A0 03 02 01 03 A1  .com...0........
0070: 03 02 01 01 A2 81 AB 04   81 A8 CF 09 B8 16 47 4B  ..............GK
0080: A0 F1 83 49 AA A9 9F EA   25 C2 E0 07 C1 DF E9 5C  ...I....%......\
0090: 82 F6 09 55 F3 3F 35 5C   C6 BE 22 B6 20 23 D0 92  ...U.?5\..". #..
00A0: 2E AF 3B 71 5B 6F 88 5C   D2 33 F7 8B 6B 7C 4C FB  ..;q[o.\.3..k.L.
00B0: 95 F7 D0 22 A3 D1 85 58   B9 CB 40 8C B4 6B B4 51  ..."...X..@..k.Q
00C0: 87 FD 97 AD BC B8 A7 7D   5E 5D 42 78 F2 CC 41 A0  ........^]Bx..A.
00D0: 39 C8 5B 29 86 C4 62 77   3B E8 33 19 69 8F 33 62  9.[)..bw;.3.i.3b
00E0: 0A 14 9F B2 35 B9 04 6C   0D 31 B4 21 66 7B 1F 06  ....5..l.1.!f...
00F0: FA 1F 0C AF 73 E5 57 86   CC D7 46 23 79 B9 4A CB  ....s.W...F#y.J.
0100: 69 13 46 E6 30 18 93 69   91 D6 91 E3 86 DD DE B5  i.F.0..i........
0110: 8A 7C 73 E8 6F 12 F2 21   64 19 F0 9F 21 B3 00 1E  ..s.o..!d...!...
0120: A0 3F A4 81 B6 30 81 B3   A0 03 02 01 03 A2 81 AB  .?...0..........
0130: 04 81 A8 9D 59 DC 23 05   29 7B 79 3E 99 35 30 61  ....Y.#.).y>.50a
0140: EC 59 46 2C F4 0B 82 87   72 9C 36 9F F3 C4 32 55  .YF,....r.6...2U
0150: 67 AA 47 DF 0A 61 A9 41   7C 25 CD F2 32 36 B6 4E  g.G..a.A.%..26.N
0160: 22 5F 3C 60 CA D2 97 15   26 32 E9 4A B6 79 4A 23  "_<`....&2.J.yJ#
0170: F2 15 17 95 FB 87 66 63   8A 93 8D B2 BD 36 E3 D4  ......fc.....6..
0180: 26 75 CD CA 23 3B E1 C5   8B 32 CD E2 70 1D 1A 03  &u..#;...2..p...
0190: DD ED 2B 1B AF 97 AB 19   A9 88 EF 52 87 6A 2D 94  ..+........R.j-.
01A0: DA 84 4E F4 F0 99 CE E6   CF 67 A8 E6 7F CB 7D C5  ..N......g......
01B0: 68 D5 15 57 B5 52 08 F8   AC 24 21 52 B2 9E 55 68  h..W.R...$!R..Uh
01C0: D2 3D FA C2 51 D4 92 5B   CF 60 E4 59 3C A8 85 4E  .=..Q..[.`.Y<..N
01D0: 8F BB EE 39 3B 79 3A AE   06 F4 CC                 ...9;y:....

Dec 11, 2009 10:55:08 AM org.apache.http.client.protocol.RequestTargetAuthentication process
SEVERE: Authentication error: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : DerInputStream.getLength(): lengthTag=127, too big.))
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>

----------------------------------------
------8<------
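
The "DerInputStream.getLength(): lengthTag=127, too big" text in the error above is the JDK's DER parser rejecting a length byte of 0xFF in whatever the client tried to decode as the server's NegTokenTarg, so the first thing to look at is the actual bytes that came back in the WWW-Authenticate header rather than the client library. The inspector below is an added example written for this archive page; it is not code from the original post, from HttpClient or from the JDK. It reproduces the JDK's length check and classifies a base64-decoded Negotiate token by its outer framing: a SPNEGO NegTokenInit or NegTokenTarg (RFC 4178), a GSS-API InitialContextToken carrying a Kerberos OID (RFC 2743), a bare KRB_AP_REQ like the "01 00 6E 82 01 D5 ..." dump in the trace above, or a raw NTLMSSP message. The sample header values and tokens in it are constructed, and the function names are the example's own.

```python
import base64

# Mechanism OIDs as DER-encoded inside a GSS-API token
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2


class DerError(ValueError):
    """Raised where sun.security.util.DerInputStream would throw an IOException."""


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it).

    Mirrors DerInputStream.getLength(): a first byte below 0x80 is the length,
    0x80 is the indefinite form (illegal in DER) and 0xFF (lengthTag=127) is
    reserved. The last case is exactly the error reported in the post above.
    """
    if pos >= len(buf):
        raise DerError("truncated: no length byte")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    ntag = first & 0x7F
    if ntag == 0:
        raise DerError("indefinite length not allowed in DER")
    if ntag == 0x7F:
        raise DerError("lengthTag=127, too big")
    if ntag > 4:
        raise DerError("lengthTag=%d, too big" % ntag)
    end = pos + 1 + ntag
    if end > len(buf):
        raise DerError("truncated length field")
    return int.from_bytes(buf[pos + 1:end], "big"), end


def der_element(buf, pos, expect_tag):
    """Return the body of the TLV at buf[pos], checking its tag byte."""
    if pos >= len(buf):
        raise DerError("truncated: no tag byte")
    if buf[pos] != expect_tag:
        raise DerError("expected tag 0x%02x, got 0x%02x" % (expect_tag, buf[pos]))
    length, start = der_length(buf, pos + 1)
    if start + length > len(buf):
        raise DerError("element runs past end of token")
    return buf[start:start + length]


def classify_token(tok):
    """Describe a base64-decoded Negotiate token by its outer framing."""
    if not tok:
        return "empty token"
    if tok.startswith(b"NTLMSSP\x00"):
        # Some servers answer Negotiate with raw NTLM, which no SPNEGO parser accepts
        return "NTLMSSP message (not SPNEGO)"
    if tok[:2] == b"\x01\x00" and len(tok) > 2 and tok[2] == 0x6E:
        # KRB5 TOK_ID 01 00 followed by [APPLICATION 14] AP-REQ: the inner
        # Kerberos token the JDK prints as "Created InitSecContextToken"
        return "bare Kerberos KRB_AP_REQ"
    if tok[0] == 0x60:
        # RFC 2743 InitialContextToken: [APPLICATION 0] { mechanism OID, inner token }
        oid = der_element(der_element(tok, 0, 0x60), 0, 0x06)
        if oid == SPNEGO_OID:
            return "SPNEGO NegTokenInit"
        if oid in (KRB5_OID, MS_KRB5_OID):
            return "GSS-framed Kerberos token"
        return "GSS token with unknown mechanism OID " + oid.hex()
    if tok[0] == 0xA1:
        der_element(tok, 0, 0xA1)  # RFC 4178 NegotiationToken CHOICE negTokenResp [1]
        return "SPNEGO NegTokenTarg"
    return "unrecognised leading byte 0x%02x" % tok[0]


def inspect_negotiate_header(header_value):
    """Classify a WWW-Authenticate or Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not a Negotiate header (%s)" % scheme
    if not blob.strip():
        return "Negotiate challenge without token"
    try:
        return classify_token(base64.b64decode(blob.strip(), validate=True))
    except ValueError as e:  # DerError or a base64 decoding error
        return "defective token: " + str(e)


def der(tag, body):
    """Minimal DER TLV encoder for building the constructed sample tokens."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def sample_neg_token_init(mech_token):
    """Constructed SPNEGO NegTokenInit (RFC 4178 section 4.2) carrying mech_token."""
    mech_types = der(0x30, der(0x06, MS_KRB5_OID) + der(0x06, KRB5_OID))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, neg_init))


if __name__ == "__main__":
    # Constructed inputs, including a NegTokenTarg whose length byte is 0xFF ("of8B")
    ap_req = b"\x01\x00" + der(0x6E, b"not a real AP-REQ")
    for value in ("Negotiate",
                  "Negotiate " + base64.b64encode(sample_neg_token_init(ap_req)).decode(),
                  "Negotiate " + base64.b64encode(ap_req).decode(),
                  "Negotiate of8B",
                  "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x02\x00\x00\x00").decode()):
        print(inspect_negotiate_header(value))
```

To use it on a live failure, capture the 401 response (for example with a proxy or by logging the headers HttpClient receives) and pass the WWW-Authenticate value to inspect_negotiate_header; a result of "NTLMSSP message" or "defective token" points at the server side of the exchange, while a well-formed NegTokenTarg shifts attention back to the client's handling of it.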
