tomcat-users mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: Tomcat7 and SPNEGO configuration questions
Date Tue, 11 Jun 2013 18:17:46 GMT
On 10.06.2013 23:35, james.henderson wrote:
> I am in a similar situation to Edward.
>
> My authentication says something like:
>
> principal's key obtained from the keytab
> Acquire TGT using AS Exchange
> default etypes for default_tkt_enctypes: 23 18 17.
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>>> #bytes=166
>>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>>> KrbKdcReq send: #bytes read=152
>>>> KrbKdcReq send: #bytes read=152
>>>> KDCRep: init() encoding tag is 126 req type is 11
>>>> KRBError:
>           sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
>           suSec is 764076
>           error code is 25
>           error Message is Additional pre-authentication required
>           realm is DEV
>           sname is krbtgt/DEV
>           eData provided.
>           msgType is 30
>>>> Pre-Authentication Data:
>           PA-DATA type = 11
>           PA-ETYPE-INFO etype = 23
>>>> Pre-Authentication Data:
>           PA-DATA type = 2
>           PA-ENC-TIMESTAMP
>>>> Pre-Authentication Data:
>           PA-DATA type = 15
> AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>> KrbAsReq salt is DEVserver.dev
> Pre-Authenticaton: find key for etype = 23
> AS-REQ: Add PA_ENC_TIMESTAMP now
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsReq calling createMessage
>>>> KrbAsReq in createMessage
>>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>>> #bytes=249
>>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>>> KrbKdcReq send: #bytes read=1384
>>>> KrbKdcReq send: #bytes read=1384
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
> principal is HTTP/guedlvwcfv001.dev@DEV
> EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
> Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
> EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
>                  [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
> to Subject
> Commit Succeeded
>
>
> Found key for HTTP/server.dev@DEV(23)
> Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Using builtin default etypes for permitted_enctypes
> default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>>> Config reset default kdc DEV
> object 0: 1370899284091/91026
> object 0: 1370899284091/91026
> replay cache found.
>>>> KrbApReq: authenticate succeed.
> Krb5Context setting peerSeqNumber to: 1400102526
>>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> Krb5Context setting mySeqNumber to: 909711492
>                  [Krb5LoginModule]: Entering logout
>                  [Krb5LoginModule]: logged out Subject
>
> But the page always returns 401 if I try to use it:
>
> 10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello
> HTTP/1.1" 401 951
>
> We have another page that uses spring SPNEGO and it works fine with exactly
> the same user.
>
> My security constraint/login config looks like this:
>
>      <security-constraint>
>          <web-resource-collection>
>              <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
>              <url-pattern>/hello</url-pattern>
>              <http-method>GET</http-method>
>              <http-method>POST</http-method>
>          </web-resource-collection>
>
>          <auth-constraint>
>              <role-name>*</role-name>
>          </auth-constraint>
>
>          <user-data-constraint>
>              
>              <transport-guarantee>NONE</transport-guarantee>
>          </user-data-constraint>
>      </security-constraint>
>
>      <login-config>
>          <auth-method>SPNEGO</auth-method>
>      </login-config>
>
> I would like some idea how to:
>
> a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
You can enable more logging of the realm code by adding 
"org.apache.catalina.realm.level=FINE" to your conf/logging.properties file.
> b) Understand how the windows users/roles are going to map to any used in my
> webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
SPNego will only do authentication. Authorization is done via the 
configured realm. If your users and roles are stored in an LDAP 
directory (as I suspect it is), you can use the JNDIRealm to configure 
where tomcat will look for your users and their roles. For more info 
look at http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
> c) get more documentation on how these things are actually supposed to work.
> Most of the information I find is examples, not proper documentation.
If you are not happy with the examples, you can look at the 
configuration docs cunningly hidden 
at http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

Regards,
  Felix
> d) Understand why I get this: init() encoding tag is 126 req type is 11
> error.
>
> Thanks,
>
> James Henderson
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
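Editor's note on Felix's point (b), with an added configuration example that is not part of the thread and not Tomcat's own shipped config. Tomcat's SPNEGO authenticator only proves who the caller is; it then asks the configured Realm for a Principal carrying that user's roles, and, as I read the Tomcat 7 source, a null answer from the Realm (user not found in the realm's backing store) is reported to the client as 401, whereas an authenticated user who lacks the required role gets 403. A 401 after a successful "KrbApReq: authenticate succeed" therefore usually means the default realm (tomcat-users.xml) does not know the Kerberos user, not that Kerberos failed. The JNDIRealm below points Tomcat at an Active Directory domain for the DEV realm; every DN, OU name, host name and the service account are placeholders I made up for illustration. It assumes Tomcat passes the realm the Kerberos principal with the "@DEV" suffix removed, which is what the RealmBase attribute stripRealmForGss (default true in the 7.0.x releases I know) does; check the realm docs for your exact version before relying on that.

```xml
<!-- Goes in server.xml inside <Engine> (or a <Host>/<Context> to scope it).
     Hypothetical values: dc01.dev, the OUs and the bind account are
     placeholders, not taken from the thread. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://dc01.dev:636"
       connectionName="CN=tomcat-ldap,OU=Service Accounts,DC=dev"
       connectionPassword="CHANGE-ME"

       userBase="OU=Users,DC=dev"
       userSubtree="true"
       userSearch="(sAMAccountName={0})"

       roleBase="OU=Groups,DC=dev"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})" />
```

How it maps: `{0}` in userSearch is the name the authenticator hands over (the Kerberos principal without its realm, under the assumption above), so it is matched against sAMAccountName; the DN of the entry found becomes `{0}` in roleSearch, and the `cn` of every group whose `member` attribute contains that DN becomes a Tomcat role. Those cn values are what you put in `<role-name>` in web.xml, and they should also be declared in `<security-role>`: in the default strict `allRolesMode`, `<role-name>*</role-name>` only matches roles the webapp declares, so a constraint with `*` and no `<security-role>` elements admits nobody even after a successful lookup. Use a dedicated read-only bind account over ldaps and keep server.xml readable only by the Tomcat user, since the bind password sits in it in clear text. With `org.apache.catalina.realm.level=FINE` enabled as Felix suggests, the realm's user and role searches show up in catalina.out, which is the quickest way to see whether the lookup, rather than Kerberos, is what is failing.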