tomcat-users mailing list archives

From Edward Siewick <esiew...@ementum.com>
Subject RE: Tomcat7 and SPNEGO configuration questions
Date Tue, 11 Jun 2013 15:48:59 GMT
James,

Regarding your question a), HTTP 401 is a tangle of both "not authenticated" and "not authorized".
 You're at least getting through authentication of the end user. At least that's my interpretation
of Krb5Context logging of "KrbApReq: authenticate succeed." and logged values for mySeqNumber
and peerSeqNumber. (In my case I'm not getting even this far.)

On your b), Felix's example for debugging a jmeter issue uses an LDAP call to check for group
membership. This is configured within a <realm /> in server.xml, leveraging the "the
user's delegated credentials via a request attribute so applications can make use of them"
[presumably for more fine-grained authorization control]. Anyway, this seems to be an application
level augmentation of SPNEGO vice a contradiction of the patch comment for the initial SPNEGO
support in Tomcat-7.0.12.  ("48685: Add initial support for SPNEGO/Kerberos authentication
also referred to as integrated Windows authentication. This includes user authentication,
authorisation via the directory using the user's delegated credentials and exposing the user's
delegated credentials via a request attribute so applications can make use of them to impersonate
the current user when accessing third-party systems that use a compatible authentication mechanism.
Based on a patch provided by Michael Osipov. (markt).") There doesn't seem to be documentation
that expands "authorisation via the directory using the user's delegated credentials" into
a configuration option. As written the comment for 48685 says SPNEGO support doesn't stop
at authentication; it [somehow] handles authorization, too.

On c), absent documentation, the details in
https://issues.apache.org/bugzilla/show_bug.cgi?id=48685
might help explain the developers' sense of the intended working order and provide some clues
on the JAAS and SPNEGO configuration requirements. At least that's what I'm reading through.

On d), you might already know this, but "KDCRep: init() encoding tag is 126 req type is 11"
translates to "exception: Asn1Exception - if an error occurs while decoding an ASN1 encoded
data." The actual text is from sun.security.krb5.internal.KDCRep:

    /**
     * Initializes an KDCRep object.
     *
     * @param encoding a single DER-encoded value.
     * @param req_type reply message type.
     * @exception Asn1Exception if an error occurs while decoding an ASN1 encoded data.
     * @exception IOException if an I/O error occurs while reading encoded data.
     * @exception RealmException if an error occurs while constructing
     * a Realm object from DER-encoded data.
     * @exception KrbApErrException if the value read from the DER-encoded
     * data stream does not match the pre-defined value.
     *
     */
    protected void init(DerValue encoding, int req_type)
            throws Asn1Exception, RealmException, IOException,
            KrbApErrException {
        DerValue der, subDer;
        if ((encoding.getTag() & 0x1F) != req_type) {
            if (DEBUG) {
                System.out.println(">>> KDCRep: init() " +
                        "encoding tag is " +
                        encoding.getTag() +
                        " req type is " + req_type);
            }
            throw new Asn1Exception(Krb5.ASN1_BAD_ID);
        }

This snippet is from openjdk; http://cr.openjdk.java.net/~weijun/6966259/webrev.01/src/share/classes/sun/security/krb5/internal/KDCRep.java.html.
There's also Oracle's http://www.docjar.com/html/api/sun/security/krb5/internal/KDCReq.java.html.
It doesn't have the actual logging line, though.

Edward
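An added worked example (not part of either message in the thread, and not OpenJDK or Tomcat code) that shows what the "encoding tag is 126 req type is 11" line in point d) actually denotes. KDCRep.init() masks the DER identifier octet with 0x1F and compares it with the expected reply type; tag 126 (0x7E) is [APPLICATION 30] constructed, which per RFC 4120 is KRB-ERROR, while 11 is AS-REP. The helpers below decode the tag byte, name the Kerberos message types involved, and pull the error code and advertised pre-authentication types out of a JDK "KRBError" block. SAMPLE_LOG is a constructed excerpt modelled on the output quoted in the thread; the message-type, error-code and PA-DATA tables are from RFC 4120.

```python
import re

# RFC 4120 section 5.10: [APPLICATION n] tag numbers of Kerberos top-level messages
KRB_MSG_TYPES = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
    22: "KRB-CRED", 30: "KRB-ERROR",
}

# RFC 4120 section 7.5.9: subset of error codes seen in KDC and AP exchanges
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP", 18: "KDC_ERR_CLIENT_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
    34: "KRB_AP_ERR_REPEAT", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED",
}

# RFC 4120 section 7.5.2: pre-authentication data types the JDK prints after a KRBError
PA_DATA_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}

DER_CLASSES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT-SPECIFIC", 3: "PRIVATE"}

# Constructed sample, modelled on the JDK debug output quoted in the thread (not the original log)
SAMPLE_LOG = """\
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
         realm is DEV
         sname is krbtgt/DEV
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
"""


def decode_der_tag(tag):
    """Split a one-octet DER identifier into (class, constructed?, tag number).

    Bits 7-6 are the class, bit 5 the constructed flag, bits 4-0 the tag number;
    the low five bits are exactly what KDCRep.init() masks with 0x1F.
    """
    return DER_CLASSES[(tag >> 6) & 0x3], bool(tag & 0x20), tag & 0x1F


def explain_kdcrep_mismatch(tag, req_type):
    """Interpret a '>>> KDCRep: init() encoding tag is T req type is R' debug line."""
    cls, constructed, number = decode_der_tag(tag)
    return {
        "tag_class": cls,
        "constructed": constructed,
        "received": KRB_MSG_TYPES.get(number, "unknown application tag %d" % number),
        "expected": KRB_MSG_TYPES.get(req_type, "unknown application tag %d" % req_type),
        "mismatch": number != req_type,
    }


def parse_kdcrep_line(log_text):
    """Find the KDCRep mismatch line in a debug log and explain it; None when absent."""
    m = re.search(r"encoding tag is (\d+) req type is (\d+)", log_text)
    return explain_kdcrep_mismatch(int(m.group(1)), int(m.group(2))) if m else None


def parse_krberror(log_text):
    """Extract error code, message, realm and advertised PA-DATA types from a '>>>KRBError:' block."""
    result = {"error_code": None, "error_name": None, "message": None, "realm": None}
    m = re.search(r"error code is (\d+)", log_text)
    if m:
        result["error_code"] = int(m.group(1))
        result["error_name"] = KRB_ERROR_CODES.get(result["error_code"], "unlisted")
    m = re.search(r"error Message is (.+)", log_text)
    if m:
        result["message"] = m.group(1).strip()
    m = re.search(r"realm is (\S+)", log_text)
    if m:
        result["realm"] = m.group(1)
    # The KDC lists the pre-authentication mechanisms it will accept on the retry
    result["padata"] = [int(t) for t in re.findall(r"PA-DATA type = (\d+)", log_text)]
    result["padata_names"] = [PA_DATA_TYPES.get(t, "type %d" % t) for t in result["padata"]]
    return result


if __name__ == "__main__":
    print(parse_kdcrep_line(SAMPLE_LOG))
    print(parse_krberror(SAMPLE_LOG))
```

Read against James's log, the tag line says the KDC answered the first AS-REQ with a KRB-ERROR (msgType 30) instead of an AS-REP, and the error code is 25, pre-authentication required. The JDK then re-sends the AS-REQ with PA-ENC-TIMESTAMP and the login commits, so that debug line is the expected first leg of an AS exchange against a KDC that demands pre-authentication and is not the cause of the 401.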

________________________________________
From: james.henderson [james.henderson@rbc.com]
Sent: Monday, June 10, 2013 5:35 PM
To: users@tomcat.apache.org
Subject: RE: Tomcat7 and SPNEGO configuration questions

I am in a similar situation to Edward.

My authentication says something like:

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=166
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=166
>>> KrbKdcReq send: #bytes read=152
>>> KrbKdcReq send: #bytes read=152
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Mon Jun 10 17:21:23 EDT 2013 1370899283000
         suSec is 764076
         error code is 25
         error Message is Additional pre-authentication required
         realm is DEV
         sname is krbtgt/DEV
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is DEVserver.dev
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=dev UDP:88, timeout=30000, number of retries =3,
>>> #bytes=249
>>> KDCCommunication: kdc=dev UDP:88, timeout=30000,Attempt =1, #bytes=249
>>> KrbKdcReq send: #bytes read=1384
>>> KrbKdcReq send: #bytes read=1384
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/guedlvwcfv001.dev
principal is HTTP/guedlvwcfv001.dev@DEV
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
Added server's keyKerberos Principal HTTP/server.dev@DEVKey Version 3key
EncryptionKey: keyType=23 keyBytes (hex dump)=(omitted)
                [Krb5LoginModule] added Krb5Principal  HTTP/server.dev@DEV
to Subject
Commit Succeeded


Found key for HTTP/server.dev@DEV(23)
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 3 1 23 16 17 18.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> Config reset default kdc DEV
object 0: 1370899284091/91026
object 0: 1370899284091/91026
replay cache found.
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1400102526
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 909711492
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

But the page always returns 401 if I try to use it:

10.241.162.107 - - [10/Jun/2013:17:21:23 -0400] "GET /webeditors/hello
HTTP/1.1" 401 951

We have another page that uses spring SPNEGO and it works fine with exactly
the same user.

My security constraint/login config looks like this:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
            <url-pattern>/hello</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>

        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>

        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

I would like some idea how to:

a) get tomcat to tell me why it is returning 401 in this case (debug logs?)
b) Understand how the windows users/roles are going to map to any used in my
webapp.  Is it a 1:1 mapping, or does it need some sort of configuration?
c) get more documentation on how these things are actually supposed to work.
Most of the information I find is examples, not proper documentation.
d) Understand why I get this: init() encoding tag is 126 req type is 11
error.

Thanks,

James Henderson


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------