tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Chawla, Rachit" <RachitCha...@fico.com>
Subject RE: SpnegoAuthenticator gives GSSException (Desired initLifetime) wih IBM JDK
Date Wed, 09 Oct 2013 15:28:28 GMT


> Hi All,
>
> I am struggling on SSO configuration using SPENGO mechanism on Tomcat 7.0.42 but not
able to get it working. We tried on 7.0.29 version too.  Since I get Login Successful in logs,
I assume Kerberos login was successful. Its SpnegoAuthentication that is failing.
>
> Exception:
>
> java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11,
minor code: 0
>      major string: General failure, unspecified at GSSAPI level
>      minor string: Desired initLifetime zero or less
>
>
> Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as reference. On
decompiling SpnegoAuthenticator code, we saw that we are using GSSCredential.DEFAULT_LIFETIME
in createCredential method, which might be the reason for the exception.
>
> final PrivilegedExceptionAction<GSSCredential> action =
>                  new PrivilegedExceptionAction<GSSCredential>() {
>                      @Override
>                      public GSSCredential run() throws GSSException {
>                          return manager.createCredential(null,
>                                  GSSCredential.DEFAULT_LIFETIME,
>                                  new Oid("1.3.6.1.5.5.2"),
>                                  GSSCredential.ACCEPT_ONLY);
>                      }
>                  };

Hi,

I am using the same source code for my SpnegoAuthenticator with an Oracle JVM on Windows and
a HP VM on HP-UX.

Something must be different/wrong with the JGSS Provider from IBM.

What you could do is download my source [1], change the lifetime to GSSCredential.INDEFINITE_LIFETIME
and see whether it fixes the problem.

Michael

[1] http://tomcatspnegoad.sourceforge.net/download.html


Thanks Michael. It did solve the issue. 
Not sure, if it will be acceptable as  a fix,  due to constraints and stuff.

Appreciate the effort :). 

This email and any files transmitted with it are confidential, proprietary and intended solely
for the individual or entity to whom they are addressed. If you have received this email in
error please delete it immediately.
Mime
View raw message