tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael-O <1983-01...@gmx.net>
Subject Re: SpnegoAuthenticator gives GSSException (Desired initLifetime) wih IBM JDK
Date Tue, 08 Oct 2013 18:33:28 GMT
Am 2013-10-08 10:39, schrieb Chawla, Rachit:
> Hi All,
>
> I am struggling on SSO configuration using SPENGO mechanism on Tomcat 7.0.42 but not
able to get it working. We tried on 7.0.29 version too.  Since I get Login Successful in logs,
I assume Kerberos login was successful. Its SpnegoAuthentication that is failing.
>
> Exception:
>
> java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11,
minor code: 0
>      major string: General failure, unspecified at GSSAPI level
>      minor string: Desired initLifetime zero or less
>
>
> Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as reference. On
decompiling SpnegoAuthenticator code, we saw that we are using GSSCredential.DEFAULT_LIFETIME
in createCredential method, which might be the reason for the exception.
>
> final PrivilegedExceptionAction<GSSCredential> action =
>                  new PrivilegedExceptionAction<GSSCredential>() {
>                      @Override
>                      public GSSCredential run() throws GSSException {
>                          return manager.createCredential(null,
>                                  GSSCredential.DEFAULT_LIFETIME,
>                                  new Oid("1.3.6.1.5.5.2"),
>                                  GSSCredential.ACCEPT_ONLY);
>                      }
>                  };

Hi,

I am using the same source code for my SpnegoAuthenticator with an 
Oracle JVM on Windows and a HP VM on HP-UX.

Something must be different/wrong with the JGSS Provider from IBM.

What you could do is download my source [1], change the lifetime to 
GSSCredential.INDEFINITE_LIFETIME and see whether it fixes the problem.

Michael

[1] http://tomcatspnegoad.sourceforge.net/download.html


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message