tomcat-users mailing list archives

From Michael-O <1983-01...@gmx.net>
Subject Re: SpnegoAuthenticator gives GSSException (Desired initLifetime) with IBM JDK
Date Wed, 09 Oct 2013 18:41:50 GMT
On 2013-10-09 17:28, Chawla, Rachit wrote:
>
>
>> Hi All,
>>
>> I am struggling on SSO configuration using SPNEGO mechanism on Tomcat 7.0.42 but not able to get it working. We tried on 7.0.29 version too. Since I get Login Successful in logs, I assume Kerberos login was successful. It's SpnegoAuthentication that is failing.
>>
>> Exception:
>>
>> java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 11, minor code: 0
>>       major string: General failure, unspecified at GSSAPI level
>>       minor string: Desired initLifetime zero or less
>>
>>
>> Used http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html as reference. On decompiling SpnegoAuthenticator code, we saw that we are using GSSCredential.DEFAULT_LIFETIME in createCredential method, which might be the reason for the exception.
>>
>> final PrivilegedExceptionAction<GSSCredential> action =
>>                   new PrivilegedExceptionAction<GSSCredential>() {
>>                       @Override
>>                       public GSSCredential run() throws GSSException {
>>                           return manager.createCredential(null,
>>                                   GSSCredential.DEFAULT_LIFETIME,
>>                                   new Oid("1.3.6.1.5.5.2"),
>>                                   GSSCredential.ACCEPT_ONLY);
>>                       }
>>                   };
>
> Hi,
>
> I am using the same source code for my SpnegoAuthenticator with an Oracle JVM on Windows and a HP VM on HP-UX.
>
> Something must be different/wrong with the JGSS Provider from IBM.
>
> What you could do is download my source [1], change the lifetime to GSSCredential.INDEFINITE_LIFETIME and see whether it fixes the problem.
>
> Michael
>
> [1] http://tomcatspnegoad.sourceforge.net/download.html
>
>
> Thanks Michael. It did solve the issue.
> Not sure if it will be acceptable as a fix, due to constraints and stuff.
>
> Appreciate the effort :).

If this one works, are you able to file a bug with IBM's JVM?

The behavior should be the same as in Oracle's VM or MIT/Heimdal Kerberos.

Michael
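
The workaround discussed in this thread, as an added example that is not part of the original messages or of Tomcat's SpnegoAuthenticator: it keeps GSSCredential.DEFAULT_LIFETIME and retries with GSSCredential.INDEFINITE_LIFETIME only when the provider reports the failure quoted above. The class and method names are hypothetical, and the Subject is assumed to come from a successful JAAS Kerberos login of the service principal.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Hypothetical helper (not Tomcat code): SPNEGO acceptor credential with a lifetime fallback.
public final class AcceptorCredentials {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    // serviceSubject: assumed to be the Subject of the logged-in service principal.
    public static GSSCredential create(Subject serviceSubject, GSSManager manager)
            throws GSSException {
        try {
            return createWithLifetime(serviceSubject, manager, GSSCredential.DEFAULT_LIFETIME);
        } catch (GSSException e) {
            // Retry only for the failure reported in this thread (major code 11,
            // minor string mentioning initLifetime). Any other error, such as a
            // missing key for the service principal, is rethrown unchanged.
            String minor = e.getMinorString();
            if (e.getMajor() != GSSException.FAILURE
                    || minor == null || !minor.contains("initLifetime")) {
                throw e;
            }
            return createWithLifetime(serviceSubject, manager, GSSCredential.INDEFINITE_LIFETIME);
        }
    }

    private static GSSCredential createWithLifetime(Subject subject,
            final GSSManager manager, final int lifetime) throws GSSException {
        try {
            return Subject.doAs(subject,
                    new PrivilegedExceptionAction<GSSCredential>() {
                        @Override
                        public GSSCredential run() throws GSSException {
                            return manager.createCredential(null, lifetime,
                                    new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                        }
                    });
        } catch (PrivilegedActionException e) {
            // run() declares only GSSException, so the wrapped cause is always one.
            throw (GSSException) e.getException();
        }
    }
}
```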

