I made a small mistake in my query.
'javax.security.auth.kerberos.KerberosPrincipal' was added to server.xml in
userClassNames within the Realm attribute, and the Realm attribute looks like
the following in server.xml:
=> <Realm allRolesMode="authOnly" appName="Tomcat"
          className="org.apache.catalina.realm.JAASRealm"
          roleClassNames="org.apache.catalina.realm.GenericPrincipal"
          stripRealmForGss="false" useContextClassLoader="false"
          userClassNames="org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"/>
In version 7.0.84, there was no requirement to modify userClassNames.
We use a Microsoft KDC. This is a case of integrated Windows authentication.
Our JAAS config for the Tomcat web application
(tomcat/temp/<webapp_name>/conf/jaas.conf) looks like the following:
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        isInitiator=false
        principal="HTTP/azureadlinuxvm.ispazuread.onmicrosoft....@ispazuread.onmicrosoft.com"
        useKeyTab=true
        keyTab="//home//ispqa//sitekey//webapp_http.keytab"
        storeKey=true
        debug=false;
};
Tomcat {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=true
        isInitiator=false
        useKeyTab=true
        principal="HTTP/azureadlinuxvm.ispazuread.onmicrosoft....@ispazuread.onmicrosoft.com"
        keyTab="//home//ispqa//sitekey//webapp_http.keytab"
        storeKey=true
        debug=false;
};
Here's the stack trace which I think has the issue:
    LoginContext.invokePriv(String) line: 679
    LoginContext.login() line: 588
    JAASRealm.authenticate(String, CallbackHandler) line: 427
    JAASRealm.getPrincipal(String) line: 505
    JAASRealm(RealmBase).getPrincipal(String, GSSCredential) line: 1374
    JAASRealm(RealmBase).authenticate(GSSContext, boolean) line: 581
    SpnegoAuthenticator$AuthenticateAction.run() line: 352
    SpnegoAuthenticator$AuthenticateAction.run() line: 337
    AccessController.doPrivileged(PrivilegedAction<T>, AccessControlContext) line: not available [native method]
    Subject.doAs(Subject, PrivilegedAction<T>) line: 360
    SpnegoAuthenticator.authenticate(Request, HttpServletResponse, LoginConfig) line: 251
    SpnegoAuthenticator(AuthenticatorBase).invoke(Request, Response) line: 566
    StandardHostValve.invoke(Request, Response) line: 169
    ErrorReportValve.invoke(Request, Response) line: 104
    StandardEngineValve.invoke(Request, Response) line: 116
    CoyoteAdapter.service(Request, Response) line: 445
    Http11Processor(AbstractHttp11Processor<S>).process(SocketWrapper<S>) line: 1137
    Http11Protocol$Http11ConnectionHandler(AbstractProtocol$AbstractConnectionHandler<S,P>).process(SocketWrapper<S>, SocketStatus) line: 637
    JIoEndpoint$SocketProcessor.run() line: 318
    ThreadPoolExecutor(ThreadPoolExecutor).runWorker(ThreadPoolExecutor$Worker) line: 1149
    ThreadPoolExecutor$Worker.run() line: 624
    TaskThread$WrappingRunnable.run() line: 61
    TaskThread(Thread).run() line: 748
LoginContext.invokePriv() -> this populates the Subject with the server
principal "HTTP/azureadlinuxvm.ispazuread.onmicrosoft....@ispazuread.onmicrosoft.com".
The authenticating username belongs to the client, i.e.
[email protected].
Here's the GenericPrincipal that is returned by JAASRealm.authenticate():
    GenericPrincipal (id=213)
        gssCredential   null
        loginContext    LoginContext (id=218)
        name            "[email protected]" (id=219)
        password        null
        roles           String[0] (id=221)
        userPrincipal   KerberosPrincipal (id=223)
            fullName    "HTTP/azureadlinuxvm.ispazuread.onmicrosoft....@ispazuread.onmicrosoft.com" (id=225)
            nameType    1
            realm       "ISPAZUREAD.ONMICROSOFT.COM" (id=226)
I don't think it should populate server's KerberosPrincipal as
userPrincipal. Let me know if you need more information.
On Wed, Nov 7, 2018 at 2:41 PM Mark Thomas <[email protected]> wrote:
> On 05/11/2018 12:24, Vipul Mehta wrote:
> > We have upgraded from tomcat version 7.0.84 to 7.0.91.
> > Users authenticate with our web app service using Kerberos logged in user
> > credential. After upgrade, login started to fail.
> >
> > It was because of this change due to which the modified method started
> > returning null:
> >
> >
> https://github.com/apache/tomcat70/commit/7b7b5932b6618d13042732c77a4e19ea89b432e3#diff-6fec32edbbb606fe1d1888c99d74e665
> >
> >
> > User principal was KerberosPrincipal and the class was not specified in
> > userClassNames in JAAS config of web application for tomcat. So, I added
> > 'KerberosPrincipal' class in JAAS configuration.
> >
> > =>
> >
> "org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"
> >
> >
> > Now we are facing new issue. The principal being returned by
> > JAASRealm->createPrincipal() is KerberosPrincipal and not
> > GenericUserPrincipal which breaks our code.
> >
> > KerberosPrincipal does not have delegated credential.
> >
> >
> > On debugging I found that, in the JAASRealm->authenticate() method,
> > loginContext.getSubject() returns the server's subject and not the client's. So,
> > later in the createPrincipal() call the username is the client's username but the subject
> > belongs to the server. Is this an issue?
>
> I've spun up the VMs I use for testing this and checked Tomcat 7.0.88
> (the last version before the change above) and 7.0.x. The environment is
> configured as per
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and uses
> the JNDI Realm.
>
> Both work as expected with no configuration changes required.
>
> It isn't clear from the original post how the JAAS Realm has been
> configured. At present this looks like a configuration issue which means
> the users list is the place to follow this up. You'll need to provide
> enough information for the problem to be replicated.
>
> Mark
>
--
Regards,
Vipul
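To make the behaviour discussed in this thread concrete, here is a small Java illustration added to this page. It is not Tomcat source and does not use Tomcat classes: it models a realm that picks the user Principal out of a JAAS Subject by matching class names against a userClassNames list, then shows what that selection yields when the Subject being inspected is the one produced by the server's own keytab login (a Subject holding the service's KerberosPrincipal) rather than one representing the client. The AppPrincipal class, the hostnames and the user name are constructed stand-ins; the check in matchesAuthenticatedUser is a suggestion, not something the page says Tomcat does.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

/*
 * Added illustration, not Tomcat code. Models a realm that chooses the
 * session's user Principal from a JAAS Subject by class name and shows why
 * inspecting the server's own Subject hands back the service principal.
 */
public class UserClassNamesDemo {

    /* Hypothetical stand-in for a container principal class (the role that
     * GenericPrincipal plays in the thread), so no Tomcat jar is needed. */
    static final class AppPrincipal implements Principal {
        private final String name;
        AppPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "AppPrincipal[" + name + "]"; }
    }

    /* Return the first Principal in the Subject whose concrete class name is
     * listed in userClassNames, or null if none matches. */
    static Principal selectUserPrincipal(Subject subject, List<String> userClassNames) {
        for (Principal p : subject.getPrincipals()) {
            if (userClassNames.contains(p.getClass().getName())) {
                return p;
            }
        }
        return null;
    }

    /* Suggested sanity check: the Principal attached to the session must carry
     * the name of the user who actually authenticated, never a service name. */
    static boolean matchesAuthenticatedUser(Principal chosen, String authenticatedUser) {
        return chosen != null && authenticatedUser.equals(chosen.getName());
    }

    public static void main(String[] args) {
        // Constructed sample values; the thread's real hosts and users are not reused.
        String servicePrincipal = "HTTP/webserver.example.com@EXAMPLE.COM";
        String authenticatedUser = "alice@EXAMPLE.COM";

        // The Subject a keytab-based Krb5LoginModule login yields for the
        // service: it carries the service's KerberosPrincipal, not the client.
        Subject serverSubject = new Subject();
        serverSubject.getPrincipals().add(new KerberosPrincipal(servicePrincipal));

        // Case 1: userClassNames lists only the container principal class, so
        // nothing in the server Subject matches and the lookup yields null.
        List<String> onlyAppPrincipal = Arrays.asList(AppPrincipal.class.getName());
        Principal p1 = selectUserPrincipal(serverSubject, onlyAppPrincipal);
        System.out.println("container class only   -> " + p1);

        // Case 2: KerberosPrincipal added to userClassNames, as in the thread.
        // The match now succeeds, but against the service's own principal.
        List<String> withKerberos = Arrays.asList(
                AppPrincipal.class.getName(), KerberosPrincipal.class.getName());
        Principal p2 = selectUserPrincipal(serverSubject, withKerberos);
        System.out.println("with KerberosPrincipal -> " + p2);
        System.out.println("names authenticated user? "
                + matchesAuthenticatedUser(p2, authenticatedUser));

        // Case 3: a Subject that actually represents the client, where the
        // same userClassNames list selects a Principal naming that user.
        Subject clientSubject = new Subject();
        clientSubject.getPrincipals().add(new AppPrincipal(authenticatedUser));
        Principal p3 = selectUserPrincipal(clientSubject, withKerberos);
        System.out.println("client subject         -> " + p3 + ", matches: "
                + matchesAuthenticatedUser(p3, authenticatedUser));
    }
}
```

Compile and run with a plain JDK (`javac UserClassNamesDemo.java && java UserClassNamesDemo`); giving KerberosPrincipal a name that already contains the realm means no krb5.conf is consulted. Case 1 reproduces the post-upgrade symptom from the thread (a null principal), and case 2 reproduces the follow-up complaint: widening userClassNames makes the lookup succeed, but the Principal it selects names the service, so a comparison against the authenticated username fails. Whatever the realm's actual logic, that comparison is the cheap check a deployment can apply before trusting the selected Principal.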