Hi,
I'm trying to use the new Kerberos authentication in httpclient-4.1-alpha1. To start off, I'm simply running the example Kerberos authentication program for the URL "http://tunneltest.servoy.com/private" (this is an internal test URL, so it does not work from the internet). I tested the URL with Firefox with Kerberos authentication and it works fine, but with HttpClient I'm seeing two things I don't understand:
1) A ticket request is done for the HTTP/[email protected] service even though it's already in my ticket cache.
2) The ticket request fails with the error:
Dec 11, 2009 10:40:11 AM org.apache.http.client.protocol.RequestTargetAuthentication process
SEVERE: Authentication error: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : DerInputStream.getLength(): lengthTag=127, too big.))
First of all, I don't understand why it has to request the ticket for the service if it's already in the cache. However, the request is for the right service, because I get the following line in my kdc.log:
2009-12-11T10:37:03 TGS-REQ [email protected] from IPv4:85.147.225.232 for HTTP/[email protected]
This is slightly different from the line I get when requesting the url from firefox, which reads:
2009-12-11T10:49:49 TGS-REQ [email protected] from IPv4:85.147.225.232 for HTTP/[email protected] [canonicalize]
Does anybody know what I'm doing wrong? To make sure that I'm not withholding any relevant information, below I've posted all the details. Especially interesting is the program output...
Thanks in advance,
Sebastiaan
login.conf
------8<------
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE
useTicketCache="true" ticketCache="/tmp/krb5cc_1000" debug=true;
};
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE
useTicketCache="true" ticketCache="/tmp/krb5cc_1000" debug=true;
};
------8<------
krb5.conf
------8<------
[libdefaults]
default_realm = SERVOY.COM
[realms]
SERVOY.COM = {
kdc = tunneltest.servoy.com
kpasswd_server = tunneltest.servoy.com
}
[domain_realm]
.servoy.com = SERVOY.COM
------8<------
the main method:
------8<------
import java.security.Principal;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.params.AuthPolicy;
import org.apache.http.impl.auth.NegotiateSchemeFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;

// Class name is a placeholder; the mail only shows the main method.
public class KerberosTest {

    public static void main(String[] args) throws Exception {
        // JAAS login configuration (the login.conf above) and the krb5.conf to use
        System.setProperty("java.security.auth.login.config",
                "/home/sebster/login.conf");
        System.setProperty("java.security.krb5.conf", "/etc/krb5.conf");
        // Verbose Kerberos tracing from the JDK; this produces the output below
        System.setProperty("sun.security.krb5.debug", "true");
        // Let JGSS obtain credentials itself (here: from the ticket cache)
        // instead of requiring them in the current Subject
        System.setProperty("javax.security.auth.useSubjectCredsOnly",
                "false");

        DefaultHttpClient httpclient = new DefaultHttpClient();

        // Register the SPNEGO/Negotiate auth scheme that is new in 4.1-alpha1
        NegotiateSchemeFactory nsf = new NegotiateSchemeFactory();
        // nsf.setStripPort(false);
        // nsf.setSpengoGenerator(new BouncySpnegoTokenGenerator());
        httpclient.getAuthSchemes().register(AuthPolicy.SPNEGO, nsf);

        // Dummy credentials: the real ones come from JAAS/JGSS, HttpClient only
        // needs a non-null Credentials object for the scope to attempt auth
        Credentials use_jaas_creds = new Credentials() {
            public String getPassword() {
                return null;
            }

            public Principal getUserPrincipal() {
                return null;
            }
        };
        // Any host, any port, any realm
        httpclient.getCredentialsProvider().setCredentials(new AuthScope(null,
                -1, null), use_jaas_creds);

        HttpUriRequest request = new HttpGet("http://tunneltest.servoy.com/private");
        HttpResponse response = httpclient.execute(request);
        HttpEntity entity = response.getEntity();

        System.out.println("----------------------------------------");
        System.out.println(response.getStatusLine());
        System.out.println("----------------------------------------");
        if (entity != null) {
            System.out.println(EntityUtils.toString(entity));
        }
        System.out.println("----------------------------------------");

        // This ensures the connection gets released back to the manager
        if (entity != null) {
            entity.consumeContent();
        }

        // When HttpClient instance is no longer needed,
        // shut down the connection manager to ensure
        // immediate deallocation of all system resources
        httpclient.getConnectionManager().shutdown();
    }
}
------8<------
the program output:
------8<------
Debug is true storeKey false useTicketCache true useKeyTab false
doNotPrompt false ticketCache is /tmp/krb5cc_1000 isInitiator true
KeyTab is null refreshKrb5Config is false principal is null tryFirstPass
is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>DEBUG <CCacheInputStream> client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is krbtgt/[email protected]
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Fri Dec 11 08:23:24 CET 2009
>>>DEBUG <CCacheInputStream> start time: Fri Dec 11 08:23:24 CET 2009
>>>DEBUG <CCacheInputStream> end time: Fri Dec 11 18:26:31 CET 2009
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags() INITIAL;
>>>DEBUG <CCacheInputStream>
>>>DEBUG <CCacheInputStream> client principal is [email protected]
>>>DEBUG <CCacheInputStream> server principal is HTTP/[email protected]
>>>DEBUG <CCacheInputStream> key type: 16
>>>DEBUG <CCacheInputStream> auth time: Fri Dec 11 08:23:24 CET 2009
>>>DEBUG <CCacheInputStream> start time: Fri Dec 11 10:49:49 CET 2009
>>>DEBUG <CCacheInputStream> end time: Fri Dec 11 18:26:31 CET 2009
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags()
>>>DEBUG <CCacheInputStream>
Principal is [email protected]
Commit Succeeded
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Dec 11 18:26:31 CET 2009
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
Using builtin default etypes for default_tgs_enctypes
default etypes for default_tgs_enctypes: 3 1 23 16 17.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbKdcReq send: kdc=tunneltest.servoy.com UDP:88, timeout=30000, number of retries =3, #bytes=589
>>> KDCCommunication: kdc=tunneltest.servoy.com UDP:88, timeout=30000,Attempt =1, #bytes=589
>>> KrbKdcReq send: #bytes read=553
>>> KrbKdcReq send: #bytes read=553
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
Krb5Context setting mySeqNumber to: 97051396
Created InitSecContextToken:
0000: 01 00 6E 82 01 D5 30 82 01 D1 A0 03 02 01 05 A1  ..n...0.........
0010: 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 01  ......... ......
0020: 01 61 81 FE 30 81 FB A0 03 02 01 05 A1 0C 1B 0A  .a..0...........
0030: 53 45 52 56 4F 59 2E 43 4F 4D A2 28 30 26 A0 03  SERVOY.COM.(0&..
0040: 02 01 01 A1 1F 30 1D 1B 04 48 54 54 50 1B 15 74  .....0...HTTP..t
0050: 75 6E 6E 65 6C 74 65 73 74 2E 73 65 72 76 6F 79  unneltest.servoy
0060: 2E 63 6F 6D A3 81 BB 30 81 B8 A0 03 02 01 03 A1  .com...0........
0070: 03 02 01 01 A2 81 AB 04 81 A8 CF 09 B8 16 47 4B  ..............GK
0080: A0 F1 83 49 AA A9 9F EA 25 C2 E0 07 C1 DF E9 5C  ...I....%......\
0090: 82 F6 09 55 F3 3F 35 5C C6 BE 22 B6 20 23 D0 92  ...U.?5\..". #..
00A0: 2E AF 3B 71 5B 6F 88 5C D2 33 F7 8B 6B 7C 4C FB  ..;q[o.\.3..k.L.
00B0: 95 F7 D0 22 A3 D1 85 58 B9 CB 40 8C B4 6B B4 51  ..."...X..@..k.Q
00C0: 87 FD 97 AD BC B8 A7 7D 5E 5D 42 78 F2 CC 41 A0  ........^]Bx..A.
00D0: 39 C8 5B 29 86 C4 62 77 3B E8 33 19 69 8F 33 62  9.[)..bw;.3.i.3b
00E0: 0A 14 9F B2 35 B9 04 6C 0D 31 B4 21 66 7B 1F 06  ....5..l.1.!f...
00F0: FA 1F 0C AF 73 E5 57 86 CC D7 46 23 79 B9 4A CB  ....s.W...F#y.J.
0100: 69 13 46 E6 30 18 93 69 91 D6 91 E3 86 DD DE B5  i.F.0..i........
0110: 8A 7C 73 E8 6F 12 F2 21 64 19 F0 9F 21 B3 00 1E  ..s.o..!d...!...
0120: A0 3F A4 81 B6 30 81 B3 A0 03 02 01 03 A2 81 AB  .?...0..........
0130: 04 81 A8 9D 59 DC 23 05 29 7B 79 3E 99 35 30 61  ....Y.#.).y>.50a
0140: EC 59 46 2C F4 0B 82 87 72 9C 36 9F F3 C4 32 55  .YF,....r.6...2U
0150: 67 AA 47 DF 0A 61 A9 41 7C 25 CD F2 32 36 B6 4E  g.G..a.A.%..26.N
0160: 22 5F 3C 60 CA D2 97 15 26 32 E9 4A B6 79 4A 23  "_<`....&2.J.yJ#
0170: F2 15 17 95 FB 87 66 63 8A 93 8D B2 BD 36 E3 D4  ......fc.....6..
0180: 26 75 CD CA 23 3B E1 C5 8B 32 CD E2 70 1D 1A 03  &u..#;...2..p...
0190: DD ED 2B 1B AF 97 AB 19 A9 88 EF 52 87 6A 2D 94  ..+........R.j-.
01A0: DA 84 4E F4 F0 99 CE E6 CF 67 A8 E6 7F CB 7D C5  ..N......g......
01B0: 68 D5 15 57 B5 52 08 F8 AC 24 21 52 B2 9E 55 68  h..W.R...$!R..Uh
01C0: D2 3D FA C2 51 D4 92 5B CF 60 E4 59 3C A8 85 4E  .=..Q..[.`.Y<..N
01D0: 8F BB EE 39 3B 79 3A AE 06 F4 CC                 ...9;y:....
Dec 11, 2009 10:55:08 AM org.apache.http.client.protocol.RequestTargetAuthentication process
SEVERE: Authentication error: Defective token detected (Mechanism level: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenTarg token : DerInputStream.getLength(): lengthTag=127, too big.))
----------------------------------------
HTTP/1.1 401 Authorization Required
----------------------------------------
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
</body></html>
----------------------------------------
------8<------
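Editor's note: the hex dump under "Created InitSecContextToken" in the output above can be decoded offline, and doing so separates the token HttpClient built from the one that failed. The following is an added example written for this page, not part of the original mail and not HttpClient code. It parses the dumped bytes, which are the mechanism-level token TOK_ID 0x01 0x00 followed by a DER-encoded KRB_AP_REQ (RFC 4121 section 4.1, RFC 4120 section 5.5.1; the outer GSS-API/SPNEGO framing is not in the dump), and its der_length() applies the same rule as the Java DerInputStream.getLength() check named in the error message. The etype name table and the Python function names are the editor's; the token bytes are transcribed from the dump.

```python
"""Decoder for the bytes printed under 'Created InitSecContextToken' above.
Editor's added example, not part of the original mail or of HttpClient.
The dump is TOK_ID 0x0100 followed by a DER-encoded KRB_AP_REQ (RFC 4121
section 4.1, RFC 4120 section 5.5.1); the outer GSS-API/SPNEGO framing is
not part of the dump."""

# Transcribed from the hex dump in the post (475 bytes)
TOKEN_HEX = """
01 00 6E 82 01 D5 30 82 01 D1 A0 03 02 01 05 A1 03 02 01 0E A2 07 03 05 00 20 00 00 00 A3 82 01
01 61 81 FE 30 81 FB A0 03 02 01 05 A1 0C 1B 0A 53 45 52 56 4F 59 2E 43 4F 4D A2 28 30 26 A0 03
02 01 01 A1 1F 30 1D 1B 04 48 54 54 50 1B 15 74 75 6E 6E 65 6C 74 65 73 74 2E 73 65 72 76 6F 79
2E 63 6F 6D A3 81 BB 30 81 B8 A0 03 02 01 03 A1 03 02 01 01 A2 81 AB 04 81 A8 CF 09 B8 16 47 4B
A0 F1 83 49 AA A9 9F EA 25 C2 E0 07 C1 DF E9 5C 82 F6 09 55 F3 3F 35 5C C6 BE 22 B6 20 23 D0 92
2E AF 3B 71 5B 6F 88 5C D2 33 F7 8B 6B 7C 4C FB 95 F7 D0 22 A3 D1 85 58 B9 CB 40 8C B4 6B B4 51
87 FD 97 AD BC B8 A7 7D 5E 5D 42 78 F2 CC 41 A0 39 C8 5B 29 86 C4 62 77 3B E8 33 19 69 8F 33 62
0A 14 9F B2 35 B9 04 6C 0D 31 B4 21 66 7B 1F 06 FA 1F 0C AF 73 E5 57 86 CC D7 46 23 79 B9 4A CB
69 13 46 E6 30 18 93 69 91 D6 91 E3 86 DD DE B5 8A 7C 73 E8 6F 12 F2 21 64 19 F0 9F 21 B3 00 1E
A0 3F A4 81 B6 30 81 B3 A0 03 02 01 03 A2 81 AB 04 81 A8 9D 59 DC 23 05 29 7B 79 3E 99 35 30 61
EC 59 46 2C F4 0B 82 87 72 9C 36 9F F3 C4 32 55 67 AA 47 DF 0A 61 A9 41 7C 25 CD F2 32 36 B6 4E
22 5F 3C 60 CA D2 97 15 26 32 E9 4A B6 79 4A 23 F2 15 17 95 FB 87 66 63 8A 93 8D B2 BD 36 E3 D4
26 75 CD CA 23 3B E1 C5 8B 32 CD E2 70 1D 1A 03 DD ED 2B 1B AF 97 AB 19 A9 88 EF 52 87 6A 2D 94
DA 84 4E F4 F0 99 CE E6 CF 67 A8 E6 7F CB 7D C5 68 D5 15 57 B5 52 08 F8 AC 24 21 52 B2 9E 55 68
D2 3D FA C2 51 D4 92 5B CF 60 E4 59 3C A8 85 4E 8F BB EE 39 3B 79 3A AE 06 F4 CC
"""
TOKEN = bytes.fromhex(TOKEN_HEX)

# Kerberos etype numbers (RFC 3961/3962/4757) for the types listed in this log
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 23: "rc4-hmac"}

def der_length(buf, pos):
    """(length, content offset) for the DER length at buf[pos]: a first byte
    below 0x80 is the length itself, otherwise its low 7 bits count the length
    bytes that follow; 0 (indefinite) and more than 4 are rejected, which is
    why a 0xFF byte in that position is reported as lengthTag=127, too big."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("lengthTag=%d, %s" % (n, "indefinite" if n == 0 else "too big"))
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def der_tlv(buf, pos=0):
    """(tag, content, offset after the element) for the element at pos."""
    tag = buf[pos]
    length, start = der_length(buf, pos + 1)
    if start + length > len(buf):
        raise ValueError("element at %d claims %d bytes, buffer too short" % (pos, length))
    return tag, buf[start:start + length], start + length

def der_children(content):
    """Yield (tag, content) for each element packed in a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = der_tlv(content, pos)
        yield tag, value

def unwrap(buf, expected_tag):
    """Content of the single element filling buf, after checking its tag byte."""
    tag, value, end = der_tlv(buf)
    if tag != expected_tag or end != len(buf):
        raise ValueError("expected tag %#04x, got %#04x" % (expected_tag, tag))
    return value

def fields(seq_content):
    """Map [n] context tag number -> inner element, for a Kerberos SEQUENCE."""
    return {tag & 0x1F: value for tag, value in der_children(seq_content)}

def der_int(buf):
    return int.from_bytes(unwrap(buf, 0x02), "big", signed=True)

def etype_name(buf):
    return ETYPE_NAMES.get(der_int(buf), "etype %d" % der_int(buf))

def parse_ap_req_token(token):
    """Return the AP-REQ fields a troubleshooter wants from a KRB5 initial token."""
    if token[:2] != b"\x01\x00":
        raise ValueError("TOK_ID is not KRB_AP_REQ (0x0100)")
    ap_req = fields(unwrap(unwrap(token[2:], 0x6E), 0x30))  # [APPLICATION 14] SEQUENCE
    ticket = fields(unwrap(unwrap(ap_req[3], 0x61), 0x30))  # [APPLICATION 1] Ticket
    sname = fields(unwrap(ticket[2], 0x30))                 # PrincipalName
    names = [v.decode("ascii") for _, v in der_children(unwrap(sname[1], 0x30))]
    ticket_enc = fields(unwrap(ticket[3], 0x30))            # EncryptedData (ticket)
    auth_enc = fields(unwrap(ap_req[4], 0x30))              # EncryptedData (authenticator)
    ap_options = unwrap(ap_req[2], 0x03)[1:]                # BIT STRING minus unused-bits byte
    return {
        "pvno": der_int(ap_req[0]),
        "msg_type": der_int(ap_req[1]),                     # 14 = KRB_AP_REQ
        "mutual_required": bool(ap_options[0] & 0x20),      # KerberosFlags bit 2
        "realm": unwrap(ticket[1], 0x1B).decode("ascii"),
        "sname": "/".join(names),
        "ticket_etype": etype_name(ticket_enc[0]),
        "ticket_kvno": der_int(ticket_enc[1]),
        "authenticator_etype": etype_name(auth_enc[0]),
    }

if __name__ == "__main__":
    for key, value in parse_ap_req_token(TOKEN).items():
        print("%-20s %s" % (key, value))
```

Running it shows that the token HttpClient produced parses cleanly: an AP-REQ (pvno 5, msg-type 14) with mutual-required set, for HTTP/tunneltest.servoy.com in realm SERVOY.COM, with the ticket (kvno 1) and the authenticator both under etype 3, des-cbc-md5, which is the DesCbcMd5EType line in the log. The lengthTag=127 complaint is raised while parsing a NegTokenTarg, which is the Negotiate token the server returns in its response, so the byte that could not be a DER length (0xFF) sat in what the server sent back, not in the token shown in the dump.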
