OK, good to know. I am running version 11.0.16.1.

From: Joakim Erdfelt <joa...@webtide.com>
Sent: Wednesday, September 7, 2022 11:20 AM
To: JETTY user mailing list <jetty-users@eclipse.org>
Cc: Bryan Coleman <bryan.cole...@dart.biz>
Subject: Re: [jetty-users] migration woes from version 9 to 10 - possible character encoding issue

Did you, by chance, also upgrade your JVM?

JDK 17 has deprecated 3DES and RC4 in Kerberos
https://bugs.openjdk.org/browse/JDK-8139348

Joakim Erdfelt / joa...@webtide.com

On Wed, Sep 7, 2022 at 10:03 AM Bryan Coleman via jetty-users <jetty-users@eclipse.org> wrote:

java.lang.RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
    at org.eclipse.jetty.security.ConfigurableSpnegoLoginService.lambda$acceptGSSContext$2(ConfigurableSpnegoLoginService.java:238)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/javax.security.auth.Subject.doAs(Subject.java:361)
    at org.eclipse.jetty.security.ConfigurableSpnegoLoginService.login(ConfigurableSpnegoLoginService.java:186)
    at org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator.login(ConfigurableSpnegoAuthenticator.java:104)
    at org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator.validateRequest(ConfigurableSpnegoAuthenticator.java:129)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:508)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1300)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
    at org.eclipse.jetty.server.Server.handle(Server.java:562)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
    at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:859)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:907)
    at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    at org.eclipse.jetty.security.ConfigurableSpnegoLoginService.lambda$acceptGSSContext$2(ConfigurableSpnegoLoginService.java:234)
    ... 39 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
    at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
    at java.security.jgss/sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at java.security.jgss/sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139)
    at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:832)
    ... 46 more

-----Original Message-----
From: jetty-users <jetty-users-boun...@eclipse.org> On Behalf Of Bryan Coleman via jetty-users
Sent: Wednesday, September 7, 2022 10:48 AM
To: JETTY user mailing list <jetty-users@eclipse.org>
Cc: Bryan Coleman <bryan.cole...@dart.biz>
Subject: Re: [jetty-users] migration woes from version 9 to 10 - possible character encoding issue

Thanks for the information.

Yes, I believe it is related to the FallbackAuthenticator as well. I was able to get the Basic portion of the fallback to work by bringing it in line with apparent differences from the BasicAuthenticator; specifically, the credential "space" and charset. I wonder if there isn't something similar with the Kerberos authentication?

I since tried to temporarily replace the FallbackAuthenticator with the ConfigurableSpnegoAuthenticator. The result is a "RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)". My thought was to get the out-of-the-box ConfigurableSpnegoAuthenticator to work before using custom code.

The odd thing is the code works fine with jetty 9; however, with jetty 10 the GSSException keeps coming to the surface.

A few things I was trying to track down:

1) Does jetty 10 use a different set of default encoding types?
2) Is there a way to set libdefaults default_tkt_enctypes and default_tgt_enctypes programmatically via the JassConfigurator (i.e. Configuration)?
3) Do I need to create the keytab file differently?

-----Original Message-----
From: Simone Bordet <simone.bor...@gmail.com>
Sent: Wednesday, September 7, 2022 3:20 AM
To: JETTY user mailing list <jetty-users@eclipse.org>
Cc: Bryan Coleman <bryan.cole...@dart.biz>
Subject: Re: [jetty-users] migration woes from version 9 to 10 - possible character encoding issue

Hi,

On Tue, Sep 6, 2022 at 5:08 PM Bryan Coleman via jetty-users <jetty-users@eclipse.org> wrote:
>
> I believe I have narrowed the issue down to the login arena (i.e. login /
> authentication / authorization).
>
> I am using a fallback authenticator which is an extension of the
> ConfigurableSpnegoAuthenticator and works to authenticate clients using a
> myriad of options (Spnego, NTLM, Basic).
>
> With jetty 10, if I change things to start with the BasicAuthenticator,
> provide credentials, stop things and then restart with the
> FallbackAuthenticator it works; however, if I start with the
> FallbackAuthenticator out of the gate it tries to do Anonymous authentication
> and fails.

From your description, seems to be a problem in your FallbackAuthenticator...

> Questions:
>
> Any ideas?
>
> Has anything changed with the Spnego setup requirements from jetty 9
> to 10?

No.

> Is there a good reference for Spnego setup? (I noticed that
> the programming guide still shows TODO for HttpClient SPNEGO
> authentication support)

Look at the tests, see
https://github.com/eclipse/jetty.project/blob/jetty-10.0.11/jetty-client/src/test/java/org/eclipse/jetty/client/util/SPNEGOAuthenticationTest.java.

--
Simone Bordet
---
Finally, no matter how good the architecture and design are,
to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless.   Victoria Livschitz
_______________________________________________ jetty-users mailing list jetty-users@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
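Added example, not part of the thread and not Jetty or JDK code: the exception in the trace says the acceptor found no key of type "RC4 with HMAC" (Kerberos etype 23) to decrypt the AP-REQ, so one check bearing on the keytab question is which encryption types the keytab actually holds for the service principal. The sketch below parses the MIT keytab layout (file version 0x0502); the function names, the principal `HTTP/app.example.test@EXAMPLE.TEST` and the all-zero keys are constructed for illustration.

```python
import struct

def read_counted(data, p):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode("utf-8", "replace"), p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype)] from an MIT-format keytab (0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # hole left by a deleted entry: skip
            pos -= size
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(data, p)
            comps.append(comp)
        # p + 8 skips the name type (4 bytes) and timestamp (4 bytes)
        kvno, etype, klen = struct.unpack_from(">BHH", data, p + 8)
        p += 13 + klen
        if pos + size - p >= 4:           # optional trailing 32-bit kvno
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos += size
    return entries

def missing_key(entries, principal, ticket_etype):
    """True when the keytab has no key of the ticket's etype for principal."""
    return not any(n == principal and e == ticket_etype for n, _, e in entries)

def make_entry(realm, comps, kvno, etype, key):  # builds the sample data only
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
            + struct.pack(">I", kvno))
    return struct.pack(">i", len(body)) + body

# Constructed sample: AES-only keytab (etypes 18 and 17) with all-zero keys.
SPN = "HTTP/app.example.test@EXAMPLE.TEST"
SAMPLE = b"\x05\x02" + b"".join(
    make_entry(b"EXAMPLE.TEST", [b"HTTP", b"app.example.test"], 3, e, bytes(n))
    for e, n in ((18, 32), (17, 16)))
print(parse_keytab(SAMPLE), missing_key(parse_keytab(SAMPLE), SPN, 23))  # 23 = rc4-hmac
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the listed etypes with the one named in the exception.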