Re: Tomcat 8.5 SPNEGO Active Directory stuck with a "Failed authenticate() test"

2019-02-14 Thread Tommy Schneider
Hi,

I turned on the logging as you recommended; this is what I get in
catalina.out:

Krb5Context setting mySeqNumber to: 441582303
[Krb5LoginModule]: Entering logout
[Krb5LoginModule]: logged out Subject
13-Feb-2019 14:07:56.755 FINE [http-nio-8080-exec-3]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security
checking request GET /favicon.ico
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against
GET /favicon.ico --> true
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Tomcat SPNEGO Login Example]' against
GET /favicon.ico --> true
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
hasUserDataPermission()
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint has no restrictions
13-Feb-2019 14:07:56.817 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Calling
authenticate()
13-Feb-2019 14:07:56.818 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate
No authorization header sent by client
13-Feb-2019 14:07:56.820 FINE [http-nio-8080-exec-5]
org.apache.catalina.authenticator.AuthenticatorBase.invoke  Failed
authenticate() test


The part with the "No authorization header sent by client" seems to be
new, however I don't know what to conclude from that information.

Kind regards,
Thomas

Am Mo., 11. Feb. 2019 um 10:24 Uhr schrieb Mark Thomas :
>
> On 08/02/2019 21:43, Michael Osipov wrote:
> > Am 2019-02-08 um 12:54 schrieb Tommy Schneider:
> >> Hello,
> >>
> >> I'm trying to set up Tomcat 8.5 with SPNEGO in the following environment:
> >>
> >> Tomcat: 8.5.37 built: Dec 12 2018 12:07:02 UTC
> >> Platform/OS:  AIX 7.2 ppc64
> >> Java: Eclipse OpenJ9 9-internal+0-adhoc.jenkins
> >>
> >> From what I can see in the catalina log I think it's almost working
> >> (AD user is returned back correctly), but in the web application I
> >> always get stuck with an HTTP 401. No matter whether I'm using a JNDI
> >> realm or a simple JAAS realm. I also tried different approaches in the
> >> application's web.xml like using "*" as generic role name or
> >> specifying a list of role names like they should come back from the
> >> AD). I'm starting to think the cause may still be somewhere in the
> >> SPNEGO/Kerberos stuff and not in my realm/application config.
> >>
> >> Currently I'm trying to use a simple JAAS realm (as I found a tutorial
> >> saying this is the simplest way to go when you just need the user name
> >> and no roles)
> >> snippet from server.xml
> >>   <Host ... autoDeploy="true">
> >>
> >>     <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
> >>            storeDelegatedCredential="true"/>
> >>     <Realm className="org.apache.catalina.realm.JAASRealm"
> >>            allRolesMode="strictAuthOnly" />
> >>
> >>
> >> snippet from catalina.out:
> >>  Found KeyTab /opt/apache-tomcat-8.5/conf/tomcat.keytab for
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  Found ticket for
> >> HTTP/mymachine.mycompany@mycompany.com to go to
> >> krbtgt/mycompany@mycompany.com expiring on Fri Feb 08 21:26:27 CET
> >> 2019
> >>  Entered Krb5Context.acceptSecContext with state=STATE_NEW
> >>  Looking for keys for:
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  Added key: 17version: 15
> >>  Added key: 18version: 15
> >>  Added key: 23version: 15
> >>  Found unsupported keytype (3) for
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  Found unsupported keytype (1) for
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  >>> EType:
> >> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>  Using builtin default etypes for permitted_enctypes
> >>  default etypes for permitted_enctypes: 18 17 16 23.
> >>  >>> EType:
> >> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>  MemoryCache: add
> >> 1549621587/000784/231A915D0FE70A039CF82095FC685C843F4D981D20A70F972015D8EB16D07CA5/myusern...@mycompany.com
> >>
> >> to myusern...@mycompany.com|
> >> HTTP/mymachine.mycompany@mycompany.com
> >>  >>> KrbApReq: authenticate succeed.
> >>  >>> EType:
> >> sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
> >>  >>>Delegated Creds have 
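
The debug output quoted in this thread mixes two sources: the JDK's Kerberos trace (keytab key types, permitted enctypes, AP-REQ result) and Tomcat's authenticator loggers at FINE (security checks, missing Authorization header, failed authenticate()). The script below is an added example, not code from the thread or from Tomcat; it pulls those facts out of catalina.out lines so a reviewer can see at a glance which key types the JVM can actually use, whether weak DES/RC4 keys are sitting in the keytab, and which requests arrived without a Negotiate token. The sample log embedded in it is constructed to match the quoted format; the principal, keytab path and thread names are placeholders, and it assumes one log record per line (the archive above wrapped long lines).

```python
"""Triage helper for Tomcat SPNEGO debug output (added example, not from the thread).

Input: catalina.out lines produced with -Dsun.security.krb5.debug=true plus the
org.apache.catalina.authenticator loggers at FINE, one record per line.
"""
import re

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757) as printed by the JDK.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# Single DES and RC4 are deprecated; their presence in a keytab is a finding.
WEAK_ETYPES = {1, 3, 23}

TOMCAT_LINE = re.compile(
    r"^\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (?P<level>\w+) "
    r"\[(?P<thread>[^\]]+)\] (?P<logger>\S+)\s+(?P<msg>.*)$"
)
KEYTAB = re.compile(r"Found KeyTab (\S+) for (\S+)")
ADDED_KEY = re.compile(r"Added key: (\d+)version: \d+")
UNSUPPORTED_KEY = re.compile(r"Found unsupported keytype \((\d+)\)")
PERMITTED = re.compile(r"default etypes for permitted_enctypes: ([\d ]+)\.")
SECURITY_CHECK = re.compile(r"Security checking request (\S+) (\S+)")


def triage(lines):
    """Collect the facts a reviewer wants from the log lines into one dict."""
    summary = {
        "keytab": None, "principal": None,
        "keytab_etypes": set(), "unsupported_etypes": set(), "permitted_etypes": set(),
        "ap_req_ok": 0,        # AP-REQ (Negotiate token) validations that succeeded
        "no_auth_header": [],  # (thread, method, uri) for requests without Authorization
        "failed_auth": [],     # (thread, method, uri) for each "Failed authenticate() test"
    }
    last_request = {}  # thread -> (method, uri) from its most recent security check
    for raw in lines:
        line = raw.strip()
        m = KEYTAB.search(line)
        if m:
            summary["keytab"], summary["principal"] = m.group(1), m.group(2)
            continue
        m = ADDED_KEY.search(line)
        if m:
            summary["keytab_etypes"].add(int(m.group(1)))
            continue
        m = UNSUPPORTED_KEY.search(line)
        if m:
            summary["unsupported_etypes"].add(int(m.group(1)))
            continue
        m = PERMITTED.search(line)
        if m:
            summary["permitted_etypes"].update(int(n) for n in m.group(1).split())
            continue
        if "KrbApReq: authenticate succeed" in line:
            summary["ap_req_ok"] += 1
            continue
        m = TOMCAT_LINE.match(line)
        if not m:
            continue
        thread, msg = m.group("thread"), m.group("msg")
        sc = SECURITY_CHECK.search(msg)
        if sc:
            last_request[thread] = (sc.group(1), sc.group(2))
        elif "No authorization header sent by client" in msg:
            summary["no_auth_header"].append((thread,) + last_request.get(thread, (None, None)))
        elif "Failed authenticate() test" in msg:
            summary["failed_auth"].append((thread,) + last_request.get(thread, (None, None)))
    return summary


def _names(etypes):
    return ", ".join(f"{e} ({ETYPE_NAMES.get(e, 'unknown')})" for e in sorted(etypes))


def findings(summary):
    """Turn the summary into human-readable findings (a list of strings)."""
    out = []
    usable = summary["keytab_etypes"] & summary["permitted_etypes"]
    if summary["keytab_etypes"] and not usable:
        out.append("No key type in the keytab is permitted by the JVM; service tickets for "
                   f"{summary['principal']} cannot be decrypted.")
    elif usable:
        out.append(f"Usable key types for {summary['principal']}: {_names(usable)}")
    weak = (summary["keytab_etypes"] | summary["unsupported_etypes"]) & WEAK_ETYPES
    if weak:
        out.append(f"Weak key types present in the keytab: {_names(weak)}; "
                   "regenerate it with AES-only keys once no client still depends on them.")
    if summary["ap_req_ok"]:
        out.append(f"{summary['ap_req_ok']} Negotiate token(s) validated (AP-REQ accepted).")
    for thread, method, uri in summary["no_auth_header"]:
        out.append(f"{thread}: {method} {uri} carried no Authorization header, so Tomcat "
                   "answers 401 with WWW-Authenticate: Negotiate and waits for the client's token.")
    out.append(f"{len(summary['failed_auth'])} request(s) failed authenticate().")
    return out


# Constructed sample modelled on the format quoted in the thread (placeholder names).
SAMPLE_LOG = """\
Found KeyTab /opt/tomcat/conf/tomcat.keytab for HTTP/app.example.test@EXAMPLE.TEST
Added key: 17version: 15
Added key: 18version: 15
Added key: 23version: 15
Found unsupported keytype (3) for HTTP/app.example.test@EXAMPLE.TEST
Found unsupported keytype (1) for HTTP/app.example.test@EXAMPLE.TEST
default etypes for permitted_enctypes: 18 17 16 23.
>>> KrbApReq: authenticate succeed.
13-Feb-2019 14:07:56.755 FINE [http-nio-8080-exec-3] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
13-Feb-2019 14:07:56.816 FINE [http-nio-8080-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /favicon.ico
13-Feb-2019 14:07:56.818 FINE [http-nio-8080-exec-5] org.apache.catalina.authenticator.SpnegoAuthenticator.doAuthenticate No authorization header sent by client
13-Feb-2019 14:07:56.820 FINE [http-nio-8080-exec-5] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test
"""

if __name__ == "__main__":
    for item in findings(triage(SAMPLE_LOG.splitlines())):
        print("-", item)
```

Two things the output makes visible that are easy to miss when reading the raw trace: "Found unsupported keytype (3)" and "(1)" mean the keytab still carries single-DES keys that the JVM refused to load, and RC4 (23) is both in the keytab and on the JVM's permitted list, so it would be used if a client requested it. A "No authorization header sent by client" followed by "Failed authenticate() test" is the normal first leg of the Negotiate challenge; it becomes a problem only when no second request with a token ever follows on that connection.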

Tomcat session management with Redisson

2019-02-14 Thread Herb Burnswell
All,

Tomcat 8.5.23
RHEL   7.5

We are looking to set up session management via Redisson to offload the CPU
consumption of using Tomcat's built-in clustering session management.  We
have CPU licensing limits and need to conserve as much CPU as possible.

I have never set up a configuration this way, however I have Redis set up
and running as 1 Master, 1 Slave.  I seemingly just need to point our
application to it.  I have read this doc on how to:


https://github.com/redisson/redisson/tree/master/redisson-tomcat


It seems pretty straightforward except for the redisson.conf configuration:


Add RedissonSessionManager into tomcat/conf/context.xml




I am more familiar with YAML so plan on configuring the redisson.conf as
such.  I have read the referenced configuration wiki page:


https://github.com/redisson/redisson/wiki/2.-Configuration


However, it has a great deal of options and I'm not sure what is and is not
needed.

I am reaching out here on the Tomcat user group to see if anyone else is
using Redisson for session management and if maybe I can get some guidance
on a basic redisson.conf configuration.  I'd also be interested in comments
on if there are better options or things to watch out for.

Thanks in advance,

HB
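
As an added example (not from the thread or from the Redisson project), the script below holds a minimal redisson.conf in JSON form for the one-master, one-replica layout described above and lints it for the two settings that matter most once HTTP sessions live in Redis: a Redis password, and TLS (`rediss://`) rather than plaintext `redis://` on every address. The host names and password value are placeholders. The section and key names (`masterSlaveServersConfig`, `masterAddress`, `slaveAddresses`, `password`, and the `singleServerConfig`, `sentinelServersConfig` and `clusterServersConfig` sections) are taken from Redisson's configuration format as I know it, and the README linked above registers `org.redisson.tomcat.RedissonSessionManager` as a `<Manager>` in context.xml with a `configPath` attribute pointing at this file; check both against the wiki page above for the Redisson version in use.

```python
"""Lint a Redisson config (JSON form of redisson.conf) for settings that matter
when Tomcat sessions are stored in Redis. Added example; MINIMAL_CONF is a
constructed starting point with placeholder hosts and password, not a config
from the thread."""
import json

# Server sections Redisson's config knows, and the keys under each that hold
# Redis addresses (assumed from Redisson's documented configuration format).
ADDRESS_KEYS = {
    "singleServerConfig": ["address"],
    "masterSlaveServersConfig": ["masterAddress", "slaveAddresses"],
    "sentinelServersConfig": ["sentinelAddresses"],
    "clusterServersConfig": ["nodeAddresses"],
}

# Constructed minimal config for one master and one replica; Redisson's key
# names still say "slave". Replace the hosts and password before use.
MINIMAL_CONF = """
{
  "masterSlaveServersConfig": {
    "masterAddress": "rediss://redis-master.example.test:6379",
    "slaveAddresses": ["rediss://redis-replica.example.test:6379"],
    "password": "REPLACE_WITH_REDIS_AUTH_PASSWORD"
  }
}
"""


def _as_list(value):
    """Redisson accepts a single address string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def server_sections(conf):
    """Return only the top-level sections that describe Redis servers."""
    return {name: body for name, body in conf.items() if name in ADDRESS_KEYS}


def lint(conf_text):
    """Return a list of findings for the JSON config text; empty means clean."""
    conf = json.loads(conf_text)
    sections = server_sections(conf)
    if not sections:
        return ["no server section found (expected one of: " + ", ".join(ADDRESS_KEYS) + ")"]
    findings = []
    for name, section in sections.items():
        # Without AUTH, anyone who can reach the Redis port can read or modify
        # every session attribute and session id stored there.
        if not section.get("password"):
            findings.append(f"{name}: no password set; Redis would accept unauthenticated clients")
        for key in ADDRESS_KEYS[name]:
            for addr in _as_list(section.get(key, [])):
                if addr.startswith("redis://"):
                    findings.append(f"{name}.{key}: {addr} is plaintext; use rediss:// "
                                    "if the Redis servers are configured for TLS")
    return findings


if __name__ == "__main__":
    for item in lint(MINIMAL_CONF) or ["no findings"]:
        print("-", item)
```

The lint is deliberately small: Redisson's wiki lists many tuning options (pool sizes, timeouts, retry counts), but none of them change the security posture the way an unauthenticated or plaintext Redis does, and the defaults are a reasonable starting point for a first deployment. Keep the Redis servers reachable only from the Tomcat hosts, since whoever can read the keyspace can read every live session.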