BadCredentialsException: Kerberos validation not succesfull


I found the problem. Spring-security-kerberos requires the path to the keytab file as a "Resource String" (details: http://static.springsource.org/spring/docs/3.0.x/reference/resources.html). When I set the path as "file:/home/xxxxx/conf/krb5/krb5.keytab" the application runs, but I think that it can't open the file later and Kerberos can't load any key. Unfortunately the log from Kerberos is not so clear.

When I set the path as "/home/xxxxx/conf/krb5/krb5.keytab" I got the following exception:

Caused by: java.io.FileNotFoundException: ServletContext resource [/home/xxxxx/conf/krb5/krb5.keytab] cannot be resolved to URL because it does not exist

A solution for this issue can be the following fix in the file SunJaasKerberosTicketValidator.java:

private String keyTabLocation;

LoginConfig loginConfig = new LoginConfig(keyTabLocation, servicePrincipal, debug);

instead of:

private Resource keyTabLocation;

LoginConfig loginConfig = new LoginConfig(keyTabLocation.getURL().toExternalForm(), servicePrincipal, debug);

With this fix everything works. We can set the path to the file in the format "/home/xxxxx/conf/krb5/krb5.keytab".

If someone knows more details about it, please write it here.
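Once the keytab path resolves, the remaining question is whether that file actually holds a key of the type the client used (the exception in this thread names RC4 with HMAC, enctype 23). The following is an added example, not code from this thread or from the spring-security-kerberos project: it parses the MIT keytab format (version 0x0502) and checks for a given principal/enctype pair; the realm, host name and key bytes in the sample are constructed placeholders.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757); the ticket in the thread used rc4-hmac (23).
RC4_HMAC, AES256_SHA1 = 23, 18


def parse_keytab(data):
    """Parse MIT keytab bytes (version 0x0502) into (principal, kvno, enctype)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        entry = data[pos:pos + size]
        (ncomp,) = struct.unpack(">H", entry[:2])
        off, parts = 2, []
        for _ in range(ncomp + 1):        # realm first, then name components
            (ln,) = struct.unpack(">H", entry[off:off + 2])
            parts.append(entry[off + 2:off + 2 + ln].decode())
            off += 2 + ln
        _ntype, _stamp, vno8, etype, klen = struct.unpack(">IIBHH", entry[off:off + 13])
        off += 13 + klen                  # skip the key material itself
        kvno = vno8
        if off + 4 <= size:               # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack(">I", entry[off:off + 4])[0] or vno8
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
        pos += size
    return entries


def has_key(entries, principal, etype):
    """True if the keytab holds a key for principal with encryption type etype."""
    return any(p == principal and e == etype for p, _, e in entries)


def _entry(realm, comps, kvno, etype, key):
    """Build one keytab record; used only to construct the sample below."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample (placeholder realm/host): only an AES-256 key, so an RC4-HMAC ticket fails.
SAMPLE_KEYTAB = b"\x05\x02" + _entry("EXAMPLE.COM", ["HTTP", "www.example.com"],
                                     2, AES256_SHA1, b"\x00" * 32)
SERVICE = "HTTP/www.example.com@EXAMPLE.COM"
```

Run parse_keytab over open(path, "rb").read() for the keytab the validator loads and compare the principal and enctype against the ones named in the exception. If the only mismatch is a missing rc4-hmac key, the fix is to have the KDC issue AES tickets for the service rather than to add an RC4 key, since RC4-HMAC is deprecated.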

dpolaczanski

Updated on June 26, 2022

Comments

  • dpolaczanski (about 2 years ago)

    I would like to perform authentication with SPNEGO. I use:

    • spring-core-3.1.0.RELEASE.jar
    • spring-security-core-3.1.0.RELEASE.jar
    • spring-security-kerberos-core-1.0.0.M2.jar
    • package codec from spring core security 3.0.7 (https://jira.springsource.org/browse/SES-98)
    • tomcat

    My config file looks like the following. When I try to authenticate with the above libraries I get the following exception.

    Has someone had the same problem and handled it?

    Config file (taken from spring security kerberos example):

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    
        <!-- This configuration uses SPNEGO by default, but one could also use a form if he directly goes to /login.html -->
        <sec:http entry-point-ref="spnegoEntryPoint" use-expressions="true">
            <sec:intercept-url pattern="/secure/**" access="isAuthenticated()" />
            <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
                position="BASIC_AUTH_FILTER" />
            <sec:form-login login-page="/login.html" default-target-url="/secure/index.jsp"/>
        </sec:http>
    
        <bean id="spnegoEntryPoint"
            class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
    
        <bean id="spnegoAuthenticationProcessingFilter"
            class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
            <property name="authenticationManager" ref="authenticationManager" />
        </bean>
    
        <sec:authentication-manager alias="authenticationManager">
            <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" /> <!-- Used with SPNEGO -->
            <sec:authentication-provider user-service-ref="dummyUserDetailsService"/> <!-- Used with form login -->
        </sec:authentication-manager>
    
    
    
        <bean id="kerberosServiceAuthenticationProvider"
            class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
            <property name="ticketValidator">
                <bean
                    class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                    <property name="servicePrincipal" value="HTTP/[email protected]" />
                    <!-- Setting keyTabLocation to a classpath resource will most likely not work in a Java EE application Server -->
                    <!-- See the Javadoc for more information on that -->
                    <property name="keyTabLocation" value="file:/home/xxxxx/conf/krb5/krb5.keytab" />
                    <property name="debug" value="true" />
                </bean>
            </property>
            <property name="userDetailsService" ref="dummyUserDetailsService" />
        </bean>
    
        <!-- This bean definition enables a very detailed Kerberos logging -->
        <bean
            class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
            <property name="debug" value="true" />
        </bean>
    
        <!--
            Just returns the User authenticated by Kerberos and gives him the
            ROLE_USER
        -->
    
        <bean id="dummyUserDetailsService"
            class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService" />
    
    </beans>
    

    Exception which I got:

    org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull
            at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)
            at org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:86)
            at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
            at org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter.doFilter(SpnegoAuthenticationProcessingFilter.java:131)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
            at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
            at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
            at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
            at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
            at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
            at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
            at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
            at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:219)
            at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:333)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
            at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)
            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
            at java.lang.Thread.run(Thread.java:722)
    Caused by: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate
    type to decrypt AP REP - RC4 with HMAC)
            at java.security.AccessController.doPrivileged(Native Method)
            at javax.security.auth.Subject.doAs(Subject.java:415)
            at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)
            ... 29 more
    Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:778)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
            at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
            at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
            at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
            at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)
            at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)
            ... 32 more
    Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
            at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:273)
            at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
            at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
            at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:761)
            ... 40 more