Tomcat 7.0.91 : Issue with Kerberos Authentication

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Tomcat 7.0.91 : Issue with Kerberos Authentication

Vipul Mehta
We have upgraded from tomcat version 7.0.84 to 7.0.91.
Users authenticate with our web app service using Kerberos logged in user
credential. After upgrade, login started to fail.

It was because of this change due to which the modified method started
returning null:

https://github.com/apache/tomcat70/commit/7b7b5932b6618d13042732c77a4e19ea89b432e3#diff-6fec32edbbb606fe1d1888c99d74e665


User principal was KerberosPrincipal and the class was not specified in
userClassNames in JAAS config of web application for tomcat. So, I added
'KerberosPrincipal' class in JAAS configuration.

=>
"org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"


Now we are facing new issue. The principal being returned by
JAASRealm->createPrincipal() is KerberosPrincipal and not
GenericUserPrincipal which breaks our code.

KerberosPrincipal does not have delegated credential.


On debugging i found that, in JAASRealm->authenticate() method,
loginContext.getSubject() returns server's subject and not client's. So,
later in createPrincipal() call username is client's username but subject
belongs to server. Is this an issue ?


--
Regards,
Vipul
Reply | Threaded
Open this post in threaded view
|

Re: Tomcat 7.0.91 : Issue with Kerberos Authentication

markt
On 05/11/2018 12:24, Vipul Mehta wrote:

> We have upgraded from tomcat version 7.0.84 to 7.0.91.
> Users authenticate with our web app service using Kerberos logged in user
> credential. After upgrade, login started to fail.
>
> It was because of this change due to which the modified method started
> returning null:
>
> https://github.com/apache/tomcat70/commit/7b7b5932b6618d13042732c77a4e19ea89b432e3#diff-6fec32edbbb606fe1d1888c99d74e665
>
>
> User principal was KerberosPrincipal and the class was not specified in
> userClassNames in JAAS config of web application for tomcat. So, I added
> 'KerberosPrincipal' class in JAAS configuration.
>
> =>
> "org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"
>
>
> Now we are facing new issue. The principal being returned by
> JAASRealm->createPrincipal() is KerberosPrincipal and not
> GenericUserPrincipal which breaks our code.
>
> KerberosPrincipal does not have delegated credential.
>
>
> On debugging i found that, in JAASRealm->authenticate() method,
> loginContext.getSubject() returns server's subject and not client's. So,
> later in createPrincipal() call username is client's username but subject
> belongs to server. Is this an issue ?

I've spun up the VMs I use for testing this and checked Tomcat 7.0.88
(the last version before the change above) and 7.0.x. The environment is
configured as per
http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and uses
the JNDI Realm.

Both work as expected with no configuration changes required.

It isn't clear from the original post how the JAAS Realm has been
configured. At present this looks like a configuration issue which means
the users list is the place to follow this up. You'll need to provide
enough information for the problem to be replicated.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Tomcat 7.0.91 : Issue with Kerberos Authentication

Vipul Mehta
 I made a small mistake in my query.
'javax.security.auth.kerberos.KerberosPrincipal' was added to server.xml in
userClassNames within Realm Attribute and Realm attribute looks like
following in server.xml:
=>      <Realm allRolesMode="authOnly" appName="Tomcat"
className="org.apache.catalina.realm.JAASRealm"
roleClassNames="org.apache.catalina.realm.GenericPrincipal"
stripRealmForGss="false" useContextClassLoader="false"
userClassNames="org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"/>

In 7.0.84 version, there was no requirement to modify userClassNames.
We use Microsoft KDC. This is the case of integrated windows authentication.

Our JAAS config for tomcat web application
(tomcat/temp/<webapp_name>/conf/jaas.conf) looks like following:
com.sun.security.jgss.krb5.accept {
   com.sun.security.auth.module.Krb5LoginModule required
   doNotPrompt=true
   isInitiator=false
   principal="HTTP/
[hidden email]"
   useKeyTab=true
   keyTab="//home//ispqa//sitekey//webapp_http.keytab"
   storeKey=true
   debug=false;
};

Tomcat {
   com.sun.security.auth.module.Krb5LoginModule required
   doNotPrompt=true
   isInitiator=false
   useKeyTab=true
   principal="HTTP/
[hidden email]"
   keyTab="//home//ispqa//sitekey//webapp_http.keytab"
   storeKey=true
   debug=false;
};

Here's the stacktrace which I think has issue:
LoginContext.invokePriv(String) line: 679
LoginContext.login() line: 588
JAASRealm.authenticate(String, CallbackHandler) line: 427
JAASRealm.getPrincipal(String) line: 505
JAASRealm(RealmBase).getPrincipal(String, GSSCredential) line: 1374
JAASRealm(RealmBase).authenticate(GSSContext, boolean) line: 581
SpnegoAuthenticator$AuthenticateAction.run() line: 352
SpnegoAuthenticator$AuthenticateAction.run() line: 337
AccessController.doPrivileged(PrivilegedAction<T>, AccessControlContext)
line: not available [native method]
Subject.doAs(Subject, PrivilegedAction<T>) line: 360
SpnegoAuthenticator.authenticate(Request, HttpServletResponse, LoginConfig)
line: 251
SpnegoAuthenticator(AuthenticatorBase).invoke(Request, Response) line:
566
StandardHostValve.invoke(Request, Response) line: 169
ErrorReportValve.invoke(Request, Response) line: 104
StandardEngineValve.invoke(Request, Response) line: 116
CoyoteAdapter.service(Request, Response) line: 445
Http11Processor(AbstractHttp11Processor<S>).process(SocketWrapper<S>) line:
1137
Http11Protocol$Http11ConnectionHandler(AbstractProtocol$AbstractConnectionHandler<S,P>).process(SocketWrapper<S>,
SocketStatus) line: 637
JIoEndpoint$SocketProcessor.run() line: 318
ThreadPoolExecutor(ThreadPoolExecutor).runWorker(ThreadPoolExecutor$Worker)
line: 1149
ThreadPoolExecutor$Worker.run() line: 624
TaskThread$WrappingRunnable.run() line: 61
TaskThread(Thread).run() line: 748


LoginContext.invokePriv() -> this populates the Subject with subject of
server Principal "HTTP/
[hidden email]".

Authenticating username belongs to client i.e.
[hidden email].

Here's the GenericPrincipal that is return by JAASRealm.authenticate():
GenericPrincipal  (id=213)
    gssCredential    null
    loginContext    LoginContext  (id=218)
    name    "[hidden email]" (id=219)
    password    null
    roles    String[0]  (id=221)
    userPrincipal    KerberosPrincipal  (id=223)
        fullName    "HTTP/
[hidden email]"
(id=225)
        nameType    1
        realm    "ISPAZUREAD.ONMICROSOFT.COM" (id=226)

I don't think it should populate server's KerberosPrincipal as
userPrincipal. Let me know if you need more information.

On Wed, Nov 7, 2018 at 2:41 PM Mark Thomas <[hidden email]> wrote:

> On 05/11/2018 12:24, Vipul Mehta wrote:
> > We have upgraded from tomcat version 7.0.84 to 7.0.91.
> > Users authenticate with our web app service using Kerberos logged in user
> > credential. After upgrade, login started to fail.
> >
> > It was because of this change due to which the modified method started
> > returning null:
> >
> >
> https://github.com/apache/tomcat70/commit/7b7b5932b6618d13042732c77a4e19ea89b432e3#diff-6fec32edbbb606fe1d1888c99d74e665
> >
> >
> > User principal was KerberosPrincipal and the class was not specified in
> > userClassNames in JAAS config of web application for tomcat. So, I added
> > 'KerberosPrincipal' class in JAAS configuration.
> >
> > =>
> >
> "org.apache.catalina.realm.GenericPrincipal,javax.security.auth.kerberos.KerberosPrincipal"
> >
> >
> > Now we are facing new issue. The principal being returned by
> > JAASRealm->createPrincipal() is KerberosPrincipal and not
> > GenericUserPrincipal which breaks our code.
> >
> > KerberosPrincipal does not have delegated credential.
> >
> >
> > On debugging i found that, in JAASRealm->authenticate() method,
> > loginContext.getSubject() returns server's subject and not client's. So,
> > later in createPrincipal() call username is client's username but subject
> > belongs to server. Is this an issue ?
>
> I've spun up the VMs I use for testing this and checked Tomcat 7.0.88
> (the last version before the change above) and 7.0.x. The environment is
> configured as per
> http://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html and uses
> the JNDI Realm.
>
> Both work as expected with no configuration changes required.
>
> It isn't clear from the original post how the JAAS Realm has been
> configured. At present this looks like a configuration issue which means
> the users list is the place to follow this up. You'll need to provide
> enough information for the problem to be replicated.
>
> Mark
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

--
Regards,
Vipul