My Mongo server should be set up correctly since I can query against it using the GSSAPI mechanism with a client.
According to the documentation, Java Driver's Kerberos Authentication can be as simple as credentialList.add(MongoCredential.createGSSAPICredential("people/myhost.com@EXAMPLE.COM"));
The principal I used
To make sure krb5.ini/conf is read, I manually set the system property java.security.krb5.conf=C:/Windows/krb5.conf
Before I set the property javax.security.auth.useSubjectCredsOnly, GSSAPIAuthenticator.createSaslClient() caught an exception of GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt).
After I set the property javax.security.auth.useSubjectCredsOnly=false, InternalStreamConnection.open() caught throwable: java.lang.SecurityException: Unable to locate a login configuration
I am really confused here. I thought it was using the ticket cache which is specified under KRB5CCNAME. If I use a JAAS configuration, what name should I assign to it?
Name {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="D:\\Kerberos\\people.keytab"
    useTicketCache=false;
};
I set it with a random name and it started complaining GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null)).
Can you guys help me with this? What else can I try here, or are there more useful and detailed logs that I can enable in this case?
Security error messages are cryptic, by design :-/
But there is a nice "security trace flag" property to help you debug GSSAPI config issues:
-Djava.security.debug=gssloginconfig,configfile,configparser,logincontext
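A complementary way to see which login configuration entry name is being requested, added here as an example and not code from the original posts or from the MongoDB driver: install a JAAS `Configuration` in code that logs every name it is asked for and answers with the Krb5LoginModule options from the question. The class name `TracingJaasConfig` is hypothetical, the `principal` option is an assumption (that the keytab holds the principal used for the credential), and it assumes the JVM's GSS layer consults the installed `Configuration` when `useSubjectCredsOnly=false`.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Added example (hypothetical class): a JAAS Configuration that logs each
// entry name the JVM looks up and returns a Krb5LoginModule entry for it.
public class TracingJaasConfig extends Configuration {

    private final Map<String, String> options = new HashMap<>();

    public TracingJaasConfig(String keyTabPath, String principal) {
        // Same options as the JAAS stanza in the question.
        options.put("useKeyTab", "true");
        options.put("keyTab", keyTabPath);
        options.put("useTicketCache", "false");
        // Assumption: name the principal stored in the keytab explicitly.
        options.put("principal", principal);
        // Krb5LoginModule's own debug output, in addition to java.security.debug.
        options.put("debug", "true");
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // The logged name shows what a file-based entry would have to be called.
        System.err.println("[jaas-trace] login configuration entry requested: " + name);
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                LoginModuleControlFlag.REQUIRED,
                options)
        };
    }

    public static void main(String[] args) {
        // Property values taken from the question.
        System.setProperty("java.security.krb5.conf", "C:/Windows/krb5.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Install before the first connection attempt, so no login
        // configuration file has to be located.
        Configuration.setConfiguration(new TracingJaasConfig(
            "D:\\Kerberos\\people.keytab", "people/myhost.com@EXAMPLE.COM"));

        // Build the MongoClient with createGSSAPICredential(...) after this point.
    }
}
```

Run it with the `-Djava.security.debug=...` flag above on the command line so the JVM's own login-configuration trace appears alongside the `[jaas-trace]` lines.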