stackoom
  简体   繁体   中英

Use of spnego and kerberos with gss in graal

 原文  2021-05-21 19:11:31       java/ quarkus/ graalvm/ spnego/ jgss

Question

I'm attempting to reuse some existing code which enables spnego authentication in a new Quarkus app. The Quarkus app when compiled as a standard JAR and run with OpenJDK 11 works perfectly. As soon as a I package it up as a native executable (on linux) I get the following exception:

2021-05-21 17:31:17,178 ERROR [com.organisation.sec.ker.eng.gss.AbstractGssAuthenticator] (executor-thread-1) GSS error occured: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:859)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:905)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
    at com.organisation.security.kerberos.engine.gss.AbstractGssAuthenticator$AuthAction.run(AbstractGssAuthenticator.java:110)
    at com.organisation.security.kerberos.engine.gss.AbstractGssAuthenticator$AuthAction.run(AbstractGssAuthenticator.java:77)
    at java.security.AccessController.doPrivileged(AccessController.java:147)
    at javax.security.auth.Subject.doAs(Subject.java:423)
    at com.organisation.security.kerberos.engine.gss.AbstractGssAuthenticator.handle(AbstractGssAuthenticator.java:49)
    at com.organisation.security.kerberos.KerberosAuthenticationFilter.processAuthHeader(KerberosAuthenticationFilter.java:95)
    at com.organisation.security.kerberos.KerberosAuthenticationFilter.authenticate(KerberosAuthenticationFilter.java:64)
    at com.organisation.jaxrs.security.AuthenticationContainerRequestFilter.filter(AuthenticationContainerRequestFilter.java:69)
    at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:312)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:249)
    at io.quarkus.resteasy.runtime.ResteasyFilter$ResteasyResponseWrapper.service(ResteasyFilter.java:70)
    at io.quarkus.resteasy.runtime.ResteasyFilter$ResteasyResponseWrapper.sendError(ResteasyFilter.java:76)
    at io.undertow.servlet.handlers.DefaultServlet.doGet(DefaultServlet.java:172)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:503)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at io.quarkus.resteasy.runtime.ResteasyFilter.doFilter(ResteasyFilter.java:31)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:63)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:67)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:133)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:65)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:247)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:56)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:111)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:108)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.quarkus.undertow.runtime.UndertowDeploymentRecorder$9$1.call(UndertowDeploymentRecorder.java:587)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleRequest(ServletInitialHandler.java:152)
    at io.quarkus.undertow.runtime.UndertowDeploymentRecorder$1.handleRequest(UndertowDeploymentRecorder.java:119)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:290)
    at io.undertow.server.DefaultExchangeHandler.handle(DefaultExchangeHandler.java:18)
    at io.quarkus.undertow.runtime.UndertowDeploymentRecorder$5$1.run(UndertowDeploymentRecorder.java:413)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2415)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1452)
    at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
    at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
    at java.lang.Thread.run(Thread.java:834)
    at org.jboss.threads.JBossThread.run(JBossThread.java:501)
    at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:519)
    at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:192)
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:832)
    ... 67 more

I'm fairly new to Graal, and not sure what I need to add to allow this to work (or if it is even something that is currently supported).

I did have some problems to start with nad I've enabled reflection for sun.security.provider.ConfigFile , sun.security.jgss.GSSContextImpl , sun.security.jgss.GSSManagerImpl which sorted them out, unfortunatly I'm not sure how to deal with the missing key type.

Here's an example of the code

    final GSSManager manager = GSSManager.getInstance();
    final Oid spnegoOid = new Oid(oid);
    final GSSCredential serverCreds = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME, spnegoOid,
            GSSCredential.ACCEPT_ONLY);

    final GSSContext context = manager.createContext(serverCreds);

    try
    {
        final byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);

1 answers

solution1
 0  2021-12-08 07:55:20

You could generate a new keytab file using /crypto ALL with the ktpass command:

ktpass /out "server.keytab" /princ HTTP/SERVER@DOMAIN /mapuser KERBEROS_SERVICEUSER /mapop set /pass PASSWORD_PLACEHOLDER /crypto ALL /ptype KRB5_NT_PRINCIPAL

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Error: Java GSS-API with SPNEGO: Server not found in Kerberos database (7) Spnego / Kerberos support with hessian GSS-API Kerberos Authentication Decrypt kerberos ticket using Spnego Unable to compile Secure Authentication Using SPNEGO Java GSS Mechanism Accessing kerberos secured WebHDFS without SPnego Configuring Tomcat SSO using Kerberos SPNEGO Why Kerberos/SPNEGO authentication doesn't work? How to obtain a kerberos service ticket via GSS-API? How to obtain renewable kerberos tickets using java GSS+JAAS
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM