JBoss 6

May 21, 2012 at 5:01 PM

Hello,

 

I need to replace JCIFS in my webapp deployed in JBoss 6. Is it possible to use this project in JBoss?

I've managed to configure everything, but when I try to access a secured url, the server just throws the following exception:

2012-05-21 18:01:00,821 [org.apache.catalina.connector.CoyoteAdapter] - An excep
tion or error occurred in the container during the request processing: java.lang
.AbstractMethodError: org.apache.catalina.authenticator.AuthenticatorBase.authen
ticate(Lorg/apache/catalina/connector/Request;Ljavax/servlet/http/HttpServletRes
ponse;Lorg/apache/catalina/deploy/LoginConfig;)Z
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
torBase.java:559) [:6.1.0.Final]
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValv
e.java:88) [:6.1.0.Final]
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invok
e(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:159) [:6.1.0.Final]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:102) [:6.1.0.Final]
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedC
onnectionValve.java:158) [:6.1.0.Final]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:109) [:6.1.0.Final]
        at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.
invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:362) [:6.1.0.Final]
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcesso
r.java:893) [:6.1.0.Final]
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.pr
ocess(Http11AprProtocol.java:600) [:6.1.0.Final]
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:20
19) [:6.1.0.Final]
        at java.lang.Thread.run(Unknown Source) [:1.6.0_31]

Coordinator
May 21, 2012 at 7:19 PM

Hello,

I do not use JBoss, but some colleagues use JBoss with tomcatspnego.

The configuration of JBoss is not the same as tomcat. For instance, the file context.xml is in the directory WEB-INF, not META-INF.

Could you send the configuration? (The file context.xml, the part of the web.xml with the security constraints). Did you install the version with the dll, with jna or with the service Negoserver? Where did you put the jars?

To send files, you can go to Issue Tracker.

Dominique 

 

Coordinator
May 21, 2012 at 8:20 PM

Hello

AuthenticatorBase does not find the method

org.apache.catalina.authenticator.AuthenticatorBase.authenticate(Lorg/apache/catalina/connector/Request;Ljavax/servlet/http/HttpServletResponse;Lorg/apache/catalina/deploy/LoginConfig;)

You can find this definition in tomcat 7, not in tomcat 5 nor 6.

So you must use the jars given for tomcat 7 (frdoumesspitc7.jar or frdoumesspitc7jna.jar or frdoumesspitc7tcp.jar)

Did you use one of these jars?

Dominique

 

 

May 22, 2012 at 8:47 AM

Hi,

Thank you for the reply.

I was using the tomcat 6 version. Like you've said, using the tomcat 7 version the exception disappears. However, another one throws up:

2012-05-22 09:20:56,850 [org.apache.tomcat.util.http.Cookies] - Cookies: Invalid
 cookie. Value not a token or quoted value
2012-05-22 09:20:56,975 [org.apache.tomcat.util.http.Cookies] - Cookies: Invalid
 cookie. Value not a token or quoted value
2012-05-22 09:20:57,232 [org.apache.tomcat.util.http.Cookies] - Cookies: Invalid
 cookie. Value not a token or quoted value
2012-05-22 09:20:57,319 [org.apache.catalina.connector.CoyoteAdapter] - An excep
tion or error occurred in the container during the request processing: java.lang
.NoSuchMethodError: org.apache.catalina.realm.GenericPrincipal.(Ljava/lang
/String;Ljava/lang/String;Ljava/util/List;)V
        at fr.doume.jna.authenticator.SSPAuthenticator.getPrincipal(SSPAuthentic
ator.java:558) [:]
        at fr.doume.jna.authenticator.SSPAuthenticator.authenticate(SSPAuthentic
ator.java:478) [:]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authentica
torBase.java:559) [:6.1.0.Final]
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValv
e.java:88) [:6.1.0.Final]
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invok
e(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.j
ava:159) [:6.1.0.Final]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.j
ava:102) [:6.1.0.Final]
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedC
onnectionValve.java:158) [:6.1.0.Final]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineVal
ve.java:109) [:6.1.0.Final]
        at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.
invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.jav
a:362) [:6.1.0.Final]
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcesso
r.java:893) [:6.1.0.Final]
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.pr
ocess(Http11AprProtocol.java:600) [:6.1.0.Final]
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:20
19) [:6.1.0.Final]
        at java.lang.Thread.run(Unknown Source) [:1.6.0_31]
 
I'm trying to use the jna version, and I've uploaded a skeleton of my configuration in issue tracker:
http://tomcatspnego.codeplex.com/workitem/7996

Kind regards,

Pedro Saraiva

Coordinator
May 22, 2012 at 10:34 PM
Edited May 22, 2012 at 10:38 PM

Hello,

Could you test with the jar frdoumesspitc6jbossjna.jar ?

Go to Downloads to get this file.

Dominique

May 23, 2012 at 12:46 PM

Hi,

With frdoumesspitc6jbossjna.jar it doesn't give any exceptions. However, I can't seem to authenticate (probably due to bad configuration). When I access a protected url it just gives me "HTTP Status 403 - Access to the requested resource has been denied", without ever prompting for credentials. I've tried a test webapp within tomcat 7 with the same configuration and the results were the same. Shouldn't the browser prompt for credentials?

Thanks and kind regards,

Pedro Saraiva

Coordinator
May 23, 2012 at 1:52 PM
Use the group everyone (tout le monde in french), not MAISIS\* as role name in the file web.xml

Dominique Guerin
Coordinator
May 23, 2012 at 2:15 PM
403: The user is authenticated but has no authorization

Dominique Guerin
May 23, 2012 at 3:56 PM

Ok, but when I access through a browser in a machine that isn't in the domain (i.e. my linux computer), it throws "HTTP Status 401 - This request requires HTTP authentication ()". I want it to prompt the user for credentials, is that possible?

Kind regards,

Pedro Saraiva

HTTP Status 401 - This request requires HTTP authentication ().
Coordinator
May 23, 2012 at 6:02 PM

Hello,

Add a parameter in the context.xml file:

<Parameter name="choiceoftheaccount"  value = ""   override="false" />

 

Dominique Guerin

May 24, 2012 at 8:42 AM

Hi,

Sorry but that doesn't work. Tested with both JBoss 6 and Tomcat 7. HTTP Status 401 on both.

Kind regards,

Pedro Saraiva

Coordinator
May 24, 2012 at 2:54 PM
Edited May 24, 2012 at 3:50 PM

Hello,

With this parameter, the server sends 401, but with the method of authentication: Negotiate. On Windows, the browser sends a popup to the user, to test SPNEGO with another account.

With the servlet 3.0, the request has the methods login and authenticate. I use this possibility with tomcat 7 in the examples explOnlyt7FallbckUsrPwd and explOnlyt7FallbckUsrPwdNoFree. When the user cannot be authenticated, the error page with the error 401 is a form. In this form, the method login is called.

Tomcat 6 does not use the servlet 3.0 and the method login does not exist. I give a solution, but the code is very dependent on tomcat.

JBoss 6 uses the code of tomcat 6 with some modifications. The code of catalina.jar in tomcat is the code of jbossweb.jar in JBoss. But JBoss 6 is compatible with the specifications of the servlet 3.0.

You can test with tomcat 7 with these examples without the parameter choiceoftheaccount. These examples use the version 3.0 of the specifications.

The jar frdoumesspitc6jbossjna is the version for tomcat 6 modified.

I compiled a new jar frdoumesspitc7jboss6jna. You can test this jar with the examples given above. I will give this jar on IssueTracker.

You could test.

Dominique

May 24, 2012 at 3:55 PM

Hi,

There's some strange issues that I don't understand. If I try to access a protected url from various Windows machines in other domains the browser prompts for credentials. However, in every machine with Linux it doesn't prompt for credentials, it just throws http 401...

I've captured the traffic with wireshark on both windows and linux to see the differences, but they have the same packets (one request, and one reply with unauthorized (negotiate)). Do you know what I'm missing here?

Kind regards,

Pedro Saraiva

Coordinator
May 24, 2012 at 7:49 PM

Hello,

With SPNEGO, the server sends a header WWW-Authenticate with the value Negotiate. What does the browser on Linux send? I think the browser does not understand. With the parameter "choiceoftheaccount", the server sends WWW-Authenticate: Negotiate when the authentication has failed. Without this parameter, the server sends only the value 401 without this header. So, on windows, the browser cannot try with another account. So, the browser does not open a popup.

Without this parameter, with tomcat 7 and the examples, the error page 401 is sent. This page is a form. You can give the name and the password and the method login will be called by the page. In this case, there is no header WWW-Authenticate. The authentication does not use Negotiate. On JNA, it will call LogonUser. With TCP, the service will use another solution, but the client sends only a username and a password.

With JBoss, try the new jar. It uses the version for tomcat 7 with a little modification. To a browser which does not understand the header WWW-Authenticate: Negotiate, the server sends the error page, which is not the default page.

Did you test with tomcat 7 and the example explOnlyt7FallbckUsrPwd? Did you test with JBoss 6 , the jar frdoumesspitc7jboss6jna.jar and the same example?

Dominique

Coordinator
May 25, 2012 at 4:24 AM

Hi,

I found this to use SPNEGO with Firefox on linux:

http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/sso-config-firefox.html

Dominique

May 28, 2012 at 1:32 PM
Edited May 28, 2012 at 1:37 PM

Hi,

The frdoumesspitc7jboss6jna works great. However, I'm having some trouble authenticating with the Apache HttpClient 4.2 over NTLM. If I don't set onlyntlm, the httpclient only tries to authenticate with Kerberos and doesn't fallback to NTLM. If I force Httpclient to use NTLM it doesn't work, because it's expecting a "WWW-Authenticate: NTLM" from server.  If I set onlyntlm it works great.

I've noticed that the server only sends "WWW-Authenticate: Negotiate" in the header. However, it's possible to include multiple Authenticate headers in the server response. Is it possible to configure the server to send "WWW-Authenticate: Negotiate" and "WWW-Authenticate: NTLM" in the headers so httpclient can fall back to NTLM? (For example, IIS does this)

Thank you and kind regards,

Pedro Saraiva

 

Edit: Is it possible to include these changes in the TCP version? I'm also planning to run the server on unix machines.

Coordinator
May 29, 2012 at 3:59 PM

Hello,

I will add this possibility with a parameter. NTLM is an old version of NTLM and is not as secure as NTLMv2.

Is it a TCP version with JBoss 6 or tomcat 7? The two versions?

JBoss 5 uses the code of tomcat 5. The code of JBoss 6 is neither the code of tomcat 6 (which does not use the specification 3.0 of the servlets) nor the code of tomcat 7 (which was written after JBoss 6).

Dominique Guerin

May 29, 2012 at 4:11 PM
Edited May 30, 2012 at 9:37 AM

Hi,

Sorry for the confusion. But by speaking of NTLM I'm referring to NTLMv2 (send a "WWW-Authenticate: Negotiate" and "WWW-Authenticate: NTLMSSP").

It would be nice to have the code for JBoss6 over TCP updated.

Another issue i'm not understanding, for example:

- Server Windows machine M1 is on domain DEV

- JBoss6 on M1 has <auth-constraint><role-name>MAISIS\Domain Users</role-name></auth-constraint> for the tomcatspnego configuration

- Client Windows machine M2 is on domain DEV2

- Client browser on M2 tries to access M1 JBoss. With valid credentials for a user on domain MAISIS I can't authenticate, it just keeps prompting for credentials until it fails with 401. With valid credentials for a user on domain DEV it shows "403: access to the requested resource has been denied"

What I need is to give access just to the MAISIS domain users. What am I doing wrong?


Kind regards,

Pedro Saraiva


Coordinator
Jun 2, 2012 at 7:29 AM

Hello,

I added a new trunk. You can use Negotiate (SPNEGO) and NTLM. Add this parameter in the file context.xml

<Parameter name="spnegoandntlm" value="" />

It is also possible to use JBoss 6. I changed the two versions JNA and TCP.

Dominique Guerin
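
The header behaviour discussed in this thread (a bare 401, a 401 offering only Negotiate, and a 401 offering both Negotiate and NTLM) can be checked from a traffic capture with a small triage helper. This is an added example, not part of the thread and not tomcatspnego code; the sample headers and tokens are constructed, and the client preference list passed to `pick_scheme` is a hypothetical stand-in for a client that only accepts the NTLM scheme.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample 401 header sets (not captured from the thread's servers).
BARE_401 = [("Content-Type", "text/html")]
ONLY_NEGOTIATE = [("WWW-Authenticate", "Negotiate")]
BOTH = [("WWW-Authenticate", "Negotiate"), ("WWW-Authenticate", "NTLM")]
# Constructed tokens: an NTLM type 1 message and a truncated GSS-API/SPNEGO prefix.
NTLM_TYPE1 = base64.b64encode(NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(4)).decode()
GSS_INIT = base64.b64encode(bytes.fromhex("608201000606" "2b0601050502")).decode()

def offered_schemes(headers):
    """Schemes from every WWW-Authenticate header, in the order the server sent them."""
    return [value.split()[0] for name, value in headers
            if name.lower() == "www-authenticate" and value.strip()]

def pick_scheme(offered, client_supported):
    """First scheme in the client's preference order that the server offered, else None."""
    by_lower = {s.lower(): s for s in offered}
    for scheme in client_supported:
        if scheme.lower() in by_lower:
            return by_lower[scheme.lower()]
    return None  # the client has nothing to answer with, so it stops at the 401

def classify_token(header_value):
    """Tell what mechanism a 'Negotiate <base64>' or 'NTLM <base64>' value carries."""
    parts = header_value.split(None, 1)
    if len(parts) == 1:
        return parts[0], "no token (initial challenge)"
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return parts[0], "invalid base64"
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        msg_type = int.from_bytes(raw[8:12], "little")
        return parts[0], "raw NTLMSSP " + NTLM_TYPES.get(msg_type, "unknown")
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]
        return parts[0], "GSS-API InitialContextToken (SPNEGO or Kerberos)"
    if raw[:1] == b"\xa1":  # ASN.1 context tag [1]
        return parts[0], "SPNEGO NegTokenResp"
    return parts[0], "unrecognized"

if __name__ == "__main__":
    for label, hdrs in (("bare", BARE_401), ("negotiate", ONLY_NEGOTIATE), ("both", BOTH)):
        print(label, offered_schemes(hdrs), pick_scheme(offered_schemes(hdrs), ["NTLM"]))
    print(classify_token("Negotiate " + NTLM_TYPE1))
    print(classify_token("Negotiate " + GSS_INIT))
```

A `Negotiate` header whose token decodes to raw NTLMSSP means the client fell back to NTLM inside the Negotiate scheme, which is worth flagging when only Kerberos is expected.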