
Support for IBM JDK

Help
2015-04-22
2016-10-05
  • Chaithanya Kakimani

    Hi,

    I don't think this version supports the IBM JDK. Please update if this works with the IBM JDK; I tried with all options. But looking at the source, it looks like SPNEGO is tightly coupled with the Sun JDK.

    Please update if you look at supporting in near future.
    By the way, your project works fine and is helpful, but unfortunately I have a few other applications working with the IBM JDK and cannot propose this solution to implement SSO in my project.

     
  • Darwin Felix

    Darwin Felix - 2015-05-20

    Unfortunately, I haven't heard of anyone attempting this library on IBM.

    Perhaps others will give it a try and post their results to this forum thread.

    But either way, if changes are required, IBM support may not happen anytime soon.

     
  • Mario Egli

    Mario Egli - 2015-06-05

    I'm currently trying to get it running on an AIX server with IBM JDK 1.7.

    But I'm having trouble with the option keyStore in login.conf because this option isn't supported by the IBM JDK.

    Is there any alternative? And is this option that important?

     
  • Mario Egli

    Mario Egli - 2015-06-05

    I just found that IBM is storing an instance of KerberosKey by default in the credential set of a Subject!

    This means there is no need for this flag (storeKey) on IBM machines.

    like this

     
  • Mario Egli

    Mario Egli - 2015-06-11

    Good news for everybody who is trying to use this framework with IBM JDK.

    With some minor changes in the code I got it running.

    My setup:
    JDK 1.7.0
    Tomcat 7.0.61

    First of all you need to change the login.conf file:


    spnego-client {
    com.ibm.security.auth.module.Krb5LoginModule required;
    };

    spnego-server {
    com.ibm.security.auth.module.Krb5LoginModule required
    debug=true
    noAddress=false
    credsType=acceptor;
    };


    Second, you need to delete the following section in SpnegoFilterConfig.java:


        if (opt.containsKey("storeKey")) {
            final Object store = opt.get("storeKey");
            if (null == store || !Boolean.parseBoolean((String) store)) {
                throw new UnsupportedOperationException("Login Module for server "
                        + "must have storeKey option in login file set to true.");
            }
        } else {
            throw new UnsupportedOperationException("Login Module for server does "
                    + "not have the storeKey option defined in login file.");
        }
    

    In the IBM JDK Krb5LoginModule the principal's key is stored by default in the Subject's private credentials.

    Third, some minor changes in the SpnegoProvider. Depending on your JDK version you don't need these changes. These changes have their roots deep in the implementation of GSSCredential.

    SpnegoProvider.java


    // Imports the two methods below need (MANAGER and SPNEGO_OID are existing SpnegoProvider fields)
    import java.security.PrivilegedActionException;
    import java.security.PrivilegedExceptionAction;
    import javax.security.auth.Subject;
    import org.ietf.jgss.GSSCredential;
    import org.ietf.jgss.GSSException;
    import org.ietf.jgss.Oid;

    public static GSSCredential getClientCredential(final Subject subject)
        throws PrivilegedActionException {

        final PrivilegedExceptionAction<GSSCredential> action =
            new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws GSSException {
                    // Acquire an SPNEGO credential under the logged-in subject ...
                    final GSSCredential gssCred = MANAGER.createCredential(
                            null
                            , GSSCredential.INDEFINITE_LIFETIME
                            , SpnegoProvider.SPNEGO_OID
                            , GSSCredential.ACCEPT_ONLY);
                    // ... and add the Kerberos V5 mechanism (OID 1.2.840.113554.1.2.2) to it
                    gssCred.add(null, GSSCredential.INDEFINITE_LIFETIME,
                            GSSCredential.INDEFINITE_LIFETIME,
                            new Oid("1.2.840.113554.1.2.2"), GSSCredential.ACCEPT_ONLY);
                    return gssCred;
                }
            };

        return Subject.doAs(subject, action);
    }


    static GSSCredential getServerCredential(final Subject subject)
        throws PrivilegedActionException {

        final PrivilegedExceptionAction<GSSCredential> action =
            new PrivilegedExceptionAction<GSSCredential>() {
                public GSSCredential run() throws GSSException {
                    // Acceptor credential for the server principal, again SPNEGO plus Kerberos V5
                    final GSSCredential gssCred = MANAGER.createCredential(
                            null
                            , GSSCredential.INDEFINITE_LIFETIME
                            , SpnegoProvider.SPNEGO_OID
                            , GSSCredential.ACCEPT_ONLY);
                    gssCred.add(null, GSSCredential.INDEFINITE_LIFETIME,
                            GSSCredential.INDEFINITE_LIFETIME,
                            new Oid("1.2.840.113554.1.2.2"), GSSCredential.ACCEPT_ONLY);
                    return gssCred;
                }
            };
        return Subject.doAs(subject, action);
    }
    

    Thank you Darwin for this framework.

    Probably we extend the framework one day with context looping.

    Greetings
    Mario

     

    Last edit: Mario Egli 2015-06-11
  • Darwin Felix

    Darwin Felix - 2016-05-20

    Excellent Mario!

    Thank you for sharing your findings!

     
  • Niranjan

    Niranjan - 2016-10-03

    Can you please patch the changes? Will it be part of a new release anytime in the near future?

     

    Last edit: Niranjan 2016-10-03
  • Vörös László

    More changes are needed in the SpnegoFilterConfig.java/doServerModule function if you want to use a keytab.
    Replace this part:

    if (opt.containsKey("useKeyTab")
            && opt.containsKey("principal")
            && opt.containsKey("keyTab")) {
        this.canUseKeyTab = true;
    } else {
        this.canUseKeyTab = false;
    }
    

    with this:

    if (opt.containsKey("useKeytab")
            && opt.containsKey("principal")) {
        this.canUseKeyTab = true;
    } else {
        this.canUseKeyTab = false;
    }
    

    This is because the IBM SDK combines the useKeyTab and keyTab options of login.conf into useKeytab (be aware of the case), which must be set like this:
    useKeytab="file:///opt/freeware/tomcat7/conf/krb_sasdev.keytab"
    Note that you have to use the URL form instead of a file path.
    In this case you must leave the user and password information in web.xml empty.
    Furthermore, I experienced that in login.conf the credsType=both setting works correctly instead of credsType=acceptor.

     

    Last edit: Vörös László 2016-10-05
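As an added example (not code from this thread or from the SPNEGO project), the following Python script lints the login.conf entries discussed above by Mario and László: it parses the JAAS application entries, mirrors the doServerModule keytab check for both JDK flavours (Sun needs useKeyTab, principal and keyTab; IBM needs useKeytab and principal), and flags the options that differ between the Sun and IBM Krb5LoginModule (storeKey, useKeyTab/keyTab versus useKeytab in file URL form, and credsType, where both acceptor and both are accepted as László reported). The IBM_CONF sample is copied from Mario's post; the other configurations, file paths and principal names are constructed for the example, and the parser assumes one module line per entry with no quoted values containing whitespace.

```python
"""Lint a JAAS login.conf for the SPNEGO filter: Sun/Oracle vs IBM Krb5LoginModule conventions."""
import re
from urllib.parse import urlparse

SUN_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
IBM_MODULE = "com.ibm.security.auth.module.Krb5LoginModule"

# Assumption: one module line per application entry and no quoted values with whitespace;
# this simplified grammar covers the configurations posted in the thread.
ENTRY_RE = re.compile(r"(?P<name>[\w.-]+)\s*\{(?P<body>.*?)\}\s*;", re.S)


def parse_login_conf(text):
    """Parse login.conf into {entry_name: {"module": class, "flag": control flag, "options": {k: v}}}."""
    entries = {}
    for match in ENTRY_RE.finditer(text):
        tokens = match.group("body").strip().rstrip(";").split()
        if len(tokens) < 2:
            raise ValueError(f"entry {match.group('name')}: expected '<module class> <flag>'")
        options = {}
        for token in tokens[2:]:
            key, _, value = token.partition("=")
            options[key] = value.strip('"')
        entries[match.group("name")] = {"module": tokens[0], "flag": tokens[1], "options": options}
    return entries


def can_use_keytab(entry):
    """Mirror the doServerModule keytab test from the thread for the two JDK flavours."""
    opts = entry["options"]
    if entry["module"] == IBM_MODULE:
        return "useKeytab" in opts and "principal" in opts
    return "useKeyTab" in opts and "principal" in opts and "keyTab" in opts


def check_server_entry(entry):
    """Return a list of problems for a spnego-server entry; an empty list means it passes."""
    problems = []
    module, opts = entry["module"], entry["options"]
    if module == SUN_MODULE:
        # The filter's own check: the acceptor key must be kept in the Subject.
        if opts.get("storeKey", "").lower() != "true":
            problems.append("Sun Krb5LoginModule: storeKey=true is required")
    elif module == IBM_MODULE:
        if "storeKey" in opts:
            problems.append("IBM Krb5LoginModule: storeKey is not supported (the key is stored by default)")
        if "useKeyTab" in opts or "keyTab" in opts:
            problems.append("IBM Krb5LoginModule: use useKeytab=<file URL> (case matters) instead of useKeyTab/keyTab")
        if "useKeytab" in opts and urlparse(opts["useKeytab"]).scheme != "file":
            problems.append("IBM Krb5LoginModule: useKeytab must be a file:// URL, not a bare path")
        if opts.get("credsType") not in ("acceptor", "both"):
            problems.append("IBM Krb5LoginModule: credsType must be 'acceptor' or 'both' for the server entry")
    else:
        problems.append(f"unknown login module {module}")
    return problems


# Sample from Mario's post above.
IBM_CONF = """
spnego-client {
com.ibm.security.auth.module.Krb5LoginModule required;
};

spnego-server {
com.ibm.security.auth.module.Krb5LoginModule required
debug=true
noAddress=false
credsType=acceptor;
};
"""

# Constructed samples (hypothetical paths and principal); not from a real deployment.
IBM_KEYTAB_CONF = """
spnego-server {
com.ibm.security.auth.module.Krb5LoginModule required
credsType=both
useKeytab="file:///opt/example/conf/http.keytab"
principal="HTTP/app.example.org";
};
"""

SUN_CONF = """
spnego-server {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/example/http.keytab"
principal="HTTP/app.example.org";
};
"""

# Sun-style options pasted into an IBM entry: every IBM-specific check fires.
BAD_IBM_CONF = """
spnego-server {
com.ibm.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/etc/example/http.keytab"
principal="HTTP/app.example.org";
};
"""

if __name__ == "__main__":
    for label, conf in (("ibm", IBM_CONF), ("ibm-keytab", IBM_KEYTAB_CONF),
                        ("sun", SUN_CONF), ("bad-ibm", BAD_IBM_CONF)):
        entry = parse_login_conf(conf)["spnego-server"]
        print(label, "| keytab usable:", can_use_keytab(entry),
              "| problems:", check_server_entry(entry) or "none")
```

Running the script prints one line per sample; the BAD_IBM_CONF entry shows the three mistakes a Sun-style configuration carries into the IBM module (storeKey, the useKeyTab/keyTab spelling, and the missing credsType), while the IBM_CONF entry from the thread passes but reports that no keytab is configured.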
