Thursday, May 29, 2014

spring kerberos spnego Cannot locate default realm

While trying to start my kerberized application using the maven-tomcat-plugin as a different user under Windows 7, I got the following error: Cannot locate default realm.

Looking at the krb5.conf file, I realized that various things in the file were wrong, so I changed them and the file looks as follows:

[libdefaults]
default_realm = EXAMPLE.COM
# default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
# default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
kdc_timeout = 5000
dns_lookup_realm = false
dns_lookup_kdc = false
allow_weak_crypto = yes
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = 127.0.0.1:60088
}

[login]
krb4_convert = true
krb4_get_tickets = false


This didn't do much, so I looked in the ApacheDS log file for more clues and noticed that the service principal's name (servicePrincipal) of the KerberosServiceAuthenticationProvider bean was incorrect. I corrected it and the server started properly. Below is the complete Spring Security configuration file, less the namespace-related attributes, and below that the corresponding LDAP structure.

<beans ...>
    
<sec:http entry-point-ref="spnegoEntryPoint">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
</sec:http>
    
    
<bean id="spnegoEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

<bean id="spnegoAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
</bean>

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider" />
</sec:authentication-manager>

<bean id="kerberosServiceAuthenticationProvider" class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
    <property name="ticketValidator">
        <bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
            <property name="servicePrincipal" value="HTTP/tomcat@EXAMPLE.COM" />
            <property name="keyTabLocation" value="classpath:krb5.keytab" />
            <property name="debug" value="true"/>
        </bean>
    </property>
    <property name="userDetailsService" ref="dummyUserDetailsService" />
</bean>

<!-- Just returns the User authenticated by Kerberos and gives him the ROLE_USER -->
<!--  
<bean id="dummyUserDetailsService1" class="org.springframework.security.extensions.kerberos.sample.DummyUserDetailsService"/>
-->

<bean id="dummyUserDetailsService" class="org.wmmnpr.mykrb.config.Krb5DumyUserService"/>
</beans>
The server produced the following output during its start.