
ORDS, SODA & JSON in the Database


Followup to 'Windows Integrated Authentication - HOWTO'

R Hachem, Sep 15 2020 (edited Sep 18 2020)

I've been using the Windows Integrated Authentication - HOWTO setup originally written by @partlycloudy for quite some time and it has been working great! Since our users are already logged on via Windows, they can just go to their APEX apps and are directly logged in. Our apps use the HTTP header variable REMOTE_USER to figure out who's logged on.

So ... this has been working great, as long as I don't upgrade past Tomcat 8.5.31. Once I go to 8.5.32 or above, it seems the JAAS authenticate calls aren't working the same and it's causing it to fail. I really hate to admit how much time I've spent trying to figure this out ... Well, let's say I've been working on this off and on for many months. I've sort of given up at this point, so I'm still stuck on an older version of Tomcat.

When I turn on tracing, here is what I see:

Up to 8.5.31 - this works:

05-Jul-2019 11:09:36.958 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [rahachem]
05-Jul-2019 11:09:36.958 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/<snip>] [javax.security.auth.kerberos.KerberosPrincipal]
05-Jul-2019 11:09:36.958 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal No valid user Principal found
05-Jul-2019 11:09:36.958 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.
05-Jul-2019 11:09:36.960 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.authenticate Username [rahachem] successfully authenticated as Principal [{1}] -- Subject was created too
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject
05-Jul-2019 11:09:36.964 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated 'rahachem' with type 'SPNEGO'

8.5.32 or above - this breaks:

05-Jul-2019 10:56:01.769 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [rahachem]
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/<snip>] [javax.security.auth.kerberos.KerberosPrincipal]
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal No valid user Principal found
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.authenticate Username [rahachem] NOT successfully authenticated
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

So it seems to be JAASRealm's authenticate() call that is failing.

When I look at the changelog for 8.5.32, I see one fix that maybe is related?

    Fix: Make JAASRealm mis-configuration more obvious by requiring the authenticated Subject to include at least one Principal of a type specified by userClassNames. (markt)

I know that should be pointing me in the direction of the problem but I'm no Tomcat expert so I haven't been able to make any progress.

Here is my setup:

My jaas.conf:

APEX {
  // Kerberos login module; the SpnegoAuthenticator valve selects this entry via loginConfigName="APEX"
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  // service principal whose key is read from the keytab below
  principal="HTTP/<snip>"
  useKeyTab=true
  keyTab="/u00/app/apache/tomcat/conf/keytab"
  storeKey=true
  debug=false;
};

The tail of my web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>APEX</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <!-- "*" here means any authenticated user; the realm's allRolesMode="authOnly" makes this role-free -->
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
      <!-- require TLS for every request to the application -->
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>SPNEGO</auth-method>
    </login-config>
</web-app>

My apex.xml

<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <!-- negotiates Kerberos (SPNEGO) with the browser, using the "APEX" entry of jaas.conf -->
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
         loginConfigName="APEX"
  />
  <!-- JAASRealm with no userClassNames/roleClassNames set; authOnly makes "*" match any authenticated user -->
  <Realm className="org.apache.catalina.realm.JAASRealm"
         allRolesMode="authOnly"
         appName="APEX"
  />
</Context>

I've seen a couple of other threads where it seems that people have been having issues with this as well. For example, this one seems to show a fix but that only applies to Tomcat 9 because Tomcat 8.5 doesn't have the call that is being used here. Here is another one that I think is possibly the same problem as well.

Anyway, I would really appreciate any help if anyone has any suggestions. Thank you.

This post has been answered by partlycloudy on Sep 16 2020
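The changelog entry quoted in the post ties the new failure to userClassNames: from 8.5.32 on, JAASRealm only builds a user Principal if the Subject returned by the login module contains a Principal whose class is listed there. The following diagnostic is an added example, not code from the post or from Tomcat: it parses the JAASRealm FINE trace lines in the format quoted above, reads the JAASRealm element from a Context XML, and reports which Principal classes the Subject actually carried, whether any of them is accepted by userClassNames, and whether the only Principal seen is the realm's own service principal from jaas.conf rather than the browser user. The sample trace and Context XML are constructed copies of what the post shows; SERVICE_PRINCIPAL is the `principal=` value from the post's jaas.conf with the host elided as in the post.

```python
"""Cross-check a Tomcat JAASRealm FINE trace against the realm's userClassNames (added example)."""
import re
import xml.etree.ElementTree as ET

# "Checking Principal [<name>] [<class>]" lines emitted by JAASRealm.createPrincipal
CHECK_RE = re.compile(
    r"JAASRealm\.createPrincipal Checking Principal \[(?P<name>[^\]]*)\] \[(?P<cls>[^\]]*)\]"
)
# final verdict line emitted by JAASRealm.authenticate
RESULT_RE = re.compile(
    r"JAASRealm\.authenticate Username \[(?P<user>[^\]]*)\] "
    r"(?P<result>NOT successfully authenticated|successfully authenticated)"
)

# Constructed sample: the 8.5.32 trace quoted in the post, hostname elided.
SAMPLE_TRACE = """\
05-Jul-2019 10:56:01.769 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [rahachem]
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/<snip>] [javax.security.auth.kerberos.KerberosPrincipal]
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal No valid user Principal found
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.
05-Jul-2019 10:56:01.770 FINE [https-jsse-nio-8443-exec-4] org.apache.catalina.realm.JAASRealm.authenticate Username [rahachem] NOT successfully authenticated
"""

# Constructed sample: the apex.xml from the post (note: no userClassNames attribute).
SAMPLE_CONTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator" loginConfigName="APEX"/>
  <Realm className="org.apache.catalina.realm.JAASRealm" allRolesMode="authOnly" appName="APEX"/>
</Context>
"""

# The 'principal=' value from the post's jaas.conf (host elided as in the post).
SERVICE_PRINCIPAL = "HTTP/<snip>"


def parse_trace(text):
    """Extract the Principals JAASRealm inspected and the final authenticate() verdict."""
    principals = []
    user, authenticated = None, None
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            principals.append((m.group("name"), m.group("cls")))
            continue
        m = RESULT_RE.search(line)
        if m:
            user = m.group("user")
            authenticated = not m.group("result").startswith("NOT")
    return {"user": user, "authenticated": authenticated, "principals": principals}


def realm_user_classes(context_xml):
    """Return the JAASRealm's userClassNames as a list ([] when the attribute is absent)."""
    root = ET.fromstring(context_xml)
    for realm in root.iter("Realm"):
        if realm.get("className", "").endswith("JAASRealm"):
            raw = realm.get("userClassNames", "")
            return [c.strip() for c in raw.split(",") if c.strip()]
    return []


def diagnose(trace_text, context_xml, service_principal):
    """Explain a 'No valid user Principal found' result from what the trace and config show."""
    trace = parse_trace(trace_text)
    accepted = realm_user_classes(context_xml)
    matched = [(n, c) for n, c in trace["principals"] if c in accepted]
    findings = []
    if not accepted:
        findings.append("userClassNames is not set on the JAASRealm")
    if not matched:
        findings.append("no Principal in the Subject has a class listed in userClassNames")
    for name, _ in trace["principals"]:
        if name == service_principal:
            findings.append(
                f"Principal {name} in the Subject is the realm's own service principal, "
                f"not the browser user {trace['user']}"
            )
    return {"user": trace["user"], "authenticated": trace["authenticated"],
            "accepted_classes": accepted, "matched": matched, "findings": findings}


if __name__ == "__main__":
    report = diagnose(SAMPLE_TRACE, SAMPLE_CONTEXT, SERVICE_PRINCIPAL)
    print(f"user={report['user']} authenticated={report['authenticated']}")
    for finding in report["findings"]:
        print("-", finding)
```

Run it against a real FINE trace and the deployed context file to see, before changing anything, which Principal classes the login module actually puts in the Subject; the point of the 8.5.32 change is that a Subject with no accepted user Principal is now rejected instead of silently producing a role-less user.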
Added on Sep 15 2020