Java Security

Help-kerberos works with spnego keytab file but not in netbeans and Metro

811845 Feb 3 2011 — edited Apr 8 2011
Hi,

I'd appreciate it if someone could shed some light on this problem and guide me on what else I am missing.

I'm trying to call a .NET-based WCF web service (MS Dynamics CRM - OrganizationSvc) from a Java client. I started looking at the Metro framework for interoperability. I was able to generate all the proxy classes and was able to write the code to invoke the web service. However, the challenge was using Kerberos-based authentication and the related setup.

I primarily followed the link below which was very helpful but had to dig more to get more specific details.
http://blogs.sun.com/enterprisetechtips/entry/building_kerberos_based_secure_services

I tried to follow the NetBeans route and hit some roadblocks in verifying the setup (krb5.conf, login.conf and wsit-client.xml). So I came across SPNEGO and used their examples, made changes accordingly and, after experimenting with various configuration settings (krb5.conf and login.conf), I was finally able to run the HelloKDC and HelloKeytab files successfully.

krb5.conf

[libdefaults]
    default_realm = NA.CONVERGYS.COM

[realms]
    NA.CONVERGYS.COM = {
        kdc = CDCWW13.na.convergys.com
        admin_server = CDCWW13.na.convergys.com
    }

[domain_realm]
    .na.convergys.com = NA.CONVERGYS.COM

login.conf

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="C:/WINDOWS/orldwv705_feb03.keytab"
    doNotPrompt=false
    storeKey=true
    principal="HOST/ORLDWV705.na.convergys.com"
    debug=true;
};

C:\spnego-r7>klist -k C:\WINDOWS\orldwv705_feb03.keytab

Key tab: C:\WINDOWS\orldwv705_feb03.keytab, 1 entry found.

[1] Service principal: HOST/ORLDWV705.na.convergys.com@NA.CONVERGYS.COM
KVNO: 7


With these settings, I was able to successfully make the call & Hello Keytab was able to get the Ticket and authenticate.

http://spnego.sourceforge.net/index.html
http://spnego.sourceforge.net/client_keytab.html
http://spnego.sourceforge.net/troubleshoot_hellokeytab.html

However, when I run the example in NetBeans with the setup mentioned in the links below, I run into the following exception...
http://metro.java.net/guide/Developing_with_NetBeans.html#wsit_example_with_nb-creating_wsit_client
http://metro.java.net/guide/_Configuring_Kerberos_for_Glassfish_and_Tomcat.html

1) I noticed that the sc:KerberosConfig element in wsit-client.xml does not get updated automatically in the NetBeans IDE, so I manually edited it to put in the entries.
2) I also followed the setup required in the GlassFish domain.xml & login.conf xml.
3) I also noticed that the NetBeans setup requires us to use the C:\Windows\krb5.ini file, which is nothing but the krb5.conf file referred to elsewhere.

wsit-client.xml

<wsp:Policy wsu:Id="ClientKerberosPolicy"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/client"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:scc="http://schemas.sun.com/ws/2006/05/sc/client"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsp:ExactlyOne>
        <wsp:All>
            <sc:KerberosConfig wspp:visibility="private"
                loginModule="KerberosClient"
                servicePrincipal="HOST/ORLDWV705.na.convergys.com"
                credentialDelegation="true" />
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

ERROR
INFO: WSP5018: Loaded WSIT configuration from file: file:/C:/Documents%20and%20Settings/rchoppal/My%20Documents/NetBeansProjects/TestOrgSvc/build/web/WEB-INF/classes/META-INF/wsit-client.xml.
WARNING: [failed to localize] WSP_0075_PROBLEMATIC_ASSERTION_STATE({http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy, UNKNOWN)
WARNING: [failed to localize] WSP_0019_SUBOPTIMAL_ALTERNATIVE_SELECTED(PARTIALLY_SUPPORTED)
INFO: >>>KinitOptions cache name is C:\Documents and Settings\rchoppal\krb5cc_rchoppal
INFO: >>> KrbCreds found the default ticket granting ticket in credential cache.
SEVERE: WSITPVD0050: Error while Securing Request Message.
com.sun.xml.wss.XWSSecurityException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:94)
at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.doKerberosLogin(WSITProviderSecurityEnvironment.java:3049)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.populateKerberosContext(WSITClientAuthContext.java:911)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:318)
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:291)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)

-
-
-
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
at sun.security.krb5.Credentials.acquireDefaultCreds(Credentials.java:451) (I tried to search the open source code, but this line didn't match exactly)
at sun.security.krb5.Credentials.acquireTGTFromCache(Credentials.java:272)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:589)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.sun.xml.ws.security.impl.kerberos.KerberosLogin.login(KerberosLogin.java:85)
-
-
-

SEVERE: SEC2004: Container-auth: wss: Error securing request
javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
-
-
-
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more

WARNING: StandardWrapperValve[TestOrgSvcServlet]: PWC1406: Servlet.service() for servlet TestOrgSvcServlet threw exception
javax.xml.ws.WebServiceException: Cannot secure request for {http://schemas.microsoft.com/xrm/2011/Contracts}CustomBinding_IOrganizationService
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:165)
-
-
-

Caused by: javax.xml.ws.WebServiceException: WSITPVD0050: Error while Securing Request Message.
at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.secureRequest(WSITClientAuthContext.java:299)
at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:158)
... 40 more
Caused by: javax.xml.ws.soap.SOAPFaultException: Unexpected Exception in Kerberos login - unable to continue
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1617)
at com.sun.xml.wss.provider.wsit.WSITAuthContextBase.getSOAPFaultException(WSITAuthContextBase.java:1633)
... 42 more

Edited by: user6748004 on Feb 3, 2011 5:36 PM

Edited by: user6748004 on Feb 3, 2011 5:38 PM
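
Added example, not part of the original post and not Metro or SPNEGO project code: a stand-alone Java check that prints the JAAS entry and options the JVM resolves for the loginModule name used in wsit-client.xml (KerberosClient) and then performs the same LoginContext login seen in the stack trace, outside GlassFish. The class name JaasEntryCheck and the placeholder paths are assumptions; java.security.auth.login.config and java.security.krb5.conf are the standard JDK system properties.

```java
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added diagnostic (hypothetical class name). Run with the caller's own paths:
 *   java -Djava.security.auth.login.config=<path-to-login.conf>
 *        -Djava.security.krb5.conf=<path-to-krb5.conf-or-krb5.ini>
 *        JaasEntryCheck KerberosClient
 */
public class JaasEntryCheck {

    /** Returns the resolved entries for a JAAS name, or null if the name is not defined. */
    static AppConfigurationEntry[] resolve(String entryName) {
        return Configuration.getConfiguration().getAppConfigurationEntry(entryName);
    }

    public static void main(String[] args) {
        // Default to the loginModule value from the wsit-client.xml in the post.
        String entryName = args.length > 0 ? args[0] : "KerberosClient";
        AppConfigurationEntry[] entries = resolve(entryName);
        if (entries == null) {
            System.err.println("No JAAS entry named '" + entryName + "' in "
                    + System.getProperty("java.security.auth.login.config"));
            System.exit(2);
        }
        for (AppConfigurationEntry e : entries) {
            System.out.println(e.getLoginModuleName() + " " + e.getControlFlag());
            for (Map.Entry<String, ?> opt : e.getOptions().entrySet()) {
                // useKeyTab / useTicketCache / keyTab / principal decide which
                // credential source Krb5LoginModule will try.
                System.out.println("  " + opt.getKey() + " = " + opt.getValue());
            }
        }
        try {
            // Same call as KerberosLogin.login -> LoginContext.login in the trace.
            LoginContext lc = new LoginContext(entryName);
            lc.login();
            System.out.println("Login OK, principals: " + lc.getSubject().getPrincipals());
            lc.logout();
        } catch (LoginException ex) {
            System.err.println("Login failed for entry '" + entryName + "': " + ex);
            ex.printStackTrace();
            System.exit(1);
        }
    }
}
```

Running it once with spnego-server and once with KerberosClient shows whether both names resolve to the same Krb5LoginModule options.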
Post Details
Locked on May 6 2011
Added on Feb 3 2011