1 Reply Latest reply: Sep 26, 2013 5:49 AM by user1104930

    Kerberos SSO from a java client application

      I have Weblogic successfully working with an EJB module, and a java client application remotely connecting (by InitialContext JNDI lookup, using t3 or t3s).
      I now want to try and use Kerberos SSO (for Windows clients). I have followed the instructions at http://docs.oracle.com/cd/E12839_01/web.1111/e13707/sso.htm#i1104998, successfully, and can access a servlet via a browser, i.e. the Kerberos tickets all work properly. All good so far.

      Now my problem: I am now trying to access the EJB from the client app using Kerberos SSO. (Is this possible?) I have done the following:

      LoginContext lc = new LoginContext("com.sun.security.jgss.initiate");
      with my client-side jaas login file contents:

      com.sun.security.jgss.initiate {
      com.sun.security.auth.module.Krb5LoginModule required debug=true useTicketCache=true doNotPrompt=true renewTGT=true;
      };

      and with the debug enabled, I see the following in my output, indicating that the TGT has been acquired:

      Acquire TGT from Cache
      Principal is my.user@MYDOMAIN.COM
      Commit Succeeded

      However, when I attempt to do a bean lookup, or even access the same URL in java code (that works via a browser), then I get access errors. I tried to use the following method:

      weblogic.security.Security.runAs(lc.getSubject(), pa);

      where pa is a PrivilegedAction that calls an EJB method. When I did this, it did generate an error on the WL server when calling the EJB method. See the following for the Weblogic debug output error, which did correctly state the user principal (my.user) but didn't recognise it:

      ... <Warning> <RMI> <BEA-080003> <RuntimeException thrown by rmi server: weblogic.rmi.internal.BasicServerRef@124, implementation
      : '[BaseRemoteObject] home: weblogic.ejb.container.internal.StatelessEJBHomeImpl
      @38e9e9', oid: '292', implementationClassName: 'net.x.y.z.MyBean_n1vxhq_MyDataImpl'
      java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[my.user@MYDOMAIN.COM].
      java.lang.SecurityException: [Security:090398]Invalid Subject: principals=[my.user@MYDOMAIN.COM]
      at weblogic.security.service.SecurityServiceManager.seal(SecurityServiceManager.java:835)
      at weblogic.security.service.SecurityServiceManager.getSealedSubjectFromWire(SecurityServiceManager.java:524)
      at weblogic.rjvm.MsgAbbrevInputStream.getSubject(MsgAbbrevInputStream.java:351)
      at weblogic.rmi.internal.BasicServerRef.acceptRequest(BasicServerRef.java:875)
      at weblogic.rmi.internal.BasicServerRef.dispatch(BasicServerRef.java:310)
      Truncated. see log file for complete stacktrace

      Any help would be greatly appreciated.
      - Am I on the right track?
      - Is this possible to do?


      Edited by: stevenjonik on Nov 9, 2012 7:07 AM

      Edited by: stevenjonik on Nov 9, 2012 7:08 AM