Skip to Main Content
Forums

Java Security

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

Interested in getting your voice heard by members of the Developer Marketing team at Oracle? Check out this post for AppDev or this post for AI focus group information.

Program fails in Krb5LoginModule on Snow Leopard (Mac OS X 10.6)

843810Sep 17 2009 — edited Oct 13 2009
Hi,

FWIW, I've already file a bug report with Apple for this, but maybe you can help me. We have a program that authenticates against Active Directory using Krb5LoginModule. It's been working for years under Mac OS X, Windows, Linux and FreeBSD, but under Snow Leopard (Mac OS X 10.6), using JRE 1.6.0_15 it fails with the following stack trace:
09:16:36,451 ERROR LoginDialog:225 - Password check failed: java.lang.IllegalArgumentException: EncryptionKey: Key bytes cannot be null!
	at sun.security.krb5.EncryptionKey.<init>(EncryptionKey.java:214)
	at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:191)
	at sun.security.krb5.EncryptionKey.acquireSecretKeys(EncryptionKey.java:159)
	at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:665)
	at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
	at de.unikoeln.rrz.uklanadmin.services.LoginService.checkPassword(LoginService.java:47)
I've read the source and found that pre-auth works. Actually that's all we care about, we don't need the keys at all! But this call in Krb5LoginModule fails:
		    // update keys after pre-auth
		    encKeys = EncryptionKey.acquireSecretKeys(
			password, principal.getSalt());
Please refer to http://openradar.appspot.com/radar?id=76405 for more details.

Comments

843793
You only need the RMISecurity Manager if you plan to download the stub dynamically. If you are using it make sure you have granted access to the appropriate socket.

if you are not using dynamic class loading enure that the stub you generated for CalculatorImpl is available locally to the client. Put in in the same JAR or directory for example.

If you are using dynamic class loading ensure that the stub and class are both included in a download directory.
843793
Hey thanks Michael for your time.
My problem is, if I put the Stub class into the client's bin folder, it works fine but I want my CalculatorClient class to download Stub class dynamically from server's bin folder which is a remote folder.
I dont think I am doing any mistake in assigning codebase.
What's the problem then?
Will really appreciate your advise, Thanks
843793
This is rmi.policy file i am using, 
grant
{
permission java.net.SocketPermission "*:1024-65535","connect,accept,listen,resolve";
permission java.net.SocketPermission "*:80","connect";
permission java.security.AllPermission;
};
843793
From the look of your code I guess your not using a webserver and your using windows?
You need to add file download permission in your client policy file.

e.g
permission java.io.FilePermission
"P:\\Projects\\RMIServer\\bin\\-", "read";

Just test the codebase without using system.setproperty.

start java -Djava.rmi.server.codebase=file:/P:\Projects\RMIServer\bin/ yourserver

I notice you left out the "/" at the end of your codebase. Might be the problem?

Then start client

java -Djava.security.policy=client.policy your client

Let me know if this works
843793
Michael,
Ya I am trying this example in windowsXP.
I did everything you suggested but again the same error I got.
I am using eclipse and there also you can configure codebase and security properties in IDE.
I tried that aswell, still the same error..... no security manager: RMI class loader disabled.
If you can guide me how to work out a simple example using dynamic stub loading, it will be a great help.
Thanks
-Satya008
843793
You need to create the security manager in the client and try the above again.

Use the code you provied in the server. I just think you just have it in the wrong place :)



843793
At the start of your client. Make sure it can access the policy.

Remove the security manager form the server

System.setProperty("java.security.policy","C:\\Program Files\\eclipse\\security\\rmi.policy");

if (System.getSecurityManager() == null)
{
System.setSecurityManager(new RMISecurityManager());
}
System.out.println("Security manager registered");
843793
Hey Michael you are 100% correct. It worked :o)
But I don't understand why in many tutorials/forums it says to define security manager on server side.
Anyways, thanks a lot for your help. Assigning you some more dukes.
Take care,
Satyen
843793
One more thing...
If you are setting your codebase programatically thenit should be defined as...
System.setProperty("java.rmi.server.codebase","file:/P:/Projects/Olem_Server/bin/");
In the same forum I found few ppl recommend to use "file:///P:\\Projects\\Olem_Server\\bin\\"

but I didn't work for me atleast.

Thanks,
Satyen
843793
Glad to be of help :)
843793
I hope this doesn't sound too lame. I had EXACTLY the same problem. I did two things: first, I added import java.rmi.*; to the file and System.setSecurityManager(new RMISecurityManager());

The class loader problem went away, and I got to my next series of exceptions. I hope this works for you.
843793
Hello all,

I know about only simple RMI techniques. now i have assigned a work to dynamically download the class file that is availabe at server . now when i m using this application in the same machine then it works fine.
but when i tried this in different machine (i.e. client and server separated ) then i have this exception at client side
note :- my remote interface class is available at both client and remote side and corresponding stub/skel are also available to client and server. the class ConsignmentNote is available only at server side.
I want to access this ConsignmentNote at client side, by dynamically downloading it.


RemoteException
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
java.lang.ClassNotFoundException: com.myrmi.server.ConsignmentNote (no security manager: RMI class loader disabled)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:169)
at com.myrmi.server.MyRemoteImpl_Stub.getExtraObject(MyRemoteImpl_Stub.java:141)
at com.myrmi.server.MyClient.main(MyClient.java:20)
Caused by: java.lang.ClassNotFoundException: com.myrmi.server.ConsignmentNote (no security manager: RMI class loader disabled)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:371)
at sun.rmi.server.LoaderHandler.loadClass(LoaderHandler.java:165)
at java.rmi.server.RMIClassLoader$2.loadClass(RMIClassLoader.java:631)
at java.rmi.server.RMIClassLoader.loadClass(RMIClassLoader.java:257)
at sun.rmi.server.MarshalInputStream.resolveClass(MarshalInputStream.java:200)
at java.io.ObjectInputStream.readNonProxyDesc(ObjectInputStream.java:1513)
at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:1435)
at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:1626)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1274)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:324)
at sun.rmi.server.UnicastRef.unmarshalValue(UnicastRef.java:297)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:146)
... 2 more
java.rmi.UnmarshalException: error unmarshalling return; nested exception is:
java.lang.ClassNotFoundException: com.myrmi.server.ConsignmentNote (no security manager: RMI class loader disabled)

C:\programs\JBuilderX\jdk1.4\bin>


I have window 2000 enviornment and i m using JBuilder IDE

i dont know as to how to use RMISecurity Manager and how to use class loader (or RMIClassLoader)

Please provide me ur valuable suggestions and guide me as to how i proceed.

if some one can provide me source code of this type of application or any link for this,

I'll be greatly indebited to him/her.

thanking in advance

Manish Agarwal
843793
I am having this problem:

the interface:


Calculator.java

import java.rmi.Remote;
import java.rmi.RemoteException;

public interface Calculator extends java.rmi.Remote
 { 
    public void print_msg(String s)  throws java.rmi.RemoteException; 
    
}
interface Implimentation class:

CalculatorImpl.java

public class CalculatorImpl    extends   java.rmi.server.UnicastRemoteObject 
    implements Calculator { 
 
    // Implementations must have an explicit constructor  in order to declare the 
    //RemoteException exception 

    public CalculatorImpl()  throws java.rmi.RemoteException 
    { 
        super(); 
    } 
 
    public void print_msg(String s) throws java.rmi.RemoteException 
	{

		System.out.println(s);
		
	}
  
}
main class:


CalculatorServer.java

import java.rmi.Naming;
import java.rmi.RMISecurityManager;

public class CalculatorServer {

   public CalculatorServer() {
	try {
	
	System.setSecurityManager(new RMISecurityManager());
     
        Calculator c = new CalculatorImpl();
 	Naming.rebind("rmi://localhost:1099/CalculatorService", c);

     } catch (Exception e) {
       System.out.println("Trouble: " + e);
     }
   }

   public static void main(String args[]) {
     System.setSecurityManager(new RMISecurityManager());
     new CalculatorServer();
   }
}
policy file:

grant
{
	permission java.net.SocketPermission "*:1024-65535", "connect,listen,resolve,accept";
	permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute";
};
commands to run:

javac *.java

rmic -v1.2 CalculatorImpl

start rmiregistry

java -Djava.security.policy=java.policy -Djava.rmi.server.codebase=file:///E:\MyDocuments\j2EE\RMI\12-09-05\chat\server CalculatorServer


But still I get this error:

E:\MyDocuments\j2EE\RMI\12-09-05\chat\server>java -Djava.security.policy=java.po
licy -Djava.rmi.server.codebase=file:///E:\MyDocuments\j2EE\RMI\12-09-05\chat\se
rver CalculatorServer
Trouble: java.rmi.ServerException: RemoteException occurred in server thread; ne
sted exception is:
java.rmi.UnmarshalException: error unmarshalling arguments; nested excep
tion is:
java.lang.ClassNotFoundException: CalculatorImpl_Stub




When i did rmic -v1.2 CalculatorImpl
the CalculatorImpl_Stub was created. then why the server is not getting the file. why do the server need the stub?
1 - 13
Locked Post
New comments cannot be posted to this locked post.

Post Details

Locked on Nov 10 2009
Added on Sep 17 2009
#kerberos-java-gss-jgss
28 comments
1,935 views