3 Replies. Latest reply: Oct 8, 2011 11:33 PM by 817264

    Can't load applet from a kerberized server

    alabala_kiril
      Hi there,

      I have the following problem:
      There's a Java applet served as part of a web application. The user accessing the Java applet should be authenticated by the web application. When this is done with basic authentication, the applet works fine.
      However, when Kerberos authentication is configured on the web server (using the SPNEGO module), the applet can't be loaded.
      I log in to Windows XP using my user and pass. Then, using IE, I am automatically logged into the web application. I open the page on which the applet is embedded, but the JRE can't load it (reporting a ClassNotFoundException). The server's access log reveals that the jar can't be loaded because of an authentication error:

      - - [05/Oct/2011:15:19:54 +0200] "GET /peria/Grid.jar HTTP/1.1" 401 490
      - - [05/Oct/2011:15:19:54 +0200] "GET /peria/Grid.jar HTTP/1.1" 401 490
      - - [05/Oct/2011:15:19:54 +0200] "GET /peria/Grid.jar HTTP/1.1" 401 490

      It seems as if the JRE is having problems authenticating itself to the server? Could it be that, or is it another issue?

      Note that I can access the jar file directly via the browser. But when I open the page that has it embedded, the applet cannot be loaded due to ClassNotFoundException.

      Would anyone be so kind as to point me in the right direction?
        • 1. Re: Can't load applet from a kerberized server
          baftos
          On the client machine, try to disable next generation plug-in (Control Panel->Java->Advanced->Java plug-in).
          If it works, this is not always a practical solution, but let's first see if it works and then we can discuss it.
          • 2. Re: Can't load applet from a kerberized server
            alabala_kiril
            On the client machine, try to disable next generation plug-in (Control Panel->Java->Advanced->Java plug-in).
            If it works, this is not always a practical solution, but let's first see if it works and then we can discuss it.
            Thank you for your suggestion! Unfortunately this did not do the trick. Still the same problem. The applet is not loaded due to ClassNotFoundException and a 401 (not authenticated) error response code to the JAR file request.

            This is some more of the server's access.log. What seems strange to me is that there's a 401 error for nearly every resource before a valid 200 response. It seems as if the browser does not provide the ticket the first time.
            Is that normal for the Kerberos protocol?
            [Thu Oct  6 14:33:01 2011] Administrator@TEST.ALABALA.NET (Administrator@peria.net Administrator@alabala.net) called /var/www/i86/cgi-bin/workflow_manager.pl?edit=1
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:01 +0200] "GET /cgi-bin/workflow_manager.pl?edit=1 HTTP/1.1" 200 92943
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/toptable/menu.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/toptable/menu.gif HTTP/1.1" 200 350
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/mini/favorite_add.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/mini/favorite_add.gif HTTP/1.1" 200 123
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/medium/preferences.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/medium/preferences.gif HTTP/1.1" 200 72
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_footer.gif HTTP/1.1" 401 490
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_left.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_footer.gif HTTP/1.1" 200 45
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/jscript/button.js HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_left.gif HTTP/1.1" 200 96
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_center.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_center.gif HTTP/1.1" 200 94
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/jscript/button.js HTTP/1.1" 200 8778
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_right.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_right.gif HTTP/1.1" 200 96
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/icons/close.gif HTTP/1.1" 401 490
            190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/button/button_default.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/button/button_default.gif HTTP/1.1" 200 352
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/icons/close.gif HTTP/1.1" 200 90
            190.135.164.250 - - [06/Oct/2011:14:33:04 +0200] "GET /cgi-bin/workflow_edit.pl?id=default&realm=workflow HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:04 +0200] "GET /cgi-bin/workflow_edit.pl?id=default&realm=workflow HTTP/1.1" 200 89640
            190.135.164.250 - - [06/Oct/2011:14:33:07 +0200] "GET /alabala/images/buttons/icons/back.gif HTTP/1.1" 401 490
            190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:07 +0200] "GET /alabala/images/buttons/icons/back.gif HTTP/1.1" 200 83
            190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /alabala/PeriaGrid.jar HTTP/1.1" 401 490
            190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /alabala/PeriaGrid.jar HTTP/1.1" 401 490
            190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /cgi-bin/alabala/workflow/PeriaGrid.class HTTP/1.1" 401 490
            190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /cgi-bin/alabala/workflow/PeriaGrid/class.class HTTP/1.1" 401 490
            This is the configuration of the Virtual Host in apache:

            <VirtualHost *:80>
                ServerName i86.kerberos.imperia.net
                ServerAdmin admin@alabala.net
                DocumentRoot /var/www/i86/htdocs

                ScriptAlias /cgi-bin /var/www/i86/cgi-bin

                ErrorLog /var/www/i86/site/logs/error.log
                CustomLog /var/www/i86/site/logs/access.log common

                AddDefaultCharset UTF-8

                <Directory /var/www/i86/>
                    AllowOverride All
                    Options Indexes MultiViews Includes FollowSymLinks
                    Order allow,deny
                    Allow from all
                    # kerb config
                    AuthType Kerberos
                    AuthName "ALABALA 8.6 - DEV Kerberos Login"
                    KrbMethodNegotiate on
                    KrbMethodK5Passwd off
                    KrbSaveCredentials off
                    KrbAuthoritative on
                    KrbAuthRealms TEST.ALABALA.NET
                    KrbVerifyKDC off
                    KrbServiceName HTTP
                    Krb5Keytab /etc/httpd/i86.keytab
                    require valid-user
                </Directory>

                <Directory /var/www/i86/htdocs>
                    Order deny,allow
                    Allow from all
                    Options Includes Indexes MultiViews SymLinksIfOwnerMatch
                    AddOutputFilter INCLUDES .html .pl .de .en .ssi
                </Directory>

                <Directory /var/www/i86/cgi-bin>
                    Order deny,allow
                    Allow from all
                    Options +Includes SymLinksIfOwnerMatch
                    AddOutputFilter INCLUDES .html .pl .de .en .ssi
                </Directory>

                <Location /cgi-bin>
                    Options Includes
                    AddOutputFilter INCLUDES .html .pl
                </Location>

                <Directory "/var/www/i86/htdocs/alabala/md">
                    # No PHP!
                    AddHandler none .php
                    # No Perl
                    AddHandler none .pl
                </Directory>

                SetEnv ALABALA_CONF /var/www/i86/cgi-bin/alabala.conf
                SetEnv MOD_PERL_API_VERSION 2
                SetEnv LS_CORE_FILE /config/LiveServer/gkss-dev.core.conf

                PerlOptions Parent SetupEnv
                PerlSwitches -I/var/www/i86/cgi-bin
                PerlSwitches -I/var/www/i86/site/modules/core
                PerlSwitches -I/var/www/i86/site/modules/collection

                # <Directory /var/www/i86/cgi-bin>
                #     Options ExecCGI
                # </Directory>
                # <Directory /var/www/i86/htdocs/alabala/images>
                #     Options +Indexes
                #     IndexOptions FancyIndexing
                # </Directory>
                # <Location />
                #     AuthType Basic
                #     AuthName "restr."
                #     AuthUserFile /alabala/live/851/passwd.file
                #     Require valid-user
                # </Location>
            </VirtualHost>
            Do applets have problems with kerberized servers in general, or is it just my problem?
            What do you think?
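
Added example, not part of any post in this thread: with HTTP Negotiate, a request sent without a token is answered with 401 and the client is expected to repeat it with a ticket, so a 401 followed by an authenticated 200 for the same path is the challenge/response pair, while a path that only ever shows 401 marks a client that never answered the challenge. The Python sketch below sorts access-log paths into those two groups; the sample lines, address, user and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "common" format (address, user and paths are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Oct/2011:14:33:02 +0200] "GET /app/images/menu.gif HTTP/1.1" 401 490
192.0.2.10 - user@EXAMPLE.NET [06/Oct/2011:14:33:02 +0200] "GET /app/images/menu.gif HTTP/1.1" 200 350
192.0.2.10 - - [06/Oct/2011:14:33:02 +0200] "GET /app/js/button.js HTTP/1.1" 401 490
192.0.2.10 - - [06/Oct/2011:14:33:02 +0200] "GET /app/images/back.gif HTTP/1.1" 401 490
192.0.2.10 - user@EXAMPLE.NET [06/Oct/2011:14:33:02 +0200] "GET /app/js/button.js HTTP/1.1" 200 8778
192.0.2.10 - user@EXAMPLE.NET [06/Oct/2011:14:33:02 +0200] "GET /app/images/back.gif HTTP/1.1" 200 83
192.0.2.10 - - [06/Oct/2011:14:33:08 +0200] "GET /app/applet.jar HTTP/1.1" 401 490
192.0.2.10 - - [06/Oct/2011:14:33:08 +0200] "GET /app/applet.jar HTTP/1.1" 401 490
192.0.2.10 - - [06/Oct/2011:14:33:08 +0200] "GET /cgi-bin/app/Applet.class HTTP/1.1" 401 490
- - [06/Oct/2011:14:33:09 +0200] "GET /app/applet.jar HTTP/1.1" 401 490
"""

# The host field is optional so lines with the client address stripped still parse.
LINE_RE = re.compile(
    r'^(?:(?P<host>\S+) )?\S+ (?P<user>\S+) \[[^\]]+\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def classify(log_text):
    """Map each requested path to 'negotiated', 'never-authenticated' or 'other'."""
    counts = defaultdict(lambda: {"challenged": 0, "authed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a common-format access line
        c = counts[m["path"]]
        if m["status"] == "401" and m["user"] == "-":
            c["challenged"] += 1      # anonymous request, server sent a challenge
        elif m["user"] != "-" and m["status"][0] in "23":
            c["authed"] += 1          # request logged with an authenticated principal
    verdicts = {}
    for path, c in counts.items():
        if c["challenged"] and c["authed"]:
            verdicts[path] = "negotiated"
        elif c["challenged"]:
            verdicts[path] = "never-authenticated"
        else:
            verdicts[path] = "other"
    return verdicts

def never_authenticated(log_text):
    """Paths that were challenged but never fetched with credentials."""
    return sorted(p for p, v in classify(log_text).items() if v == "never-authenticated")

if __name__ == "__main__":
    for path in never_authenticated(SAMPLE_LOG):
        print("challenge never answered:", path)
```
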
            • 3. Re: Can't load applet from a kerberized server
              817264
              What security/auth details are available in the deployment trace file?

              http://download.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf