3 Replies. Latest reply: Oct 8, 2011 9:33 PM by 817264

Can't load applet from a kerberized server

alabala_kiril Newbie
Hi there,

I have the following problem:
There's a Java applet served as part of a web application. The user accessing the Java applet should be authenticated by the web application. When this is done with basic authentication, the applet works fine.
However, when Kerberos authentication is configured on the web server (using the spnego module), the applet can't be loaded.
I log in to Windows XP using my user and pass. Then, using IE, I am automatically logged into the web application. I open the page on which the applet is embedded, but the JRE can't load it (reporting a ClassNotFoundException). The server's access log reveals that the jar can't be loaded because of an authentication error:

- - [05/Oct/2011:15:19:54 +0200] "GET /peria/Grid.jar HTTP/1.1" 401 490
- - [05/Oct/2011:15:19:54 +0200] "GET /peria/Grid.jar HTTP/1.1" 401 490
- - [05/Oct/2011:15:19:54 +0200] "GET /peria/Grid.jar HTTP/1.1" 401 490

It seems as if the JRE is having problems authenticating itself to the server? Could it be that, or is it another issue?

Note that I can access the jar file directly via the browser. But when I open the page that has it embedded, the applet cannot be loaded due to ClassNotFound.

Would anyone be so kind as to point me in the right direction?
  • 1. Re: Can't load applet from a kerberized server
    baftos Expert
    On the client machine, try to disable next generation plug-in (Control Panel->Java->Advanced->Java plug-in).
    If it works, this is not always a practical solution, but let's first see if it works and then we can discuss it.
  • 2. Re: Can't load applet from a kerberized server
    alabala_kiril Newbie
    On the client machine, try to disable next generation plug-in (Control Panel->Java->Advanced->Java plug-in).
    If it works, this is not always a practical solution, but let's first see if it works first and then we can discuss it.
    Thank you for your suggestion! Unfortunately this did not do the trick. Still the same problem. The applet is not loaded due to a ClassNotFoundException and a 401 (not authenticated) error response code to the JAR file request.

    This is some more of the server's access.log. What seems strange to me is that there's a 401 error for nearly every resource before a valid 200 response. It seems as if the browser does not provide the ticket the first time.
    Is that normal for the Kerberos protocol?
    [Thu Oct  6 14:33:01 2011] Administrator@TEST.ALABALA.NET (Administrator@peria.net Administrator@alabala.net) called /var/www/i86/cgi-bin/workflow_manager.pl?edit=1
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:01 +0200] "GET /cgi-bin/workflow_manager.pl?edit=1 HTTP/1.1" 200 92943
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/toptable/menu.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/toptable/menu.gif HTTP/1.1" 200 350
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/mini/favorite_add.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/mini/favorite_add.gif HTTP/1.1" 200 123
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/medium/preferences.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/images/buttons/medium/preferences.gif HTTP/1.1" 200 72
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_footer.gif HTTP/1.1" 401 490
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_left.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_footer.gif HTTP/1.1" 200 45
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/jscript/button.js HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_left.gif HTTP/1.1" 200 96
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_center.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_center.gif HTTP/1.1" 200 94
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/jscript/button.js HTTP/1.1" 200 8778
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_right.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_right.gif HTTP/1.1" 200 96
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/icons/close.gif HTTP/1.1" 401 490
    190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/button/button_default.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/button/button_default.gif HTTP/1.1" 200 352
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/skin/default/images/icons/close.gif HTTP/1.1" 200 90
    190.135.164.250 - - [06/Oct/2011:14:33:04 +0200] "GET /cgi-bin/workflow_edit.pl?id=default&realm=workflow HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:04 +0200] "GET /cgi-bin/workflow_edit.pl?id=default&realm=workflow HTTP/1.1" 200 89640
    190.135.164.250 - - [06/Oct/2011:14:33:07 +0200] "GET /alabala/images/buttons/icons/back.gif HTTP/1.1" 401 490
    190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:07 +0200] "GET /alabala/images/buttons/icons/back.gif HTTP/1.1" 200 83
    190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /alabala/PeriaGrid.jar HTTP/1.1" 401 490
    190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /alabala/PeriaGrid.jar HTTP/1.1" 401 490
    190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /cgi-bin/alabala/workflow/PeriaGrid.class HTTP/1.1" 401 490
    190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /cgi-bin/alabala/workflow/PeriaGrid/class.class HTTP/1.1" 401 490

    This is the configuration of the Virtual Host in apache:

    <VirtualHost *:80>
        ServerName i86.kerberos.imperia.net
        ServerAdmin admin@alabala.net
        DocumentRoot /var/www/i86/htdocs

        ScriptAlias /cgi-bin /var/www/i86/cgi-bin

        ErrorLog /var/www/i86/site/logs/error.log
        CustomLog /var/www/i86/site/logs/access.log common

        AddDefaultCharset UTF-8

        <Directory /var/www/i86/>
            AllowOverride All
            Options Indexes MultiViews Includes FollowSymLinks
            Order allow,deny
            Allow from all
            # kerb config
            AuthType Kerberos
            AuthName "ALABALA 8.6 - DEV Kerberos Login"
            KrbMethodNegotiate on
            KrbMethodK5Passwd off
            KrbSaveCredentials off
            KrbAuthoritative on
            KrbAuthRealms TEST.ALABALA.NET
            KrbVerifyKDC off
            KrbServiceName HTTP
            Krb5Keytab /etc/httpd/i86.keytab
            require valid-user
        </Directory>

        <Directory /var/www/i86/htdocs>
            Order deny,allow
            Allow from all
            Options Includes Indexes MultiViews SymLinksIfOwnerMatch
            AddOutputFilter INCLUDES .html .pl .de .en .ssi
        </Directory>

        <Directory /var/www/i86/cgi-bin>
            Order deny,allow
            Allow from all
            Options +Includes SymLinksIfOwnerMatch
            AddOutputFilter INCLUDES .html .pl .de .en .ssi
        </Directory>

        <Location /cgi-bin>
            Options Includes
            AddOutputFilter INCLUDES .html .pl
        </Location>

        <Directory "/var/www/i86/htdocs/alabala/md">
            # No PHP!
            AddHandler none .php
            # No Perl
            AddHandler none .pl
        </Directory>

        SetEnv ALABALA_CONF /var/www/i86/cgi-bin/alabala.conf
        SetEnv MOD_PERL_API_VERSION 2
        SetEnv LS_CORE_FILE /config/LiveServer/gkss-dev.core.conf

        PerlOptions Parent SetupEnv
        PerlSwitches -I/var/www/i86/cgi-bin
        PerlSwitches -I/var/www/i86/site/modules/core
        PerlSwitches -I/var/www/i86/site/modules/collection

        # <Directory /var/www/i86/cgi-bin>
        #     Options ExecCGI
        # </Directory>
        # <Directory /var/www/i86/htdocs/alabala/images>
        #     Options +Indexes
        #     IndexOptions FancyIndexing
        # </Directory>
        # <Location />
        #     AuthType Basic
        #     AuthName "restr."
        #     AuthUserFile /alabala/live/851/passwd.file
        #     Require valid-user
        # </Location>
    </VirtualHost>

    Do applets have problems with kerberized servers in general or is it just my problem?
    What do you think?
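
On the 401-before-200 question in the post above: with HTTP Negotiate (SPNEGO) a request sent without credentials is answered with a 401 challenge and then repeated with a ticket, so 401/200 pairs are expected, and the entries that stand out are resources that only ever receive 401. The Python sketch below is an added example, not part of the original post; it groups log lines (copied from the log above) per resource and lists those that were never authenticated. The function and verdict names are illustrative assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the access log in the post above (Apache "common" format).
SAMPLE_LOG = """\
190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:01 +0200] "GET /cgi-bin/workflow_manager.pl?edit=1 HTTP/1.1" 200 92943
190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/jscript/button.js HTTP/1.1" 401 490
190.135.164.250 - - [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_center.gif HTTP/1.1" 401 490
190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/skin/images/contentblock/beige/row_3_center.gif HTTP/1.1" 200 94
190.135.164.250 - Administrator@alabala.net [06/Oct/2011:14:33:02 +0200] "GET /alabala/iwl/jscript/button.js HTTP/1.1" 200 8778
190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /alabala/PeriaGrid.jar HTTP/1.1" 401 490
190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /alabala/PeriaGrid.jar HTTP/1.1" 401 490
190.135.164.250 - - [06/Oct/2011:14:33:08 +0200] "GET /cgi-bin/alabala/workflow/PeriaGrid.class HTTP/1.1" 401 490
"""

# host ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def classify(log_text):
    """Return {(host, path): verdict}; grouping copes with interleaved lines."""
    seen = defaultdict(list)  # (host, path) -> [(status, user), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[(m["host"], m["path"])].append((int(m["status"]), m["user"]))
    verdicts = {}
    for key, events in seen.items():
        challenged = any(status == 401 for status, _ in events)
        authed = any(status != 401 and user != "-" for status, user in events)
        if not challenged:
            verdicts[key] = "no-challenge-seen"
        elif authed:
            verdicts[key] = "challenge-then-authenticated"  # normal Negotiate round trip
        else:
            verdicts[key] = "never-authenticated"  # client never got past the 401
    return verdicts

def never_authenticated(log_text):
    """Sorted paths whose every logged request ended in 401."""
    return sorted(path for (_, path), verdict in classify(log_text).items()
                  if verdict == "never-authenticated")

if __name__ == "__main__":
    for path in never_authenticated(SAMPLE_LOG):
        print("only 401 responses:", path)
```
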
  • 3. Re: Can't load applet from a kerberized server
    817264 Journeyer
    What security/auth details are available in the deployment trace file?

    http://download.oracle.com/javase/7/docs/webnotes/tsg/TSG-Desktop/html/plugin.html#gcexdf
