Kerberos SQL Server datasource in Wildfly 8.2

Submitted by 夏天 on 2019-12-24 00:35:24

Question


I have a problem setting up integrated authentication with Kerberos towards a MS SQL Server on Wildfly 8.2.0.

Here's what I've done so far:

  • Managed to get it going on Wildfly 9.0.2, simply because Wildfly 9 contains the "new" login module class org.jboss.security.negotiation.KerberosLoginModule. A security domain configured like this:

    <login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
        <module-option name="storeKey" value="false"/>
        <module-option name="useKeyTab" value="false"/>
        <module-option name="principal" value="app-srv@REALM"/>
        <module-option name="useTicketCache" value="true"/>
        <module-option name="debug" value="true"/>
        <module-option name="refreshKrb5Config" value="true"/>
        <module-option name="isInitiator" value="true"/>
        <module-option name="addGSSCredential" value="true"/>
        <module-option name="delegationCredential" value="USE"/>
    </login-module>


    works perfectly fine. Before I set "addGSSCredential" to "true" I was getting the error "No matching credentials in Subject!", but then I read what this guy was saying here: https://developer.jboss.org/message/913652#913652.

Now, the problem is that I don't want Wildfly 9, I want to have it set up on Wildfly 8.2. Should be possible, right?

So, on Wildfly 8.2:

  1. Wildfly 8.2 does not have the KerberosLoginModule. It instead uses the Sun-provided login module (com.sun.security.auth.module.Krb5LoginModule), as specified here.
  2. Once I got Wildfly 8 to use this login module from Sun (it does NOT work out of the box, which makes me wonder if the guys from JBoss ever actually tested this, because the module that loads the login class (org.picketbox) does not depend on the sun.jdk module and it fails wonderfully with a ClassNotFoundException), I stumbled upon the same error I was getting on Wildfly 9 before adding the addGSSCredential option: "No matching credentials in Subject!"
  3. Problem is, addGSSCredential is not supported by the Sun login module class.

So, has anybody ever set up Kerberos for a datasource on Wildfly 8.2 using the Sun class? Or must I upgrade the libraries to get the KerberosLoginModule from jboss-negotiation?


Answer 1:


The only way I can get this to work in WildFly 8.2.1.Final is to update the jboss-negotiation-common-<version>.jar and jboss-negotiation-extras-<version>.jar from 2.2.7.Final to 3.0.2.Final, the version supplied with WildFly 10.1.0.Final (sorry, I didn't try with those from WildFly 9).

You need to update modules\system\layers\base\org\jboss\security\negotiation\main\ to reference the new jars.

Alternatively, you can just replace the entirety of the org.jboss.security.negotiation module with the version included with WildFly 10.1.0.Final.

For reference, my login module in standalone.xml is:

<login-module code="org.jboss.security.negotiation.KerberosLoginModule" flag="required" module="org.jboss.security.negotiation">
    <module-option name="useTicketCache" value="true"/>
    <module-option name="debug" value="true"/>
    <module-option name="refreshKrb5Config" value="true"/>
    <module-option name="addGSSCredential" value="true"/>
</login-module>

I found that I didn't need to set the isInitiator or delegationCredential options.

PS. Thanks for posting this question! I had a lot of problems with Kerberos authentication because I was setting storeKey to true until I came across this.

PPS. I should add that I am not connecting to a MS SQL Server, but to an Apache Phoenix data source, which may explain why I don't need to set some login options.
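As an added illustration that is not part of the question or the answer, this is how such a security domain is wired to a SQL Server datasource in standalone.xml, using the login module options the answer ended up with. The domain name, JNDI name, host, database name and driver module are assumed placeholders.

```xml
<!-- Added example (not from the original post). The security domain carries the
     KerberosLoginModule options from the answer; the datasource authenticates
     through it instead of storing a user name and password. Names, host,
     database and driver module are assumed placeholders. -->
<security-domains>
  <security-domain name="krb-sqlserver" cache-type="default">
    <authentication>
      <login-module code="org.jboss.security.negotiation.KerberosLoginModule"
                    flag="required" module="org.jboss.security.negotiation">
        <!-- Use the credential cache of the account running WildFly (kinit);
             no keytab is read and no key is stored in the Subject. -->
        <module-option name="useTicketCache" value="true"/>
        <module-option name="refreshKrb5Config" value="true"/>
        <!-- Expose the GSS credential in the Subject so the JDBC driver can
             pick it up; without it the driver reports
             "No matching credentials in Subject!" -->
        <module-option name="addGSSCredential" value="true"/>
        <!-- Writes ticket details to server.log; turn off once it works. -->
        <module-option name="debug" value="true"/>
      </login-module>
    </authentication>
  </security-domain>
</security-domains>

<datasources>
  <datasource jndi-name="java:jboss/datasources/KrbSqlServerDS" pool-name="KrbSqlServerDS">
    <!-- Microsoft JDBC driver properties that select Kerberos via JGSS;
         host and database are placeholders. -->
    <connection-url>jdbc:sqlserver://sql.example.internal:1433;databaseName=appdb;integratedSecurity=true;authenticationScheme=JavaKerberos</connection-url>
    <driver>sqlserver</driver>
    <security>
      <!-- Refers to the security domain above in place of <user-name>/<password> -->
      <security-domain>krb-sqlserver</security-domain>
    </security>
  </datasource>
  <drivers>
    <!-- Module name is an assumption; it must contain the MS JDBC driver jar. -->
    <driver name="sqlserver" module="com.microsoft.sqlserver">
      <xa-datasource-class>com.microsoft.sqlserver.jdbc.SQLServerXADataSource</xa-datasource-class>
    </driver>
  </drivers>
</datasources>
```

Because no keytab is used, the pool can only obtain connections while the server account's Kerberos ticket cache holds a valid, renewable TGT.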



Source: https://stackoverflow.com/questions/34205643/kerberos-sql-server-datasource-in-wildfly-8-2
