[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
|
Re: [jetty-users] migration woes from version 9 to 10 - possible character encoding issue
|
- From: Bryan Coleman <bryan.coleman@xxxxxxxx>
- Date: Wed, 7 Sep 2022 15:03:06 +0000
- Accept-language: en-US
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=dart.biz; dmarc=pass action=none header.from=dart.biz; dkim=pass header.d=dart.biz; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=IlttS86GnJk7erE6GCUVIM1zYg+4/XG69mEC+EJGDH4=; b=BRRyzIsshpNwNmT04vyWOGeaLCx5hs+kSs5io8/iranOx4wqWuy2QQsQyztUf141yKv23hF1N6kPeWZSvbN++7HvePXQXcE3IjjloAzes0ApCcXv8uBvvpsr9/1IbJ0unMVFEaXXBY8vPGbyGtJMVLneKfAOQC9ifne7htV8e4Khy5ilFGv4UPYGpotOLaEPJGMA8a/05hi/x4nOb7sTvw4KLZd1eoh8wLVYzWUIOTXfbK+LuYb7kPd+dqnnTl6IOMJULdexLS0CmPArvTiR3//+DiG0EIpQzJa0muaPuu0FR58rcF9eYq8BCnopgTTpET41LA00sa23rmokK+7/4g==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BKohUXKOu0HckmhP4bggt9w0kx7CjTqI/E2t3IIzVb2GUNSYArwKo7OnNc+5swBrtxWuqP01C6o/zLpErWNyb64mZmyyftb1pUINzkhjTRvm1QWNcaw1Kjf2e/1I5iBwEy6YXK/Xi6roXh9NjNxtrJb3l+EFnTIydLx+VyVYtBfU1tmgxy+q+t1R3e8+AB4jCQ5/vBD/oHcuNyRlzuOxd3w5j6vrrcIiyCsfrDzD/vWuY648IcK+U+P2vuv+cwfGygrzvPI+vzX364YxTMOZTZFTGeC8sCdYTjkLI2TI6Z6/6s5wH2yvR+tsirS0MkmCNBEpjEeeZhdDkMTPCrrUWg==
- Delivered-to: jetty-users@xxxxxxxxxxx
- List-archive: <https://www.eclipse.org/mailman/private/jetty-users/>
- List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
- List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
- List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>
- Thread-index: AQHYsjLBBXbI7TDmsEykBqBgXPJjta20JhwAgABlL/CACZFhAIABOO4AgBMtvjCAASzJAIAAeGUAgAAIvEA=
- Thread-topic: [jetty-users] migration woes from version 9 to 10 - possible character encoding issue
java.lang.RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
at org.eclipse.jetty.security.ConfigurableSpnegoLoginService.lambda$acceptGSSContext$2(ConfigurableSpnegoLoginService.java:238)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.Subject.doAs(Subject.java:361)
at org.eclipse.jetty.security.ConfigurableSpnegoLoginService.login(ConfigurableSpnegoLoginService.java:186)
at org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator.login(ConfigurableSpnegoAuthenticator.java:104)
at org.eclipse.jetty.security.authentication.ConfigurableSpnegoAuthenticator.validateRequest(ConfigurableSpnegoAuthenticator.java:129)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:508)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1571)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1378)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1544)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1300)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:192)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
at org.eclipse.jetty.server.Server.handle(Server.java:562)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:319)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:558)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:379)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:146)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:412)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:381)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:268)
at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:138)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:407)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:859)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:907)
at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
at org.eclipse.jetty.security.ConfigurableSpnegoLoginService.lambda$acceptGSSContext$2(ConfigurableSpnegoLoginService.java:234)
... 39 more
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC
at java.security.jgss/sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
at java.security.jgss/sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149)
at java.security.jgss/sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:139)
at java.security.jgss/sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:832)
... 46 more
-----Original Message-----
From: jetty-users <jetty-users-bounces@xxxxxxxxxxx> On Behalf Of Bryan Coleman via jetty-users
Sent: Wednesday, September 7, 2022 10:48 AM
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Cc: Bryan Coleman <bryan.coleman@xxxxxxxx>
Subject: Re: [jetty-users] migration woes from version 9 to 10 - possible character encoding issue
Thanks for the information.
Yes, I believe it is related to the FallbackAuthenticator as well. I was able to get the Basic portion of the fallback to work by bringing it in line with apparent differences from the BasicAuthenticator; specifically, the credential "space" and charset. I wonder if there isn't something similar with the Kerberos authentication?
I since tried to temporarily replace the FallbackAuthenticator with the ConfigurableSpnegoAuthenticator. The result is a "RuntimeException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC)". My thought was to get the out-of-the-box ConfigurableSpnegoAuthenticator to work before using custom code. The odd thing is the code works fine with jetty 9; however, with jetty 10 the GSSException keeps coming to the surface.
A few things I was trying to track down:
1) Does jetty 10 use a different set of default encoding types?
2) Is there a way to set libdefaults default_tkt_enctypes and default_tgt_enctypes programically via the JassConfigurator (i.e. Configuration)?
3) Do I need to create the keytab file differently?
-----Original Message-----
From: Simone Bordet <simone.bordet@xxxxxxxxx>
Sent: Wednesday, September 7, 2022 3:20 AM
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Cc: Bryan Coleman <bryan.coleman@xxxxxxxx>
Subject: Re: [jetty-users] migration woes from version 9 to 10 - possible character encoding issue
[You don't often get email from simone.bordet@xxxxxxxxx. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]
Hi,
On Tue, Sep 6, 2022 at 5:08 PM Bryan Coleman via jetty-users <jetty-users@xxxxxxxxxxx> wrote:
>
> I believe I have narrowed the issue down to the login arena (i.e. login / authentication / authorization).
>
> I am using a fallback authenticator which is an extension of the ConfigurableSpnegoAuthenticator and works to authenticate clients using a myriad of options (Spnego, NTLM, Basic).
>
> With jetty 10, if I change things to start with the BasicAuthenticator, provide credentials, stop things and then restart with the FallbackAuthenticator it works; however, if I start with the FallbackAuthenticator out of the gate it tries to do Anonymous authentication and fails.
>From your description, seems to be a problem in your FallbackAuthenticator...
> Questions:
>
> Any ideas?
>
> Has anything changed with the Spnego setup requirements from jetty 9 to 10?
No.
> Is there a good reference for Spnego setup? (I noticed that
> the programming guide still shows TODO for HttpClient SPNEGO
> authentication support)
Look at the tests, see
https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Feclipse%2Fjetty.project%2Fblob%2Fjetty-10.0.11%2Fjetty-client%2Fsrc%2Ftest%2Fjava%2Forg%2Feclipse%2Fjetty%2Fclient%2Futil%2FSPNEGOAuthenticationTest.java&data=05%7C01%7Cbryan.coleman%40dart.biz%7C9b33e026454e4f4b17b108da90dffb21%7Cd90804aba2264b3da37a256f7aba7ff1%7C0%7C0%7C637981588912780431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=z1hxb6A0%2BzHUSc8TY%2BRa9D4MuWonA8dTaBcS%2Bp%2FlNEA%3D&reserved=0.
--
Simone Bordet
---
Finally, no matter how good the architecture and design are, to deliver bug-free software with optimal performance and reliability,
the implementation technique must be flawless. Victoria Livschitz
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To unsubscribe from this list, visit https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.eclipse.org%2Fmailman%2Flistinfo%2Fjetty-users&data=05%7C01%7Cbryan.coleman%40dart.biz%7C9b33e026454e4f4b17b108da90dffb21%7Cd90804aba2264b3da37a256f7aba7ff1%7C0%7C0%7C637981588912780431%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WxrkS7r6goic5djd6KVAR4YjuOyAJ8TOfjIL1vG6Bqs%3D&reserved=0
