  1. Service Packs and Hot Fixes
  2. MNT-1607

3.4 new Kerberos Share SSO feature does not work on WebSphere

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 3.4
    • Fix Version/s: 3.4.5
    • Component/s: Installer
    • Labels:
      None
    • Environment:
      ibm java +linux+tomcat+mysql
    • Bug Priority:
      Category 2
    • ACT Numbers:

      25307

      Description

      3.4 new Kerberos Share SSO feature does not work when using IBM Java

      Note we are only interested in behaviour on WebSphere, since that is the only stack we certify with IBM Java, so please modify the steps below as appropriate.

      How to reproduce?
      ==================
      1) Build a Linux+Tomcat+MySQL 3.4b2 Alfresco with Kerberos auth
      2) Set your env to use IBM Java, e.g.:

      export JAVA_HOME=/usr/local/ibm-java-i386-60
      export JAVA="/usr/local/ibm-java-i386-60/jre/bin/java"
      export JDK_HOME="/usr/local/ibm-java-i386-60"

      3) Set the Java security:

      In the file JRE\lib\security\java.security, add the following line:

      login.config.url.1=file:${java.home}/lib/security/java.login.config

      In jre/lib/security, create a file:
      java.login.config
      ------------------------
      Alfresco {
         com.ibm.security.auth.module.Krb5LoginModule sufficient;
      };

      AlfrescoCIFS {
         com.ibm.security.auth.module.Krb5LoginModule required
            debug=true
            credsType=acceptor
            useKeyTab="file:///etc/keys/alfrescocifs.keytab"
            principal="cifs/madona.example.foo";
      };

      AlfrescoHTTP {
         com.ibm.security.auth.module.Krb5LoginModule required
            debug=true
            credsType=acceptor
            useKeytab="file:///etc/keys/alfrescohttp.keytab"
            principal="HTTP/madona.example.foo";
      };

      com.sun.net.ssl.client {
         com.ibm.security.auth.module.Krb5LoginModule sufficient;
      };

      other {
         com.ibm.security.auth.module.Krb5LoginModule sufficient;
      };
      --------------

      4) Activate Kerberos in share-config-custom.xml

      cp ./shared/classes/alfresco/web-extension/share-config-custom.xml.sample ./shared/classes/alfresco/web-extension/share-config-custom.xml

      (following the comments)

      5) Boot Alfresco

      Results:
      ========
      From an XP client, HTTP Explorer (JSP client) works with SSO Kerberos.

      From an XP client, HTTP Share fails, with this error in the logs:

      13:59:14,773 http-8080-8 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] Caught GSS Error
      org.ietf.jgss.GSSException, major code: 16, minor code: 0
      major string: Operation unavailable or not implemented
      minor string: Context method getDelegCred unavailable because of the state of the context
      at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:7)
      at com.ibm.security.jgss.mech.krb5.eb.getDelegCred(eb.java:1096)
      at com.ibm.security.jgss.GSSContextImpl.getDelegCred(GSSContextImpl.java:64)
      at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:113)
      at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44)
      at java.security.AccessController.doPrivileged(AccessController.java:224)
      at javax.security.auth.Subject.doAs(Subject.java:495)
      at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:967)
      at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:436)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:736)

      Expected results:
      =================
      It works

      Notes:
      ======
      a) It also fails from a Linux (Firefox) client
      b) On XP it fails on both IE6 and Firefox
      c) When using Oracle (Sun) Java it works from an XP client (IE6 and Firefox) but still fails from Linux + Firefox (see linked bug)
      d) Due to ALF-5205 the XP client cannot find the name of the Alfresco server, so you need to tell the client (for instance using the hosts file) the IP of the Alfresco server

                People

                • Assignee:
                  closedbugs Closed Bugs (Inactive)
                  Reporter:
                  amadon Alex Madon [X] (Inactive)
                    Time Tracking

                    • Estimated: Not Specified
                    • Remaining: 0 minutes
                    • Logged: 4 days, 4 hours