[MNT-1607] 3.4 new kerberos Share SSO feature does not work on Websphere
Created: 21-Dec-10  Updated: 22-Mar-13  Resolved: 24-Aug-11

Status: Closed
Project: Service Packs and Hot Fixes
Component/s: Installer
Affects Version/s: 3.4
Fix Version/s: 3.4.5

Type: Service Pack Request
Reporter: Alex Madon [X] (Inactive) Assignee: Closed Bugs (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: 0 minutes
Time Spent: 4 days, 4 hours
Original Estimate: Not Specified
Environment:

ibm java +linux+tomcat+mysql


Attachments: File ALF-6284.diff    
Issue Links:
Related
relates to MNT-1087 CIFS kerberos authentification does n... Closed
is related to by MNT-1499 3.4 new kerberos Share SSO feature do... Closed
is related to by MNT-7128 when using Share Kerberos SSO new fea... Closed
Bug Priority:
Category 2
ACT Numbers:

25307


 Description   

3.4 new kerberos Share SSO feature does not work when using IBM java

Note we are only interested in behaviour on Websphere, since that is the only stack we certify with IBM Java so please modify the steps below as appropriate.

How to reproduce?
==================
1) build a linux+tomcat+mysql 3.4b2 alfresco with kerberos auth
2) set your env to use IBM java:
e.g:

export JAVA_HOME=/usr/local/ibm-java-i386-60
export JAVA="/usr/local/ibm-java-i386-60/jre/bin/java"
export JDK_HOME="/usr/local/ibm-java-i386-60"

3) set the java security:

In the file JRE\lib\security\java.security, add the following line:

login.config.url.1=file:${java.home}/lib/security/java.login.config

In jre/lib/security, create a file:
java.login.config
------------------------
Alfresco {
   com.ibm.security.auth.module.Krb5LoginModule sufficient;
};

AlfrescoCIFS {
   com.ibm.security.auth.module.Krb5LoginModule required
      debug=true
      credsType=acceptor
      useKeyTab="file:///etc/keys/alfrescocifs.keytab"
      principal="cifs/madona.example.foo";
};

AlfrescoHTTP {
   com.ibm.security.auth.module.Krb5LoginModule required
      debug=true
      credsType=acceptor
      useKeytab="file:///etc/keys/alfrescohttp.keytab"
      principal="HTTP/madona.example.foo";
};

com.sun.net.ssl.client {
   com.ibm.security.auth.module.Krb5LoginModule sufficient;
};

other {
   com.ibm.security.auth.module.Krb5LoginModule sufficient;
};
--------------

4) activate kerberos in share-config-custom.xml

cp ./shared/classes/alfresco/web-extension/share-config-custom.xml.sample ./shared/classes/alfresco/web-extension/share-config-custom.xml

(following the comments)

5) boot alfresco

Results:
========
From an XP client, HTTP Explorer (JSP client) works with Kerberos SSO.

From an XP client, HTTP Share fails, with this error in the logs:

13:59:14,773 http-8080-8 WARN [site.servlet.KerberosSessionSetupPrivilegedAction] Caught GSS Error
org.ietf.jgss.GSSException, major code: 16, minor code: 0
major string: Operation unavailable or not implemented
minor string: Context method getDelegCred unavailable because of the state of the context
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:7)
at com.ibm.security.jgss.mech.krb5.eb.getDelegCred(eb.java:1096)
at com.ibm.security.jgss.GSSContextImpl.getDelegCred(GSSContextImpl.java:64)
at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:113)
at org.alfresco.web.site.servlet.KerberosSessionSetupPrivilegedAction.run(KerberosSessionSetupPrivilegedAction.java:44)
at java.security.AccessController.doPrivileged(AccessController.java:224)
at javax.security.auth.Subject.doAs(Subject.java:495)
at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doKerberosLogon(SSOAuthenticationFilter.java:967)
at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:436)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:857)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
at java.lang.Thread.run(Thread.java:736)

Expected results:
=================
It works

Notes:
======
a) It also fails from a Linux (Firefox) client.
b) On XP it fails on both IE6 and Firefox.
c) When using Oracle (Sun) Java it works from an XP client (IE6 and Firefox) but still fails from Linux + Firefox (see linked bug).
d) Due to ALF-5205 the XP client cannot find the name of the alf server, so you need to tell the client (for instance using the hosts file) the IP of the alf server.
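
The stack trace above fails inside GSSContext.getDelegCred() with major code 16, which is the value of GSSException.UNAVAILABLE in JGSS. As an added example (not Alfresco's code and not the contents of ALF-6284.diff), the class below guards that call with the context-state checks the JGSS API provides and treats UNAVAILABLE as "no delegated credential" rather than a failed logon. The names DelegCredGuard, delegatedCredOrNull and stubContext are hypothetical, and the stub contexts are constructed so the example runs without a KDC.

```java
import java.lang.reflect.Proxy;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

public class DelegCredGuard {

    /** Returns the delegated credential, or null when the context cannot supply one. */
    static GSSCredential delegatedCredOrNull(GSSContext ctx) {
        // getDelegCred() is only valid on a fully established context, and only
        // when the initiator actually delegated its credentials.
        if (!ctx.isEstablished() || !ctx.getCredDelegState()) {
            return null;
        }
        try {
            return ctx.getDelegCred();
        } catch (GSSException e) {
            // Major code 16: the provider refuses the call in the current state.
            if (e.getMajor() == GSSException.UNAVAILABLE) {
                return null;
            }
            throw new IllegalStateException("Unexpected GSS failure", e);
        }
    }

    /** Constructed stand-in for an acceptor context (hypothetical, for this example only). */
    static GSSContext stubContext(boolean established, boolean delegated) {
        return (GSSContext) Proxy.newProxyInstance(
            DelegCredGuard.class.getClassLoader(),
            new Class<?>[] { GSSContext.class },
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "isEstablished":     return established;
                    case "getCredDelegState": return delegated;
                    case "getDelegCred":      throw new GSSException(GSSException.UNAVAILABLE);
                    default: throw new UnsupportedOperationException(method.getName());
                }
            });
    }

    public static void main(String[] args) {
        // Three constructed states: handshake incomplete, no delegation granted,
        // and a provider that still reports UNAVAILABLE from getDelegCred().
        boolean[][] states = { { false, false }, { true, false }, { true, true } };
        for (boolean[] s : states) {
            GSSCredential cred = delegatedCredOrNull(stubContext(s[0], s[1]));
            System.out.println("established=" + s[0] + " delegated=" + s[1]
                + " -> " + (cred == null ? "no delegated credential" : "credential"));
        }
    }
}
```

A caller that receives null can complete the logon without delegation, or reject the request if delegation is required downstream.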



 Comments   
Comment by Alex Madon [X] (Inactive) [ 21-Dec-10 ]

Steve,

Yes, I too can make Explorer work with Kerberos SSO on an IBM JVM.

But the issue here is not about Explorer Kerberos SSO but about Share Kerberos SSO.

To me only Explorer Kerberos SSO works on an IBM JVM.
Both CIFS (jira ALF-5205) and Share (this Jira) have problems.

Comment by Monica Basandrai [X] (Inactive) [ 01-Sep-11 ]

Retest with build 328

Comment by Alfresco QA Team (Inactive) [ 07-Oct-11 ]

Successfully validated using Alfresco Enterprise - v3.4.5 (498), CentOS, Tomcat, mysql, Java IBM (all installer deployed)
AndreiMa

Generated at Tue May 18 06:40:50 BST 2021 using Jira 7.13.15#713015-sha1:7c5ddd2c3e1709974ae9c48c17df8edd3919fe2c.