cloudsoft / winrm4j

Apache License 2.0

Kerberos Authentication Issue #56

Open Arulanand opened 7 years ago

Arulanand commented 7 years ago

I am trying to use winrm4j to execute commands as part of a larger service with Kerberos authentication. I am getting the below error when I run the program from a Linux server with the below command:

java -jar -Djava.security.auth.login.config=login.conf play.jar

Caused by: java.io.IOException: Authorization loop detected on Conduit "{http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd}WinRmPort.http-conduit" on URL "http:/XXXX.XXX.COM:5985/wsman" with realm "null"
        at org.apache.cxf.transport.http.HTTPConduit.detectAuthorizationLoop(HTTPConduit.java:1937)
        at org.apache.cxf.transport.http.HTTPConduit.access$600(HTTPConduit.java:149)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.authorizationRetransmit(HTTPConduit.java:1515)

login.conf

com.sun.security.jgss.login {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
};
com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true debug=true;
};

Client Code

final WinRmTool.Builder winRmToolBuilder 
                = WinRmTool.Builder.builder("XXX.XXX.COM","XYZ","Arulanand_Dayalan@XXX.COM", "XXX@5432");
            winRmToolBuilder.setAuthenticationScheme(AuthSchemes.KERBEROS);
            winRmToolBuilder.useHttps(false);
            winRmToolBuilder.disableCertificateChecks(true);

If I run the same jar with the system property -Djavax.security.auth.useSubjectCredsOnly=false enabled, it prompts for user id and password. If I enter them, the program completes successfully. The way I am going to use winrm4j in the larger service, this is not possible. Can you please share any pointers for executing the command without prompting for user id and password?
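Added example (not from this thread or the winrm4j code base): one way to get a Kerberos ticket through JAAS without a console prompt is to answer the login module's callbacks from code and run the work under the resulting Subject. The class name and the `KRB_PASSWORD` variable are hypothetical; it assumes a reachable KDC and a valid krb5.conf, and the thread does not establish whether this removes the authorization loop in winrm4j.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class NonInteractiveKrb5Login {   // hypothetical class name

    /** Logs in to the KDC with the supplied credentials; never reads stdin. */
    static Subject login(String principal, char[] password) throws LoginException {
        // Answers the login module's callbacks in code instead of at a console prompt.
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(principal);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
        // In-code equivalent of a JAAS file entry; no ticket cache, so the handler is used.
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.singletonMap("useTicketCache", "false")) };
            }
        };
        LoginContext ctx = new LoginContext("WINRM4JClient", null, handler, conf);
        ctx.login();              // throws LoginException on bad credentials or KDC failure
        return ctx.getSubject();  // carries the ticket as a private credential
    }

    public static void main(String[] args) throws Exception {
        // Password comes from the environment (assumed variable name), not from source code.
        String pw = Objects.requireNonNull(System.getenv("KRB_PASSWORD"), "KRB_PASSWORD not set");
        Subject subject = login(args[0], pw.toCharArray());
        // Code run inside doAs sees the Subject's credentials; on Java 18+ use Subject.callAs.
        Subject.doAs(subject, (PrivilegedExceptionAction<Void>) () -> {
            System.out.println("Authenticated as " + subject.getPrincipals());
            return null;
        });
    }
}
```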

Arulanand commented 7 years ago

To make it work with Kerberos, I added the below code with an authorization policy. This is based on the CXF documentation - http://cxf.apache.org/docs/client-http-transport-including-ssl-support.html

case AuthSchemes.KERBEROS:
                AsyncHTTPConduit kerberosConduit = (AsyncHTTPConduit) client.getConduit();

                AuthorizationPolicy keberosPolicy = new AuthorizationPolicy();
                keberosPolicy.setAuthorizationType(HttpAuthHeader.AUTH_TYPE_NEGOTIATE);
                keberosPolicy.setAuthorization("WINRM4JClient");
                keberosPolicy.setUserName(username);
                keberosPolicy.setPassword(password);

                kerberosConduit.setAuthorization(keberosPolicy);
                if (disableCertificateChecks) {
                    TLSClientParameters tlsClientParameters = disableCertificates();
                    kerberosConduit.setTlsClientParameters(tlsClientParameters);
                }
                if (hostnameVerifier != null) {
                    TLSClientParameters tlsClientParameters = disableHostName();
                    kerberosConduit.setTlsClientParameters(tlsClientParameters);
                }
                HTTPClientPolicy kerberosPolicy = new HTTPClientPolicy();
                kerberosPolicy.setAllowChunking(false);
                kerberosPolicy.setReceiveTimeout(receiveTimeout);

                kerberosConduit.setClient(kerberosPolicy);
                kerberosConduit.getClient().setAutoRedirect(true);
                break;
            //End of Case statement.

JAAS.CONF

WINRM4JClient{
    com.sun.security.auth.module.Krb5LoginModule required
    client=TRUE
    useTicketCache=true;
};

bostko commented 7 years ago

Hi @Arulanand, it would be beneficial for everyone using winrm4j if you contributed your code to the master branch. What do you think, would you like to make a PR? I am happy to help with that.

mlnsharma commented 7 years ago

Hi @Arulanand

I'm observing the same 'Authorization loop' error while running winrm4j with Kerberos authentication. I am able to connect successfully using Basic authorization + allowUnencrypted=true on both client/server.

Can you please elaborate on the changes you made to your code + winrm settings on client/server? Did you update the case statement in the winrm4j code & rebuild it for your application?

awdamle commented 6 years ago

@bostko I'm also facing the exact same issue that @Arulanand saw, with Kerberos authentication working when the system property -Djavax.security.auth.useSubjectCredsOnly=false is enabled and failing otherwise. Are the changes suggested by @Arulanand planned to be included in the next release? I'm using v0.5.0. @Arulanand Can you please share the updated class/code which has the change that you mentioned in the above comment? Just want to reuse tried and tested code. :)

rathn commented 5 years ago

Is there any plan to update this library for Kerberos? I made the changes as suggested by Arulanand and apparently they did not work, and I am seeing the same authorization loop error as posted by others. It would be nice to have the updated library if the changes as suggested above are working.