Spring Security: "GSSHeader did not find the right tag"

[vilmosnagy]

Hi there,

I'm trying to get this work with Spring Security and Vaadin 8.

Is there an example project which I can take a look at?

Currently I have the following setup in the application-context.xml:

<sec:http entry-point-ref="spnegoEntryPoint">
    <sec:intercept-url pattern="/**" access="hasRole('Authenticated')"/>
    <sec:custom-filter ref="spnegoAuthenticationProcessingFilter"
                       position="BASIC_AUTH_FILTER"/>
    <sec:form-login login-page="/login.html" default-target-url="/secure/index.jsp"/>
</sec:http>
 
<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="kerberosServiceAuthenticationProvider"/> <!-- Used with SPNEGO -->
    <sec:authentication-provider user-service-ref="dummyUserDetailsService"/> <!-- Used with form login -->
</sec:authentication-manager>
 
<bean id="kerberosServiceAuthenticationProvider"
      class="com.kerb4j.server.spring.SpnegoAuthenticationProvider">
    <property name="ticketValidator">
        <bean class="com.kerb4j.server.spring.jaas.sun.SunJaasKerberosTicketValidator">
            <property name="servicePrincipal" value="HTTP/user.local@COMPANY.LOCAL"/>
            <property name="keyTabLocation" value="file:C:\Temp\foobar.keytab"/>
        </bean>
    </property>
    <property name="userDetailsService" ref="dummyUserDetailsService"/>
</bean>
 
<bean id="dummyUserDetailsService" class="com.company.DummyUserDetailsService"/>
 
<bean id="spnegoEntryPoint" class="com.kerb4j.server.spring.SpnegoEntryPoint"/>

And the web.xml has:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

The keytab file is correct, and the servicePrincipal here matches the one in the keytab file. Still, the app throws the Exception in the title, with the following stacktrace:

2021-02-25 13:09:54 WARN  SpnegoAuthenticationProcessingFilter:169 - Negotiate Header was invalid: Negotiate <TOKEN>
org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
	at com.kerb4j.server.spring.jaas.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:83)
	at com.kerb4j.server.spring.SpnegoAuthenticationProvider.authenticate(SpnegoAuthenticationProvider.java:108)
	at com.kerb4j.server.spring.SpnegoAuthenticationProvider.authenticate(SpnegoAuthenticationProvider.java:60)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
	at com.kerb4j.server.spring.SpnegoAuthenticationProcessingFilter.doFilterInternal(SpnegoAuthenticationProcessingFilter.java:165)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at com.mycompany.frontend.security.config.HttpSessionFilterBean.doFilter(HttpSessionFilterBean.java:23)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
	at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
	at java.security.jgss/sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
	at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:325)
	at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
	at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:905)
	at java.security.jgss/sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:556)
	at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:361)
	at java.security.jgss/sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:303)
	at com.kerb4j.client.SpnegoContext.acceptToken(SpnegoContext.java:55)
	at com.kerb4j.server.spring.jaas.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68)
	... 63 more

If I debug the app at the GSSHeader.java:97, the the variable tag has the value of 78 <- my guess is that the app fails 'cause of this.

Thanks for any help,

[bedrin]

Kerberos erros can be misleading.

I would say that following lines look suspicious:

            <property name="servicePrincipal" value="HTTP/user.local@COMPANY.LOCAL"/>
            <property name="keyTabLocation" value="file:C:\Temp\foobar.keytab"/>

Say you have an AD account for your server called srv_server
DNS name of your server (A-record ideally) is foo.bar and your srv_server account has HTTP/foo.bar SPN associated with it.

In this case you should create keytab for account srv_server (it's case sensitive; you wouldn't get an error when creating keytab if you mess up something) and use srv_server as servicePrincipal property.

Hope it helps.

[vilmosnagy]

@bedrin thanks for the help.

one more question: so the srv_server is the name of the account, and the servicePrincipal's value should be srv_server as well?

            <property name="servicePrincipal" value="srv_server"/> <!-- as here -->

with this setup I got the following stacktrace:

Stack trace:
javax.security.auth.login.LoginException: Unable to obtain password from user
     at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:856)
...

Edit:
If I list the keytab file it contains the following info:

$ java sun.security.krb5.internal.tools.Klist -k -t /c/Temp/app.keytab
 
Key tab: C:/Temp/app.keytab, 5 entries found.
 
[1] Service principal: HTTP/machine-name.company.local@COMPANY.LOCAL
         KVNO: 5
         Time stamp: Jan 01, 1970 01:00:00
[2] Service principal: HTTP/machine-name.company.local@COMPANY.LOCAL
         KVNO: 5
         Time stamp: Jan 01, 1970 01:00:00
[3] Service principal: HTTP/machine-name.company.local@COMPANY.LOCAL
         KVNO: 5
         Time stamp: Jan 01, 1970 01:00:00
[4] Service principal: HTTP/machine-name.company.local@COMPANY.LOCAL
         KVNO: 5
         Time stamp: Jan 01, 1970 01:00:00
[5] Service principal: HTTP/machine-name.company.local@COMPANY.LOCAL
         KVNO: 5
         Time stamp: Jan 01, 1970 01:00:00