[Jalview-discuss] Kerberos

ASMR (Anders Sønderberg Mortensen) asmr at novonordisk.com
Tue Jan 10 07:50:27 GMT 2012


Hi Jim and others,

Thanks for the prompt reply - I appreciate it! Your description of what is happening sounds correct. The Java console output is listed below with the debug .jar. It appears to be using basic authentication scheme which is not what I execpted. We have already been talking about getting around with the problem by putting the .aln file in a place accessible to everybody, but we are not too happy about doing it that way.

Thanks -

--Anders



basic: Starting applet teardown
Applet panel0 stop().
Applet panel0 destroy().
basic: Finished applet teardown
basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener at fc1dce
basic: Plugin2ClassLoader.addURL parent called for http://davinci/kerb_test/jalview/jalviewApplet.jar
basic: Applet loaded.
basic: Applet resized and added to parent container
basic: PERF: AppletExecutionRunnable - applet.init() BEGIN ; jvmLaunch dt 169575 us, pluginInit dt 454179971 us, TotalTime: 454349546 us
Applet context is 'class sun.plugin2.applet.Plugin2Manager$AppletContextImpl'
Applet has Javascript callback support.
JalviewLite Version 2.7
Build Date : 27 September 2011
basic: Applet initialized
basic: Removed progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener at fc1dce
basic: Applet made visible
basic: Starting applet
basic: completed perf rollup
basic: Applet started
basic: Told clients applet is started
security: Accessing keys and certificate in Mozilla user profile: null
Clear classloader cache ... completed.
basic: Starting applet teardown
Applet panel1 stop().
Applet panel1 destroy().
basic: Finished applet teardown
basic: Added progress listener: sun.plugin.util.GrayBoxPainter$GrayBoxProgressListener at b408b0
basic: Plugin2ClassLoader.addURL parent called for http://davinci/kerb_test/jalview/jalviewApplet.jar
network: Cache entry found [url: http://davinci/kerb_test/jalview/jalviewApplet.jar, version: null] prevalidated=false/0
network: Connecting http://davinci/kerb_test/jalview/jalviewApplet.jar with proxy=DIRECT
network: Connecting http://davinci:80/ with proxy=DIRECT
network: Firewall authentication: site=davinci/172.19.1.52:80, protocol=http, prompt=Bioweb login, scheme=basic
network: Connecting http://davinci/kerb_test/jalview/jalviewApplet.jar with proxy=DIRECT
network: Connecting http://davinci:80/ with proxy=DIRECT
network: Firewall authentication: site=davinci/172.19.1.52:80, protocol=http, prompt=Bioweb login, scheme=basic


-----Original Message-----
From: Jim Procter [mailto:foreveremain at gmail.com] On Behalf Of Jim Procter
Sent: 9. januar 2012 17:26
To: ASMR (Anders Sønderberg Mortensen)
Cc: jalview-discuss at jalview.org
Subject: Re: [Jalview-discuss] Kerberos

Hello Anders.

On 09/01/2012 13:48, ASMR (Anders Sønderberg Mortensen) wrote:
> I am trying to run the latest version of the Jalview applet in a single-sign-on (SSO) environment using Kerberos authentication. I have setup my Apache web server to use kerberos authentication when a user accesses the directory, where these files are located:
>
> -rw-r--r-- 1 root root 436094 2012-01-06 15:06 jalviewApplet.jar
> -rw-r--r-- 1 root root    623 2012-01-06 15:09 jalviewtest.aln
> -rw-r--r-- 1 root root    448 2012-01-06 15:28 jalviewtest.html
>
> The user can load the html file and the applet just fine with SSO, but when the applet tries to access the .aln file a new login prompt is displayed by the applet. Is there any chance that the applet can reuse the kerberos authentication session so the user does not need to provide credentials again?
I'm pretty sure there is a way of doing this, but I'm not familiar enough with the JAAS architecture to know the solution without some digging around.

I've opened a bug here: http://issues.jalview.org/browse/JAL-1038

What I think is going on is as follows:
1. JalviewLite is being launched with a properly configured security context provided by the browser 2. It's trying to use a generic URL data retrieval method
(URL.openStream()) to retrieve data from the server.
=> Instead of reusing the existing context, Java seems to be wanting to create a new security context for the connection.

Could you confirm this is happening by sending me the output from the java console when you put in an incorrect password ?  (it would be even better if you were using unobfuscated debug version of jalviewLite at http://www.jalview.org/examples/debug/jalviewApplet.jar - so the line numbers make sense).

Jim.
ps. One other thing: you might be able to get around the problem simply by adding the data you are loading into the applet to its classpath. If you make a zip containing the data, and add it to the 'archive' tag like 'jalviewApplet.jar,mydata.zip', the applet should then load the data from mydata.zip. You'll be able to see that happening in the debug output on the console.


More information about the Jalview-discuss mailing list