JMX-RMI/T3 connection causes CallbackHandler to throw exception with ContextHandlerCallback present
I have a custom Authenticator in WebLogic 10.3 that I'm using, and I'm having problems.
When a user connects and authenticates over HTTP everything functions fine. However, if the connection is a JMX-RMI/T3 connection, on the call to javax.security.auth.callback.CallbackHandler.handle an exception is thrown. The ContextHandlerCallback default constructor is being used and passed in the array of callbacks with a username and password callback. Below is the code, where callbackHandler is a javax.security.auth.callback.CallbackHandler:
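// Three slots are needed: name, password and the WebLogic context handler
callbacks = new Callback[3];
callbacks[0] = new NameCallback("username: ");
callbacks[1] = new PasswordCallback("password: ", false);
callbacks[2] = new ContextHandlerCallback();
// Throws UnsupportedCallbackException if the handler does not recognize a callback
callbackHandler.handle(callbacks);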
Here is the top of the exception being thrown, to the point of callbackHandler.handle(callbacks) from above:
javax.security.auth.callback.UnsupportedCallbackException: [Security:090175]Unrecognized Callback
at weblogic.security.SimpleCallbackHandler.handle(SimpleCallbackHandler.java:71)
at com.bea.common.security.internal.service.CallbackHandlerWrapper.handle(CallbackHandlerWrapper.java:76)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$CallbackHandlerWrapper.handle(WLSJAASLoginServiceImpl.java:156)
at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
And here is another exception trace that we're seeing as well:
javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
at weblogic.management.mbeanservers.internal.JMXAuthenticator$JMXCallbackHandler.handle(JMXAuthenticator.java:130)
at com.bea.common.security.internal.service.CallbackHandlerWrapper.handle(CallbackHandlerWrapper.java:76)
at weblogic.security.service.internal.WLSJAASLoginServiceImpl$CallbackHandlerWrapper.handle(WLSJAASLoginServiceImpl.java:156)
at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
It's worth noting that this exception is thrown if the users are authenticating over a JMX/T3 connection but HTTP works just fine.
Part of what we're trying to achieve is capturing information about the authentication, such as the IP address the request originated from, which is why we need the ContextHandlerCallback. I can see that trying to retrieve an HttpServletRequest from a JMX-RMI/T3 connection could cause problems, but an exception is being thrown during javax.security.auth.callback.CallbackHandler.handle().
Some other information that may or may not be relevant, but why not include all I can?
- Application is using Form Based Authentication, as do the WS calls but the JMX-RMI/T3 call may not.
- Unsure if it's possible to define what implementation to use for the CallbackHandler when authenticating. Currently we've defined a custom LoginModule but not a custom CallbackHandler.
- If there is a way outside of the ContextHandlerCallback to get access to the caller's IP address inside of the LoginModule, that would provide a suitable workaround.
I'm confused why it would work via one protocol and not the other. Anyone else seen this sort of behavior or know of a way to handle this?
Thanks, Todd
In WebLogic, the ContextHandlerCallback is only defined for HTTP servlet requests.
You can access the IP address of the caller on all protocols (HTTP, RMI-IIOP, ...) by implementing the ConnectionFilter/ConnectionEvent interfaces. You can use them to log or reject requests based on the IP address.
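A connection filter of the kind the answer describes, as an added example that is not part of the original thread: it logs the peer address and protocol of every inbound connection and rejects peers in a deny list. The class name `AuditingConnectionFilter`, the logger name and the deny-list ranges are constructed for illustration, and the code assumes the WebLogic server classes (`weblogic.security.net.*`) are on the classpath.

```java
import java.net.InetAddress;
import java.util.logging.Logger;
import weblogic.security.net.ConnectionEvent;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.FilterException;

/** Logs every inbound connection and rejects peers in denied IPv4 ranges. */
public class AuditingConnectionFilter implements ConnectionFilter {
    private static final Logger LOG = Logger.getLogger("security.connections");

    // Constructed sample deny list (documentation ranges from RFC 5737).
    private static final String[] DENIED_CIDRS = { "203.0.113.0/24", "198.51.100.7/32" };

    @Override
    public void accept(ConnectionEvent evt) throws FilterException {
        InetAddress remote = evt.getRemoteAddress();
        LOG.info("connection from " + remote.getHostAddress() + ":" + evt.getRemotePort()
                + " via " + evt.getProtocol() + " to local port " + evt.getLocalPort());
        for (String cidr : DENIED_CIDRS) {
            if (matches(remote, cidr)) {
                LOG.warning("rejected " + remote.getHostAddress() + " (rule " + cidr + ")");
                throw new FilterException("connection rejected by rule " + cidr);
            }
        }
        // Returning normally lets the connection proceed on any protocol.
    }

    /** True when addr is an IPv4 address inside the given CIDR block. */
    static boolean matches(InetAddress addr, String cidr) {
        byte[] raw = addr.getAddress();
        if (raw.length != 4) return false;   // IPv6 peers never match these IPv4 rules
        String[] parts = cidr.split("/");
        int prefix = Integer.parseInt(parts[1]);
        int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
        return (toInt(raw) & mask) == (toInt(parseIPv4(parts[0])) & mask);
    }

    private static byte[] parseIPv4(String dotted) {
        String[] o = dotted.split("\\.");
        byte[] b = new byte[4];
        for (int i = 0; i < 4; i++) b[i] = (byte) Integer.parseInt(o[i]);
        return b;
    }

    private static int toInt(byte[] b) {
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
    }
}
```

The filter is invoked when a connection is accepted, so it records the peer address and protocol (HTTP and T3 alike) but has no access to the username; correlating the two requires matching these log entries against the authentication log by time and address.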