The required mechanism 'FORM' is not available in mechanisms [SPNEGO] from the HttpAuthenticationFactory in JBoss EAP


Environment

  • JBoss Enterprise Application Platform (EAP)
    • 7.1 and later
  • Elytron
  • Kerberos/SPNEGO
  • JBoss Negotiation Toolkit

Issue

Testing Kerberos (SPNEGO) authentication with the jboss-negotiation-toolkit on a server configured with Elytron fails with the following error:

java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'FORM' is not available in mechanisms [SPNEGO] from the HttpAuthenticationFactory.

Resolution

Follow these steps:

Step 1:
Check whether WEB-INF/web.xml in jboss-negotiation-toolkit.war lists FORM as an option of <auth-method> in the <login-config> section, as shown below:

<login-config>
   <auth-method>SPNEGO,FORM</auth-method>
   <realm-name>SPNEGO</realm-name>
   <form-login-config>
     <form-login-page>/login.html</form-login-page>
     <form-error-page>/error.html</form-error-page>
   </form-login-config>
</login-config>

Step 2:
Add a mechanism for FORM authentication to the http-authentication-factory.
You can reuse the existing http-authentication-factory that you configured for Kerberos-based authentication and add a mechanism for FORM authentication to it:

/subsystem=elytron/http-authentication-factory=example-krb-http-auth:list-add(name=mechanism-configurations, value={mechanism-name=FORM})

Step 3:
After that, make sure that the http-authentication-factory is configured as follows:

<http-authentication-factory name="example-krb-http-auth" security-domain="exampleFsSD" http-server-mechanism-factory="global">
    <mechanism-configuration>
        <mechanism mechanism-name="SPNEGO" pre-realm-principal-transformer="realm-stripper" credential-security-factory="krbSF">
            <mechanism-realm realm-name="exampleFsSD"/>
        </mechanism>
        <mechanism mechanism-name="FORM"/>
    </mechanism-configuration>
</http-authentication-factory>
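
The mismatch behind this error can be checked offline before deploying, by comparing the <auth-method> list in web.xml with the mechanisms in the http-authentication-factory. The following Python sketch is an added example, not part of the original article or of JBoss EAP; the XML samples are constructed from the snippets above and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples based on the snippets in this article.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <login-config>
    <auth-method>SPNEGO,FORM</auth-method>
  </login-config>
</web-app>"""

FACTORY_BEFORE = """<http-authentication-factory name="example-krb-http-auth"
    security-domain="exampleFsSD" http-server-mechanism-factory="global">
  <mechanism-configuration>
    <mechanism mechanism-name="SPNEGO">
      <mechanism-realm realm-name="exampleFsSD"/>
    </mechanism>
  </mechanism-configuration>
</http-authentication-factory>"""

# The same factory after Step 2 has added the FORM mechanism.
FACTORY_AFTER = FACTORY_BEFORE.replace("</mechanism>", '</mechanism><mechanism mechanism-name="FORM"/>')

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any

def required_mechanisms(web_xml):
    """Mechanisms the deployment requests in <login-config>/<auth-method>."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "auth-method" and el.text:
            return [m.strip() for m in el.text.split(",") if m.strip()]
    return []

def configured_mechanisms(factory_xml):
    """Mechanism names listed in the http-authentication-factory."""
    return [el.get("mechanism-name") for el in ET.fromstring(factory_xml).iter()
            if _local(el.tag) == "mechanism"]

def missing_mechanisms(web_xml, factory_xml):
    """Requested mechanisms that the factory does not provide."""
    available = set(configured_mechanisms(factory_xml))
    return [m for m in required_mechanisms(web_xml) if m not in available]

def cli_fix(factory_name, missing):
    """One management CLI command per gap, in the form used in Step 2."""
    return [f"/subsystem=elytron/http-authentication-factory={factory_name}"
            f":list-add(name=mechanism-configurations, value={{mechanism-name={m}}})"
            for m in missing]

if __name__ == "__main__":
    print(cli_fix("example-krb-http-auth", missing_mechanisms(WEB_XML, FACTORY_BEFORE)))
```

An empty result from missing_mechanisms means every mechanism named in web.xml is present in the factory.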

Root Cause

From version jboss-negotiation-toolkit-2.3.0.Final.war onwards, the FORM login authentication mechanism is configured by default. Adding a FORM login as a fallback, as described in "3.1.2. Update the Elytron Subsystem", is therefore mandatory.

Diagnostic Steps

Step 1:
Follow the steps described in the following article: How to configure Kerberos authentication in JBoss EAP using Elytron?

Step 2:
Download a prebuilt WAR file of the JBoss Negotiation Toolkit from the JBoss Negotiation Toolkit repository.

Step 3:
Deploy the prebuilt WAR file to the JBoss EAP server instance, then check server.log for the following error:

MSC000001: Failed to start service jboss.deployment.unit."jboss-negotiation-toolkit.war".undertow-deployment: org.jboss.msc.service.StartException in service jboss.deployment.unit."jboss-negotiation-toolkit.war".undertow-deployment: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'FORM' is not available in mechanisms [SPNEGO] from the HttpAuthenticationFactory.
        at org.wildfly.extension.undertow@7.4.15.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
        at java.base/java.lang.Thread.run(Thread.java:829)
        at org.jboss.threads@2.4.0.Final-redhat-00001//org.jboss.threads.JBossThread.run(JBossThread.java:513)
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'FORM' is not available in mechanisms [SPNEGO] from the HttpAuthenticationFactory.
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:257)
        at org.wildfly.extension.undertow@7.4.15.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:96)
        at org.wildfly.extension.undertow@7.4.15.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:78)
        ... 8 more
Caused by: java.lang.IllegalStateException: The required mechanism 'FORM' is not available in mechanisms [SPNEGO] from the HttpAuthenticationFactory.
        at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.3.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.AuthenticationManager.initialSecurityHandler(AuthenticationManager.java:156)
        at org.wildfly.security.elytron-web.undertow-server-servlet@1.9.3.Final-redhat-00001//org.wildfly.elytron.web.undertow.server.servlet.AuthenticationManager.lambda$configure$2(AuthenticationManager.java:101)
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:445)
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.access$600(DeploymentManagerImpl.java:122)
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:226)
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl$1.call(DeploymentManagerImpl.java:187)
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at org.wildfly.extension.undertow@7.4.15.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
        at org.wildfly.extension.undertow@7.4.15.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
        at org.wildfly.extension.undertow@7.4.15.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
        at org.wildfly.extension.undertow@7.4.15.GA-redhat-00002//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1555)
        at io.undertow.servlet@2.2.28.SP1-redhat-00001//io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:255)
        ... 10 more
