Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1328

Unable to use GS2-KRB5-PLUS SASL mechanism - AP_REQ token id does not match

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 1.1.0.CR6, 1.2.0.Beta1
    • Component/s: None
    • Labels:
      None

      Description

      Invalid initial token is used on server for GS2-KRB5-PLUS SASL mechanism. The Gs2SaslServer uses a GSSContext to accept the token. It expects AP_REQ is comming (AP_REQ_ID=256), but the incomming tokenId has value 669 (value of first 2 bytes of token body).

      Setting blocker as this mechanism is required by EAP7-530 and EAP7-142.

      Following exception is thrown:

      GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)
              at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96)
              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
              at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212)
              at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
              at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
              at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
              at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
              at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
              at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
              at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
              at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
              at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:748)
      

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  fjuma Farah Juma
                  Reporter:
                  jcacek Josef Cacek
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: