  1. WildFly Elytron
  2. ELY-1547

SPNEGO: missing negstat field in the first reply for expired token

    Details

    • Steps to Reproduce:
      git clone git@gitlab.mw.lab.eng.bos.redhat.com:mchoma/tests-ldap-kerberos.git
      cd tests-ldap-kerberos
      git checkout 7.x
      ./build-eap71.sh -Deap -Djboss.dist.zip=/home/jkalina/work/tests-ldap-kerberos/wildfly.zip -Dversion.wildfly.core=5.0.0.Alpha1-SNAPSHOT -Dversion.jboss.bom=7.1.0.GA -Dtest=SPNEGODefaultTestCase#testInvalidTicketFormFallback
      

      But add a check to testInvalidTicketFormFallback:

                  assertHttpHeader(response, HEADER_WWW_AUTHENTICATE, "Negotiate oQcwBaADCgEC");
      

      Description

      When the client sends an initial SPNEGO token with Kerberos as the preferred mechanism and includes an invalid Kerberos token, the client expects to see the WWW-Authenticate HTTP header with the SPNEGO response negTokenResp[ negState = reject ].

      As stated in the SPNEGO specification, negState is required in the first reply:

      negState
      ...
            This field is REQUIRED in the first reply from the target, and is
            OPTIONAL thereafter.  When negState is absent, the actual state
            should be inferred from the state of the negotiated mechanism
            context.
      

                People

                • Assignee:
                  honza889 Jan Kalina
                  Reporter:
                  honza889 Jan Kalina
                  Tester:
                  Martin Choma