JBoss Enterprise Application Platform
JBEAP-10246

Elytron, WWW-Authenticate Negotiate header is sent although SPNEGO is misconfigured


Details

    • Follow the steps for securing the management interface with Kerberos: https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron
    • Replace the creation of the kerberos-security-factory so that it uses a wrong principal:
        /subsystem=elytron/kerberos-security-factory=krbSF:add( \
          principal="HTTP/wrong_host@REALM", \
          path="/path/to/http.keytab" \
        )

    • Replace the creation of the http-authentication-factory with this command, specifying protocol HTTP:
        /subsystem=elytron/http-authentication-factory=example-krb-http-auth:add( \
          http-server-mechanism-factory=global, \
          security-domain=exampleFsSD, \
          mechanism-configurations=[ \
            { \
              mechanism-name=SPNEGO, \
              mechanism-realm-configurations=[ \
                { \
                  realm-name=exampleFsSD \
                } \
              ], \
              credential-security-factory=krbSF \
            }, \
            { \
              mechanism-name=BASIC, \
              mechanism-realm-configurations=[ \
                { \
                  realm-name=exampleFsSD \
                } \
              ] \
            } \
          ] \
        )

    • A Negotiate header is sent, although it will not be possible to authenticate using SPNEGO.

    Description

      If SPNEGO is misconfigured or the KDC is down, a Negotiate header is still sent back to the client, although SPNEGO can't be used.

      13:19:20,861 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling AvailableRealmsCallback: realms = [fileSystemFallbackRealm]
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost.localdomain', protocol='http'.
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='DIGEST' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='DIGEST', hostName='localhost.localdomain', protocol='http'.
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='FORM', hostName='localhost.localdomain', protocol='http'.
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Evaluating SPNEGO request: cached GSSContext = null
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Obtaining GSSCredential for the service from callback handler...
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) No valid cached credential, obtaining new one...
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
      ]
      13:19:20,863 INFO  [stdout] (management task-6) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab refreshKrb5Config is false principal is HTTP/wronghost@JBOSS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      13:19:20,863 INFO  [stdout] (management task-6) principal is HTTP/wronghost@JBOSS.ORG
      13:19:20,863 INFO  [stdout] (management task-6) Will use keytab
      13:19:20,863 INFO  [stdout] (management task-6) Commit Succeeded 
      13:19:20,863 INFO  [stdout] (management task-6) 
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
      	Principal: HTTP/wronghost@JBOSS.ORG
      	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab for HTTP/wronghost@JBOSS.ORG
      ] succeed
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Creating GSSName for Principal 'HTTP/wronghost@JBOSS.ORG'
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f]
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost@JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@4133c756]
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching GSSContext sun.security.jgss.GSSContextImpl@3adbbdae
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching KerberosTicket null
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Sent HTTP authorizations: [null]
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Request lacks valid authentication credentials
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='localhost.localdomain' protocol='http'
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='BEARER_TOKEN', hostName='localhost.localdomain', protocol='http'.
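As an added, defender-side preflight check (not code from this issue or from Elytron): it parses the WWW-Authenticate challenges of a 401 response per RFC 7235 and flags the situation described above, where Negotiate is advertised although the configured kerberos-security-factory principal (HTTP/wronghost@JBOSS.ORG in the trace) cannot serve the host the client connects to (localhost.localdomain). The 401 headers are constructed; the realm name and principal values come from this issue.

```python
import re

# Constructed 401 headers modelled on the misconfigured server in this issue:
# Negotiate is advertised next to BASIC although SPNEGO can never succeed here.
SAMPLE_401_HEADERS = [
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", 'Basic realm="exampleFsSD"'),
]
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)(?:\s+(.*))?$")    # Basic realm=...
_TOKEN68 = re.compile(r"^[A-Za-z0-9._~+/-]+=*$")                     # Negotiate YIIB...
_PARAM = re.compile(r'^([A-Za-z0-9._-]+)=(?:"([^"]*)"|([^"\s]+))$')  # realm="x" / realm=x

def _split_unquoted_commas(value):
    parts, buf, quoted = [], "", False
    for ch in value:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            parts, buf = parts + [buf], ""
        else:
            buf += ch
    return [p.strip() for p in parts + [buf] if p.strip()]

def parse_challenges(headers):
    """[(scheme, params)] per RFC 7235: many headers, many challenges per header, token68 -> 'token68'."""
    challenges = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for item in _split_unquoted_commas(value):
            m = _SCHEME.match(item)
            if m:  # a new challenge; the rest of the item may be its first param
                challenges.append((m.group(1), {}))
                item = m.group(2) or ""
            if item and challenges:
                p, params = _PARAM.match(item), challenges[-1][1]
                if _TOKEN68.match(item):
                    params["token68"] = item
                elif p:
                    params[p.group(1).lower()] = p.group(2) if p.group(2) is not None else p.group(3)
    return challenges

def principal_matches_host(principal, host_name):
    """SPNEGO only validates the ticket if the principal is HTTP/<host the client targets>@REALM (no DNS alias lookup)."""
    m = re.match(r"^HTTP/([^@/]+)@[^@]+$", principal)
    return bool(m) and m.group(1).lower() == host_name.lower()

def negotiate_misadvertised(headers, principal, host_name):
    """True when Negotiate is offered although the principal cannot serve host_name."""
    return any(s.lower() == "negotiate" for s, _ in parse_challenges(headers)) \
        and not principal_matches_host(principal, host_name)
```

Run it against a real 401 by feeding the response's header pairs and the principal from the kerberos-security-factory; a True result means clients will be steered into a SPNEGO attempt that cannot succeed.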
      

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma