Loading...

Details

Type: Bug
Resolution: Done
Priority: Blocker
Fix Version/s: 7.1.0.CR1
Affects Version/s: 7.1.0.ER3
Component/s: Security
Labels:
None

Target Release:

7.1.0.GA
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/942
Steps to Reproduce:
Hide

Reproducer is available in this method

Full steps to reproduce the issue:

git clone -b ELY-1328-reproducer https://github.com/kwart/wildfly-core.git cd wildfly-core mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip cd testsuite/elytron mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile=false -Dtest=KerberosMgmtSaslTestCase#testGs2Krb5PlusOverSsl

Then you should see following in the console window:

14:51:13,143 INFO [stdout] (management task-7) Entered Krb5Context.acceptSecContext with state=STATE_NEW 14:51:13,145 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GS2-KRB5-PLUS] Unable to accept SASL client message [Caused by GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)] at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:238) at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180) at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52) at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58) at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106) at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57) at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245) at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217) at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486) at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!) at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212) ... 12 more
Show
Reproducer is available in this method Full steps to reproduce the issue: git clone -b ELY-1328-reproducer https: //github.com/kwart/wildfly-core.git cd wildfly-core mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip cd testsuite/elytron mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile= false -Dtest=KerberosMgmtSaslTestCase#testGs2Krb5PlusOverSsl Then you should see following in the console window: 14:51:13,143 INFO [stdout] (management task-7) Entered Krb5Context.acceptSecContext with state=STATE_NEW 14:51:13,145 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GS2-KRB5-PLUS] Unable to accept SASL client message [Caused by GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)] at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:238) at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180) at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52) at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58) at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106) at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57) at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245) at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217) at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486) at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!) at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212) ... 12 more

SFDC Cases Counter:
SFDC Cases Links:

Description

Invalid initial token is used on server for GS2-KRB5-PLUS SASL mechanism. The Gs2SaslServer uses a GSSContext to accept the token. It expects AP_REQ is comming (AP_REQ_ID=256), but the incomming tokenId has value 669 (value of first 2 bytes of token body).

Setting blocker as this mechanism is required by EAP7-530 and EAP7-142.

Following exception is thrown:

GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)
        at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212)
        at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
        at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
        at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
        at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
        at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
        at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
        at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)

Attachments

Issue Links

blocks

JBEAP-12696 Unable to connect jboss-cli.sh using GS2-KRB5-PLUS

Verified

is cloned by

ELY-1328 Unable to use GS2-KRB5-PLUS SASL mechanism - AP_REQ token id does not match

Resolved

is incorporated by

JBEAP-12750 Upgrade WildFly Elytron to 1.1.0.CR6

Verified

Unable to use GS2-KRB5-PLUS SASL mechanism - AP_REQ token id does not match

Details

Description

Attachments

Issue Links

Activity

People

Dates