[JBEAP-8207] Elytron, IBM java, SPNEGO continuation required situation - JBoss Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Rejected
Affects Version/s: 7.1.0.DR10
Fix Version/s: None
Component/s: Security
Labels:
- authentication
- http
- ibm-java
- kerberos
- spnego

Target Release:

7.1.0.GA
Affects:

Release Notes
Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1455036
Bugzilla Update:

Perform

Description

I have problem to achieve this scenario with elytron on IBM java:

Using IBM Java
Client sends non kerberos OID mechanism as most preferred with non kerberos ticket
Server response with "continuation required"
Client sends kerberos ticket
Server response with 401 instead of 200

In server there is error

10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0

	major string: Defective token

	minor string: Bad token tag: -95

	at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)

	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)

	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)

	at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)

	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)

	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)

	at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)

	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)

	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)

	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)

	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)

	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)

	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)

Basically, it is same scenario as tested in [1] (for legacy security).

This scenario works correctly

on Oracle and OpenJDK java with elytron in EAP 7.1
with legacy security on IBM java in EAP 7.1

Setting high priority as:

It works in legacy security, so customers won't be able to migrate
Similar error was resolved in EAP 7.0 (~~JBEAP-3709~~) as blocker because customer case existed for that.

[1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
[2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L357

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

ContinuationRequiredIBM.pcap
9 kB
11/Jan/17 4:57 AM
server.log
17 kB
11/Jan/17 4:57 AM
TokenHeader.java
16 kB
22/May/17 4:11 PM

Issue Links

cloned to

WFCORE-2466 Elytron, IBM java, SPNEGO continuation required situation

Resolved

Activity

People

Assignee:

Darran Lofthouse

Reporter:

Martin Choma

Tester:

Martin Choma

Votes:

0 Vote for this issue

Watchers:

7 Start watching this issue

Dates

Created:

11/Jan/17 4:55 AM

Updated:

12/Feb/18 1:14 PM

Resolved:

20/Jun/17 11:17 AM