JBEAP-8569 (JBoss Enterprise Application Platform)

Legacy Kerberos in management, unable to configure fallback authentication.



      1. Set up Kerberos for the management interface (https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/how-to-set-up-sso-with-kerberos/#configure-krb-management-interfaces)
      2. Configure <jaas> authentication as the fallback

      standalone.xml
                  <security-realm name="FallBackKerberosRealm">
                      <server-identities>
                          <kerberos>
                              <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"/>
                          </kerberos>
                      </server-identities>
                      <authentication>
                          <kerberos/>
                          <jaas name="JBossTestDomain"/>
                      </authentication>
                  </security-realm>
      

      3. BASIC authentication is not performed for a client that does not support SPNEGO

      [mchoma@localhost ~]$ curl http://localhost.localdomain:9990/management?operation=attribute&name=server-state
      [mchoma@localhost ~]$ <html><head><title>Error</title></head><body>401 - Unauthorized</body></html>
      

      In EAP 7.0 it was possible to configure a fallback (e.g. BASIC) authentication for clients that do not support SPNEGO authentication. In EAP 7.1 this feature no longer works.

      In EAP 7.0 the server returns multiple challenges (Negotiate/Basic) and the client can choose which one it will use.

      EAP 7.0
      HTTP/1.1 401 Unauthorized
      Connection: keep-alive
      WWW-Authenticate: Negotiate
      WWW-Authenticate: Basic realm="FallBackKerberosRealm"
      X-Frame-Options: SAMEORIGIN
      Content-Length: 77
      Content-Type: text/html
      Date: Mon, 30 Jan 2017 11:02:45 GMT
      
      <html><head><title>Error</title></head><body>401 - Unauthorized</body></html>
      

      In EAP 7.1 (with the same configuration) the server returns only one challenge, Negotiate, so a client that does not support SPNEGO cannot fall back to Basic.

      EAP 7.1
      HTTP/1.1 401 Unauthorized
      Connection: keep-alive
      WWW-Authenticate: Negotiate
      X-Frame-Options: SAMEORIGIN
      Content-Length: 77
      Content-Type: text/html
      Date: Mon, 30 Jan 2017 11:01:28 GMT
      
      <html><head><title>Error</title></head><body>401 - Unauthorized</body></html>
      
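      The difference between the two captures above comes down to what the 401 response advertises in its WWW-Authenticate headers. The following script is an added check, not part of this report or of EAP itself: it parses the challenges of a 401 response (multiple headers as well as comma-joined challenges with quoted parameters, per RFC 7235) and reports which scheme a client with a given set of supported schemes would end up using. The two sample responses are constructed from the headers quoted in the report; with the EAP 7.0 shape a Basic-only client gets a fallback, with the EAP 7.1 shape it gets none.

```python
"""Check whether an HTTP 401 response offers a fallback authentication scheme.

Parses WWW-Authenticate challenges (several headers and/or comma-joined
challenges) and picks the first scheme a client supports.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed samples modelled on the two captures in the report:
# EAP 7.0 offers Negotiate and Basic, EAP 7.1 offers Negotiate only.
RESPONSE_EAP70 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Connection: keep-alive\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    'WWW-Authenticate: Basic realm="FallBackKerberosRealm"\r\n'
    "Content-Length: 77\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>"
)
RESPONSE_EAP71 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Connection: keep-alive\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "Content-Length: 77\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Error</title></head><body>401 - Unauthorized</body></html>"
)


def parse_headers(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status code, [(lower-cased header name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def split_challenges(value: str) -> List[str]:
    """Split a header value on commas that are not inside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_challenges(headers: List[Tuple[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each offered scheme (lower-cased) to its auth-params."""
    challenges: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for name, value in headers:
        if name != "www-authenticate":
            continue
        for piece in split_challenges(value):
            head, _, rest = piece.partition(" ")
            if "=" in head:
                # A bare key=value continues the previous challenge
                # (e.g. the nonce of a Digest challenge).
                if current is not None:
                    key, _, val = piece.partition("=")
                    challenges[current][key.strip().lower()] = val.strip().strip('"')
                continue
            current = head.lower()
            challenges.setdefault(current, {})
            if "=" in rest:
                key, _, val = rest.partition("=")
                challenges[current][key.strip().lower()] = val.strip().strip('"')
    return challenges


def pick_scheme(challenges: Dict[str, Dict[str, str]],
                client_supports: Sequence[str]) -> Optional[str]:
    """First offered scheme in the client's preference order, or None."""
    for scheme in client_supports:
        if scheme in challenges:
            return scheme
    return None


def fallback_available(raw: str, client_supports: Sequence[str] = ("basic",)) -> Optional[str]:
    """Scheme a client with the given support would use against this 401."""
    status, headers = parse_headers(raw)
    if status != 401:
        return None
    return pick_scheme(parse_challenges(headers), client_supports)


if __name__ == "__main__":
    for label, raw in (("EAP 7.0", RESPONSE_EAP70), ("EAP 7.1", RESPONSE_EAP71)):
        print(label, "offers", sorted(parse_challenges(parse_headers(raw)[1])),
              "-> Basic-only client uses:", fallback_available(raw))
```

      A SPNEGO-capable client (`client_supports=("negotiate", "basic")`) picks Negotiate against both responses; the check only reports a missing fallback for the scheme set a non-SPNEGO client actually has.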

            darran.lofthouse@redhat.com Darran Lofthouse
            mchoma@redhat.com Martin Choma