Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 1.3.0.Beta6
Affects Version/s: 1.3.0.Beta5
Component/s: Core, Security
Labels:
None

Steps to Reproduce:
Hide

1. Define security realm with Kerberos authentication:

<security-realm name="MinimalKeyTab"> <server-identities> <kerberos> <keytab principal="HTTP/127.0.0.1@JBOSS.ORG" path="http.keytab" relative-to="jboss.server.config.dir" debug="true"/> <keytab principal="HTTP/[2620:52::2804:56ee:75ff:fe2d:980f]@JBOSS.ORG" path="http.keytab" relative-to="jboss.server.config.dir" debug="true"/> </kerberos> </server-identities> <authentication> <local default-user="$local" skip-group-loading="true"/> <kerberos/> </authentication> </security-realm>

2. Set management interface realm to the created realm:

<management-interfaces> <http-interface security-realm="MinimalKeyTab" http-upgrade-enabled="true"> <socket-binding http="management-http"/> </http-interface> </management-interfaces>

3. Access management interface: http://hofik.brq.redhat.com:9990/management

Resulting output in logs:

TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for name 'HTTP/[2620' to KeytabService, attempting to use host only match.
TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for host '[2620' to KeytabService, attempting to use default.
TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No KeytabService available for host '[2620' unable to return SubjectIdentity.
TRACE [org.jboss.as.domain.http.api] (HttpManagementService-threads - 1) No Subject available for host '[2620'
Show
1. Define security realm with Kerberos authentication: <security-realm name= "MinimalKeyTab" > <server-identities> <kerberos> <keytab principal= "HTTP/127.0.0.1@JBOSS.ORG" path= "http.keytab" relative-to= "jboss.server.config.dir" debug= "true" /> <keytab principal= "HTTP/[2620:52::2804:56ee:75ff:fe2d:980f]@JBOSS.ORG" path= "http.keytab" relative-to= "jboss.server.config.dir" debug= "true" /> </kerberos> </server-identities> <authentication> <local default-user= "$local" skip-group-loading= "true" /> <kerberos/> </authentication> </security-realm> 2. Set management interface realm to the created realm: <management-interfaces> <http-interface security-realm= "MinimalKeyTab" http-upgrade-enabled= "true" > <socket-binding http= "management-http" /> </http-interface> </management-interfaces> 3. Access management interface: http://hofik.brq.redhat.com:9990/management Resulting output in logs: TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for name 'HTTP/[2620' to KeytabService, attempting to use host only match. TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No mapping for host '[2620' to KeytabService, attempting to use default. TRACE [org.jboss.as.domain.management.security] (HttpManagementService-threads - 1) No KeytabService available for host '[2620' unable to return SubjectIdentity. TRACE [org.jboss.as.domain.http.api] (HttpManagementService-threads - 1) No Subject available for host '[2620'
Git Pull Request:
https://github.com/undertow-io/undertow/pull/324
Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1172180

Description

When WFLY with configured kerberos security realm is bound to IPv6 address (e.g. 2620:52:0:2804:56ee:75ff:fe2d:980f), undertow is trying to match keytabs against incorrectly parsed address "[2620" (should be "[2620:52:0:2804:56ee:75ff:fe2d:980f]").

Attachments

Activity

People

Assignee:: Tomas Hofman

Reporter:: Tomas Hofman

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2015/07/29 6:36 AM

Updated:: 2015/08/27 5:03 AM

Resolved:: 2015/07/31 2:51 AM