Details
-
Bug
-
Resolution: Done
-
Major
-
2.0.0.Alpha9
-
None
Description
This was cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1228228
Attribute for-hosts for Security realm with Kerberos does not select keytab in order which is described in $EAP_SERVER/docs/schema/jboss-as-config_1_7.xsd (begin on line 456).
According to this XSD hostname values from for-hosts attributes (steps 1. nad 2.) are iterated before values obtained from principal (steps 3. and 4.). In case when keytab element (denote as keytab1) contains for-hosts attribute with hostname EXAMPLE and some another keytab element (denote as keytab2) contains principal HTTP/EXAMPLE@SOMETHING.COM then keytab2 is selected instead of keytab1. It means step 3. is performed before step 2.
Configuration for mentioned above example:
<server-identities> <kerberos> <keytab principal="HTTP/ANYVALUE@SOMETHING.COM" path="/path/to/krb1.keytab" for-hosts="EXAMPLE"/> <keytab principal="HTTP/EXAMPLE@SOMETHING.COM" path="/path/to/krb2.keytab" for-hosts="SOMEHOST"/> </kerberos> </server-identities>
In case when hostname in for-hosts contains also protocol (HTTP/EXAMPLE instead of EXAMPLE) then it works correctly.