Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-1070

Elytron, WWW-Authenticate Negotiate header is send although SPNEGO is misconfigured

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 1.1.0.Beta36
    • None
    • HTTP
    • Hide
      • Replace creation of http-authentication-factory with this command specifying protocol HTTP
        /subsystem=elytron/http-authentication-factory=example-krb-http-auth:add( \
          http-server-mechanism-factory=global, \
          security-domain=exampleFsSD, \
          mechanism-configurations=[ \
            { \
              mechanism-name=SPNEGO,\
              mechanism-realm-configurations= \
                [ \
                  { \
                    realm-name=exampleFsSD \
                  } \
                ], \
              protocol=DOES_NOT_EXIST,\
              credential-security-factory=krbSF \
            },     { \
              mechanism-name=BASIC,\
              mechanism-realm-configurations= \
                [ \
                  { \
                    realm-name=exampleFsSD \
                  } \
                ]
            }
          ] \
        )
        
      • Negotiate header is send, although it won't be possible to authenticate using SPNEGO
      Show
      Follow steps for securing management interface with kerberos https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron Replace creation of http-authentication-factory with this command specifying protocol HTTP /subsystem=elytron/http-authentication-factory=example-krb-http-auth:add( \ http-server-mechanism-factory=global, \ security-domain=exampleFsSD, \ mechanism-configurations=[ \ { \ mechanism-name=SPNEGO,\ mechanism-realm-configurations= \ [ \ { \ realm-name=exampleFsSD \ } \ ], \ protocol=DOES_NOT_EXIST,\ credential-security-factory=krbSF \ }, { \ mechanism-name=BASIC,\ mechanism-realm-configurations= \ [ \ { \ realm-name=exampleFsSD \ } \ ] } ] \ ) Negotiate header is send, although it won't be possible to authenticate using SPNEGO

      If SPNEGO is misconfigured Negotiate header is still send back to client, although SPNEGO can't be used.

      13:19:20,861 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling AvailableRealmsCallback: realms = [fileSystemFallbackRealm]
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost.localdomain', protocol='http'.
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='DIGEST' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='DIGEST', hostName='localhost.localdomain', protocol='http'.
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='localhost.localdomain' protocol='http'
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='FORM', hostName='localhost.localdomain', protocol='http'.
      13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Evaluating SPNEGO request: cached GSSContext = null
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Obtaining GSSCredential for the service from callback handler...
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) No valid cached credential, obtaining new one...
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
      ]
      13:19:20,863 INFO  [stdout] (management task-6) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab refreshKrb5Config is false principal is HTTP/wronghost@JBOSS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      13:19:20,863 INFO  [stdout] (management task-6) principal is HTTP/wronghost@JBOSS.ORG
      13:19:20,863 INFO  [stdout] (management task-6) Will use keytab
      13:19:20,863 INFO  [stdout] (management task-6) Commit Succeeded 
      13:19:20,863 INFO  [stdout] (management task-6) 
      13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
      	Principal: HTTP/wronghost@JBOSS.ORG
      	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab for HTTP/wronghost@JBOSS.ORG
      ] succeed
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Creating GSSName for Principal 'HTTP/wronghost@JBOSS.ORG'
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f]
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost@JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@4133c756]
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching GSSContext sun.security.jgss.GSSContextImpl@3adbbdae
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching KerberosTicket null
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Sent HTTP authorizations: [null]
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Request lacks valid authentication credentials
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='localhost.localdomain' protocol='http'
      13:19:20,864 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='BEARER_TOKEN', hostName='localhost.localdomain', protocol='http'.
      

              darran.lofthouse@redhat.com Darran Lofthouse
              mchoma@redhat.com Martin Choma
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: