Loading...

XML

Word

Printable

Steps to Reproduce:
Hide

Follow steps in documentation https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron

But misconfigure kerberos, e.g. by principal=HTTP/wronghost@REALM

/subsystem=elytron/kerberos-security-factory=krbSF:add( \ principal="HTTP/wronghost@REALM", \ path="/path/to/http.keytab", \ mechanism-oids=[ \ 1.2.840.113554.1.2.2, \ 1.3.6.1.5.5.2 \ ] \ )
Show
Follow steps in documentation https://doc-stage.usersys.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1.alpha/html-single/how_to_set_up_sso_with_kerberos/#secure_mgmt_interface_krb_elytron But misconfigure kerberos, e.g. by principal=HTTP/wronghost@REALM /subsystem=elytron/kerberos-security-factory=krbSF:add( \ principal= "HTTP/wronghost@REALM" , \ path= "/path/to/http.keytab" , \ mechanism-oids=[ \ 1.2.840.113554.1.2.2, \ 1.3.6.1.5.5.2 \ ] \ )
Git Pull Request:
https://github.com/wildfly-security/wildfly-elytron/pull/886

Intention on legacy security realm is tracked by ~~JBEAP-8563~~:

If this is the only mechanism enabled then 500 is the correct status code
however if a fallback mechanism was also enabled then that mechanism should be able to challenge with a HTTP 401 status code.

clones

JBEAP-9945 Elytron, be consistent with legacy for misconfigured kerberos authentication of http management interface