-
Bug
-
Resolution: Done
-
Critical
-
7.1.0.DR16
During SPNEGO in deployment authentication, there should be these rules applied
- If authentication is required and no authentication mechanisms are available for use report - 500
- If a mechanism throws an exception evaluating the request and there are no other mechanisms available - 500
Same as Elytron securing management interface discussed on https://issues.jboss.org/browse/JBEAP-9970?focusedCommentId=13386447&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13386447
I test these scenarios by:
- wrong protocol=DOES_NOT_EXIST in http-authentication-factory
- I get 403 on first GET
14:35:41,907 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http' 14:35:41,908 TRACE [org.wildfly.security] (default task-1) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='SPNEGO', hostName='localhost.localdomain', protocol='http'.
- wrong principal name in kerberos security factory
- I get 401 on first GET
14:38:37,280 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http' 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Evaluating SPNEGO request: cached GSSContext = null 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Obtaining GSSCredential for the service from callback handler... 14:38:37,281 TRACE [org.wildfly.security] (default task-1) No valid cached credential, obtaining new one... 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject: ] 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject: Principal: HTTP/wronghost@JBOSS.ORG Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG ] succeed 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Creating GSSName for Principal 'HTTP/wronghost@JBOSS.ORG' 14:38:37,282 INFO [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG 14:38:37,282 INFO [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f] 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost@JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@7e6a9da] 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching GSSContext sun.security.jgss.GSSContextImpl@2df4c570 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching KerberosTicket null 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Sent HTTP authorizations: [null] 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Request lacks valid authentication credentials
- is cloned by
-
WFLY-8547 Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned
- Closed
- relates to
-
JBEAP-9945 Elytron, be consistent with legacy for misconfigured kerberos authentication of http management interface
- Closed