Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-12688

Unable to use GS2-KRB5-PLUS SASL mechanism - AP_REQ token id does not match

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 7.1.0.CR1
    • 7.1.0.ER3
    • Security
    • None
    • Hide

      Reproducer is available in this method

      Full steps to reproduce the issue:

      git clone -b ELY-1328-reproducer https://github.com/kwart/wildfly-core.git
      cd wildfly-core
      mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip
      cd testsuite/elytron
      mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile=false -Dtest=KerberosMgmtSaslTestCase#testGs2Krb5PlusOverSsl
      

      Then you should see following in the console window:

      14:51:13,143 INFO  [stdout] (management task-7) Entered Krb5Context.acceptSecContext with state=STATE_NEW
      14:51:13,145 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GS2-KRB5-PLUS] Unable to accept SASL client message [Caused by GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)]
      	at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:238)
      	at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
      	at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
      	at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
      	at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
      	at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
      	at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
      	at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
      	at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)
      	at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96)
      	at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
      	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
      	at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212)
      	... 12 more
      
      Show
      Reproducer is available in this method Full steps to reproduce the issue: git clone -b ELY-1328-reproducer https: //github.com/kwart/wildfly-core.git cd wildfly-core mvn clean install -DskipTests -Dcheckstyle.skip -Denforcer.skip cd testsuite/elytron mvn clean test -Dcheckstyle.skip -Denforcer.skip -DtestLogToFile= false -Dtest=KerberosMgmtSaslTestCase#testGs2Krb5PlusOverSsl Then you should see following in the console window: 14:51:13,143 INFO [stdout] (management task-7) Entered Krb5Context.acceptSecContext with state=STATE_NEW 14:51:13,145 TRACE [org.jboss.remoting.remote.server] (management task-7) Server sending authentication rejected: javax.security.sasl.SaslException: ELY05031: [GS2-KRB5-PLUS] Unable to accept SASL client message [Caused by GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)] at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:238) at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180) at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52) at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58) at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106) at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57) at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245) at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217) at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486) at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!) at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212) ... 12 more

      Invalid initial token is used on server for GS2-KRB5-PLUS SASL mechanism. The Gs2SaslServer uses a GSSContext to accept the token. It expects AP_REQ is comming (AP_REQ_ID=256), but the incomming tokenId has value 669 (value of first 2 bytes of token body).

      Setting blocker as this mechanism is required by EAP7-530 and EAP7-142.

      Following exception is thrown:

      GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)
              at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96)
              at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
              at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
              at org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212)
              at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
              at org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
              at org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
              at org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
              at org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
              at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
              at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
              at org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
              at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:748)
      

              fjuma1@redhat.com Farah Juma
              josef.cacek@gmail.com Josef Cacek (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: