JBoss Enterprise Application Platform: JBEAP-6644

Elytron SPNEGO "continuation required" situation

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.1.0.DR9
    • 7.1.0.DR7
    • Security

I have a problem achieving this scenario with Elytron:

1. Client sends a non-Kerberos OID mechanism as most preferred, with a non-Kerberos ticket
2. Server responds with "continuation required"
3. Client sends a Kerberos ticket
4. Server responds with 401 instead of 200

Actually, it is the scenario tested in [1]. It worked correctly in EAP 7.0. It also works with Elytron when the client sends a non-Kerberos OID mechanism with a Kerberos ticket.

The problem, as I see it, is that SpnegoAuthenticationMechanism:

1. Creates the gssContext with the first provided ticket (non-Kerberos) and sends "continuation required"
2. When the client provides a proper Kerberos ticket, this nevertheless leads to a bare 401 challenge, because the gssContext was already created in the first step and is not created again.

Setting to blocker as it behaves differently compared to EAP 7.0 and does not comply with the spec [2]. A similar error was resolved in EAP 7.0 (JBEAP-3709) as a blocker because a customer case existed for it.

[1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
[2] https://tools.ietf.org/html/rfc4178

Assignee: Jan Kalina (jkalina@redhat.com)
Reporter: Martin Choma (mchoma@redhat.com)
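The four-step exchange in the report, modelled as an added Python example. This is not Elytron or WildFly code: the GSS contexts, the tickets and the HTTP status mapping are toy stand-ins constructed here, and the `reuse_stale_context` switch is a hypothetical knob that reproduces the failure mode the reporter describes (a context built from the first, non-Kerberos token being reused for the later Kerberos token), not Elytron's actual code path. The mechanism OIDs are the standard ones. The RFC 4178 rule being exercised is that when the optimistic mechanism in NegTokenInit is not the one the acceptor selects, the acceptor answers accept-incomplete with supportedMech and must then establish a fresh context for the selected mechanism from the client's responseToken.

```python
"""Toy model of the SPNEGO (RFC 4178) negotiation from the ticket (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

KRB5_OID = "1.2.840.113554.1.2.2"       # Kerberos V5
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP, used as the "non-Kerberos" mechanism

ACCEPT_COMPLETED = "accept-completed"
ACCEPT_INCOMPLETE = "accept-incomplete"
REJECT = "reject"


@dataclass
class MechToken:
    """Stand-in for a raw mechanism token (e.g. a Kerberos AP-REQ)."""
    mech: str
    payload: str


@dataclass
class NegTokenInit:
    mech_types: List[str]            # client's preference order, most preferred first
    mech_token: Optional[MechToken]  # optimistic token for mech_types[0]


@dataclass
class NegTokenResp:
    neg_state: str
    supported_mech: Optional[str] = None
    response_token: Optional[MechToken] = None


class ToyGSSContext:
    """One-round-trip acceptor for a single mechanism (toy, no real GSS-API).
    Feeding it a token for a different mechanism fails and poisons it, mirroring
    a failed GSSContext that cannot be reused for a later, valid token."""

    def __init__(self, mech: str):
        self.mech = mech
        self.established = False
        self.failed = False

    def accept(self, token: MechToken) -> bool:
        if self.failed or token.mech != self.mech:
            self.failed = True
            return False
        self.established = True
        return True


class SpnegoServer:
    """Acceptor side. reuse_stale_context=True is a hypothetical switch that
    reproduces the behaviour described in the ticket."""

    def __init__(self, mechs: List[str], reuse_stale_context: bool = False):
        self.mechs = mechs
        self.reuse_stale_context = reuse_stale_context
        self.ctx: Optional[ToyGSSContext] = None
        self.selected: Optional[str] = None

    def handle_init(self, init: NegTokenInit) -> NegTokenResp:
        # RFC 4178 section 3.1: select the first client-listed mechanism we support.
        self.selected = next((m for m in init.mech_types if m in self.mechs), None)
        if self.selected is None:
            return NegTokenResp(REJECT)
        if init.mech_types[0] == self.selected and init.mech_token is not None:
            # Optimistic token is for the agreed mechanism: consume it immediately.
            self.ctx = ToyGSSContext(self.selected)
            ok = self.ctx.accept(init.mech_token)
            return NegTokenResp(ACCEPT_COMPLETED if ok else REJECT, self.selected)
        if self.reuse_stale_context and init.mech_token is not None:
            # Failure mode from the ticket: a context is built from the first
            # (non-Kerberos) token although that mechanism was not selected.
            self.ctx = ToyGSSContext(self.selected)
            self.ctx.accept(init.mech_token)  # fails and poisons the context
        # Optimistic mechanism differs from the selected one: "continuation required".
        return NegTokenResp(ACCEPT_INCOMPLETE, self.selected)

    def handle_resp(self, resp: NegTokenResp) -> NegTokenResp:
        if self.ctx is None:
            # Correct behaviour: a fresh context for the mechanism actually agreed on.
            self.ctx = ToyGSSContext(self.selected)
        ok = resp.response_token is not None and self.ctx.accept(resp.response_token)
        return NegTokenResp(ACCEPT_COMPLETED if ok else REJECT, self.selected)


def http_status(resp: NegTokenResp) -> int:
    # accept-incomplete is a 401 carrying a Negotiate continuation token.
    return 200 if resp.neg_state == ACCEPT_COMPLETED else 401


def run_scenario(server: SpnegoServer, client_prefs: List[str],
                 tickets: Dict[str, str]) -> List[int]:
    """Drive the exchange from the ticket; returns the HTTP status of each round."""
    first = client_prefs[0]
    statuses = [http_status(server.handle_init(
        NegTokenInit(client_prefs, MechToken(first, tickets[first]))))]
    resp = server.handle_init  # placeholder to keep the last response in scope
    init_resp = NegTokenResp(ACCEPT_INCOMPLETE) if statuses[-1] == 401 and server.selected else None
    if init_resp is not None and server.ctx is None or (init_resp is not None and server.reuse_stale_context):
        # Client answers with a token for the mechanism the server picked.
        mech = server.selected
        resp = server.handle_resp(NegTokenResp(ACCEPT_INCOMPLETE, mech, MechToken(mech, tickets[mech])))
        statuses.append(http_status(resp))
    return statuses


# Constructed sample tickets; no KDC is involved.
SAMPLE_TICKETS = {
    NTLMSSP_OID: "NTLMSSP type 1 message (constructed sample)",
    KRB5_OID: "AP-REQ for HTTP/server.example.com (constructed sample)",
}

if __name__ == "__main__":
    for bug in (False, True):
        srv = SpnegoServer([KRB5_OID], reuse_stale_context=bug)
        print("buggy" if bug else "fixed",
              run_scenario(srv, [NTLMSSP_OID, KRB5_OID], SAMPLE_TICKETS))
```

With the fixed acceptor the non-Kerberos-first client gets 401 (continuation) then 200; with the stale-context behaviour it gets 401 then 401, which is the report's step 4. A client that lists Kerberos first completes in one round.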