Basically Elytron clone of JBEAP-4114.
When the client sends an initial SPNEGO token with Kerberos as preferred mechanism and includes an invalid kerberos token, then client expects to see the WWW-Authenticate HTTP header with SPNEGO response negTokenResp[ negState = reject ].
As stated in SPNEGO specification negstat is required in first reply:
negState
...
This field is REQUIRED in the first reply from the target, and is
OPTIONAL thereafter. When negState is absent, the actual state
should be inferred from the state of the negotiated mechanism
context.
https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java testInvalidKerberosSpnegoWorkflow.
- is cloned by
-
ELY-715 SPNEGO: missing negState field in the first reply for defective token
-
- Resolved
-
- relates to
-
-
- Closed
-