JBoss Enterprise Application Platform
JBEAP-8207

Elytron, IBM Java, SPNEGO continuation required situation

    Details

      Description

      I have a problem achieving this scenario with Elytron on IBM Java:

      1. Using IBM Java
      2. Client sends a non-Kerberos OID mechanism as most preferred, with a non-Kerberos ticket
      3. Server responds with "continuation required"
      4. Client sends a Kerberos ticket
      5. Server responds with 401 instead of 200
      6. On the server there is an error:
        10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
        	major string: Defective token
        	minor string: Bad token tag: -95
        	at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
        	at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
        	at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
        	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
        	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
        	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
        	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
        

      Basically, it is the same scenario as tested in [1] (for legacy security).

      This scenario works correctly

      • on Oracle and OpenJDK Java with Elytron in EAP 7.1
      • with legacy security on IBM Java in EAP 7.1

      Setting high priority as:

      • It works in legacy security, so customers won't be able to migrate.
      • A similar error was resolved in EAP 7.0 (JBEAP-3709) as a blocker because a customer case existed for it.

      [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
      [2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L357
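The "Bad token tag: -95" in the trace above is the signed-Java-byte rendering of 0xA1, the DER tag of a SPNEGO NegTokenResp (the later legs of the exchange), as opposed to 0x60, the GSS-API initial context token that wraps a NegTokenInit. The following decoder is an added example, not code from this report or from Elytron or IBM JGSS; it classifies a raw token or an `Authorization: Negotiate` header value by that outer tag, and the sample tokens it builds are minimal constructed encodings, not the attached capture.

```python
import base64

# Constructed, minimal DER encodings (not traffic from the attached pcap).
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")        # OID 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")    # Kerberos V5 mech OID

def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_spnego_token(token):
    """Name the SPNEGO leg a raw token belongs to, from its outer DER tag."""
    if not token:
        return "empty"
    tag = token[0]
    if tag == 0x60:  # GSS-API InitialContextToken (RFC 2743) wrapping NegTokenInit [0]
        _, pos = der_length(token, 1)
        if token[pos:pos + len(SPNEGO_OID_DER)] != SPNEGO_OID_DER:
            return "initial-token-other-mech"
        inner_tag = token[pos + len(SPNEGO_OID_DER)]
        return "neg-token-init" if inner_tag == 0xA0 else "unknown"
    if tag == 0xA1:  # NegTokenResp [1] (RFC 4178): only valid for an existing context
        return "neg-token-resp"
    return "unknown"

def java_signed_byte(value):
    """How a Java byte prints an unsigned tag value: 0xA1 is reported as -95."""
    return value - 256 if value > 0x7F else value

def build_negotiate_header(token):
    """Authorization header value carrying the token (constructed)."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")

def classify_negotiate_header(header_value):
    """Classify the token inside an 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate" or not b64:
        return "not-negotiate"
    return classify_spnego_token(base64.b64decode(b64))

# First leg: 60 1B { SPNEGO OID, A0 11 { 30 0F { A0 0D { 30 0B { krb5 OID } } } } }
MECH_TYPES = bytes([0xA0, 0x0D, 0x30, 0x0B]) + KRB5_OID_DER
NEG_TOKEN_INIT = bytes([0xA0, 0x11, 0x30, 0x0F]) + MECH_TYPES
INITIAL_TOKEN = bytes([0x60, 0x1B]) + SPNEGO_OID_DER + NEG_TOKEN_INIT
# Later leg: A1 07 { 30 05 { A0 03 { 0A 01 01 } } }, negState = accept-incomplete(1)
NEG_TOKEN_RESP = bytes.fromhex("a1073005a0030a0101")
```

Running `classify_negotiate_header` over the Negotiate headers in a capture like the attached one shows which request carried the 0xA1 token that the acceptor rejected.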

          Attachments

          1. ContinuationRequiredIBM.pcap
            9 kB
          2. server.log
            17 kB
          3. TokenHeader.java
            16 kB

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  mchoma Martin Choma
                  Tester:
                  Martin Choma
                • Votes:
                  0
                  Watchers:
                  7