JBoss Enterprise Application Platform
JBEAP-8207

Elytron, IBM java, SPNEGO continuation required situation


Details

    Description

      I have a problem achieving this scenario with Elytron on IBM Java:

      1. Using IBM Java
      2. Client sends a non-Kerberos mechanism OID as most preferred, with a non-Kerberos ticket
      3. Server responds with "continuation required"
      4. Client sends a Kerberos ticket
      5. Server responds with 401 instead of 200
      6. In the server log there is this error:
        10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
        	major string: Defective token
        	minor string: Bad token tag: -95
        	at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
        	at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
        	at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
        	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
        	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
        	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
        	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
        

      Basically, it is the same scenario as tested in [1] (for legacy security).

      This scenario works correctly

      • on Oracle and OpenJDK Java with Elytron in EAP 7.1
      • with legacy security on IBM Java in EAP 7.1

      Setting high priority because:

      • It works in legacy security, so customers won't be able to migrate
      • A similar error was resolved in EAP 7.0 (JBEAP-3709) as a blocker because a customer case existed for it.

      [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
      [2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L357

      Attachments

        1. ContinuationRequiredIBM.pcap
          9 kB
        2. server.log
          17 kB
        3. TokenHeader.java
          16 kB
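The trace above ends in IBM JGSS's TokenHeader constructor with "Bad token tag: -95". Java reads bytes as signed, so -95 is the octet 0xA1, which is the DER tag of a SPNEGO NegTokenResp (the [1] CHOICE alternative in RFC 4178; the first SPNEGO round, NegTokenInit, is instead wrapped in a 0x60 GSS-API InitialContextToken, RFC 2743 section 3.1). The Python below is an editorial example added to this page, not code from the issue, from Elytron or from IBM Java: it decodes the framing of the token carried in a Negotiate header, such as the round-two token in the attached pcap, and reports the tag both as an unsigned octet and as the Java byte value a JGSS message would print. The sample tokens are constructed here with placeholder AP-REQ and NTLM payloads; the OIDs are the real SPNEGO, Kerberos 5 and NTLMSSP identifiers.

```python
"""Classify the outer framing of GSS-API / SPNEGO tokens carried in
HTTP "Authorization: Negotiate <base64>" headers (RFC 4559).

Tag at offset 0 of a token (RFC 2743 s.3.1, RFC 4178 s.4.2):
  0x60  [APPLICATION 0] InitialContextToken; the mechanism OID follows
        (SPNEGO 1.3.6.1.5.5.2 or Kerberos 5 1.2.840.113554.1.2.2)
  0xA0  [0] NegTokenInit, the first SPNEGO round (inside a 0x60 wrapper)
  0xA1  [1] NegTokenResp, every later SPNEGO round (sent bare, no wrapper)
Java's byte is signed, so a JGSS message reporting tag -95 means 0xA1.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


def java_signed_byte(b: int) -> int:
    """Value of a Java 'byte' holding the unsigned octet b."""
    return b - 256 if b > 127 else b


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the DER TLV at buf[pos]; returns (tag, body, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID, including the 0x06 tag and length."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Decode the body (without tag/length) of a DER OID to dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_token(token: bytes) -> dict:
    """Describe a token's framing; recurses into a NegTokenResp's responseToken."""
    tag = token[0]
    info = {"tag": tag, "java_byte": java_signed_byte(tag)}
    if tag == 0x60:
        _, body, _ = read_tlv(token)
        oid_tag, oid_body, pos = read_tlv(body)
        if oid_tag != 0x06:
            raise ValueError("InitialContextToken without a mechanism OID")
        mech = info["mech"] = decode_oid(oid_body)
        if mech == OID_SPNEGO:
            info["kind"] = {0xA0: "NegTokenInit", 0xA1: "NegTokenResp"}.get(body[pos], "unknown")
        elif mech == OID_KRB5:
            info["kind"] = "Kerberos InitialContextToken"
        else:
            info["kind"] = "InitialContextToken"
    elif tag == 0xA1:
        info["kind"] = "NegTokenResp"
        _, body, _ = read_tlv(token)
        _, seq, _ = read_tlv(body)            # NegTokenResp ::= SEQUENCE { ... }
        pos = 0
        while pos < len(seq):
            ftag, fbody, pos = read_tlv(seq, pos)
            if ftag == 0xA2:                  # responseToken [2] OCTET STRING
                _, mech_token, _ = read_tlv(fbody)
                info["response_token"] = classify_token(mech_token)
    else:
        info["kind"] = "unknown"
    return info


def negotiate_header(token: bytes) -> str:
    """Build the header value a client would send for this token."""
    return "Negotiate " + base64.b64encode(token).decode()


def classify_negotiate_header(value: str) -> dict:
    """Classify the token in an Authorization / WWW-Authenticate Negotiate value."""
    scheme, _, b64 = value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    return classify_token(base64.b64decode(b64))


# Constructed samples with placeholder payloads (not real tickets or NTLM messages).
KRB5_TOKEN = der_tlv(0x60, encode_oid(OID_KRB5) + b"\x01\x00" + b"<AP-REQ placeholder>")
NTLM_BLOB = b"NTLMSSP\x00\x01\x00\x00\x00"
# Round 1: NegTokenInit listing NTLMSSP before Kerberos and carrying an NTLM mechToken.
NEG_TOKEN_INIT = der_tlv(0x60, encode_oid(OID_SPNEGO) + der_tlv(0xA0, der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x30, encode_oid(OID_NTLMSSP) + encode_oid(OID_KRB5)))
    + der_tlv(0xA2, der_tlv(0x04, NTLM_BLOB)))))
# Round 2: bare NegTokenResp whose responseToken is a Kerberos InitialContextToken.
NEG_TOKEN_RESP = der_tlv(0xA1, der_tlv(0x30, der_tlv(0xA2, der_tlv(0x04, KRB5_TOKEN))))

if __name__ == "__main__":
    for name, tok in (("round 1", NEG_TOKEN_INIT), ("round 2", NEG_TOKEN_RESP)):
        print(name, classify_negotiate_header(negotiate_header(tok)))
```

Run against the base64 of each Authorization header from the capture: the round-two value starts with 0xA1 (Java byte -95), the tag the IBM TokenHeader message complains about, while the Kerberos AP-REQ it carries sits inside as a 0x60 InitialContextToken with the Kerberos 5 OID.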

            People

              Darran Lofthouse (darran.lofthouse@redhat.com)
              Martin Choma (mchoma@redhat.com)