PicketBox SECURITY-747: SubjectInfo.getRoles is null with cached credentials in SPNEGO


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Negotiation
    • EAP 6.1
    • Environment: SPNEGO setup with KERBEROS


      The JBoss Negotiation Toolkit (2.2.5)'s 3rd test uses this, so it can be reproduced by:

      • setting up a SPNEGO environment with a KDC, JBoss with SPNEGO configured in the security module, and a browser configured to do Kerberos negotiation
      • installing JBoss Negotiation Toolkit 2.2.5
      • logging in
      • navigating to the 3rd test (which succeeds)
      • refreshing and getting a NullPointerException on subjectinfo.getRoles().getRoles()

      SecurityContextAssociation.getSecurityContext().getSubjectInfo().getRoles() returns the user's roles on the initial login, but if you refresh you get null. All subsequent calls will return null.

      I'm using the 3rd test in JBoss Negotiation Toolkit. If you refresh after logging in, you get a NullPointerException

      It appears that with Basic authentication, JBossWebRealm.authenticate calls JBossAuthenticationManager.getSubjectRoles, which sets the roles on the SubjectInfo. However, with SPNEGO (NegotiationAuthenticator) JBossWebRealm.authenticate is not called on subsequent requests due to request.getUserPrincipal() being set, so the roles are never set on SubjectInfo. However, the role information is in SubjectInfo as a principal.

              Assignee: Unassigned
              Reporter: Chris Dolphy (rhn-support-cdolphy)
              Votes: 0
              Watchers: 3