Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: Negotiation_3_0_4_Final, Negotiation_2_3_13_Final
Affects Version/s: Negotiation_3_0_0_CR1, Negotiation_2_3_11_Final
Component/s: Negotiation
Labels:
- web_security

Git Pull Request:
https://github.com/wildfly-security/jboss-negotiation/pull/35, https://github.com/wildfly-security/jboss-negotiation/pull/36

Description

Inside the "SPNEGOLoginModule" (3.0.0.CR2-SNAPSHOT) the run()-Method of inner class "AcceptSecContext" checks for existence of Kerberos-oid within the SPNEGO-Token. But it checks solely the first element of the mechanism-list:

	if (mechList.get(0).equals(kerberos))
	{
	 gssToken = negTokenInit.getMechToken();
	}
	else
	{
	 boolean kerberosSupported = false;
	 ...

But SPNEGO-Token from Windows-KDC (2008 R2) supports four types of authentication (oids):

oid: 1.2.840.48018.1.2.2 (Windows Kerberos V5)
oid: 1.2.840.113554.1.2.2 (Kerberos V5 - we are looking for)
oid: 1.3.6.1.4.1.311.2.2.30 NegoEx
oid: 1.3.6.1.4.1.311.2.2.10 NTLM

So Kerberos-check within run()-method should iterate the mechList until it founds Kerberos-V5-oid:

               for (Oid oid : mechList)
                {
             	   if (oid.equals(kerberos))
                   {
            		   gssToken = negTokenInit.getMechToken();
                           break;
            	   }
               }

Attachments

Activity

People

Assignee:: Radovan Netuka

Reporter:: Harald Krause (Inactive)

Votes:: 4 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2015/10/08 7:23 AM

Updated:: 2020/09/14 5:31 AM

Resolved:: 2017/03/16 7:03 PM