Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.3.27.Final
    • Fix Version/s: 1.3.31.Final
    • Component/s: Servlet
    • Labels:
      None
    • Steps to Reproduce:

      Set up a Kerberos environment and test using IE (at least IE8, IE9 and IE10 send the token in every request). You will see the negotiation executed for every token sent.

      Description

      IE pre-authenticates with Kerberos in all situations, even when the server does not require any further authentication (the Authorization header, carrying the associated Kerberos token, is sent in every request). The current implementation in jboss-negotiation 3.0.4 (NegotiationMechanism.java) does not take into account whether the user was already authenticated and, therefore, a full re-negotiation is performed for every request that carries the token. This is a large amount of extra work for the infrastructure (mainly the AD/Kerberos server).

      After a lot of work in issue JBEAP-11680, this problem seems related to CachedAuthenticatedSessionMechanism not being executed. In EAP 7.0.6 the order of authentication mechanisms is:

      [stdout] (default task-1) traze AuthenticationMechanismsHandler handleRequest execute
      [stderr] (default task-1) AuthenticationMechanismsHandler.handleRequest: mechanisms.length=3
      [stderr] (default task-1) AuthenticationMechanismsHandler.handleRequest: mechanisms.length=org.jboss.security.negotiation.NegotiationMechanism@6ca0c877
      [stderr] (default task-1) AuthenticationMechanismsHandler.handleRequest: mechanisms.length=io.undertow.servlet.handlers.security.ServletFormAuthenticationMechanism@648a27fc
      [stderr] (default task-1) AuthenticationMechanismsHandler.handleRequest: mechanisms.length=io.undertow.security.impl.CachedAuthenticatedSessionMechanism@438cedb4
      

      The CachedAuthenticatedSessionMechanism is executed after the NegotiationMechanism. It seems that Undertow 1.3.x (DeploymentManagerImpl.java) adds the CachedAuthenticatedSessionMechanism at the end of the list, whereas in 1.4.x it is added first.
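      The following is a simplified model of the mechanism chain described above, added here as an illustration; it is not Undertow's or jboss-negotiation's code. KdcStub, TOKEN, handle_request and kdc_hits are constructed names, and the mechanisms only mimic the outcome semantics (AUTHENTICATED / NOT_ATTEMPTED / NOT_AUTHENTICATED) that the chain relies on. With the 1.3.x order the KDC is contacted once per request; with the 1.4.x order the cached session short-circuits every request after the first.

```python
from enum import Enum
TOKEN = "YIIC...constructed-placeholder-token..."  # constructed stand-in for the SPNEGO token
Outcome = Enum("Outcome", "AUTHENTICATED NOT_ATTEMPTED NOT_AUTHENTICATED")

class KdcStub:  # stands in for the AD/Kerberos round trip and counts how often it is hit
    def __init__(self):
        self.calls = 0
    def validate(self, token):
        self.calls += 1
        return "alice" if token == TOKEN else None

class NegotiationMechanism:
    def __init__(self, kdc):
        self.kdc = kdc
    def authenticate(self, headers, session):  # returns (outcome, principal or None)
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):  # IE attaches this header to every request
            return Outcome.NOT_ATTEMPTED, None
        user = self.kdc.validate(auth[len("Negotiate "):])
        if user is None:
            return Outcome.NOT_AUTHENTICATED, None
        session["account"] = user  # cache the identity for later requests
        return Outcome.AUTHENTICATED, user

class FormAuthenticationMechanism:
    def authenticate(self, headers, session):
        return Outcome.NOT_ATTEMPTED, None  # none of these requests is a form POST

class CachedAuthenticatedSessionMechanism:
    def authenticate(self, headers, session):
        if "account" not in session:
            return Outcome.NOT_ATTEMPTED, None
        return Outcome.AUTHENTICATED, session["account"]

def handle_request(mechanisms, headers, session):
    # Like AuthenticationMechanismsHandler: try each in order, stop at the first decision.
    for m in mechanisms:
        outcome, user = m.authenticate(headers, session)
        if outcome is not Outcome.NOT_ATTEMPTED:
            return outcome, user
    return Outcome.NOT_ATTEMPTED, None

def kdc_hits(order, requests=3):
    """Send `requests` token-bearing requests in one session; return the KDC round trips."""
    kdc, session = KdcStub(), {}
    mechs = {"negotiation": NegotiationMechanism(kdc), "form": FormAuthenticationMechanism(),
             "cached": CachedAuthenticatedSessionMechanism()}
    for _ in range(requests):
        headers = {"Authorization": "Negotiate " + TOKEN}
        assert handle_request([mechs[n] for n in order], headers, session) == (Outcome.AUTHENTICATED, "alice")
    return kdc.calls
```

      kdc_hits(["negotiation", "form", "cached"]) reproduces the 1.3.x ordering from the log above, and kdc_hits(["cached", "negotiation", "form"]) the 1.4.x ordering.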

                People

                • Assignee: Yeray Borges Santana (yersan)
                • Reporter: Yeray Borges Santana (yersan)
                • Tester: Michael Cada