Bug
Resolution: Done
Major
Otherwise we can end up with an error like this:
13:20:41,619 INFO [stdout] (XNIO-1 task-4) [JGSS_DBG_CRED] XNIO-1 task-4 getName found name: HTTP/web.dal.wildfly.org@DAL.WILDFLY.ORG, mech=1.2.840.113554.1.2.2
13:20:41,620 INFO [stdout] (XNIO-1 task-4) [JGSS_DBG_CRED] XNIO-1 task-4 Krb5 name type = 0
13:22:09,371 INFO [stdout] (XNIO-1 task-4) [JGSS_DBG_UNMARSH] XNIO-1 task-4 Real token len 692
13:22:09,372 INFO [stdout] (XNIO-1 task-4) [JGSS_DBG_UNMARSH] XNIO-1 task-4 Token oid 1.3.6.1.5.5.2
13:22:09,373 INFO [stdout] (XNIO-1 task-4) [JGSS_DBG_UNMARSH] XNIO-1 task-4 inner token len 684
13:22:09,374 ERROR [stderr] (XNIO-1 task-4) java.security.PrivilegedActionException: org.ietf.jgss.GSSException, major code: 13, minor code: 0
13:22:09,375 ERROR [stderr] (XNIO-1 task-4) major string: Invalid credentials
13:22:09,375 ERROR [stderr] (XNIO-1 task-4) minor string: Cannot obtain mechanism credential for mechanism 1.3.6.1.5.5.2
13:22:09,376 ERROR [stderr] (XNIO-1 task-4) at java.security.AccessController.doPrivileged(AccessController.java:375)
13:22:09,377 ERROR [stderr] (XNIO-1 task-4) at javax.security.auth.Subject.doAs(Subject.java:572)
13:22:09,378 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.GSSAPIAuthenticationMechanism.runGSSAPI(GSSAPIAuthenticationMechanism.java:168)
13:22:09,378 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.GSSAPIAuthenticationMechanism.authenticate(GSSAPIAuthenticationMechanism.java:119)
13:22:09,379 ERROR [stderr] (XNIO-1 task-4) at org.jboss.as.domain.http.server.security.AuthenticationMechanismWrapper.authenticate(AuthenticationMechanismWrapper.java:52)
13:22:09,380 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:280)
13:22:09,381 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:297)
13:22:09,382 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:267)
13:22:09,383 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:130)
13:22:09,384 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:105)
13:22:09,385 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:98)
13:22:09,386 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:50)
13:22:09,386 ERROR [stderr] (XNIO-1 task-4) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199)
13:22:09,387 ERROR [stderr] (XNIO-1 task-4) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:767)
13:22:09,387 ERROR [stderr] (XNIO-1 task-4) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1177)
13:22:09,388 ERROR [stderr] (XNIO-1 task-4) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
13:22:09,388 ERROR [stderr] (XNIO-1 task-4) at java.lang.Thread.run(Thread.java:857)
13:22:09,389 ERROR [stderr] (XNIO-1 task-4) Caused by: org.ietf.jgss.GSSException, major code: 13, minor code: 0
13:22:09,389 ERROR [stderr] (XNIO-1 task-4) major string: Invalid credentials
13:22:09,389 ERROR [stderr] (XNIO-1 task-4) minor string: Cannot obtain mechanism credential for mechanism 1.3.6.1.5.5.2
13:22:09,390 ERROR [stderr] (XNIO-1 task-4) at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:9)
13:22:09,391 ERROR [stderr] (XNIO-1 task-4) at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:33)
13:22:09,391 ERROR [stderr] (XNIO-1 task-4) at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:396)
13:22:09,392 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.GSSAPIAuthenticationMechanism$AcceptSecurityContext.run(GSSAPIAuthenticationMechanism.java:221)
13:22:09,392 ERROR [stderr] (XNIO-1 task-4) at io.undertow.security.impl.GSSAPIAuthenticationMechanism$AcceptSecurityContext.run(GSSAPIAuthenticationMechanism.java:191)
13:22:09,393 ERROR [stderr] (XNIO-1 task-4) at java.security.AccessController.doPrivileged(AccessController.java:369)
13:22:09,393 ERROR [stderr] (XNIO-1 task-4) ... 16 more
The client is sending a SPNEGO message (1.3.6.1.5.5.2), but the default GSSCredential is for Kerberos (1.2.840.113554.1.2.2), so we need to ensure that we create a GSSCredential ourselves that is compatible with SPNEGO.
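The mismatch described above, as an added example that is not Undertow's or WildFly's own code: `tokenMechanism` reads the mechanism OID from the front of an incoming GSS-API token (the value the debug log prints as "Token oid"), and `createAcceptContext` requests an acceptor credential for both Kerberos and SPNEGO instead of relying on the default. The class name, method names and sample bytes are assumptions made for the illustration.

```java
import java.util.Arrays;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Added example; class and method names are hypothetical.
public class SpnegoAcceptorExample {

    // Read the mechanism OID from an initial GSS-API token:
    // 0x60 <length> 0x06 <oidLength> <oid bytes> <inner token>
    static Oid tokenMechanism(byte[] token) throws GSSException {
        if (token.length < 4 || (token[0] & 0xff) != 0x60) {
            throw new IllegalArgumentException("not an initial GSS-API token");
        }
        int pos = 2;
        int firstLen = token[1] & 0xff;
        if (firstLen >= 0x80) {
            pos += firstLen & 0x7f; // long-form length: skip the extra length bytes
        }
        if (pos + 2 > token.length || token[pos] != 0x06 || (token[pos + 1] & 0x80) != 0) {
            throw new IllegalArgumentException("mechanism OID not found");
        }
        int end = pos + 2 + token[pos + 1];
        if (end > token.length) {
            throw new IllegalArgumentException("truncated mechanism OID");
        }
        // Oid(byte[]) expects the full DER encoding, tag and length included.
        return new Oid(Arrays.copyOfRange(token, pos, end));
    }

    // Acceptor credential covering both mechanisms; call inside Subject.doAs
    // for a Subject that holds the service principal's Kerberos key.
    static GSSContext createAcceptContext() throws GSSException {
        Oid[] mechs = { new Oid("1.2.840.113554.1.2.2"), new Oid("1.3.6.1.5.5.2") };
        GSSManager manager = GSSManager.getInstance();
        GSSCredential credential = manager.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, mechs, GSSCredential.ACCEPT_ONLY);
        return manager.createContext(credential);
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample: header of a SPNEGO token only, no inner token.
        byte[] header = { 0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 };
        System.out.println("Token oid " + tokenMechanism(header));
    }
}
```

`createAcceptContext` needs a Kerberos configuration and a service Subject (for example from a keytab login), so `main` exercises only the offline token check.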