Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-2466

Elytron, IBM java, SPNEGO continuation required situation

    XMLWordPrintable

Details

    • Bug
    • Resolution: Done
    • Blocker
    • 3.0.0.Beta29
    • 3.0.0.Beta7
    • Security
    • None

    Description

      I have problem to achieve this scenario with elytron on IBM java:

      1. Using IBM Java
      2. Client sends non kerberos OID mechanism as most preferred with non kerberos ticket
      3. Server response with "continuation required"
      4. Client sends kerberos ticket
      5. Server response with 401 instead of 200
      6. In server there is error
        10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
        	major string: Defective token
        	minor string: Bad token tag: -95
        	at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
        	at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
        	at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
        	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
        	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
        	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
        	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
        

      Basically, it is same scenario as tested in [1] (for legacy security).

      This scenario works correctly

      • on Oracle and OpenJDK java with elytron in EAP 7.1
      • with legacy security on IBM java in EAP 7.1

      Setting high priority as:

      • It works in legacy security, so customers won't be able to migrate
      • Similar error was resolved in EAP 7.0 (JBEAP-3709) as blocker because customer case existed for that.

      [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
      [2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L357

      Attachments

        Issue Links

          Activity

            Public project attachment banner

              context keys: [headless, issue, helper, isAsynchronousRequest, project, action, user]
              current Project key: WFCORE

              People

                darran.lofthouse@redhat.com Darran Lofthouse
                mchoma@redhat.com Martin Choma
                Martin Choma Martin Choma
                Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved: