WildFly Core / WFCORE-2466

Elytron, IBM java, SPNEGO continuation required situation


    • Bug
    • Resolution: Done
    • Blocker
    • 3.0.0.Beta29
    • 3.0.0.Beta7
    • Security
    • None

      I have a problem achieving this scenario with Elytron on IBM Java:

      1. Using IBM Java
      2. Client sends a non-Kerberos OID mechanism as most preferred, with a non-Kerberos ticket
      3. Server responds with "continuation required"
      4. Client sends a Kerberos ticket
      5. Server responds with 401 instead of 200
      6. On the server there is this error:
        10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
        	major string: Defective token
        	minor string: Bad token tag: -95
        	at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
        	at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
        	at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
        	at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
        	at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
        	at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
        	at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
        	at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
        	at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
        	at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
        

      Basically, it is the same scenario as tested in [1] (for legacy security).

      This scenario works correctly:

      • on Oracle and OpenJDK Java with Elytron in EAP 7.1
      • with legacy security on IBM Java in EAP 7.1

      Setting high priority as:

      • It works in legacy security, so customers won't be able to migrate
      • A similar error was resolved in EAP 7.0 (JBEAP-3709) as a blocker because a customer case existed for it.

      [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
      [2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L357
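The exchange in the description, rebuilt as an added example that is not part of the original report and not WildFly, Elytron or IBM JGSS code. It is a small builder and classifier for the outer SPNEGO (RFC 4178) tokens: the client's first message is an InitialContextToken (outer byte 0x60) wrapping a NegTokenInit whose mechTypes list a non-Kerberos mechanism first; the server's "continuation required" is a NegTokenResp with negState accept-incomplete and supportedMech = Kerberos; the client's second message is again a bare NegTokenResp, whose outer byte is 0xA1. Java prints that byte as a signed value, -95, which is the number in the "Bad token tag: -95" trace above: an acceptor that treats the second request as if it were a fresh initial token chokes on exactly that byte. NTLMSSP as the non-Kerberos mechanism and the mechanism-token payloads are constructed assumptions, not data from the attached capture.

```python
# Added example, not WildFly, Elytron or IBM JGSS code: builds and classifies the outer
# SPNEGO (RFC 4178) tokens of the reported exchange. Payloads are constructed placeholders;
# NTLMSSP as the "non-Kerberos mechanism" is an assumption.
SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def parse_tlv(buf, off=0):
    """Return (tag, value, offset just past the element); handles long-form lengths."""
    tag, first = buf[off], buf[off + 1]
    if first & 0x80:
        n = first & 0x7F
        length, start = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    else:
        length, start = first, off + 2
    return tag, buf[start:start + length], start + length

def oid_der(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER element (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def oid_str(value):
    """Value octets of a DER OBJECT IDENTIFIER -> dotted string."""
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def neg_token_init(mech_oids, mech_token):
    """Client's first message: [APPLICATION 0] { SPNEGO OID, NegTokenInit [0] }, outer byte 0x60."""
    mech_types = tlv(0xA0, tlv(0x30, b"".join(oid_der(o) for o in mech_oids)))
    mech_tok = tlv(0xA2, tlv(0x04, mech_token))
    return tlv(0x60, oid_der(SPNEGO_OID) + tlv(0xA0, tlv(0x30, mech_types + mech_tok)))

def neg_token_resp(neg_state, supported_mech=None, response_token=None):
    """Every later message, from either side: bare NegTokenResp [1], outer byte 0xA1."""
    body = tlv(0xA0, tlv(0x0A, bytes([neg_state])))
    if supported_mech:
        body += tlv(0xA1, oid_der(supported_mech))
    if response_token:
        body += tlv(0xA2, tlv(0x04, response_token))
    return tlv(0xA1, tlv(0x30, body))

def java_signed(b):
    """How Java prints a byte: 0xA1 is -95, the value in the report's trace."""
    return b - 256 if b > 127 else b

def describe(token):
    """Classify a token by its outer tag and extract the fields that drive negotiation."""
    tag, body, _ = parse_tlv(token)
    if tag == 0x60:
        otag, oid, off = parse_tlv(body)
        if otag != 0x06 or oid_str(oid) != SPNEGO_OID:
            raise ValueError("InitialContextToken does not carry the SPNEGO OID")
        _, seq, _ = parse_tlv(parse_tlv(body, off)[1])  # [0] NegTokenInit -> SEQUENCE
        _, lst, _ = parse_tlv(parse_tlv(seq)[1])        # [0] mechTypes -> SEQUENCE OF OID
        mechs, off = [], 0
        while off < len(lst):
            _, v, off = parse_tlv(lst, off)
            mechs.append(oid_str(v))
        return {"kind": "NegTokenInit", "mechTypes": mechs}
    if tag == 0xA1:
        _, seq, _ = parse_tlv(body)
        _, st, off = parse_tlv(seq)                     # [0] negState ENUMERATED
        out = {"kind": "NegTokenResp", "negState": NEG_STATES[parse_tlv(st)[1][0]]}
        while off < len(seq):
            t, v, off = parse_tlv(seq, off)
            if t == 0xA1:
                out["supportedMech"] = oid_str(parse_tlv(v)[1])
            elif t == 0xA2:
                out["responseToken"] = parse_tlv(v)[1]
        return out
    raise ValueError(f"not a SPNEGO token: outer tag 0x{tag:02X} (Java byte {java_signed(tag)})")

def exchange():
    """The three messages from the report; an acceptor expecting a fresh 0x60 token sees t3 as tag -95."""
    t1 = neg_token_init([NTLMSSP_OID, KRB5_OID], b"NTLMSSP\x00\x01\x00\x00\x00")  # placeholder
    t2 = neg_token_resp(1, supported_mech=KRB5_OID)                 # server: continuation required
    t3 = neg_token_resp(1, response_token=b"\x6e" + b"\x00" * 40)   # placeholder AP-REQ bytes
    return [describe(t) for t in (t1, t2, t3)], java_signed(t3[0])
```

Calling `exchange()` returns the three decoded messages and the signed value of the third token's first byte, -95. The practical check when debugging a capture like the attached pcap is the outer byte of each `Authorization: Negotiate` payload after base64 decoding: 0x60 on the first request, 0xA1 on every continuation, and the acceptor must keep the same GSSContext across those requests rather than start a new one.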

        1. ContinuationRequiredIBM.pcap (9 kB, Martin Choma)
        2. server.log (17 kB, Martin Choma)

              Darran Lofthouse <darran.lofthouse@redhat.com>
              Martin Choma <mchoma@redhat.com>