Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Won't Do
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: Security
Labels:

Steps to Reproduce:

Hide

1. Configure SPNEGO for deployment (https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-ConfigureAuthenticationwithaKerberosBasedIdentityStore)
2. Configure https for deployment (https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableOnewaySSL%2FTLSforApplications)
3. Try to acces https://localhost.localdomain:8443/app/
4. It is not possible - 401 http code is returned. EAP ask for ticket for HTTPS/localhost.localdomain service

Show
1. Configure SPNEGO for deployment ( https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-ConfigureAuthenticationwithaKerberosBasedIdentityStore ) 2. Configure https for deployment ( https://docs.jboss.org/author/display/WFLY/WildFly+Elytron+Security#WildFlyElytronSecurity-EnableOnewaySSL%2FTLSforApplications ) 3. Try to acces https://localhost.localdomain:8443/app/ 4. It is not possible - 401 http code is returned. EAP ask for ticket for HTTPS/localhost.localdomain service

Description

Accessing deployment secured by Kerberos + TLS causes EAP requests from KDC ticket HTTPS/hostname.

See network dump krb_https_deployment.pcap in attachement, where TGS-REQ for HTTPS/localhost is captured.

If I configure HTTPS/hostname in KDC and kerberos credential factory to use principal HTTPS/hostname it works correctly. But I still believe it is bug:

At least it is not consistent with legacy management interface behaviour (~~JBEAP-8572~~).
found 2 sources describing protocol and service does not match 1:1 and for https protocol HTTP/hostname SPN should be used [1][2]

[1] https://sites.google.com/a/chromium.org/dev/developers/design-documents/http-authentication
[2] https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on-internet-information-services

Attachments

Issue Links

clones

JBEAP-10121 Elytron SPNEGO authentication in deployment over HTTPS, EAP requests for HTTPS/hostname ticket.

Closed

Activity

People

Assignee:: Darran Lofthouse

Reporter:: Martin Choma

Tester:: Martin Choma

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2017/04/04 7:57 AM

Updated:: 2017/12/06 12:02 PM

Resolved:: 2017/09/27 6:40 AM