[jboss-jira] [JBoss JIRA] (SECURITY-719) request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2

RH Bugzilla Integration (JIRA) jira-events@lists.jboss.org
Thu Jan 10 09:45:09 EST 2013


    [ https://issues.jboss.org/browse/SECURITY-719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12744839#comment-12744839 ] 

RH Bugzilla Integration commented on SECURITY-719:
--------------------------------------------------

mposolda@redhat.com changed the Status of [bug 891976|https://bugzilla.redhat.com/show_bug.cgi?id=891976] from ASSIGNED to MODIFIED
                
> request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
> -------------------------------------------------------------------
>
>                 Key: SECURITY-719
>                 URL: https://issues.jboss.org/browse/SECURITY-719
>             Project: PicketBox 
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Negotiation
>    Affects Versions: Negotiation_2_2_1
>         Environment: EAP 6.0.1.ER4.2
> SPNEGO setup with Kerberos
> Kerberos user: demo@LOCAL.NETWORK
>            Reporter: Marek Posolda
>            Assignee: Darran Lofthouse
>             Fix For: Negotiation_2_2_2
>
>
> It seems that JBoss Negotiation 2.2.1.Final doesn't work correctly on EAP 6.0.1.ER4.2. I am able to reproduce the issue with SecuredServlet from the Negotiation toolkit.
> I logged in through SPNEGO (Kerberos) and in SecuredServlet I am seeing these outputs:
> request.getUserPrincipal() returns a principal with name "demo@LOCAL.NETWORK" -> OK
> request.getRemoteUser() returns something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922" -> FAILURE!!!
> SecurityContextAssociation.getSecurityContext().getSubjectInfo().getIdentities().next() also returns "dPC0cG6NhAUi88tSbvQar59M_1357729358922" -> FAILURE!!!
> Note that JBoss Negotiation 2.2.1.Final works correctly on JBoss AS 7.1.3; it fails only on EAP 6.0.1.ER4.2. The reason is not related to Negotiation itself, but to changes in behaviour in related libraries like jboss-as-web and picketbox-infinispan.
> In NegotiationAuthenticator the call to JBossWebRealm:
> principal = realm.authenticate(username, (String) null);
> now returns a JBossGenericPrincipal with the username taken from the calling username. So it is something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922", as the calling username is only a placeholder computed from the sessionId and system time.
> Previously the username was taken from the principal of the JAAS-authenticated user, which correctly returned "demo@LOCAL.NETWORK".
> So the bug seems to be due to changes in JBossWebRealm and maybe also picketbox classes like JBossCachedAuthenticationManager (seeing that the cache key is now also the calling username instead of the username of the authenticated principal).

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
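A servlet filter that flags the symptom reported above at runtime, added here as an example (it is not part of the report, of JBoss Negotiation or of PicketBox): it compares request.getRemoteUser() with request.getUserPrincipal().getName(), which the report shows disagreeing, and additionally notes when the remote user has the "<opaque>_<epoch millis>" shape of the placeholder value quoted in the report. The placeholder regex is an assumption derived from that single value, and the filter only sees the servlet-visible identity, not the SecurityContextAssociation identities the report also mentions.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Logs a warning whenever the container's remote user disagrees with the authenticated principal. */
public class RemoteUserConsistencyFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RemoteUserConsistencyFilter.class.getName());

    // Assumed shape of the placeholder quoted in the report ("<opaque>_<epoch millis>");
    // inferred from the single value shown, so treat it as a heuristic, not a specification.
    static final Pattern PLACEHOLDER = Pattern.compile("^[A-Za-z0-9_-]+_\\d{13}$");

    /** Returns null when both views of the identity agree, otherwise a description of the mismatch. */
    static String checkIdentity(String remoteUser, Principal principal) {
        if (principal == null) {
            return null; // unauthenticated request: nothing to compare
        }
        String expected = principal.getName();
        if (remoteUser == null || !remoteUser.equals(expected)) {
            String hint = (remoteUser != null && PLACEHOLDER.matcher(remoteUser).matches())
                    ? " (looks like a session/time placeholder)" : "";
            return "getRemoteUser()=" + remoteUser + " but getUserPrincipal()=" + expected + hint;
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            String problem = checkIdentity(http.getRemoteUser(), http.getUserPrincipal());
            if (problem != null) {
                // Surfacing the mismatch in the server log makes the regression visible
                // without relying on a hand-written test servlet such as SecuredServlet.
                LOG.warning("Identity mismatch for " + http.getRequestURI() + ": " + problem);
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter in web.xml in front of the secured paths; on an affected EAP build every SPNEGO-authenticated request then produces a warning naming both values, on a correct build none.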
