[
https://issues.jboss.org/browse/WFLY-8506?page=com.atlassian.jira.plugin....
]
Martin Choma moved JBEAP-10122 to WFLY-8506:
--------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-8506 (was: JBEAP-10122)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: Security)
Affects Version/s: (was: 7.1.0.DR15)
Elytron SPNEGO authentication in deployment over HTTPS, EAP requests
for HTTPS/hostname ticket.
-----------------------------------------------------------------------------------------------
Key: WFLY-8506
URL:
https://issues.jboss.org/browse/WFLY-8506
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Priority: Blocker
Labels: eap71_beta_candidate, kerberos, spnego, tls
Accessing deployment secured by Kerberos + TLS causes EAP requests from KDC ticket
HTTPS/hostname.
See network dump krb_https_deployment.pcap in attachement, where TGS-REQ for
HTTPS/localhost is captured.
If I configure HTTPS/hostname in KDC and kerberos credential factory to use principal
HTTPS/hostname it works correctly. But I still believe it is bug:
* At least it is not consistent with legacy management interface behaviour (JBEAP-8572).
* found 2 sources describing protocol and service does not match 1:1 and for https
protocol HTTP/hostname SPN should be used [1][2]
[1]
https://sites.google.com/a/chromium.org/dev/developers/design-documents/h...
[2]
https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-...
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)