Darran Lofthouse moved WFLY-7991 to WFCORE-2477:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2477 (was: WFLY-7991)
Component/s: Security
(was: Security)
Legacy Kerberos in management, regression in choosing keytab strategy
---------------------------------------------------------------------
Key: WFCORE-2477
URL:
https://issues.jboss.org/browse/WFCORE-2477
Project: WildFly Core
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
There is a regression in the strategy of choosing a keytab, described by the xsd:
{code:xml|title=wildfly-config_5_0.xsd}
<xs:element name="keytab">
<xs:complexType>
<xs:annotation>
<xs:documentation>
Reference to an individual keytab.
On handling the authentication for an incoming request two
pieces of information are known, the protocol and the name of the host
this server is acting as. For HTTP requests the protocol
will always be HTTP, for requests over Remoting by default the protocol will
be 'remote' although this can be overridden.
At the time authentication is going to be handled the keytab
will be selected as follows: -
1 - Iterate the list of keytabs and identify one where the
for-hosts attribute contains an entry matching protocol/hostname.
2 - Iterate the list of keytabs and identify one where the
name of the principal matches protocol/hostname.
3 - Iterate the list of keytabs and identify one where the
for-hosts attribute contains an entry matching hostname.
4 - Iterate the list of keytabs and identify one where the
hostname portion of the principal matches the hostname of the request.
5 - Use the keytab where for-hosts is set to '*'.
If no match is found no keytab will be selected and Kerberos
will not be available for communication as that host.
</xs:documentation>
</xs:annotation>
{code}
In this example
{code:xml|title=standalone.xml}
<security-realm name="PriorityForHostsProtocolBeforePrincipal">
    <server-identities>
        <kerberos>
            <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"
                    for-hosts="wrongprotocol/localhost.localdomain"/>
            <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab"
                    for-hosts="HTTP/localhost.localdomain"/>
        </kerberos>
    </server-identities>
</security-realm>
{code}
Rule 1 should be applied, but {{<keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>}} is chosen:
{code:title=server.log}
10:28:40,743 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:28:40,744 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
10:28:40,744 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,847 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:28:40,848 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
{code}
In this example
{code:xml|title=standalone.xml}
<security-realm name="PriorityProtocolPrincipalBeforeForHosts">
    <server-identities>
        <kerberos>
            <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"
                    for-hosts="wronghost"/>
            <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab"
                    for-hosts="localhost.localdomain"/>
        </kerberos>
    </server-identities>
</security-realm>
{code}
Rule 2 should be applied, but {{<keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>}} is chosen:
{code:title=server.log}
10:29:21,889 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:29:21,890 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
10:29:21,959 INFO [stdout] (management task-9) Entered Krb5Context.acceptSecContext with state=STATE_NEW
10:29:21,960 INFO [stdout] (management task-9) Looking for keys for: HTTP/wronghost@JBOSS.ORG
{code}
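Added illustration, not WildFly code: a small Python model of the five-rule selection order quoted above from wildfly-config_5_0.xsd, run against the two security-realm snippets from this report (closing tags added so they parse). The for-hosts attribute is treated as a whitespace separated list and matching is exact, case-sensitive string comparison; both are assumptions, the xsd states neither. documented_choice() returns the rule number and principal the documented order selects, i.e. the expected result for each scenario. Called with the lowercase protocol 'http', which is what the trace line "No mapping for name 'http/localhost.localdomain'" shows the server looking up, the same rules return exactly the keytabs the logs report being selected (rule 4 in the first realm, rule 3 in the second). That is consistent with a case mismatch in the protocol/hostname lookup, but the model cannot confirm what the implementation actually does.

```python
"""Model of the keytab selection order documented in wildfly-config_5_0.xsd.

Added example, not WildFly code. Matching is exact, case-sensitive string
comparison and for-hosts is split on whitespace: both are assumptions, the
xsd quoted in the report states neither.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Keytab:
    principal: str              # e.g. "HTTP/localhost.localdomain@JBOSS.ORG"
    path: str
    for_hosts: Tuple[str, ...]  # entries of the for-hosts attribute

    @property
    def service_name(self) -> str:
        """Principal without the @REALM suffix, i.e. 'protocol/hostname'."""
        return self.principal.split("@", 1)[0]

    @property
    def principal_host(self) -> str:
        """Hostname portion of the principal (text after 'protocol/')."""
        name = self.service_name
        return name.split("/", 1)[1] if "/" in name else name


def load_keytabs(realm_xml: str) -> Tuple[Keytab, ...]:
    """Read the <keytab> elements of a <security-realm> in document order."""
    root = ET.fromstring(realm_xml)
    return tuple(
        Keytab(e.get("principal"), e.get("path"), tuple(e.get("for-hosts", "").split()))
        for e in root.iter("keytab")
    )


def select_keytab(keytabs: Sequence[Keytab], protocol: str,
                  hostname: str) -> Optional[Tuple[int, Keytab]]:
    """Apply the five documented rules in order; each rule scans the whole
    list before the next rule is tried. Returns (rule number, keytab) or None."""
    key = f"{protocol}/{hostname}"
    rules = (
        lambda kt: key in kt.for_hosts,            # 1: for-hosts contains protocol/hostname
        lambda kt: kt.service_name == key,         # 2: principal name is protocol/hostname
        lambda kt: hostname in kt.for_hosts,       # 3: for-hosts contains hostname
        lambda kt: kt.principal_host == hostname,  # 4: principal's hostname matches
        lambda kt: "*" in kt.for_hosts,            # 5: wildcard for-hosts
    )
    for number, rule in enumerate(rules, start=1):
        for kt in keytabs:
            if rule(kt):
                return number, kt
    return None  # no keytab selected: Kerberos unavailable for this host


# The two realms from the report (closing tags added so they parse).
REALM_FOR_HOSTS_FIRST = """\
<security-realm name="PriorityForHostsProtocolBeforePrincipal">
  <server-identities>
    <kerberos>
      <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"
              for-hosts="wrongprotocol/localhost.localdomain"/>
      <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab"
              for-hosts="HTTP/localhost.localdomain"/>
    </kerberos>
  </server-identities>
</security-realm>"""

REALM_PRINCIPAL_FIRST = """\
<security-realm name="PriorityProtocolPrincipalBeforeForHosts">
  <server-identities>
    <kerberos>
      <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab"
              for-hosts="wronghost"/>
      <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab"
              for-hosts="localhost.localdomain"/>
    </kerberos>
  </server-identities>
</security-realm>"""


def documented_choice(realm_xml: str, protocol: str = "HTTP",
                      hostname: str = "localhost.localdomain"):
    """(rule number, principal) the documented order selects, or None."""
    found = select_keytab(load_keytabs(realm_xml), protocol, hostname)
    return None if found is None else (found[0], found[1].principal)


if __name__ == "__main__":
    for label, realm in (("for-hosts first", REALM_FOR_HOSTS_FIRST),
                         ("principal first", REALM_PRINCIPAL_FIRST)):
        print(label, "expected:", documented_choice(realm),
              "| with lowercase 'http':", documented_choice(realm, protocol="http"))
```

Run as-is it prints, for each realm, the selection the xsd order gives for 'HTTP/localhost.localdomain' next to the one it gives for 'http/localhost.localdomain'; the second column matches the principals in the two server.log excerpts.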