Radovan Netuka commented on SECURITY-921:
-----------------------------------------
PR for 2.3.x:
SPNEGO authentication fails on Windows-KDC
------------------------------------------
Key: SECURITY-921
URL: https://issues.jboss.org/browse/SECURITY-921
Project: PicketBox
Issue Type: Bug
Components: Negotiation
Affects Versions: Negotiation_3_0_0_CR1, Negotiation_2_3_11_Final
Environment: *
Reporter: Harald Krause
Assignee: Radovan Netuka
Labels: web_security
Inside the "SPNEGOLoginModule" (3.0.0.CR2-SNAPSHOT), the run() method of the inner
class "AcceptSecContext" checks for the existence of the Kerberos OID within the
SPNEGO token. But it checks solely the first element of the mechanism list:
{code:java}
if (mechList.get(0).equals(kerberos))
{
    gssToken = negTokenInit.getMechToken();
}
else
{
    boolean kerberosSupported = false;
    ...
{code}
But the SPNEGO token from a Windows KDC (2008 R2) supports four types of authentication
(OIDs):
* oid: 1.2.840.48018.1.2.2 (Windows Kerberos V5)
* oid: 1.2.840.113554.1.2.2 (Kerberos V5 - the one we are looking for)
* oid: 1.3.6.1.4.1.311.2.2.30 NegoEx
* oid: 1.3.6.1.4.1.311.2.2.10 NTLM
So the Kerberos check within the run() method should iterate the mechList until it
finds the Kerberos V5 OID:
{code:java}
for (Oid oid : mechList)
{
    if (oid.equals(kerberos))
    {
        gssToken = negTokenInit.getMechToken();
        break;
    }
}
{code}
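The mechanism-list ordering described above, worked through as an added example (Python, not PicketBox's own Java code): it DER-encodes a mechTypes list in the order the report gives for a Windows 2008 R2 client, decodes it back, and contrasts the first-element check with the iterating check; the encoder, decoder and sample token are constructed here for illustration.

```python
# Added example, not PicketBox code: decode a NegTokenInit mechTypes list and
# pick Kerberos V5 by scanning the whole list, as the proposed fix does.
KERBEROS_V5 = "1.2.840.113554.1.2.2"  # the OID the login module must find
MS_KERBEROS = "1.2.840.48018.1.2.2"   # Windows "MS KRB5" variant, listed first

def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last octet
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_mech_types(oids):  # DER SEQUENCE OF OID, short-form length (< 128)
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body

def decode_oid(body):  # value octets of a DER OBJECT IDENTIFIER -> dotted form
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_mech_types(seq):  # OIDs of a DER mechTypes SEQUENCE, in list order
    assert seq[0] == 0x30, "expected SEQUENCE"
    i, end, oids = 2, 2 + seq[1], []
    while i < end:
        assert seq[i] == 0x06, "expected OBJECT IDENTIFIER"
        length = seq[i + 1]
        oids.append(decode_oid(seq[i + 2:i + 2 + length]))
        i += 2 + length
    return oids

def first_element_is_kerberos(mech_list):  # original check: mechList.get(0) only
    return bool(mech_list) and mech_list[0] == KERBEROS_V5
def select_kerberos(mech_list):  # fixed check: iterate; None if Kerberos V5 absent
    return next((oid for oid in mech_list if oid == KERBEROS_V5), None)

# Constructed mechTypes in the order the report lists them for Windows 2008 R2
WINDOWS_MECH_TYPES = encode_mech_types([MS_KERBEROS, KERBEROS_V5,
    "1.3.6.1.4.1.311.2.2.30", "1.3.6.1.4.1.311.2.2.10"])  # NegoEx, NTLM
```

With MS KRB5 at index 0, `first_element_is_kerberos` rejects the token even though Kerberos V5 is offered at index 1, which is exactly the failure the report describes; `select_kerberos` finds it.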