[
https://issues.jboss.org/browse/SECURITY-719?page=com.atlassian.jira.plug...
]
Marek Posolda commented on SECURITY-719:
----------------------------------------
Just a note that issue can be reproduced with latest AS7 master and negotiation
2.2.2.Final.
I needed quick fix available today for JPP6, so I workaround for GateIn with commit
https://github.com/mposolda/gatein-sso/commit/630208526f669beb9132172c6f0...,
which simply rewrite the session_systemTime token with real username in the principal
returned from jbossweb realm.
request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
-------------------------------------------------------------------
Key: SECURITY-719
URL:
https://issues.jboss.org/browse/SECURITY-719
Project: PicketBox
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Components: Negotiation
Affects Versions: Negotiation_2_2_1
Environment: EAP 6.0.1.ER4.2
SPNEGO setup with Kerberos
Kerberos user: demo(a)LOCAL.NETWORK
Reporter: Marek Posolda
Assignee: Darran Lofthouse
Fix For: Negotiation_2_2_2
It seems that JBoss negotiation 2.2.1.Final doesn't work correctly on EAP
6.0.1.ER4.2. I am able to reproduce issue with SecuredServlet from negotiation toolkit.
I logged in through SPNEGO (Kerberos) and in SecuredServlet, I am seeing those outputs:
request.getUserPrincipal() returns principal with name "demo(a)LOCAL.NETWORK"
-> OK
request.getRemoteUser() returns something like
"dPC0cG6NhAUi88tSbvQar59M_1357729358922" -> FAILURE!!!
SecurityContextAssociation.getSecurityContext().getSubjectInfo().getIdentities().next()
also returns "dPC0cG6NhAUi88tSbvQar59M_1357729358922" => FAILURE!!!
Note that JBoss Negotiation 2.2.1.Final works correctly on JBoss AS 7.1.3 but it failed
only on EAP 6.0.1.ER4.2. The reason is not related to Negotiation itself, but due to
changes in behaviour in related libraries like jboss-as-web and picketbox-infinispan.
In NegotiationAuthenticator the call to JBossWebRealm:
principal = realm.authenticate(username, (String) null);
now returns JBossGenericPrincipal with username taken from calling username. So it's
something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922" as calling username is
only placeholder computed from sessionId and system time.
Previously the username was taken from principal of JAAS authenticated user, which
correctly returned "demo(a)LOCAL.NETWORK".
So the bug seems to be due to changes in JBossWebRealm and maybe also picketbox classes
like JBossCachedAuthenticationManager (seeing that cache key is now also calling username
instead of username of authenticated principal).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira