]
Radovan Netuka reassigned SECURITY-921:
---------------------------------------
Assignee: Radovan Netuka (was: Darran Lofthouse)
SPNEGO authentication fails on Windows-KDC
------------------------------------------
Key: SECURITY-921
URL:
https://issues.jboss.org/browse/SECURITY-921
Project: PicketBox
Issue Type: Bug
Components: Negotiation
Affects Versions: Negotiation_3_0_0_CR1
Environment: *
Reporter: Harald Krause
Assignee: Radovan Netuka
Labels: web_security
Inside the "SPNEGOLoginModule" (3.0.0.CR2-SNAPSHOT) the run()-Method of inner
class "AcceptSecContext" checks for existence of Kerberos-oid within the
SPNEGO-Token. But it checks solely the first element of the mechanism-list:
{code:java}
if (mechList.get(0).equals(kerberos))
{
gssToken = negTokenInit.getMechToken();
}
else
{
boolean kerberosSupported = false;
...
{code}
But SPNEGO-Token from Windows-KDC (2008 R2) supports four types of authentication
(oids):
* oid: 1.2.840.48018.1.2.2 (Windows Kerberos V5)
* oid: 1.2.840.113554.1.2.2 (Kerberos V5 - we are looking for)
* oid: 1.3.6.1.4.1.311.2.2.30 NegoEx
* oid: 1.3.6.1.4.1.311.2.2.10 NTLM
So Kerberos-check within run()-method should iterate the mechList until it founds
Kerberos-V5-oid:
{code:java}
for (Oid oid : mechList)
{
if (oid.equals(kerberos))
{
gssToken = negTokenInit.getMechToken();
break;
}
}
{code}