[jboss-jira] [JBoss JIRA] (ELY-1328) Unable to use GS2-KRB5-PLUS SASL mechanism - AP_REQ token id does not match

Thursday, 10 August 2017

     [
https://issues.jboss.org/browse/ELY-1328?page=com.atlassian.jira.plugin.s...
]

Josef Cacek updated ELY-1328:
-----------------------------
    Description: 
Invalid initial token is used on server for *GS2-KRB5-PLUS* SASL mechanism. The 
{{Gs2SaslServer}} uses a GSSContext to accept the token. It expects AP_REQ is comming
(*{{AP_REQ_ID=256}}*), but the incomming tokenId has value *{{669}}* (value of first 2
bytes of token body).

Setting blocker as this mechanism is required by EAP7-530 and EAP7-142.

Following exception is thrown:
{noformat}
GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)
        at
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at
org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212)
        at
org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
        at
org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
        at
org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
        at
org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
        at
org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
        at
org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
        at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
{noformat}

  was:
Invalid initial token is used on server for *GS2-KRB5-PLUS* SASL mechanism. The 
{{Gs2SaslServer}} uses a GSSContext to accept the token. It expects AP_REQ is comming
(*{{AP_REQ_ID=256}}*), but the incomming tokenId has value *{{669}}* (value of first 2
bytes of token body).

Setting blocker as this mechanism is required by EAP7-530.

Following exception is thrown:
{noformat}
GSSException: Defective token detected (Mechanism level: AP_REQ token id does not match!)
        at
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96)
        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at
org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212)
        at
org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
        at
org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
        at
org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
        at
org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
        at
org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
        at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
        at
org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
        at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
{noformat}

...
 Unable to use GS2-KRB5-PLUS SASL mechanism - AP_REQ token id does not
match
 ---------------------------------------------------------------------------

                 Key: ELY-1328
                 URL: https://issues.jboss.org/browse/ELY-1328
             Project: WildFly Elytron
          Issue Type: Bug
            Reporter: Josef Cacek
            Assignee: Darran Lofthouse
            Priority: Blocker

 Invalid initial token is used on server for *GS2-KRB5-PLUS* SASL mechanism. The 
{{Gs2SaslServer}} uses a GSSContext to accept the token. It expects AP_REQ is comming
(*{{AP_REQ_ID=256}}*), but the incomming tokenId has value *{{669}}* (value of first 2
bytes of token body).
 Setting blocker as this mechanism is required by EAP7-530 and EAP7-142.
 Following exception is thrown:
 {noformat}
 GSSException: Defective token detected (Mechanism level: AP_REQ token id does not
match!)
         at
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:96)
         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
         at
org.wildfly.security.sasl.gs2.Gs2SaslServer.evaluateMessage(Gs2SaslServer.java:212)
         at
org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:180)
         at
org.wildfly.security.sasl.util.AbstractSaslServer.evaluateResponse(AbstractSaslServer.java:52)
         at
org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory$1.evaluateResponse(AuthenticationCompleteCallbackSaslServerFactory.java:58)
         at
org.wildfly.security.sasl.util.AuthenticationTimeoutSaslServerFactory$DelegatingTimeoutSaslServer.evaluateResponse(AuthenticationTimeoutSaslServerFactory.java:106)
         at
org.wildfly.security.sasl.util.SecurityIdentitySaslServerFactory$1.evaluateResponse(SecurityIdentitySaslServerFactory.java:57)
         at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:245)
         at org.xnio.sasl.SaslUtils.evaluateResponse(SaslUtils.java:217)
         at
org.jboss.remoting3.remote.ServerConnectionOpenListener$AuthStepRunnable.run(ServerConnectionOpenListener.java:486)
         at
org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:898)
         at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
         at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
         at java.lang.Thread.run(Thread.java:748)
 {noformat} 

--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-jira] [JBoss JIRA] (ELY-1328) Unable to use GS2-KRB5-PLUS SASL mechanism - AP_REQ token id does not match