Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned --------------------------------------------------------------------------------- Key: WFLY-8547 URL: https://issues.jboss.org/browse/WFLY-8547 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Jan Kalina During SPNEGO in deployment authentication, there should be these rules applied * If authentication is required and no authentication mechanisms are available for use report - 500 * If a mechanism throws an exception evaluating the request and there are no other mechanisms available - 500 Same as Elytron securing management interface discussed on https://issues.jboss.org/browse/JBEAP-9970?focusedCommentId=13386447&... I test these scenarios by: * wrong protocol=DOES_NOT_EXIST in http-authentication-factory ** I get 403 on first GET ** {code} 14:35:41,907 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http' 14:35:41,908 TRACE [org.wildfly.security] (default task-1) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='SPNEGO', hostName='localhost.localdomain', protocol='http'. {code} * wrong principal name in kerberos security factory ** I get 401 on first GET ** {code} 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http' 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Evaluating SPNEGO request: cached GSSContext = null 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Obtaining GSSCredential for the service from callback handler... 14:38:37,281 TRACE [org.wildfly.security] (default task-1) No valid cached credential, obtaining new one... 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject: ] 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject: Principal: HTTP/wronghost(a)JBOSS.ORG Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost(a)JBOSS.ORG ] succeed 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Creating GSSName for Principal 'HTTP/wronghost(a)JBOSS.ORG' 14:38:37,282 INFO [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost(a)JBOSS.ORG 14:38:37,282 INFO [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost(a)JBOSS.ORG 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f] 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost(a)JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@7e6a9da] 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching GSSContext sun.security.jgss.GSSContextImpl@2df4c570 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching KerberosTicket null 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Sent HTTP authorizations: [null] 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Request lacks valid authentication credentials {code}