]
Jan Kalina moved WFLY-7397 to ELY-711:
--------------------------------------
Project: WildFly Elytron (was: WildFly)
Key: ELY-711 (was: WFLY-7397)
Component/s: Authentication Mechanisms
(was: Security)
Affects Version/s: (was: 11.0.0.Alpha1)
Elytron SPNEGO: missing negstat field in the first reply
--------------------------------------------------------
Key: ELY-711
URL:
https://issues.jboss.org/browse/ELY-711
Project: WildFly Elytron
Issue Type: Bug
Components: Authentication Mechanisms
Reporter: Martin Choma
Basically Elytron clone of JBEAP-4114.
When the client sends an initial SPNEGO token with Kerberos as preferred mechanism and
includes an invalid kerberos token, then client expects to see the {{WWW-Authenticate}}
HTTP header with SPNEGO response {{negTokenResp[ negState = reject ]}}.
As stated in [SPNEGO
specification|https://tools.ietf.org/html/rfc4178#section-4.2.2]
negstat is required in first reply:
{code:borderStyle=dashed}
negState
...
This field is REQUIRED in the first reply from the target, and is
OPTIONAL thereafter. When negState is absent, the actual state
should be inferred from the state of the negotiated mechanism
context.
{code}
https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
testInvalidKerberosSpnegoWorkflow.