]
Jan Kalina moved JBEAP-6819 to ELY-710:
---------------------------------------
Project: WildFly Elytron (was: JBoss Enterprise Application Platform)
Key: ELY-710 (was: JBEAP-6819)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Authentication Mechanisms
(was: Security)
Affects Version/s: (was: 7.1.0.DR7)
Elytron SPNEGO: missing negstat field in the first reply
--------------------------------------------------------
Key: ELY-710
URL:
https://issues.jboss.org/browse/ELY-710
Project: WildFly Elytron
Issue Type: Bug
Components: Authentication Mechanisms
Reporter: Jan Kalina
Assignee: Jan Kalina
Basically Elytron clone of JBEAP-4114.
When the client sends an initial SPNEGO token with Kerberos as preferred mechanism and
includes an invalid kerberos token, then client expects to see the {{WWW-Authenticate}}
HTTP header with SPNEGO response {{negTokenResp[ negState = reject ]}}.
As stated in [SPNEGO
specification|https://tools.ietf.org/html/rfc4178#section-4.2.2]
negstat is required in first reply:
{code:borderStyle=dashed}
negState
...
This field is REQUIRED in the first reply from the target, and is
OPTIONAL thereafter. When negState is absent, the actual state
should be inferred from the state of the negotiated mechanism
context.
{code}
https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
testInvalidKerberosSpnegoWorkflow.