Darran Lofthouse moved WFLY-7875 to WFCORE-2466:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2466 (was: WFLY-7875)
Component/s: Security
(was: Security)
Affects Version/s: 3.0.0.Beta7
(was: 11.0.0.Alpha1)
Elytron, IBM java, SPNEGO continuation required situation
---------------------------------------------------------
Key: WFCORE-2466
URL: https://issues.jboss.org/browse/WFCORE-2466
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 3.0.0.Beta7
Reporter: Martin Choma
Assignee: Darran Lofthouse
Priority: Blocker
Attachments: ContinuationRequiredIBM.pcap, server.log
I have a problem achieving this scenario with Elytron on IBM Java:
# Using IBM Java
# Client sends a non-Kerberos OID mechanism as most preferred, with a non-Kerberos ticket
# Server responds with "continuation required"
# Client sends a Kerberos ticket
# Server responds with 401 instead of 200
# In the server there is this error
{code}
10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
major string: Defective token
minor string: Bad token tag: -95
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
{code}
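Added example for triage, not code from this report or from Elytron: "Bad token tag: -95" is the signed Java byte value of 0xA1, which is the SPNEGO negTokenResp tag (RFC 4178), whereas a first-round token is wrapped in the 0x60 InitialContextToken header (RFC 2743). The classifier below reads the token from an Authorization: Negotiate header and says which round it belongs to; the sample tokens are constructed stand-ins, not taken from the attached pcap.

```python
import base64

# ASN.1 tags at the start of GSS-API / SPNEGO tokens (RFC 2743 sec. 3.1, RFC 4178 sec. 4.2)
TAG_INITIAL_CONTEXT_TOKEN = 0x60  # [APPLICATION 0] wrapper that only the first token carries
TAG_NEG_TOKEN_INIT = 0xA0         # negTokenInit [0], found inside the 0x60 wrapper
TAG_NEG_TOKEN_RESP = 0xA1         # negTokenResp [1], continuation tokens, sent bare
SPNEGO_OID_DER = bytes.fromhex("06062b0601050502")        # OID 1.3.6.1.5.5.2
KRB5_OID_DER = bytes.fromhex("06092a864886f712010202")    # OID 1.2.840.113554.1.2.2

def jgss_tag(signed_byte: int) -> int:
    """Map the signed Java byte printed in 'Bad token tag: N' back to the unsigned ASN.1 tag."""
    return signed_byte & 0xFF

def _der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, position after the length octets) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(token: bytes) -> str:
    """Say which kind of token an acceptor has been handed, by its leading tag."""
    if not token:
        return "empty"
    tag = token[0]
    if tag == TAG_NEG_TOKEN_RESP:
        return "negTokenResp (continuation; belongs to the GSSContext of the previous round)"
    if tag != TAG_INITIAL_CONTEXT_TOKEN:
        return f"unknown tag 0x{tag:02x}"
    _, pos = _der_length(token, 1)
    if token.startswith(SPNEGO_OID_DER, pos):
        inner = token[pos + len(SPNEGO_OID_DER)]
        if inner == TAG_NEG_TOKEN_INIT:
            return "SPNEGO negTokenInit (new context)"
        return f"SPNEGO wrapper with unexpected inner tag 0x{inner:02x}"
    if token.startswith(KRB5_OID_DER, pos):
        return "raw Kerberos AP-REQ (new context)"
    return "initial context token with unrecognised mechanism OID"

def classify_negotiate_header(header_value: str) -> str:
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not a Negotiate header"
    return classify_token(base64.b64decode(b64))

# Constructed sample tokens (not from the attached pcap); inner bodies are minimal stand-ins.
NEG_TOKEN_INIT = bytes([0x60, 0x0C]) + SPNEGO_OID_DER + bytes([0xA0, 0x02, 0x30, 0x00])
NEG_TOKEN_RESP = bytes([0xA1, 0x05, 0x30, 0x03, 0xA0, 0x01, 0x01])
```

If the second request of the exchange classifies as negTokenResp, the acceptor must be fed the same GSSContext it created for the first request; a fresh context will reject it as a defective token.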
Basically, it is the same scenario as tested in [1] (for legacy security).
This scenario works correctly
* on Oracle and OpenJDK Java with Elytron in EAP 7.1
* with legacy security on IBM Java in EAP 7.1
Setting high priority as:
* It works in legacy security, so customers won't be able to migrate
* A similar error was resolved in EAP 7.0 (JBEAP-3709) as a blocker because a customer case existed for it.
[1]
https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...
[2]
https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13d...