[jboss-jira] [JBoss JIRA] (SECURITY-719) request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
Marek Posolda (JIRA)
jira-events at lists.jboss.org
Wed Jan 9 07:06:09 EST 2013
Marek Posolda created SECURITY-719:
--------------------------------------
Summary: request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
Key: SECURITY-719
URL: https://issues.jboss.org/browse/SECURITY-719
Project: PicketBox
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: Negotiation
Affects Versions: Negotiation_2_2_1
Environment: EAP 6.0.1.ER4.2
SPNEGO setup with Kerberos
Kerberos user: demo at LOCAL.NETWORK
Reporter: Marek Posolda
Assignee: Darran Lofthouse
Fix For: Negotiation_2_2_2
It seems that JBoss Negotiation 2.2.1.Final doesn't work correctly on EAP 6.0.1.ER4.2. I am able to reproduce the issue with SecuredServlet from the negotiation toolkit.
I logged in through SPNEGO (Kerberos) and in SecuredServlet I am seeing these outputs:
request.getUserPrincipal() returns principal with name "demo at LOCAL.NETWORK" -> OK
request.getRemoteUser() returns something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922" -> FAILURE!!!
SecurityContextAssociation.getSecurityContext().getSubjectInfo().getIdentities().next() also returns "dPC0cG6NhAUi88tSbvQar59M_1357729358922" => FAILURE!!!
Note that JBoss Negotiation 2.2.1.Final works correctly on JBoss AS 7.1.3 but fails only on EAP 6.0.1.ER4.2. The reason is not related to Negotiation itself, but to changes in behaviour in related libraries like jboss-as-web and picketbox-infinispan.
In NegotiationAuthenticator the call to JBossWebRealm:
principal = realm.authenticate(username, (String) null);
now returns a JBossGenericPrincipal with the username taken from the calling username. So it's something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922", as the calling username is only a placeholder computed from the sessionId and the system time.
Previously the username was taken from the principal of the JAAS-authenticated user, which correctly returned "demo at LOCAL.NETWORK".
So the bug seems to be due to changes in JBossWebRealm and maybe also picketbox classes like JBossCachedAuthenticationManager (seeing that the cache key is now also the calling username instead of the username of the authenticated principal).
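The mismatch described in the report can be caught before application code relies on it. The following servlet filter is an added example, not code from the JBoss Negotiation project or the toolkit's SecuredServlet; the class name and the fail-closed response are assumptions. It compares the two identity APIs and rejects the request when they disagree, which is exactly the symptom seen on EAP 6.0.1.ER4.2.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical regression check for SECURITY-719 (not part of JBoss Negotiation).
 * After a SPNEGO login the container must report the same identity through
 * getRemoteUser() and getUserPrincipal(). A placeholder such as
 * "dPC0cG6NhAUi88tSbvQar59M_1357729358922" in getRemoteUser() means that
 * audit logs, authorization checks and cache keys built from the remote user
 * name would carry a bogus identity instead of the Kerberos principal.
 */
public class RemoteUserConsistencyFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(RemoteUserConsistencyFilter.class.getName());

    /** Returns null when the two APIs agree, otherwise a description of the problem. */
    static String check(String remoteUser, Principal principal) {
        if (principal == null) {
            return remoteUser == null ? null : "remote user set without a principal";
        }
        if (remoteUser == null) {
            return "principal '" + principal.getName() + "' but getRemoteUser() is null";
        }
        if (!remoteUser.equals(principal.getName())) {
            return "getRemoteUser() '" + remoteUser + "' != getUserPrincipal() '" + principal.getName() + "'";
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String problem = check(request.getRemoteUser(), request.getUserPrincipal());
        if (problem != null) {
            // Fail closed: an inconsistent identity must not reach application code.
            LOG.severe("SECURITY-719 identity mismatch: " + problem);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Mapping the filter in front of SecuredServlet in web.xml turns the symptom into a logged, rejected request rather than a silently wrong username.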