[jboss-jira] [JBoss JIRA] (SECURITY-719) request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
RH Bugzilla Integration (JIRA)
jira-events at lists.jboss.org
Wed Jan 9 09:29:08 EST 2013
[ https://issues.jboss.org/browse/SECURITY-719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12744409#comment-12744409 ]
RH Bugzilla Integration commented on SECURITY-719:
--------------------------------------------------
mposolda at redhat.com made a comment on [bug 891976|https://bugzilla.redhat.com/show_bug.cgi?id=891976]
Issue is caused by Negotiation issue https://issues.jboss.org/browse/SECURITY-719 . Actually this bug happens because of changes in jboss-as-web and picketbox, which cause negotiation not to work as expected. Details in SECURITY-719.
Proper fix needs to be done either in negotiation or in JBoss AS security integration layer (jboss-as-web or picketbox libraries). ATM I am not sure, will discuss it with Darran.
Anyway I can work around it in gatein-sso to have it fixed in ER5 (because it seems that it's too late to have a JBoss Negotiation or jboss-as-web fix and release available in JPP6 ER5).
This bug can't be reproduced with GateIn master on AS 7.1.3 or AS 7.1.1 but only with JPP6 ER4.2 (it seems that changes in EAP 6.0.1.ER4.2 are causing this).
> request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
> -------------------------------------------------------------------
>
> Key: SECURITY-719
> URL: https://issues.jboss.org/browse/SECURITY-719
> Project: PicketBox
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Negotiation
> Affects Versions: Negotiation_2_2_1
> Environment: EAP 6.0.1.ER4.2
> SPNEGO setup with Kerberos
> Kerberos user: demo@LOCAL.NETWORK
> Reporter: Marek Posolda
> Assignee: Darran Lofthouse
> Fix For: Negotiation_2_2_2
>
>
> It seems that JBoss Negotiation 2.2.1.Final doesn't work correctly on EAP 6.0.1.ER4.2. I am able to reproduce the issue with SecuredServlet from the negotiation toolkit.
> I logged in through SPNEGO (Kerberos) and in SecuredServlet I am seeing these outputs:
> request.getUserPrincipal() returns principal with name "demo@LOCAL.NETWORK" -> OK
> request.getRemoteUser() returns something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922" -> FAILURE!!!
> SecurityContextAssociation.getSecurityContext().getSubjectInfo().getIdentities().next() also returns "dPC0cG6NhAUi88tSbvQar59M_1357729358922" => FAILURE!!!
> Note that JBoss Negotiation 2.2.1.Final works correctly on JBoss AS 7.1.3 and fails only on EAP 6.0.1.ER4.2. The reason is not related to Negotiation itself, but to changes in behaviour in related libraries like jboss-as-web and picketbox-infinispan.
> In NegotiationAuthenticator the call to JBossWebRealm:
> principal = realm.authenticate(username, (String) null);
> now returns JBossGenericPrincipal with the username taken from the calling username. So it's something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922", as the calling username is only a placeholder computed from the sessionId and system time.
> Previously the username was taken from the principal of the JAAS authenticated user, which correctly returned "demo@LOCAL.NETWORK".
> So the bug seems to be due to changes in JBossWebRealm and maybe also picketbox classes like JBossCachedAuthenticationManager (seeing that cache key is now also calling username instead of username of authenticated principal).
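The symptom described in the issue is that the two identity views exposed to a servlet disagree: request.getUserPrincipal() carries the real Kerberos principal while request.getRemoteUser() carries the placeholder. Until the fix version (Negotiation_2_2_2) is deployed, an application can at least detect that condition and fail closed instead of treating the placeholder as a user identity. The filter below is an added example written for this page; it is not code from the issue, from JBoss Negotiation or from GateIn. It assumes the Servlet 3.0 API (javax.servlet) available in EAP 6, and the class name RemoteUserConsistencyFilter is hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of JBoss Negotiation or GateIn) that detects the
 * SECURITY-719 symptom: request.getRemoteUser() disagreeing with the name of
 * request.getUserPrincipal(). On a mismatch it logs both values and answers
 * 500 so that downstream code never uses the placeholder as an identity.
 */
public class RemoteUserConsistencyFilter implements Filter {

    private static final Logger LOG =
            Logger.getLogger(RemoteUserConsistencyFilter.class.getName());

    /**
     * Returns null when both identity views agree (or the request is not
     * authenticated), otherwise a description of the mismatch for the log.
     */
    static String findMismatch(String remoteUser, Principal principal) {
        if (principal == null) {
            // Unauthenticated request: there is nothing to compare yet.
            return null;
        }
        String principalName = principal.getName();
        if (remoteUser == null || !remoteUser.equals(principalName)) {
            return "getRemoteUser()=" + remoteUser
                    + " but getUserPrincipal().getName()=" + principalName;
        }
        return null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String mismatch = findMismatch(request.getRemoteUser(), request.getUserPrincipal());
        if (mismatch != null) {
            // Fail closed: a wrong remote user is a server-side integration
            // defect, so report it as such rather than as an access denial.
            LOG.severe("Identity mismatch for session "
                    + request.getRequestedSessionId() + ": " + mismatch);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter in web.xml in front of the SPNEGO-protected servlets (the SecuredServlet from the negotiation toolkit is a convenient place to try it). With Negotiation 2.2.1.Final on EAP 6.0.1.ER4.2 the log line will show the placeholder next to the Kerberos principal, which is the quickest way to confirm the affected build before and after upgrading to the fix version.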