[jboss-jira] [JBoss JIRA] (SECURITY-722) SPNEGO-fallback-to-FORM authentication does not work with httpd+JBossEAP6 if SPNEGO not available

Sean Flanigan (JIRA) issues at jboss.org
Mon Jan 6 23:43:32 EST 2014


    [ https://issues.jboss.org/browse/SECURITY-722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12934007#comment-12934007 ] 

Sean Flanigan commented on SECURITY-722:
----------------------------------------

This happened to us too. The problem is three-fold:
1. If httpd.conf has ProxyErrorOverride On, the 401 login form will be replaced with a custom error page.
2. org.jboss.security.negotiation.NegotiationAuthenticator apparently doesn't set a contentType for the 401 Response.
3. Apache httpd sees that the response has no Content-Type, and adds a Content-Type header using the DefaultType, which defaults to "text/plain".

See http://httpd.apache.org/docs/2.2/mod/core.html#defaulttype

So the workaround is to edit /etc/httpd/conf/httpd.conf, remove "ProxyErrorOverride On" and set "DefaultType none" instead of "DefaultType text/plain".

Another option (instead of changing DefaultType) would be to override the method {{org.jboss.security.negotiation.NegotiationAuthenticator.authenticate()}} so that contentType is set to "text/html", and to activate it as a valve in jboss-web.xml:

{{<valve><class-name>com.example.CustomNegotiationAuthenticator</class-name></valve>}}

But it would be better to change org.jboss.security.negotiation.NegotiationAuthenticator.authenticate() so that it sets contentType on the Response itself.

> SPNEGO-fallback-to-FORM authentication does not work with httpd+JBossEAP6 if SPNEGO not available
> -------------------------------------------------------------------------------------------------
>
>                 Key: SECURITY-722
>                 URL: https://issues.jboss.org/browse/SECURITY-722
>             Project: PicketBox 
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Negotiation
>    Affects Versions: Negotiation_2_2_1
>         Environment: RHEL6, JBoss EAP 6
>            Reporter: flame liu
>            Assignee: Darran Lofthouse
>
> I configured SPNEGO in EAP6. It works well both with EAP only and EAP6 + Apache httpd(mod_proxy). Users just run kinit and will be able to be successfully authenticated.
> After that, I added the fallback-to-form files/configurations both in the web app and standalone-full.xml. The fallback-to-form works only if httpd stops. If httpd starts, 401 error will always be thrown out.
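The valve-based workaround mentioned in the comment above, written out as an added example (not code from the issue, the commenter, or the PicketBox/JBoss Negotiation project). It assumes the JBoss Web 7 / EAP 6 authenticator signature `authenticate(Request, HttpServletResponse, LoginConfig)` and that the 401 fallback body is the HTML login form; the class name `com.example.CustomNegotiationAuthenticator` is the placeholder the comment uses.

```java
package com.example;

import java.io.IOException;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.jboss.security.negotiation.NegotiationAuthenticator;

/**
 * Drop-in replacement for NegotiationAuthenticator that guarantees the
 * 401 fallback-to-FORM response carries an explicit Content-Type, so a
 * fronting httpd does not stamp its DefaultType ("text/plain") on the
 * login page. Registered in WEB-INF/jboss-web.xml as:
 *   <valve><class-name>com.example.CustomNegotiationAuthenticator</class-name></valve>
 *
 * Assumption: signature matches JBoss Web 7 (EAP 6); on other versions
 * the response parameter type may differ.
 */
public class CustomNegotiationAuthenticator extends NegotiationAuthenticator {

    @Override
    public boolean authenticate(Request request, HttpServletResponse response,
                                LoginConfig config) throws IOException {
        // Set the type *before* delegating: once the parent writes the 401
        // body and commits the response, setContentType() is silently ignored.
        // Only fill the gap; never override a type the application chose.
        if (response.getContentType() == null) {
            response.setContentType("text/html;charset=UTF-8");
        }

        boolean authenticated = super.authenticate(request, response, config);

        // Defensive check for the case where the parent reset the buffer but
        // not the headers and the response is still open (e.g. a forward to
        // the login page that cleared the type without committing).
        if (!authenticated
                && response.getStatus() == HttpServletResponse.SC_UNAUTHORIZED
                && !response.isCommitted()
                && response.getContentType() == null) {
            response.setContentType("text/html;charset=UTF-8");
        }
        return authenticated;
    }
}
```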
