[jboss-jira] [JBoss JIRA] (WFLY-5492) SPNEGO authentication fails on Windows-KDC

Harald Krause (JIRA) issues at jboss.org
Thu Oct 8 07:24:00 EDT 2015


Harald Krause created WFLY-5492:
-----------------------------------

             Summary: SPNEGO authentication fails on Windows-KDC
                 Key: WFLY-5492
                 URL: https://issues.jboss.org/browse/WFLY-5492
             Project: WildFly
          Issue Type: Bug
          Components: Web (Undertow)
    Affects Versions: 10.0.0.CR2
         Environment: * 
            Reporter: Harald Krause
            Assignee: Stuart Douglas


Inside the "SPNEGOLoginModule" (3.0.0.CR2-SNAPSHOT), the run() method of the inner class "AcceptSecContext" checks for the existence of the Kerberos OID within the SPNEGO token. But it checks only the first element of the mechanism list:
{code:java}
if (mechList.get(0).equals(kerberos))
{
    gssToken = negTokenInit.getMechToken();
}
else
{
    boolean kerberosSupported = false;
    ...
{code}
But the SPNEGO token from a Windows KDC (2008 R2) supports four types of authentication (OIDs):
* oid: 1.2.840.48018.1.2.2 (Windows Kerberos V5)
* oid: 1.2.840.113554.1.2.2 (Kerberos V5 - the one we are looking for)
* oid: 1.3.6.1.4.1.311.2.2.30 NegoEx
* oid: 1.3.6.1.4.1.311.2.2.10 NTLM

So the Kerberos check within the run() method should iterate over the mechList until it finds the Kerberos V5 OID:
{code:java}
for (Oid oid : mechList)
{
    if (oid.equals(kerberos))
    {
        gssToken = negTokenInit.getMechToken();
        break;
    }
}
{code}




--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
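
An added example (not code from the issue or from the login module) of the mechanism-list check generalized beyond the first element: it separates the case where a Kerberos OID leads the list, so the mechToken can be handed to the acceptor, from the case where Kerberos is only offered further down. It relies on RFC 4178, where mechToken is the optimistic token for the first mechType, and assumes the Windows Kerberos OID carries an ordinary Kerberos V5 token; the class, enum and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class SpnegoMechCheck {
    // Hypothetical outcome type for this example.
    enum Decision { USE_MECH_TOKEN, REQUEST_KERBEROS_TOKEN, REJECT }

    static final Oid KERBEROS_V5;
    static final Oid MS_KERBEROS_V5;
    static final Oid NTLM;
    static {
        try {
            KERBEROS_V5 = new Oid("1.2.840.113554.1.2.2");
            MS_KERBEROS_V5 = new Oid("1.2.840.48018.1.2.2");
            NTLM = new Oid("1.3.6.1.4.1.311.2.2.10");
        } catch (GSSException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // Assumption: both OIDs identify a token a Kerberos V5 acceptor can process.
    static boolean isKerberos(Oid oid) {
        return KERBEROS_V5.equals(oid) || MS_KERBEROS_V5.equals(oid);
    }

    // mechList is the mechTypes sequence of the NegTokenInit, in client preference order.
    static Decision decide(List<Oid> mechList) {
        if (mechList == null || mechList.isEmpty()) return Decision.REJECT;
        // The optimistic mechToken belongs to the first mechanism only.
        if (isKerberos(mechList.get(0))) return Decision.USE_MECH_TOKEN;
        // Kerberos offered but not preferred: the mechToken is for another
        // mechanism, so select Kerberos in the response and wait for a new token.
        for (Oid oid : mechList) {
            if (isKerberos(oid)) return Decision.REQUEST_KERBEROS_TOKEN;
        }
        return Decision.REJECT; // e.g. NTLM only: no silent downgrade
    }

    public static void main(String[] args) throws GSSException {
        // Constructed sample lists; the first mirrors the order given in the report.
        List<Oid> windows = Arrays.asList(MS_KERBEROS_V5, KERBEROS_V5,
                new Oid("1.3.6.1.4.1.311.2.2.30"), NTLM);
        System.out.println("windows list: " + decide(windows));
        System.out.println("ntlm first:   " + decide(Arrays.asList(NTLM, KERBEROS_V5)));
        System.out.println("ntlm only:    " + decide(Arrays.asList(NTLM)));
    }
}
```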