[jboss-jira] [JBoss JIRA] (ELY-693) Elytron SPNEGO "continuation required" situation

Darran Lofthouse (JIRA) issues at jboss.org
Wed Nov 2 12:52:00 EDT 2016 

     [ https://issues.jboss.org/browse/ELY-693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated ELY-693:
---------------------------------
    Fix Version/s: 1.1.0.Beta13


> Elytron SPNEGO "continuation required" situation
> ------------------------------------------------
>
>                 Key: ELY-693
>                 URL: https://issues.jboss.org/browse/ELY-693
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Mechanisms
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Critical
>             Fix For: 1.1.0.Beta13
>
>
> I have problem to achieve this scenario with elytron:
> # Client sends non kerberos OID mechanism as most preferred with non kerberos ticket
> # Server response with "continuation required"
> # Client sends kerberos ticket 
> # Server response with 401 instead of 200
> Actually, it is scenario tested in [1]. It worked correctly in EAP 7.0 . Also works with elytron when client sends non-kerberos OID mechanism with kerberos ticket.
> Problem as I see is that SpnegoAuthenticationMechanism: 
> # Creates {{gssContext}} with first provided ticket (non-kerberos) and sends "continuation required"
> # Client provide proper kerberos ticket, but that anyway leads to 401 bare challenge, because {{gssContext}} was already created in first step and is not tried to make again.
> Setting to critical as it behaves differently compared to EAP 7.0 and IMHO it doesn't comply to spec [2]. Similar error was resolved in EAP 7.0 (JBEAP-3709) as blocker because customer case existed for that.
> [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
> [2] https://tools.ietf.org/html/rfc4178



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list