[jboss-jira] [JBoss JIRA] (ELY-693) Elytron SPNEGO "continuation required" situation

Jan Kalina (JIRA) issues at jboss.org
Wed Oct 26 09:14:00 EDT 2016 

     [ https://issues.jboss.org/browse/ELY-693?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jan Kalina moved JBEAP-6645 to ELY-693:
---------------------------------------

              Project: WildFly Elytron  (was: JBoss Enterprise Application Platform)
                  Key: ELY-693  (was: JBEAP-6645)
             Workflow: GIT Pull Request workflow   (was: CDW with loose statuses v1)
          Component/s: Authentication Mechanisms
                           (was: Security)
    Affects Version/s:     (was: 7.1.0.DR7)


> Elytron SPNEGO "continuation required" situation
> ------------------------------------------------
>
>                 Key: ELY-693
>                 URL: https://issues.jboss.org/browse/ELY-693
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Mechanisms
>            Reporter: Jan Kalina
>            Assignee: Jan Kalina
>            Priority: Critical
>
> I have problem to achieve this scenario with elytron:
> # Client sends non kerberos OID mechanism as most preferred with non kerberos ticket
> # Server response with "continuation required"
> # Client sends kerberos ticket 
> # Server response with 401 instead of 200
> Actually, it is scenario tested in [1]. It worked correctly in EAP 7.0 . Also works with elytron when client sends non-kerberos OID mechanism with kerberos ticket.
> Problem as I see is that SpnegoAuthenticationMechanism: 
> # Creates {{gssContext}} with first provided ticket (non-kerberos) and sends "continuation required"
> # Client provide proper kerberos ticket, but that anyway leads to 401 bare challenge, because {{gssContext}} was already created in first step and is not tried to make again.
> Setting to critical as it behaves differently compared to EAP 7.0 and IMHO it doesn't comply to spec [2]. Similar error was resolved in EAP 7.0 (JBEAP-3709) as blocker because customer case existed for that.
> [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
> [2] https://tools.ietf.org/html/rfc4178



--
This message was sent by Atlassian JIRA
(v7.2.2#72004)

More information about the jboss-jira mailing list