[jboss-jira] [JBoss JIRA] (WFLY-7397) Elytron SPNEGO: missing negstat field in the first reply
Martin Choma (JIRA)
issues at jboss.org
Thu Oct 27 09:38:00 EDT 2016
[ https://issues.jboss.org/browse/WFLY-7397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martin Choma moved JBEAP-6680 to WFLY-7397:
-------------------------------------------
Project: WildFly (was: JBoss Enterprise Application Platform)
Key: WFLY-7397 (was: JBEAP-6680)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security (was: Security)
Affects Version/s: 11.0.0.Alpha1 (was: 7.1.0.DR7)
> Elytron SPNEGO: missing negstat field in the first reply
> --------------------------------------------------------
>
> Key: WFLY-7397
> URL: https://issues.jboss.org/browse/WFLY-7397
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Martin Choma
>
> Basically an Elytron clone of JBEAP-4114.
> When the client sends an initial SPNEGO token with Kerberos as the preferred mechanism and includes an invalid Kerberos token, the client expects to see the {{WWW-Authenticate}} HTTP header with the SPNEGO response {{negTokenResp[ negState = reject ]}}.
> As stated in the [SPNEGO specification|https://tools.ietf.org/html/rfc4178#section-4.2.2], negstat is required in the first reply:
> {code:borderStyle=dashed}
> negState
> ...
> This field is REQUIRED in the first reply from the target, and is
> OPTIONAL thereafter. When negState is absent, the actual state
> should be inferred from the state of the negotiated mechanism
> context.
> {code}
> https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java testInvalidKerberosSpnegoWorkflow.
--
This message was sent by Atlassian JIRA
(v7.2.2#72004)