[jboss-jira] [JBoss JIRA] (WFLY-8547) Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned

Martin Choma (JIRA) issues at jboss.org
Mon Apr 10 09:10:00 EDT 2017 

Martin Choma created WFLY-8547:
----------------------------------

             Summary: Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned
                 Key: WFLY-8547
                 URL: https://issues.jboss.org/browse/WFLY-8547
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Martin Choma
            Assignee: Darran Lofthouse
            Priority: Critical


During SPNEGO in deployment authentication, there should be these rules applied

* If authentication is required and no authentication mechanisms are available for use report - 500
* If a mechanism throws an exception evaluating the request and there are no other mechanisms available - 500

Same as Elytron securing management interface discussed on https://issues.jboss.org/browse/JBEAP-9970?focusedCommentId=13386447&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13386447

I test these scenarios by:
* wrong protocol=DOES_NOT_EXIST in http-authentication-factory 
** I get 403 on first GET
** {code}
14:35:41,907 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
14:35:41,908 TRACE [org.wildfly.security] (default task-1) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='SPNEGO', hostName='localhost.localdomain', protocol='http'.
{code}
* wrong principal name in kerberos security factory
** I get 401  on first GET
** {code}
14:38:37,280 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
14:38:37,280 TRACE [org.wildfly.security] (default task-1) Evaluating SPNEGO request: cached GSSContext = null
14:38:37,280 TRACE [org.wildfly.security] (default task-1) Obtaining GSSCredential for the service from callback handler...
14:38:37,281 TRACE [org.wildfly.security] (default task-1) No valid cached credential, obtaining new one...
14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject:
]
14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject:
	Principal: HTTP/wronghost at JBOSS.ORG
	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost at JBOSS.ORG
] succeed
14:38:37,281 TRACE [org.wildfly.security] (default task-1) Creating GSSName for Principal 'HTTP/wronghost at JBOSS.ORG'
14:38:37,282 INFO  [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost at JBOSS.ORG
14:38:37,282 INFO  [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost at JBOSS.ORG
14:38:37,282 TRACE [org.wildfly.security] (default task-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential at 1f]
14:38:37,282 TRACE [org.wildfly.security] (default task-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
14:38:37,282 TRACE [org.wildfly.security] (default task-1) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost at JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@7e6a9da]
14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching GSSContext sun.security.jgss.GSSContextImpl at 2df4c570
14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching KerberosTicket null
14:38:37,282 TRACE [org.wildfly.security] (default task-1) Sent HTTP authorizations: [null]
14:38:37,282 TRACE [org.wildfly.security] (default task-1) Request lacks valid authentication credentials
{code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list