[jboss-jira] [JBoss JIRA] (ELY-1070) Elytron, WWW-Authenticate Negotiate header is send although SPNEGO is misconfigured

Darran Lofthouse (JIRA) issues at jboss.org
Mon Apr 10 11:53:01 EDT 2017


    [ https://issues.jboss.org/browse/ELY-1070?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13391687#comment-13391687 ] 

Darran Lofthouse commented on ELY-1070:
---------------------------------------

I can't quite reproduce this one, but I can see a location where the mechanism should be throwing an exception if it cannot obtain a server identity.

> Elytron, WWW-Authenticate Negotiate header is send although SPNEGO is misconfigured
> -----------------------------------------------------------------------------------
>
>                 Key: ELY-1070
>                 URL: https://issues.jboss.org/browse/ELY-1070
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: HTTP
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>            Priority: Critical
>              Labels: kerberos
>         Attachments: kerberos_http_interface.pcap
>
>
> If SPNEGO is misconfigured, the Negotiate header is still sent back to the client, although SPNEGO can't be used.
> {code}
> 13:19:20,861 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BASIC' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling AvailableRealmsCallback: realms = [fileSystemFallbackRealm]
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='CLIENT_CERT' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='CLIENT_CERT', hostName='localhost.localdomain', protocol='http'.
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='DIGEST' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='DIGEST', hostName='localhost.localdomain', protocol='http'.
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='FORM' host-name='localhost.localdomain' protocol='http'
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='FORM', hostName='localhost.localdomain', protocol='http'.
> 13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Evaluating SPNEGO request: cached GSSContext = null
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Obtaining GSSCredential for the service from callback handler...
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) No valid cached credential, obtaining new one...
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
> ]
> 13:19:20,863 INFO  [stdout] (management task-6) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator false KeyTab is /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab refreshKrb5Config is false principal is HTTP/wronghost at JBOSS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> 13:19:20,863 INFO  [stdout] (management task-6) principal is HTTP/wronghost at JBOSS.ORG
> 13:19:20,863 INFO  [stdout] (management task-6) Will use keytab
> 13:19:20,863 INFO  [stdout] (management task-6) Commit Succeeded 
> 13:19:20,863 INFO  [stdout] (management task-6) 
> 13:19:20,863 TRACE [org.wildfly.security] (management task-6) Logging in using LoginContext and subject [Subject:
> 	Principal: HTTP/wronghost at JBOSS.ORG
> 	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.4985635734744374940.keytab for HTTP/wronghost at JBOSS.ORG
> ] succeed
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Creating GSSName for Principal 'HTTP/wronghost at JBOSS.ORG'
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential at 1f]
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost at JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@4133c756]
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching GSSContext sun.security.jgss.GSSContextImpl at 3adbbdae
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Caching KerberosTicket null
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Sent HTTP authorizations: [null]
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Request lacks valid authentication credentials
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='BEARER_TOKEN' host-name='localhost.localdomain' protocol='http'
> 13:19:20,864 TRACE [org.wildfly.security] (management task-6) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='BEARER_TOKEN', hostName='localhost.localdomain', protocol='http'.
> {code}
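
A log check for the mismatch visible in the trace quoted above (request host-name 'localhost.localdomain', service principal HTTP/wronghost), added here as an example; it is not part of the original message or of Elytron. The function name, the regexes and the sample lines are assumptions built from the log format shown, and the hostname comparison is an exact, case-insensitive match, so aliases and short names are reported too.

```python
import re

# Constructed sample: three lines in the shape of the trace quoted above, trimmed.
SAMPLE_LOG = """\
13:19:20,862 TRACE [org.wildfly.security] (management task-6) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Creating GSSName for Principal 'HTTP/wronghost at JBOSS.ORG'
13:19:20,864 TRACE [org.wildfly.security] (management task-6) Sent HTTP authorizations: [null]
"""

# Host the request arrived on, per mechanism, as logged by the callback handler.
MECH_RE = re.compile(
    r"\((?P<thread>[^)]+)\) Handling MechanismInformationCallback "
    r"type='HTTP' name='(?P<mech>[^']+)' host-name='(?P<host>[^']+)'")
# Service principal the server loaded; the archive prints '@' as ' at ', accept both.
SPN_RE = re.compile(
    r"\((?P<thread>[^)]+)\) Creating GSSName for Principal "
    r"'(?P<svc>[^/']+)/(?P<host>[^ @']+)(?: at |@)(?P<realm>[^']+)'")


def find_spn_mismatches(log_text):
    """Return (thread, request_host, principal_host) for every SPNEGO evaluation
    whose HTTP service principal names a different host than the request did."""
    current = {}    # thread -> (mechanism, host-name) from the latest callback
    findings = []
    for line in log_text.splitlines():
        m = MECH_RE.search(line)
        if m:
            current[m["thread"]] = (m["mech"], m["host"].lower())
            continue
        m = SPN_RE.search(line)
        if not m:
            continue
        mech, req_host = current.get(m["thread"], (None, None))
        spn_host = m["host"].lower()
        # A client asks the KDC for HTTP/<host it connected to>; a keytab for
        # another host cannot accept that ticket, so Negotiate cannot complete.
        if mech == "SPNEGO" and m["svc"] == "HTTP" and spn_host != req_host:
            findings.append((m["thread"], req_host, spn_host))
    return findings


if __name__ == "__main__":
    for thread, req_host, spn_host in find_spn_mismatches(SAMPLE_LOG):
        print(f"{thread}: request host {req_host!r}, keytab principal host {spn_host!r}")
```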


