[jboss-jira] [JBoss JIRA] (WFCORE-2466) Elytron, IBM java, SPNEGO continuation required situation
Darran Lofthouse (JIRA)
issues at jboss.org
Tue Mar 7 13:16:42 EST 2017
[ https://issues.jboss.org/browse/WFCORE-2466?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse moved WFLY-7875 to WFCORE-2466:
------------------------------------------------
Project: WildFly Core (was: WildFly)
Key: WFCORE-2466 (was: WFLY-7875)
Component/s: Security (was: Security)
Affects Version/s: 3.0.0.Beta7 (was: 11.0.0.Alpha1)
> Elytron, IBM java, SPNEGO continuation required situation
> ---------------------------------------------------------
>
> Key: WFCORE-2466
> URL: https://issues.jboss.org/browse/WFCORE-2466
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Affects Versions: 3.0.0.Beta7
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Priority: Blocker
> Attachments: ContinuationRequiredIBM.pcap, server.log
>
>
> I have a problem achieving this scenario with Elytron on IBM Java:
> # Using IBM Java
> # Client sends a non-Kerberos OID mechanism as most preferred with a non-Kerberos ticket
> # Server responds with "continuation required"
> # Client sends Kerberos ticket
> # Server responds with 401 instead of 200
> # In the server there is an error
> {code}
> 10:43:35,570 TRACE [org.wildfly.security] (default task-3) GSSContext message exchange failed: org.ietf.jgss.GSSException, major code: 10, minor code: 0
> major string: Defective token
> minor string: Bad token tag: -95
> at com.ibm.security.jgss.i18n.I18NException.throwGSSException(I18NException.java:5)
> at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:33)
> at com.ibm.security.jgss.TokenHeader.a(TokenHeader.java:102)
> at com.ibm.security.jgss.TokenHeader.<init>(TokenHeader.java:70)
> at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:119)
> at com.ibm.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:186)
> at org.wildfly.security.http.impl.SpnegoAuthenticationMechanism.evaluateRequest(SpnegoAuthenticationMechanism.java:138)
> at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:115)
> at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:106)
> at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:90)
> at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:74)
> at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:82)
> {code}
> Basically, it is the same scenario as tested in [1] (for legacy security).
> This scenario works correctly
> * on Oracle and OpenJDK Java with Elytron in EAP 7.1
> * with legacy security on IBM Java in EAP 7.1
> Setting high priority as:
> * It works in legacy security, so customers won't be able to migrate
> * A similar error was resolved in EAP 7.0 (JBEAP-3709) as a blocker because a customer case existed for that.
> [1] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L344
> [2] https://github.com/wildfly/wildfly/blob/15f9a4f2b5a10cc3acbaa2df57d5cc13db50ff43/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/security/loginmodules/negotiation/SPNEGOLoginModuleTestCase.java#L357
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
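Added example, not part of the issue or of WildFly's code: the "Bad token tag: -95" in the trace is Java's signed rendering of byte 0xA1, the tag RFC 4178 assigns to a negTokenResp, whereas the RFC 2743 initial-token framing starts with 0x60. The helper below classifies the token carried in an `Authorization: Negotiate` value (for instance one read out of a capture of each leg); the function names and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (content octets only)
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

def der_len(buf, pos):
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first = buf[pos]
    if first < 0x80:                      # short form
        return first, pos + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("indefinite or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value):
    """Return (token kind, first byte as Java prints it) for a Negotiate header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64.strip(), validate=True)
    if not tok:
        raise ValueError("empty token")
    tag = tok[0]
    signed = tag - 256 if tag > 127 else tag     # Java bytes are signed
    if tag == 0x60:                              # RFC 2743 InitialContextToken
        _, pos = der_len(tok, 1)
        if pos >= len(tok) or tok[pos] != 0x06:
            raise ValueError("mechanism OID missing")
        oid_len, pos = der_len(tok, pos + 1)
        kind = {SPNEGO_OID: "GSS-framed SPNEGO NegTokenInit",
                KRB5_OID: "GSS-framed Kerberos token"}.get(
                    bytes(tok[pos:pos + oid_len]), "GSS-framed, other mechanism")
    elif tag == 0xA0:
        kind = "unframed NegTokenInit"
    elif tag == 0xA1:                            # RFC 4178 negTokenResp [1]
        kind = "NegTokenResp"
    else:
        kind = "unrecognised"
    return kind, signed

def sample(hex_token):
    """Build a header from a constructed, header-only token stub."""
    return "Negotiate " + base64.b64encode(bytes.fromhex(hex_token)).decode()

FIRST_LEG = sample("60080606" "2b0601050502")   # constructed: 0x60 + SPNEGO OID
SECOND_LEG = sample("a1023000")                 # constructed: empty NegTokenResp
```

Running `classify_negotiate` over the header of each request in a capture shows which leg carries the 0xA1-tagged token that the acceptor's token-header parser reports as -95.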