[jboss-jira] [JBoss JIRA] (WFCORE-2477) Legacy Kerberos in management, regression in choosing keytab strategy
Darran Lofthouse (JIRA)
issues at jboss.org
Tue Mar 28 12:40:00 EDT 2017
[ https://issues.jboss.org/browse/WFCORE-2477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse resolved WFCORE-2477.
--------------------------------------
Resolution: Duplicate Issue
This is the same issue as covered by WFCORE-2398
Effectively for both issues the protocol had become 'http' / 'https' when for http requests it should always be 'HTTP'.
> Legacy Kerberos in management, regression in choosing keytab strategy
> ---------------------------------------------------------------------
>
> Key: WFCORE-2477
> URL: https://issues.jboss.org/browse/WFCORE-2477
> Project: WildFly Core
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Darran Lofthouse
> Fix For: 3.0.0.Beta12
>
>
> There is regression in strategy of choosing keytab described by xsd
> {code:xml|title=wildfly-config_5_0.xsd}
> <xs:element name="keytab">
> <xs:complexType>
> <xs:annotation>
> <xs:documentation>
> Reference to an individual keytab.
> On handling the authentication for an incoming request two pieces of information are known, the protocol and the name of the host
> this server is acting as. For HTTP requests the protocol will always be HTTP, for requests over Remoting by default the protocol will
> be 'remote' although this can be overridden.
> At the time authentication is going to be handled the keytab will be selected as follows: -
> 1 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching protocol/hostname.
> 2 - Iterate the list of keytabs and identify one where the name of the principal matches protocol/hostname.
> 3 - Iterate the list of keytabs and identify one where the for-hosts attribute contains an entry matching hostname.
> 4 - Iterate the list of keytabs and identify one where the hostname portion of the principal matches the hostname of the request.
> 5 - Use the keytab where for-hosts is set to '*'.
> If no match is found no keytab will be selected and Kerberos will not be available for communication as that host.
> </xs:documentation>
> </xs:annotation>
> {code}
> In this example
> {code:xml|title=standalone.xml}
> <security-realm name="PriorityForHostsProtocolBeforePrincipal">
> <server-identities>
> <kerberos>
> <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
> <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
> </kerberos>
> </server-identities>
> </security-realm>
> {code}
> Rule 1 should be applied, but {{<keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>}} is chosen:
> {code:title=server.log}
> 10:28:40,743 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:28:40,744 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 10:28:40,744 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,745 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,847 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:28:40,848 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
> 10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,848 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> 10:28:40,849 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/localhost.localdomain@JBOSS.ORG
> {code}
> In this example
> {code:xml|title=standalone.xml}
> <security-realm name="PriorityProtocolPrincipalBeforeForHosts">
> <server-identities>
> <kerberos>
> <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
> <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
> </kerberos>
> </server-identities>
> </security-realm>
> {code}
> Rule 2 should be applied, but {{<keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>}} is chosen:
> {code:title=server.log}
> 10:29:21,889 TRACE [org.jboss.as.domain.management.security] (management task-8) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:29:21,890 TRACE [org.jboss.as.domain.management.security] (management task-8) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
> 10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,890 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,891 INFO [stdout] (management task-8) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'http/localhost.localdomain' to KeytabService, attempting to use host only match.
> 10:29:21,955 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/wronghost@JBOSS.ORG' for host 'localhost.localdomain'
> 10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,957 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,958 INFO [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.4426394941284285487.keytab for HTTP/wronghost@JBOSS.ORG
> 10:29:21,959 INFO [stdout] (management task-9) Entered Krb5Context.acceptSecContext with state=STATE_NEW
> 10:29:21,960 INFO [stdout] (management task-9) Looking for keys for: HTTP/wronghost@JBOSS.ORG
> {code}
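The following is an added example, not code from WildFly Core or from anyone on this thread: a small Python model of the five-rule keytab selection quoted from wildfly-config_5_0.xsd above, run over the two security-realm snippets from the report. The `protocol` argument is what makes the regression visible: with the correct `HTTP` the report's rule 1 and rule 2 keytabs are chosen, while with the lowercased `http` that the resolution describes both protocol-aware rules miss and the host-only rules 3 and 4 pick exactly the keytabs the server.log shows. All function and class names are our own, and two details are assumptions rather than anything stated on the page: `for-hosts` is treated as a whitespace-separated list, and every comparison is case sensitive.

```python
"""Added example (not WildFly code): model of the five-rule keytab selection
from the quoted wildfly-config_5_0.xsd, applied to the report's two realms."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Keytab:
    principal: str            # e.g. "HTTP/localhost.localdomain@JBOSS.ORG"
    path: str
    for_hosts: Tuple[str, ...]

    def service_name(self) -> str:
        """Principal without its realm: 'HTTP/host@REALM' -> 'HTTP/host'."""
        return self.principal.split("@", 1)[0]

    def principal_host(self) -> str:
        """Host portion of the principal: 'HTTP/host' -> 'host'."""
        name = self.service_name()
        return name.split("/", 1)[1] if "/" in name else name


def parse_keytabs(realm_xml: str) -> List[Keytab]:
    """Read the <keytab> elements under <server-identities>/<kerberos>."""
    root = ET.fromstring(realm_xml)
    return [
        Keytab(
            principal=kt.get("principal"),
            path=kt.get("path"),
            # Assumption: for-hosts is a whitespace-separated list of entries.
            for_hosts=tuple(kt.get("for-hosts", "").split()),
        )
        for kt in root.iterfind("./server-identities/kerberos/keytab")
    ]


def select_keytab(keytabs: List[Keytab], protocol: str,
                  hostname: str) -> Tuple[Optional[Keytab], int]:
    """Apply rules 1-5 from the xsd in order; return (keytab, rule) or (None, 0).

    Rules 1 and 2 compare the full protocol/hostname string, so a protocol
    that arrives as 'http' instead of 'HTTP' can never satisfy them and the
    decision falls through to the host-only rules 3 and 4.
    """
    name = f"{protocol}/{hostname}"
    rules: List[Tuple[int, Callable[[Keytab], bool]]] = [
        (1, lambda kt: name in kt.for_hosts),                # for-hosts has protocol/host
        (2, lambda kt: kt.service_name() == name),           # principal is protocol/host
        (3, lambda kt: hostname in kt.for_hosts),            # for-hosts has bare host
        (4, lambda kt: kt.principal_host() == hostname),     # principal's host matches
        (5, lambda kt: "*" in kt.for_hosts),                 # wildcard fallback
    ]
    for rule, matches in rules:
        for kt in keytabs:
            if matches(kt):
                return kt, rule
    return None, 0  # no keytab: Kerberos unavailable for this host


# Realm snippets as given in the report (closing tags added so they parse).
REALM_FOR_HOSTS_FIRST = """
<security-realm name="PriorityForHostsProtocolBeforePrincipal">
  <server-identities>
    <kerberos>
      <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wrongprotocol/localhost.localdomain"/>
      <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="HTTP/localhost.localdomain"/>
    </kerberos>
  </server-identities>
</security-realm>
"""

REALM_PRINCIPAL_FIRST = """
<security-realm name="PriorityProtocolPrincipalBeforeForHosts">
  <server-identities>
    <kerberos>
      <keytab principal="HTTP/localhost.localdomain@JBOSS.ORG" path="krb.keytab" for-hosts="wronghost"/>
      <keytab principal="HTTP/wronghost@JBOSS.ORG" path="krb.keytab" for-hosts="localhost.localdomain"/>
    </kerberos>
  </server-identities>
</security-realm>
"""


def choose(realm_xml: str, protocol: str,
           hostname: str = "localhost.localdomain") -> Tuple[Optional[str], int]:
    """Convenience wrapper: (selected principal or None, rule number that fired)."""
    kt, rule = select_keytab(parse_keytabs(realm_xml), protocol, hostname)
    return (kt.principal if kt else None, rule)


if __name__ == "__main__":
    for label, realm in (("for-hosts-first", REALM_FOR_HOSTS_FIRST),
                         ("principal-first", REALM_PRINCIPAL_FIRST)):
        print(f"{label}: HTTP -> {choose(realm, 'HTTP')}  |  http -> {choose(realm, 'http')}")
```

Running it prints, for the first realm, the rule 1 keytab under `HTTP` but the rule 4 keytab (`HTTP/localhost.localdomain@JBOSS.ORG`) under `http`, and for the second realm the rule 2 keytab under `HTTP` but the rule 3 keytab (`HTTP/wronghost@JBOSS.ORG`) under `http`, which is the same pair of wrong selections the two server.log excerpts record after "No mapping for name 'http/localhost.localdomain'".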
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)