[jboss-jira] [JBoss JIRA] (WFLY-8547) Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned
Jan Kalina (JIRA)
issues@jboss.org
Thu Oct 5 10:37:01 EDT 2017
[ https://issues.jboss.org/browse/WFLY-8547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina closed WFLY-8547.
----------------------------
Resolution: Cannot Reproduce Bug
Already resolved:
* no authentication mechanisms are available (wrong protocol in http-authentication-factory) correctly returns 500 in the current version
* exception evaluating the request and there are no other mechanisms available (wrong principal name in kerberos security factory) correctly returns 500 in the current version
Just note the second scenario requires setting obtain-kerberos-ticket=true to ensure an incorrect principal name causes a server-side exception.
> Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned
> ---------------------------------------------------------------------------------
>
> Key: WFLY-8547
> URL: https://issues.jboss.org/browse/WFLY-8547
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Martin Choma
> Assignee: Jan Kalina
>
> During SPNEGO in deployment authentication, there should be these rules applied
> * If authentication is required and no authentication mechanisms are available for use report - 500
> * If a mechanism throws an exception evaluating the request and there are no other mechanisms available - 500
> Same as Elytron securing management interface discussed on https://issues.jboss.org/browse/JBEAP-9970?focusedCommentId=13386447&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13386447
> I test these scenarios by:
> * wrong protocol=DOES_NOT_EXIST in http-authentication-factory
> ** I get 403 on first GET
> ** {code}
> 14:35:41,907 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
> 14:35:41,908 TRACE [org.wildfly.security] (default task-1) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='SPNEGO', hostName='localhost.localdomain', protocol='http'.
> {code}
> * wrong principal name in kerberos security factory
> ** I get 401 on first GET
> ** {code}
> 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
> 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Evaluating SPNEGO request: cached GSSContext = null
> 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Obtaining GSSCredential for the service from callback handler...
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) No valid cached credential, obtaining new one...
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject:
> ]
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject:
> Principal: HTTP/wronghost@JBOSS.ORG
> Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG
> ] succeed
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Creating GSSName for Principal 'HTTP/wronghost@JBOSS.ORG'
> 14:38:37,282 INFO [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG
> 14:38:37,282 INFO [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f]
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost@JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@7e6a9da]
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching GSSContext sun.security.jgss.GSSContextImpl@2df4c570
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching KerberosTicket null
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Sent HTTP authorizations: [null]
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Request lacks valid authentication credentials
> {code}
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
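The two status-code rules in the report (no usable mechanism: 500; a mechanism throws and no other mechanism is available: 500), modelled in Python as an added example. This is not Elytron or WildFly code: the names HttpAuthenticationFactory, MechanismConfiguration and the ELY01119 failure mirror the terminology in the log above, but their implementations, the toy SPNEGO and BASIC mechanisms, the KDC principal set and the request fixtures are all assumptions constructed here. The scenarios reproduce the two cases tested in the report (protocol=DOES_NOT_EXIST; wrong service principal with obtain-kerberos-ticket=true), and go one step further to show why the closing comment insists on obtain-kerberos-ticket=true (with it false the same misconfiguration only yields a 401 challenge) and what "no other mechanisms available" excludes (a second configured mechanism turns the 500 back into a 401).

```python
"""Model of the WFLY-8547 rules for HTTP authentication failure states (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

HTTP_OK, HTTP_UNAUTHORIZED, HTTP_SERVER_ERROR = 200, 401, 500
Mechanism = Callable[[dict], int]   # evaluates a request, returns a status or raises


class MechanismConfigurationError(Exception):
    """Stands in for the ELY01119 IllegalStateException seen in the issue log (assumption)."""


@dataclass
class MechanismConfiguration:
    mechanism_name: str
    protocol: Optional[str] = None    # None matches any protocol
    host_name: Optional[str] = None   # None matches any host

    def matches(self, name: str, protocol: str, host: str) -> bool:
        return (self.mechanism_name == name
                and self.protocol in (None, protocol)
                and self.host_name in (None, host))


@dataclass
class HttpAuthenticationFactory:
    configurations: List[MechanismConfiguration]
    mechanisms: Dict[str, Mechanism]

    def resolve(self, name: str, protocol: str, host: str) -> Mechanism:
        """Pick the mechanism whose configuration matches the request, else fail like ELY01119."""
        for cfg in self.configurations:
            if cfg.matches(name, protocol, host):
                return self.mechanisms[name]
        raise MechanismConfigurationError(
            f"Unable to resolve MechanismConfiguration for mechanismName={name!r}, "
            f"hostName={host!r}, protocol={protocol!r}")


def authenticate(factory: HttpAuthenticationFactory, names: List[str], request: dict) -> int:
    """Apply the two WFLY-8547 rules and return the HTTP status the server should send."""
    available: List[Mechanism] = []
    for name in names:
        try:
            available.append(factory.resolve(name, request["protocol"], request["host"]))
        except MechanismConfigurationError:
            continue   # this mechanism cannot serve this request
    if not available:
        return HTTP_SERVER_ERROR   # rule 1: authentication required, no mechanism usable
    statuses: List[int] = []
    for mechanism in available:
        try:
            statuses.append(mechanism(request))
        except Exception:
            continue   # another mechanism may still produce a result
    if not statuses:
        return HTTP_SERVER_ERROR   # rule 2: a mechanism threw and no other one was available
    return HTTP_OK if HTTP_OK in statuses else HTTP_UNAUTHORIZED


def spnego_mechanism(service_principal: str, kdc_principals: FrozenSet[str],
                     obtain_kerberos_ticket: bool) -> Mechanism:
    """Toy SPNEGO mechanism (assumption, not Elytron's SpnegoAuthenticationMechanism).

    With obtain-kerberos-ticket=true the server needs a ticket for its own service principal,
    so an SPN the KDC does not know fails server-side before any client token is looked at;
    with it false the mismatch only shows up as a 401 challenge on the first GET.
    """
    def evaluate(request: dict) -> int:
        if obtain_kerberos_ticket and service_principal not in kdc_principals:
            raise RuntimeError(f"KDC has no principal {service_principal}")
        ticket_target = request.get("negotiate_for")   # SPN the client's ticket was issued for
        if ticket_target is None:
            return HTTP_UNAUTHORIZED   # "Request lacks valid authentication credentials"
        return HTTP_OK if ticket_target == service_principal else HTTP_UNAUTHORIZED
    return evaluate


def basic_mechanism(request: dict) -> int:
    """Toy BASIC mechanism, present only to show the 'other mechanisms available' case."""
    return HTTP_OK if request.get("basic") == ("admin", "secret") else HTTP_UNAUTHORIZED


# Constructed fixtures (not from the page): a KDC that knows only the correct SPN,
# a bare first GET, and a GET carrying a ticket for the correct SPN.
KDC = frozenset({"HTTP/localhost.localdomain@JBOSS.ORG"})
FIRST_GET = {"protocol": "http", "host": "localhost.localdomain"}
TICKET_GET = dict(FIRST_GET, negotiate_for="HTTP/localhost.localdomain@JBOSS.ORG")


def run_scenario(protocol: Optional[str], service_principal: str,
                 obtain_kerberos_ticket: bool, extra: Optional[str], request: dict) -> int:
    """Configure SPNEGO (plus an optional extra mechanism) and return the status for one request."""
    configurations = [MechanismConfiguration("SPNEGO", protocol=protocol)]
    mechanisms = {"SPNEGO": spnego_mechanism(service_principal, KDC, obtain_kerberos_ticket)}
    if extra:
        configurations.append(MechanismConfiguration(extra))
        mechanisms[extra] = basic_mechanism
    return authenticate(HttpAuthenticationFactory(configurations, mechanisms), list(mechanisms), request)


if __name__ == "__main__":
    print(run_scenario("DOES_NOT_EXIST", "HTTP/localhost.localdomain@JBOSS.ORG", True, None, FIRST_GET))
    print(run_scenario("http", "HTTP/wronghost@JBOSS.ORG", True, None, FIRST_GET))
    print(run_scenario("http", "HTTP/wronghost@JBOSS.ORG", False, None, FIRST_GET))
    print(run_scenario("http", "HTTP/wronghost@JBOSS.ORG", True, "BASIC", FIRST_GET))
    print(run_scenario(None, "HTTP/localhost.localdomain@JBOSS.ORG", True, None, TICKET_GET))
```

The five calls in the main block correspond, in order, to: the wrong-protocol scenario (500), the wrong-principal scenario with obtain-kerberos-ticket=true (500), the same misconfiguration with obtain-kerberos-ticket=false (401), the wrong principal with BASIC also configured (401, since another mechanism is available), and a correct configuration with a ticket for the right SPN (200). When checking a real deployment, the practitioner's equivalent is the status of the first unauthenticated GET: a 401 or 403 in the first two scenarios means the server is masking a configuration fault as a client error.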