[jboss-jira] [JBoss JIRA] (WFLY-8547) Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned

Darran Lofthouse (JIRA) issues@jboss.org
Wed Sep 20 10:20:01 EDT 2017


     [ https://issues.jboss.org/browse/WFLY-8547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Darran Lofthouse updated WFLY-8547:
-----------------------------------
    Priority: Major  (was: Critical)


> Elytron, SPNEGO in deployment exceptional states handling, 500 should be returned
> ---------------------------------------------------------------------------------
>
>                 Key: WFLY-8547
>                 URL: https://issues.jboss.org/browse/WFLY-8547
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security
>            Reporter: Martin Choma
>            Assignee: Darran Lofthouse
>
> During SPNEGO in deployment authentication, these rules should be applied:
> * If authentication is required and no authentication mechanisms are available for use, report 500
> * If a mechanism throws an exception evaluating the request and there are no other mechanisms available, report 500
> Same as Elytron securing management interface discussed on https://issues.jboss.org/browse/JBEAP-9970?focusedCommentId=13386447&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13386447
> I test these scenarios by:
> * wrong protocol=DOES_NOT_EXIST in http-authentication-factory 
> ** I get 403 on first GET
> ** {code}
> 14:35:41,907 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
> 14:35:41,908 TRACE [org.wildfly.security] (default task-1) java.lang.IllegalStateException: ELY01119: Unable to resolve MechanismConfiguration for mechanismType='HTTP', mechanismName='SPNEGO', hostName='localhost.localdomain', protocol='http'.
> {code}
> * wrong principal name in kerberos security factory
> ** I get 401 on first GET
> ** {code}
> 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Handling MechanismInformationCallback type='HTTP' name='SPNEGO' host-name='localhost.localdomain' protocol='http'
> 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Evaluating SPNEGO request: cached GSSContext = null
> 14:38:37,280 TRACE [org.wildfly.security] (default task-1) Obtaining GSSCredential for the service from callback handler...
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) No valid cached credential, obtaining new one...
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject:
> ]
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Logging in using LoginContext and subject [Subject:
> 	Principal: HTTP/wronghost@JBOSS.ORG
> 	Private Credential: /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG
> ] succeed
> 14:38:37,281 TRACE [org.wildfly.security] (default task-1) Creating GSSName for Principal 'HTTP/wronghost@JBOSS.ORG'
> 14:38:37,282 INFO  [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG
> 14:38:37,282 INFO  [stdout] (default task-1) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap71/target/krb/krb.6037194374738244164.keytab for HTTP/wronghost@JBOSS.ORG
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Obtained GSSCredentialCredential [org.wildfly.security.credential.GSSKerberosCredential@1f]
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Handling ServerCredentialCallback: successfully obtained credential type type=class org.wildfly.security.credential.GSSKerberosCredential, algorithm=null, params=null
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Using SpnegoAuthenticationMechanism to authenticate HTTP/wronghost@JBOSS.ORG using the following mechanisms: [[Lorg.ietf.jgss.Oid;@7e6a9da]
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching GSSContext sun.security.jgss.GSSContextImpl@2df4c570
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Caching KerberosTicket null
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Sent HTTP authorizations: [null]
> 14:38:37,282 TRACE [org.wildfly.security] (default task-1) Request lacks valid authentication credentials
> {code}



--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
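Added example, not part of the ticket and not Elytron's code: a small Python model of the two rules requested in the issue, exercised against stand-ins for the scenarios Martin describes (a mechanism whose configuration cannot be resolved, and a mechanism that runs but has to challenge the client). The Request, Response, Mechanism and MechanismError types, the negotiate_like/basic_like factories, and the token and password values are all hypothetical; a real SPNEGO mechanism drives a GSS-API context rather than comparing a token string.

```python
"""Added example (not Elytron code): model of the HTTP authentication dispatch rules
asked for in WFLY-8547.  All types here are hypothetical stand-ins."""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    authorization: Optional[str] = None          # Authorization header, if the client sent one


@dataclass
class Response:
    status: int
    challenges: List[str] = field(default_factory=list)  # WWW-Authenticate values to send
    principal: Optional[str] = None


class MechanismError(Exception):
    """A mechanism failed while evaluating the request (cf. ELY01119 in the ticket)."""


@dataclass
class Mechanism:
    name: str
    evaluate: Callable[[Request], Optional[str]]  # principal on success, None -> challenge
    challenge: str                                # WWW-Authenticate value for this mechanism


def authenticate(request: Request, mechanisms: List[Mechanism]) -> Response:
    """Rules for a resource that requires authentication: no mechanism available -> 500;
    a mechanism throws and no other mechanism can run -> 500; otherwise 401 carrying the
    challenges of the mechanisms that did run, or 200 once one of them accepts the request."""
    if not mechanisms:
        return Response(500)                      # rule 1: nothing could ever authenticate this
    challenges: List[str] = []
    failures: List[str] = []
    for mech in mechanisms:
        try:
            principal = mech.evaluate(request)
        except MechanismError as exc:
            failures.append(f"{mech.name}: {exc}")  # keep going: another mechanism may still work
            continue
        if principal is not None:
            return Response(200, principal=principal)
        challenges.append(mech.challenge)
    if failures and not challenges:
        return Response(500)                      # rule 2: only broken mechanisms were available
    return Response(401, challenges=challenges)   # request lacks valid credentials: challenge it


def misconfigured(request: Request) -> Optional[str]:
    """Stand-in for the first scenario: resolution fails before any token is examined."""
    raise MechanismError("ELY01119: Unable to resolve MechanismConfiguration")


def negotiate_like(valid_token: str, principal: str) -> Callable[[Request], Optional[str]]:
    """Stand-in for SPNEGO: a made-up token compared for equality, not a GSS-API context."""
    def evaluate(request: Request) -> Optional[str]:
        if not request.authorization:
            return None                           # first GET: no token yet, send 'Negotiate'
        scheme, _, token = request.authorization.partition(" ")
        if scheme != "Negotiate" or token != valid_token:
            return None                           # not ours or not accepted: challenge again
        return principal
    return evaluate


def basic_like(users: Dict[str, str]) -> Callable[[Request], Optional[str]]:
    """Stand-in for BASIC, so the fallback path (one mechanism broken, another usable) shows."""
    def evaluate(request: Request) -> Optional[str]:
        if not request.authorization or not request.authorization.startswith("Basic "):
            return None
        try:
            user, _, password = base64.b64decode(request.authorization[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None                           # unparsable credentials: challenge again
        return user if users.get(user) == password else None
    return evaluate


# Constructed scenarios mirroring the ticket; token, realm and password values are made up.
SPNEGO_OK = Mechanism("SPNEGO", negotiate_like("demo-token", "mchoma@JBOSS.ORG"), "Negotiate")
SPNEGO_BROKEN = Mechanism("SPNEGO", misconfigured, "Negotiate")
BASIC = Mechanism("BASIC", basic_like({"mchoma": "secret"}), 'Basic realm="ApplicationRealm"')
BASIC_HEADER = "Basic " + base64.b64encode(b"mchoma:secret").decode()


def run_scenarios() -> Dict[str, Response]:
    return {
        "no mechanisms":          authenticate(Request(), []),
        "only broken SPNEGO":     authenticate(Request(), [SPNEGO_BROKEN]),
        "broken SPNEGO + BASIC":  authenticate(Request(), [SPNEGO_BROKEN, BASIC]),
        "BASIC creds accepted":   authenticate(Request(BASIC_HEADER), [SPNEGO_BROKEN, BASIC]),
        "first GET, SPNEGO ok":   authenticate(Request(), [SPNEGO_OK]),
        "token accepted":         authenticate(Request("Negotiate demo-token"), [SPNEGO_OK]),
    }


if __name__ == "__main__":
    for name, resp in run_scenarios().items():
        print(f"{name:24} -> {resp.status} {resp.challenges} {resp.principal or ''}")
```

The distinction the model makes is the one the two rules hinge on: a mechanism that cannot resolve its configuration has no challenge to send, so with nothing else configured the only honest answer is 500, whereas a mechanism that runs and merely has to challenge the client takes the ordinary 401 path. When a broken mechanism sits beside a working one, the failure is recorded and the response carries only the challenges of the mechanisms that actually ran.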