[jboss-jira] [JBoss JIRA] (SECURITY-741) Spnego fallback with LDAP login module does not authorize properly
Darran Lofthouse (JIRA)
issues at jboss.org
Tue Aug 21 08:14:01 EDT 2018
[ https://issues.jboss.org/browse/SECURITY-741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse reassigned SECURITY-741:
-----------------------------------------
Assignee: (was: Darran Lofthouse)
> Spnego fallback with LDAP login module does not authorize properly
> ------------------------------------------------------------------
>
> Key: SECURITY-741
> URL: https://issues.jboss.org/browse/SECURITY-741
> Project: PicketBox
> Issue Type: Feature Request
> Components: Negotiation
> Affects Versions: PicketBox_4_0_14.Final
> Environment: Windows 2008
> AS 7.1.3
> Reporter: L D
>
> When using the LDAP fallback mechanism with SPNEGO, it looks like authorization always fails.
> Users are getting a 403 message.
> When I set up the same login modules to work with only Form authentication (without SPNEGO) or only SPNEGO (without fallback), everything is working.
> In the server logs everything looks OK – the user is authenticated, but the web application is throwing a 403 exception.
> 12:50:16,560 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000201: End isValid, result = true
> 12:50:16,560 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) User: ld is authenticated
> 12:50:16,564 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
> 12:50:16,565 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000354: Setting security roles ThreadLocal: null
> 12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Begin invoke, caller=null
> 12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) Restoring principal info from cache
> 12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Authenticating user
> 12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Already authenticated 'ld'
> 12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
> 12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
> 12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) End invoke, caller=null
> Example of standalone.xml
> <security-domain name="host" cache-type="default">
>     <authentication>
>         <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
>             <module-option name="debug" value="true"/>
>             <module-option name="principal" value="HTTP/xxx"/>
>             <module-option name="storeKey" value="true"/>
>             <module-option name="useKeyTab" value="true"/>
>             <module-option name="doNotPrompt" value="true"/>
>             <module-option name="keyTab" value="D:/path to keytab.keytab"/>
>         </login-module>
>     </authentication>
> </security-domain>
> <security-domain name="SPNEGO" cache-type="default">
>     <authentication>
>         <login-module code="SPNEGO" flag="requisite">
>             <module-option name="password-stacking" value="useFirstPass"/>
>             <module-option name="serverSecurityDomain" value="host"/>
>             <module-option name="debug" value="true"/>
>             <module-option name="usernamePasswordDomain" value="fallback"/>
>         </login-module>
>         <login-module code="AdvancedAdLdap" flag="sufficient">
>             <module-option name="bindAuthentication" value="GSSAPI"/>
>             <module-option name="password-stacking" value="useFirstPass"/>
>             <module-option name="jaasSecurityDomain" value="host"/>
>             <module-option name="debug" value="true"/>
>             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>             <module-option name="java.naming.provider.url" value="ldap://xxx:389"/>
>             <module-option name="bindDN" value="xxx"/>
>             <module-option name="bindCredential" value="xxx"/>
>             <module-option name="baseCtxDN" value="OU=xxx,DC=xx,DC=xxx,DC=xx"/>
>             <module-option name="baseFilter" value="(userPrincipalName={0})"/>
>             <module-option name="rolesCtxDN" value="OU=Production,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx"/>
>             <module-option name="roleFilter" value="(member={1})"/>
>             <module-option name="roleAttributeID" value="accountNameHistory"/>
>             <module-option name="roleNameAttributeID" value="cn"/>
>             <module-option name="roleAttributeIsDN" value="false"/>
>             <module-option name="throwValidateError" value="true"/>
>             <module-option name="searchScope" value="SUBTREE_SCOPE"/>
>             <module-option name="allowEmptyPasswords" value="false"/>
>             <module-option name="java.naming.referral" value="follow"/>
>             <module-option name="realmName" value="SPNEGO"/>
>         </login-module>
>     </authentication>
> </security-domain>
> <security-domain name="fallback" cache-type="default">
>     <authentication>
>         <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient">
>             <module-option name="bindAuthentication" value="GSSAPI"/>
>             <module-option name="password-stacking" value="useFirstPass"/>
>             <module-option name="debug" value="true"/>
>             <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
>             <module-option name="java.naming.provider.url" value="ldap://xxx:389"/>
>             <module-option name="bindDN" value="xxx"/>
>             <module-option name="bindCredential" value="xxx"/>
>             <module-option name="baseCtxDN" value=" OU=xxx,DC=xx,DC=xxx,DC=xx "/>
>             <module-option name="baseFilter" value="(sAMAccountName={0})"/>
>             <module-option name="rolesCtxDN" value=" OU=Production,OU=xxx,OU=xxx,DC=xxx,DC=xxx,DC=xx "/>
>             <module-option name="roleFilter" value="(member={1})"/>
>             <module-option name="roleAttributeID" value="accountNameHistory"/>
>             <module-option name="roleNameAttributeID" value="cn"/>
>             <module-option name="roleAttributeIsDN" value="false"/>
>             <module-option name="throwValidateError" value="true"/>
>             <module-option name="searchScope" value="SUBTREE_SCOPE"/>
>             <module-option name="allowEmptyPasswords" value="false"/>
>             <module-option name="java.naming.referral" value="follow"/>
>             <module-option name="removeRealmFromPrincipal" value="true"/>
>             <module-option name="realmName" value="SPNEGO"/>
>         </login-module>
>     </authentication>
> </security-domain>
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
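Added example, not part of the report or of PicketBox: a small Python detector that correlates the TRACE lines quoted in the report per request thread and flags the pattern the reporter saw (user authenticated, roles ThreadLocal set to null, hasRole/hasResourcePermission ending in final=false). The sample input is the report's own log lines; the regexes, function names and finding layout are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: TRACE lines copied from the SECURITY-741 report (not constructed).
TRACE_LOG = """\
12:50:16,560 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000201: End isValid, result = true
12:50:16,560 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) User: ld is authenticated
12:50:16,565 TRACE [org.jboss.security] (http-whofr836w33/172.29.60.93:8080-1) PBOX000354: Setting security roles ThreadLocal: null
12:50:16,567 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-whofr836w33/172.29.60.93:8080-1) Already authenticated 'ld'
12:50:16,567 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasRole:RealmBase says:false::Authz framework says:true:final=false
12:50:16,568 TRACE [org.jboss.as.web.security] (http-whofr836w33/172.29.60.93:8080-1) hasResourcePermission:RealmBase says:false::Authz framework says:true:final=false
"""

# "<time> <LEVEL> [<logger>] (<thread>) <message>" as emitted in the report.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")
AUTH_RE = re.compile(r"User: (?P<user>\S+) is authenticated")
# The web-security realm logs the container realm verdict, the authz framework verdict and the final decision.
AUTHZ_RE = re.compile(r"^(?P<check>hasRole|hasResourcePermission):RealmBase says:(?P<realm>\w+)"
                      r"::Authz framework says:(?P<authz>\w+):final=(?P<final>\w+)$")
ROLES_NULL = "Setting security roles ThreadLocal: null"


def parse_line(line):
    """Split one JBoss TRACE line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_authz_mismatches(log_text):
    """Per request thread, report a principal that was authenticated but then denied
    by a role check whose final verdict is false while the authz framework said true
    (the symptom behind the 403 in the report). Returns a list of finding dicts."""
    state = defaultdict(lambda: {"user": None, "roles_null": False, "failed": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = state[rec["thread"]]
        auth = AUTH_RE.search(rec["msg"])
        if auth:
            st["user"] = auth.group("user")
        elif ROLES_NULL in rec["msg"]:
            st["roles_null"] = True  # no roles were attached to the security context
        else:
            z = AUTHZ_RE.match(rec["msg"])
            if z and z.group("final") == "false" and z.group("authz") == "true":
                st["failed"].append(z.group("check"))
    return [{"thread": t, "user": s["user"], "roles_null": s["roles_null"], "failed_checks": s["failed"]}
            for t, s in state.items() if s["user"] and s["failed"]]
```

Run over a full TRACE log, one finding per thread tells you which principal passed authentication yet reached the resource with no roles, so the 403 can be attributed to the role population step rather than to the Kerberos or LDAP bind.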