[jboss-jira] [JBoss JIRA] (SECURITY-719) request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
Darran Lofthouse (JIRA)
issues at jboss.org
Tue Aug 21 08:14:02 EDT 2018
[ https://issues.jboss.org/browse/SECURITY-719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated SECURITY-719:
--------------------------------------
Fix Version/s: (was: Negotiation_2_2_2)
> request.getRemoteUser() returns invalid username on EAP 6.0.1.ER4.2
> -------------------------------------------------------------------
>
> Key: SECURITY-719
> URL: https://issues.jboss.org/browse/SECURITY-719
> Project: PicketBox
> Issue Type: Feature Request
> Components: Negotiation
> Affects Versions: Negotiation_2_2_1
> Environment: EAP 6.0.1.ER4.2
> SPNEGO setup with Kerberos
> Kerberos user: demo@LOCAL.NETWORK
> Reporter: Marek Posolda
>
> It seems that JBoss Negotiation 2.2.1.Final doesn't work correctly on EAP 6.0.1.ER4.2. I am able to reproduce the issue with SecuredServlet from the negotiation toolkit.
> I logged in through SPNEGO (Kerberos) and in SecuredServlet I am seeing these outputs:
> request.getUserPrincipal() returns a principal with name "demo@LOCAL.NETWORK" -> OK
> request.getRemoteUser() returns something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922" -> FAILURE!!!
> SecurityContextAssociation.getSecurityContext().getSubjectInfo().getIdentities().next() also returns "dPC0cG6NhAUi88tSbvQar59M_1357729358922" => FAILURE!!!
> Note that JBoss Negotiation 2.2.1.Final works correctly on JBoss AS 7.1.3 but it failed only on EAP 6.0.1.ER4.2. The reason is not related to Negotiation itself, but due to changes in behaviour in related libraries like jboss-as-web and picketbox-infinispan.
> In NegotiationAuthenticator the call to JBossWebRealm:
> principal = realm.authenticate(username, (String) null);
> now returns a JBossGenericPrincipal with the username taken from the calling username. So it's something like "dPC0cG6NhAUi88tSbvQar59M_1357729358922", as the calling username is only a placeholder computed from the sessionId and the system time.
> Previously the username was taken from the principal of the JAAS-authenticated user, which correctly returned "demo@LOCAL.NETWORK".
> So the bug seems to be due to changes in JBossWebRealm and maybe also in picketbox classes like JBossCachedAuthenticationManager (seeing that the cache key is now also the calling username instead of the username of the authenticated principal).
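The following is an added example, not code from JBoss Negotiation, PicketBox or the reporter. It models the mismatch described in the report with plain JDK classes: a stand-in realm that names the returned principal after the calling (placeholder) username next to one that names it after the JAAS-authenticated Kerberos principal, and the consistency check a SecuredServlet-style page can run to catch the regression. The class and method names (RealmPrincipal, authenticateBroken, authenticateFixed, placeholderUsername) and the exact form of the placeholder are assumptions; the real classes involved are NegotiationAuthenticator, JBossWebRealm and JBossGenericPrincipal.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;

/*
 * Simplified model of SECURITY-719 (added example; not JBoss Negotiation
 * or PicketBox code). All class and method names here are assumptions.
 */
public class RemoteUserCheck {

    /** Stand-in for the realm's result: the web-tier name plus the JAAS user principal. */
    static final class RealmPrincipal implements Principal {
        private final String name;             // what request.getRemoteUser() reports
        private final Principal userPrincipal; // what request.getUserPrincipal() reports

        RealmPrincipal(String name, Principal userPrincipal) {
            this.name = name;
            this.userPrincipal = userPrincipal;
        }
        public String getName() { return name; }
        Principal getUserPrincipal() { return userPrincipal; }
    }

    /** Placeholder passed as "username" by the authenticator (form assumed: session id + "_" + system time). */
    static String placeholderUsername(String sessionId) {
        return sessionId + "_" + System.currentTimeMillis();
    }

    /** Simulates the JAAS login: the SPNEGO token was validated and the Subject carries the Kerberos principal. */
    static Subject kerberosSubject(String principalName) {
        Subject s = new Subject();
        s.getPrincipals().add(new KerberosPrincipal(principalName));
        return s;
    }

    /** Behaviour reported on EAP 6.0.1.ER4.2: principal name copied from the calling username. */
    static RealmPrincipal authenticateBroken(String callingUsername, Subject subject) {
        Principal user = firstKerberosPrincipal(subject);
        return new RealmPrincipal(callingUsername, user);
    }

    /** Previous (correct) behaviour: principal name taken from the JAAS-authenticated principal. */
    static RealmPrincipal authenticateFixed(String callingUsername, Subject subject) {
        Principal user = firstKerberosPrincipal(subject);
        return new RealmPrincipal(user.getName(), user);
    }

    private static Principal firstKerberosPrincipal(Subject subject) {
        Set<KerberosPrincipal> ps = subject.getPrincipals(KerberosPrincipal.class);
        if (ps.isEmpty()) {
            throw new IllegalStateException("no Kerberos principal in Subject");
        }
        return ps.iterator().next();
    }

    /** Check a SecuredServlet-style page can run: getRemoteUser() must equal getUserPrincipal().getName(). */
    static boolean remoteUserConsistent(RealmPrincipal p) {
        return p.getName().equals(p.getUserPrincipal().getName());
    }

    public static void main(String[] args) {
        Subject subject = kerberosSubject("demo@LOCAL.NETWORK");
        // "dPC0cG6NhAUi88tSbvQar59M" is the prefix of the value quoted in the report; its meaning is assumed.
        String placeholder = placeholderUsername("dPC0cG6NhAUi88tSbvQar59M");

        RealmPrincipal broken = authenticateBroken(placeholder, subject);
        RealmPrincipal fixed = authenticateFixed(placeholder, subject);

        System.out.println("broken: getRemoteUser()=" + broken.getName()
                + " getUserPrincipal()=" + broken.getUserPrincipal().getName()
                + " consistent=" + remoteUserConsistent(broken));
        System.out.println("fixed:  getRemoteUser()=" + fixed.getName()
                + " getUserPrincipal()=" + fixed.getUserPrincipal().getName()
                + " consistent=" + remoteUserConsistent(fixed));
    }
}
```

Running `remoteUserConsistent` in a test servlet after SPNEGO login is a cheap regression check: any code path (authorization rules, audit logging, cache keys) that reads getRemoteUser() instead of getUserPrincipal() silently operates on the placeholder when the two diverge.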