[jboss-jira] [JBoss JIRA] (ELY-1547) SPNEGO: missing negstat field in the first reply for expired token
Jan Kalina (JIRA)
issues at jboss.org
Tue Mar 20 13:40:01 EDT 2018
[ https://issues.jboss.org/browse/ELY-1547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Kalina updated ELY-1547:
----------------------------
Steps to Reproduce:
{code}
git clone git@gitlab.mw.lab.eng.bos.redhat.com:mchoma/tests-ldap-kerberos.git
cd tests-ldap-kerberos
git checkout 7.x
./build-eap71.sh -Deap -Djboss.dist.zip=/home/jkalina/work/tests-ldap-kerberos/wildfly.zip -Dversion.wildfly.core=5.0.0.Alpha1-SNAPSHOT -Dversion.jboss.bom=7.1.0.GA -Dtest=SPNEGODefaultTestCase#testInvalidTicketFormFallback
{code}
But add a check to *testInvalidTicketFormFallback*:
{code:java}
assertHttpHeader(response, HEADER_WWW_AUTHENTICATE, "Negotiate oQcwBaADCgEC");
{code}
was: testInvalidKerberosSpnegoWorkflow in [https://github.com/jbossas/jboss-eap7/pull/457/commits/661c2c6c8a1b91feab54f3394c03e7a54818ed18]
> SPNEGO: missing negstat field in the first reply for expired token
> ------------------------------------------------------------------
>
> Key: ELY-1547
> URL: https://issues.jboss.org/browse/ELY-1547
> Project: WildFly Elytron
> Issue Type: Bug
> Components: HTTP
> Affects Versions: 1.2.4.Final
> Reporter: Jan Kalina
> Assignee: Jan Kalina
>
> When the client sends an initial SPNEGO token with Kerberos as the preferred mechanism and includes an invalid Kerberos token, the client expects to see the {{WWW-Authenticate}} HTTP header with the SPNEGO response {{negTokenResp[ negState = reject ]}}.
> As stated in the [SPNEGO specification|https://tools.ietf.org/html/rfc4178#section-4.2.2], negState is required in the first reply:
> {code:borderStyle=dashed}
> negState
> ...
> This field is REQUIRED in the first reply from the target, and is
> OPTIONAL thereafter. When negState is absent, the actual state
> should be inferred from the state of the negotiated mechanism
> context.
> {code}
--
This message was sent by Atlassian JIRA
(v7.5.0#75005)