[jboss-jira] [JBoss JIRA] (ELY-715) SPNEGO: missing negState field in the first reply for defective token

Jan Kalina (JIRA) issues at jboss.org
Wed Mar 21 12:33:03 EDT 2018


    [ https://issues.jboss.org/browse/ELY-715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13548693#comment-13548693 ] 

Jan Kalina edited comment on ELY-715 at 3/21/18 12:32 PM:
----------------------------------------------------------

Note: this issue covers "Defective token" (which cannot be parsed and gssContext throws GSSException), but not "Invalid token" (which is expired, for example, and gssContext returns srcName = null) - that is in ELY-1547


was (Author: honza889):
Note: this issue covers "Defective token" (which cannot be parsed and gssContext throws GSSException), but not "Invalid token" (which is expired, for example, and gssContext returns srcName = null)

> SPNEGO: missing negState field in the first reply for defective token
> ---------------------------------------------------------------------
>
>                 Key: ELY-715
>                 URL: https://issues.jboss.org/browse/ELY-715
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: Authentication Mechanisms
>            Reporter: Jan Kalina
>            Assignee: Darran Lofthouse
>             Fix For: 1.1.0.CR2
>
>
> When the client sends an initial SPNEGO token with Kerberos as the preferred mechanism and includes an invalid Kerberos token, then the client expects to see the {{WWW-Authenticate}} HTTP header with SPNEGO response {{negTokenResp[ negState = reject ]}}.
> As stated in the [SPNEGO specification|https://tools.ietf.org/html/rfc4178#section-4.2.2], negState is required in the first reply:
> {code:borderStyle=dashed}
> negState
> ...
>       This field is REQUIRED in the first reply from the target, and is
>       OPTIONAL thereafter.  When negState is absent, the actual state
>       should be inferred from the state of the negotiated mechanism
>       context.
> {code}



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)

