Bug 1014028

Summary: GET returns empty content for authenticated (?) URI
Product: [Fedora] Fedora Reporter: Jan Pazdziora <jpazdziora>
Component: jboss-asAssignee: Marek Goldmann <mgoldman>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: jcacek, jpazdziora, mgoldman, smarlow
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-28 11:06:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jan Pazdziora 2013-10-01 09:41:28 UTC 
Description of problem:

I use https://github.com/kwart/spnego-demo/tree/demo-for-adelton to test SPNEGO under JBoss AS. When I deploy the application, depending on having correct Kerberos ticket or not,

curl --raw --negotiate -u : -Li http://$(hostname):8080/spnego-demo

returns 200 OK or 401 Unauthorized. However, the content I get for the 200 OK is empty.

When I disable security-constraint/auth-constraint and let the application run unauthenticated, it returns 200 OK and the content of the index.html file just fine.

Version-Release number of selected component (if applicable):

# rpm -qa 'jboss-as*'
jboss-as-7.1.1-21.fc19.noarch

How reproducible:

Deterministic.

Steps to Reproduce:
1. Install JBoss AS on Fedora 19.
2. Run jboss-as-cp -l $HOME/jboss-as-user-instance.
3. Deploy the spnego-demo to deployments (compile WEB-INF/classes/org/jboss/AddRoleLoginModule.java manually if needed).
4. Amend configuration/standalone-web.xml with the patch below.
5. Put proper keytab to /etc/http.keytab.
6. Start the JBoss standalone: $HOME/jboss-as-user-instance/bin/standalone.sh &
6. Run curl --raw --negotiate -u : -Li http://$(hostname):8080/spnego-demo

Actual results:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www.example.com:8080/spnego-demo/
Transfer-Encoding: chunked
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 962
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Set-Cookie: JSESSIONID=eXF7GVHAO9tXkMJGpn7gEGJC.undefined; Path=/spnego-demo
Transfer-Encoding: chunked
Date: Tue, 01 Oct 2013 09:37:38 GMT

0


Expected results:

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www.example.com:8080/spnego-demo/
Transfer-Encoding: chunked
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 962
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Accept-Ranges: bytes
ETag: W/"150-1380293412000"
Last-Modified: Fri, 27 Sep 2013 14:50:12 GMT
Content-Type: text/html
Content-Length: 150
Date: Tue, 01 Oct 2013 09:40:25 GMT

<html>
<head>
<title>Sample secured web application</title>
</head>
<body>
<h1>
	You are authorized to view this	page
</h1>
</body>
</html>


Additional info:

The patch to standalone-web.xml is as follows:

diff --git a/configuration/standalone-web.xml b/configuration/standalone-web.xml
index 73276bc..a59f17c 100644
--- a/configuration/standalone-web.xml
+++ b/configuration/standalone-web.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" ?>
 
-<server xmlns="urn:jboss:domain:1.1">
+<server xmlns="urn:jboss:domain:1.2">
 
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -20,6 +20,11 @@
         <extension module="org.jboss.as.weld"/>
     </extensions>
 
+    <system-properties>
+        <property name="java.security.krb5.debug" value="true"/>
+        <property name="jboss.security.disable.secdomain.option" value="true"/>
+    </system-properties>
+
     <management>
         <security-realms>
             <security-realm name="ManagementRealm">
@@ -32,7 +37,7 @@
             <native-interface security-realm="ManagementRealm">
                 <socket-binding native="management-native"/>
             </native-interface>
-            <http-interface console-enabled="false" security-realm="ManagementRealm">
+            <http-interface security-realm="ManagementRealm" console-enabled="false">
                 <socket-binding http="management-http"/>
             </http-interface>
         </management-interfaces>
@@ -125,7 +130,7 @@
                 </thread-pool>
             </thread-pools>
         </subsystem>
-        <subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="hibernate">
+        <subsystem xmlns="urn:jboss:domain:infinispan:1.2" default-cache-container="hibernate">
             <cache-container name="hibernate" default-cache="local-query">
                 <local-cache name="entity">
                     <transaction mode="NON_XA"/>
@@ -198,6 +203,31 @@
                         <policy-module code="Delegating" flag="required"/>
                     </authorization>
                 </security-domain>
+                <security-domain name="host" cache-type="default">
+                    <authentication>
+                        <login-module code="Kerberos" flag="required">
+                            <module-option name="debug" value="true"/>
+                            <module-option name="storeKey" value="true"/>
+                            <module-option name="refreshKrb5Config" value="true"/>
+                            <module-option name="useKeyTab" value="true"/>
+                            <module-option name="doNotPrompt" value="true"/>
+                            <module-option name="keyTab" value="/etc/http.keytab"/>
+                            <module-option name="principal" value="HTTP/${jboss.qualified.host.name}@EXAMPLE.COM"/>
+                        </login-module>
+                    </authentication>
+                </security-domain>
+                <security-domain name="SPNEGO" cache-type="default">
+                    <authentication>
+                        <login-module code="SPNEGO" flag="required">
+                            <module-option name="serverSecurityDomain" value="host"/>
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                        <login-module code="org.jboss.AddRoleLoginModule" flag="optional">
+                            <module-option name="roleName" value="admin"/>
+                            <module-option name="password-stacking" value="useFirstPass"/>
+                        </login-module>
+                    </authentication>
+                </security-domain>
             </security-domains>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:transactions:1.1">
@@ -210,7 +240,7 @@
             <coordinator-environment default-timeout="300"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:threads:1.1"/>
-        <subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host">
+        <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false">
             <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
             <virtual-server name="default-host" enable-welcome-root="true">
                 <alias name="localhost"/>
@@ -225,7 +255,7 @@
             <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
         </interface>
         <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="${jboss.bind.address:0.0.0.0}"/>
         </interface>
     </interfaces>
Comment 1 Jan Pazdziora 2013-10-01 09:42:33 UTC 
Applying

diff --git a/deployments/spnego-demo.war/WEB-INF/web.xml b/deployments/spnego-demo.war/WEB-INF/web.xml
index c4dcc25..f041afc 100644
--- a/deployments/spnego-demo.war/WEB-INF/web.xml
+++ b/deployments/spnego-demo.war/WEB-INF/web.xml
@@ -8,9 +8,11 @@
                        <web-resource-name>Protect User data</web-resource-name>
                        <url-pattern>/*</url-pattern>
                </web-resource-collection>
+<!--
                <auth-constraint>
                        <role-name>*</role-name>
                </auth-constraint>
+-->
        </security-constraint>
 
        <security-role>

makes the content show (but without authentication (which is expected)) which at least partially verifies that JBoss is capable of serving that file.
Comment 3 Marek Goldmann 2013-10-01 09:46:59 UTC 
Does the error exist in the upstream version (zip) of jboss-as 7.1.1.Final too?
Comment 4 Jan Pazdziora 2013-10-01 10:13:58 UTC 
Yes, I see the same behaviour with http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Fin.zip.
Comment 5 Jan Pazdziora 2013-10-01 10:21:22 UTC 
I just took the exploded jboss-as-7.1.1.Final directory, copied it to RHEL 6.4 where jboss-eap-6.1 works, and the problem is there as well.

Which makes me believe that it's not a Fedora-specific issue.

Do you have a way to report the problem upstream?
Comment 6 Marek Goldmann 2013-10-01 11:06:54 UTC 
Since jboss-as is not maintained anymore and the codebase moved to wildfly (with the latest release 8.0.0.Alpha4) we need to check if this is fixed n the latest release. You can do it by using Fedora 20+ packaged wildfy (I'm going submit updated package very soon, again) or using the upstream zip.

All issues regarding upstream code should be reported here: https://issues.jboss.org/browse/WFLY but if we confirm that this issue is true for a Fedora package (wildfly namely), I'll file the bug upstream.
Comment 8 Jan Pazdziora 2013-10-01 13:05:26 UTC 
With wildfly-8.0.0.Alpha4.zip on Fedora 19, the SPNEGO does not seem to work at all -- I get 403 Forbidden when I apply the same configuration I used for AS 7 and EAP 6.1.
Comment 9 Josef Cacek 2013-10-02 04:25:07 UTC 
AFAIK, Valves are still not supported in Wildfly (namely Undertow - new web server implementation). JBoss Negotiation requires usage of NegotiationAuthenticator valve for correct work.
Comment 10 Marek Goldmann 2013-10-28 11:06:08 UTC 
OK, I'm closing this issue as CANTFIX. Please watch the wildfly upgrades in F20/Rawhide, this should fix the issue once the feature will be implemented in Undertow.