Bug 1039989

Summary: SPNEGOLoginModule does not always respect removeRealmFromPrincipal
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Tom Fonteyne <tfonteyn>
Component: Security
Assignee: jboss-set
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Slavicek <pslavice>
Severity: medium
Priority: unspecified
Version: 6.2.0
CC: cdewolf, kkhan
Target Milestone: DR6
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of:
: 1040008
Type: Bug
Bug Blocks: 1040008

Description Tom Fonteyne 2013-12-10 13:15:47 UTC
https://issues.jboss.org/browse/SECURITY-772


org.jboss.security.negotiation.spnego.SPNEGOLoginModule

private class AcceptSecContext:

    if (gssContext.isEstablished())
    {
        log.warn("Authentication was performed despite already being authenticated!");

        // TODO - Refactor to only do this once.
        setIdentity(new KerberosPrincipal(gssContext.getSrcName().toString()));
        // ...
    }

The last line should obey the "removeRealmFromPrincipal" flag, as is done a bit further down:

setIdentity(createIdentity(gssContext.getSrcName().toString()));
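
To make the inconsistency concrete, here is an added example (not code from the report or from JBoss Negotiation) that models both identity paths with a hypothetical createIdentity() and checks, over constructed principal names, where the isEstablished() path diverges once removeRealmFromPrincipal is set:

```java
import java.util.Objects;

// Added example, not code from JBoss Negotiation or EAP: it models the two
// identity-setting paths in AcceptSecContext so the mismatch the bug reports
// can be checked against sample principal names (all names are constructed).
public class RealmStrippingCheck {

    // Strip the Kerberos realm, i.e. everything after the last unescaped '@'.
    // A '\@' inside the name part is an escaped character, not the separator,
    // and a name with no realm is returned unchanged.
    static String stripRealm(String principal) {
        for (int i = principal.length() - 1; i >= 0; i--) {
            boolean escaped = i > 0 && principal.charAt(i - 1) == '\\';
            if (principal.charAt(i) == '@' && !escaped) {
                return principal.substring(0, i);
            }
        }
        return principal;
    }

    // Hypothetical stand-in for createIdentity(): honours the module option.
    static String createIdentity(String gssSrcName, boolean removeRealmFromPrincipal) {
        return removeRealmFromPrincipal ? stripRealm(gssSrcName) : gssSrcName;
    }

    // The path the bug describes: identity built from the raw GSS source name,
    // so removeRealmFromPrincipal is silently ignored on that path.
    static String establishedPathIdentity(String gssSrcName) {
        return gssSrcName;
    }

    // True when both paths yield the same principal name for the given option.
    static boolean pathsAgree(String gssSrcName, boolean removeRealmFromPrincipal) {
        return Objects.equals(createIdentity(gssSrcName, removeRealmFromPrincipal),
                              establishedPathIdentity(gssSrcName));
    }

    public static void main(String[] args) {
        String[] names = { "alice@EXAMPLE.COM", "svc\\@host@EXAMPLE.COM", "bob" };
        for (boolean remove : new boolean[] { false, true }) {
            for (String n : names) {
                System.out.printf("removeRealmFromPrincipal=%-5s %-24s normal=%-12s established=%-22s %s%n",
                        remove, n, createIdentity(n, remove), establishedPathIdentity(n),
                        pathsAgree(n, remove) ? "ok" : "MISMATCH: roles keyed on the short name will not apply");
            }
        }
    }
}
```

With the flag set, every name carrying a realm is reported as a mismatch, which is exactly the case where role mappings keyed on the short user name stop applying for an already established context.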

Comment 1 Tom Fonteyne 2013-12-10 13:21:58 UTC
fixed in https://issues.jboss.org/browse/SECURITY-772

BZ-1039955 is the component upgrade request

Comment 7 Ondrej Lukas 2015-01-30 10:00:20 UTC
Verified in EAP 6.4.0.ER1.