Bug 1131225

Summary: [GSS] (6.4.0) Fallback to FORM authentication when an invalid kerberos token is used
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Derek Horton <dehort>
Component: SecurityAssignee: Derek Horton <dehort>
Status: CLOSED CURRENTRELEASE QA Contact: Pavel Slavicek <pslavice>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.3.0CC: anmiller, chaowan, darran.lofthouse, jkudrnac, kkhan
Target Milestone: DR1   
Target Release: EAP 6.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1131229 (view as bug list) Environment:
Last Closed: 2019-08-19 12:38:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1131227, 1131229    

Description Derek Horton 2014-08-18 17:59:36 UTC 
Description of problem:

Negotiation will not fallback to FORM authentication if the client has a kerberos token from a different KDC than what JBoss is configured to use.
This results in the user getting presented with a 401 error and no way to login.


Steps to Reproduce:

Get a token from a different KDC than what JBoss is configured to use. Hit a Negotiation protected endpoint. This will result in a 401.
With the patch applied, it is possible to fallback to form authentication.
Comment 1 Derek Horton 2014-08-18 18:01:11 UTC 
PR:
https://github.com/wildfly-security/jboss-negotiation/pull/19
Comment 2 JBoss JIRA Server 2014-08-18 18:08:36 UTC 
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-854 to Resolved
Comment 3 Kabir Khan 2014-08-22 15:41:39 UTC 
Should be fixed by component upgrade to negotiation 2.3.4 -> MODIFIED
Comment 4 FIlip Bogyai 2014-09-19 11:44:23 UTC 
Verified on EAP 6.4.0.DR1