Bug 1131229

Summary: [GSS] (6.3.1) Fallback to FORM authentication when an invalid kerberos token is used
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Derek Horton <dehort>
Component: SecurityAssignee: baranowb <bbaranow>
Status: CLOSED CURRENTRELEASE QA Contact: Josef Cacek <jcacek>
Severity: unspecified Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.3.0CC: anmiller, bbaranow, darran.lofthouse, fbogyai, jcacek, myarboro, pskopek, rdickens
Target Milestone: CR1Keywords: Triaged
Target Release: EAP 6.3.1   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1131225 Environment:
Last Closed: 2014-10-13 18:36:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1131225    
Bug Blocks: 1102082, 1131231, 1133098    

Description Derek Horton 2014-08-18 18:22:46 UTC
+++ This bug was initially created as a clone of Bug #1131225 +++

Description of problem:

Negotiation will not fallback to FORM authentication if the client has a kerberos token from a different KDC than what JBoss is configured to use.
This results in the user getting presented with a 401 error and no way to login.


Steps to Reproduce:

Get a token from a different KDC than what JBoss is configured to use. Hit a Negotiation protected endpoint. This will result in a 401.
With the patch applied, it is possible to fallback to form authentication.

--- Additional comment from Derek Horton on 2014-08-18 14:01:11 EDT ---

PR:
https://github.com/wildfly-security/jboss-negotiation/pull/19

--- Additional comment from JBoss JIRA Server on 2014-08-18 14:08:36 EDT ---

Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-854 to Resolved

Comment 2 FIlip Bogyai 2014-09-02 07:39:05 UTC
Verified on EAP 6.3.1.CR1