Bug 1185917

Summary: GSSAPI in IBM JDK 7 strips square brackets from IPv6 SPNs
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Josef Cacek <jcacek>
Component: Security
Assignee: Darran Lofthouse <darran.lofthouse>
Status: CLOSED EOL
QA Contact: Pavel Slavicek <pslavice>
Severity: medium
Priority: unspecified
Version: 6.4.0
CC: anmiller, bdawidow, pskopek, pslavice
Doc Type: Bug Fix
Last Closed: 2019-08-19 12:44:36 UTC
Type: Bug

Description Josef Cacek 2015-01-26 15:53:47 UTC
If a Java client does Kerberos authentication to EAP and the HTTP SPN contains an IPv6 address, then authentication fails because the IBM implementation of JGSSAPI strips the square brackets from the SPN.

E.g. the server name is initialized to "HTTP/[2620:52:0:2804:2430:ba4:52c6:8453]" in the client, but during GSSContext.initSecContext(...) it's changed to "HTTP/2620:52:0:2804:2430:ba4:52c6:8453".

The problem comes from the method Krb5Name.getHostBasedNameString(), which is called from:
  com.ibm.security.jgss.mech.krb5.Krb5Name.canonicalize
  com.ibm.security.jgss.mech.krb5.Krb5Name.init (Krb5Name.java:260)
  com.ibm.security.jgss.mech.krb5.Krb5Name.<init> (Krb5Name.java:265)
  com.ibm.security.jgss.mech.krb5.Krb5MechFactory.getNameElement (Krb5MechFactory.java:155)
  com.ibm.security.jgss.GSSManagerImpl.createMechName (GSSManagerImpl.java:262)
  com.ibm.security.jgss.GSSNameImpl.createMechName (GSSNameImpl.java:549)
  com.ibm.security.jgss.GSSNameImpl.canonicalize (GSSNameImpl.java:275)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.createContext (SPNEGOContext.java:964)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.getPreferredMech (SPNEGOContext.java:1,185)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.createInitToken (SPNEGOContext.java:1,132)
  com.ibm.security.jgss.mech.spnego.SPNEGOContext.initSecContext (SPNEGOContext.java:529)
  com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:382)
  com.ibm.security.jgss.GSSContextImpl.initSecContext (GSSContextImpl.java:331)

Workaround:
Use Oracle JDK or OpenJDK on the client.

This issue isn't rooted in EAP, but we hit it with the EAP testsuite in tests which employ Kerberos authentication.