| Summary: | SPNEGO: missing negstat field in the first reply | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | mchoma |
| Component: | Security | Assignee: | jboss-set |
| Status: | CLOSED EOL | QA Contact: | Pavel Slavicek <pslavice> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4.7 | CC: | anmiller, bdawidow, darran.lofthouse, pskopek |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-19 12:44:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem: When the client sends an initial SPNEGO token with Kerberos as preferred mechanism and includes an invalid kerberos token, then client expects to see the WWW-Authenticate HTTP header with SPNEGO response negTokenResp[ negState = reject ]. As stated in SPNEGO specification [1] negstat is required in first reply: negState ... This field is REQUIRED in the first reply from the target, and is OPTIONAL thereafter. When negState is absent, the actual state should be inferred from the state of the negotiated mechanism context. [1] https://tools.ietf.org/html/rfc4178#section-4.2.2 How reproducible: testInvalidKerberosSpnegoWorkflow in https://github.com/jbossas/jboss-eap7/pull/457/commits/661c2c6c8a1b91feab54f3394c03e7a54818ed18 Additional info: This is effectivelly clone of EAP7 issue https://issues.jboss.org/browse/JBEAP-4114 created for reference in EAP6.