Description of problem:
I use https://github.com/kwart/spnego-demo/tree/demo-for-adelton to test SPNEGO under JBoss AS. When I deploy the application, depending on having a correct Kerberos ticket or not, curl --raw --negotiate -u : -Li http://$(hostname):8080/spnego-demo returns 200 OK or 401 Unauthorized. However, the content I get for the 200 OK is empty. When I disable security-constraint/auth-constraint and let the application run unauthenticated, it returns 200 OK and the content of the index.html file just fine.

Version-Release number of selected component (if applicable):
# rpm -qa 'jboss-as*'
jboss-as-7.1.1-21.fc19.noarch

How reproducible:
Deterministic.

Steps to Reproduce:
1. Install JBoss AS on Fedora 19.
2. Run jboss-as-cp -l $HOME/jboss-as-user-instance.
3. Deploy the spnego-demo to deployments (compile WEB-INF/classes/org/jboss/AddRoleLoginModule.java manually if needed).
4. Amend configuration/standalone-web.xml with the patch below.
5. Put the proper keytab in /etc/http.keytab.
6. Start the JBoss standalone: $HOME/jboss-as-user-instance/bin/standalone.sh &
7. Run curl --raw --negotiate -u : -Li http://$(hostname):8080/spnego-demo

Actual results:
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www.example.com:8080/spnego-demo/
Transfer-Encoding: chunked
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 962
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Set-Cookie: JSESSIONID=eXF7GVHAO9tXkMJGpn7gEGJC.undefined; Path=/spnego-demo
Transfer-Encoding: chunked
Date: Tue, 01 Oct 2013 09:37:38 GMT

0

Expected results:
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://www.example.com:8080/spnego-demo/
Transfer-Encoding: chunked
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 962
Date: Tue, 01 Oct 2013 09:37:38 GMT

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
Accept-Ranges: bytes
ETag: W/"150-1380293412000"
Last-Modified: Fri, 27 Sep 2013 14:50:12 GMT
Content-Type: text/html
Content-Length: 150
Date: Tue, 01 Oct 2013 09:40:25 GMT

<html>
<head>
<title>Sample secured web application</title>
</head>
<body>
<h1>
You are authorized to view this page
</h1>
</body>
</html>

Additional info:
The patch to standalone-web.xml is as follows:
diff --git a/configuration/standalone-web.xml b/configuration/standalone-web.xml index 73276bc..a59f17c 100644 --- a/configuration/standalone-web.xml +++ b/configuration/standalone-web.xml
@@ -1,6 +1,6 @@ <?xml version="1.0" ?> -<server xmlns="urn:jboss:domain:1.1"> +<server xmlns="urn:jboss:domain:1.2"> <extensions> <extension module="org.jboss.as.clustering.infinispan"/> @@ -20,6 +20,11 @@ <extension module="org.jboss.as.weld"/> </extensions> + <system-properties> + <property name="java.security.krb5.debug" value="true"/> + <property name="jboss.security.disable.secdomain.option" value="true"/> + </system-properties> + <management> <security-realms> <security-realm name="ManagementRealm"> @@ -32,7 +37,7 @@ <native-interface security-realm="ManagementRealm"> <socket-binding native="management-native"/> </native-interface> - <http-interface console-enabled="false" security-realm="ManagementRealm"> + <http-interface security-realm="ManagementRealm" console-enabled="false"> <socket-binding http="management-http"/> </http-interface> </management-interfaces> @@ -125,7 +130,7 @@ </thread-pool> </thread-pools> </subsystem> - <subsystem xmlns="urn:jboss:domain:infinispan:1.1" default-cache-container="hibernate"> + <subsystem xmlns="urn:jboss:domain:infinispan:1.2" default-cache-container="hibernate"> <cache-container name="hibernate" default-cache="local-query"> <local-cache name="entity"> <transaction mode="NON_XA"/> 
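Review bot: in the system-properties hunk, java.security.krb5.debug=true dumps verbose Kerberos traces into the server log; that is fine for reproducing this bug but should be removed before the configuration is used for anything else. The second property, jboss.security.disable.secdomain.option=true, is added with no explanation anywhere in the patch; put an XML comment next to it naming the login module that requires it, so it is not dropped later as an unexplained leftover.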
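Review bot: the http-interface hunk changes nothing but the order of the security-realm and console-enabled attributes (`-<http-interface console-enabled="false" security-realm="ManagementRealm">` versus `+<http-interface security-realm="ManagementRealm" console-enabled="false">`), and the web subsystem hunk further down is the same kind of attribute reorder; these look like the file being re-serialized rather than intentional edits. Dropping them leaves a patch that shows only the schema bumps and the SPNEGO-related additions, which is what a reviewer needs to see.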
@@ -198,6 +203,31 @@ <policy-module code="Delegating" flag="required"/> </authorization> </security-domain> + <security-domain name="host" cache-type="default"> + <authentication> + <login-module code="Kerberos" flag="required"> + <module-option name="debug" value="true"/> + <module-option name="storeKey" value="true"/> + <module-option name="refreshKrb5Config" value="true"/> + <module-option name="useKeyTab" value="true"/> + <module-option name="doNotPrompt" value="true"/> + <module-option name="keyTab" value="/etc/http.keytab"/> + <module-option name="principal" value="HTTP/${jboss.qualified.host.name}@EXAMPLE.COM"/> + </login-module> + </authentication> + </security-domain> + <security-domain name="SPNEGO" cache-type="default"> + <authentication> + <login-module code="SPNEGO" flag="required"> + <module-option name="serverSecurityDomain" value="host"/> + <module-option name="password-stacking" value="useFirstPass"/> + </login-module> + <login-module code="org.jboss.AddRoleLoginModule" flag="optional"> + <module-option name="roleName" value="admin"/> + <module-option name="password-stacking" value="useFirstPass"/> + </login-module> + </authentication> + </security-domain> </security-domains> </subsystem> <subsystem xmlns="urn:jboss:domain:transactions:1.1"> @@ -210,7 +240,7 @@ <coordinator-environment default-timeout="300"/> </subsystem> <subsystem xmlns="urn:jboss:domain:threads:1.1"/> - <subsystem xmlns="urn:jboss:domain:web:1.1" native="false" default-virtual-server="default-host"> + <subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host" native="false"> <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/> <virtual-server name="default-host" enable-welcome-root="true"> <alias name="localhost"/> 
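Review bot: the SPNEGO security domain grants roleName=admin to every principal that gets past the SPNEGO login module, because org.jboss.AddRoleLoginModule is configured unconditionally (flag optional, password-stacking useFirstPass) with no mapping from principal to role; combined with the `<role-name>*</role-name>` auth-constraint in the demo's web.xml, any valid Kerberos identity is an "admin". Acceptable for a reproduction, but mark it as such in a comment. Two smaller points in the same hunk: `<module-option name="debug" value="true"/>` on the Kerberos module belongs with the krb5.debug property in the "remove before real use" bucket, and the principal `HTTP/${jboss.qualified.host.name}@EXAMPLE.COM` has to match both the keytab entry in /etc/http.keytab and the host name the client actually uses (www.example.com, per the Location header in the transcript); a mismatch there shows up as a persistent 401, not as the empty 200 reported here, so it is worth checking first when reproducing.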
@@ -225,7 +255,7 @@ <inet-address value="${jboss.bind.address.management:127.0.0.1}"/> </interface> <interface name="public"> - <inet-address value="${jboss.bind.address:127.0.0.1}"/> + <inet-address value="${jboss.bind.address:0.0.0.0}"/> </interface> </interfaces>
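Review bot: changing the public interface default from `${jboss.bind.address:127.0.0.1}` to `${jboss.bind.address:0.0.0.0}` makes the HTTP connector (and the enabled welcome root) listen on every interface of the host, not just the address that $(hostname) resolves to. For a test box that is probably intended, but it changes the default for anyone reusing this file; prefer passing -Djboss.bind.address=<address> (or -b) to standalone.sh, or set the specific address of the host, and leave the loopback default in the configuration.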
Applying diff --git a/deployments/spnego-demo.war/WEB-INF/web.xml b/deployments/spnego-demo.war/WEB-INF/web.xml index c4dcc25..f041afc 100644 --- a/deployments/spnego-demo.war/WEB-INF/web.xml +++ b/deployments/spnego-demo.war/WEB-INF/web.xml @@ -8,9 +8,11 @@ <web-resource-name>Protect User data</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> +<!-- <auth-constraint> <role-name>*</role-name> </auth-constraint> +--> </security-constraint> <security-role> makes the content show (but without authentication (which is expected)) which at least partially verifies that JBoss is capable of serving that file.
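Review bot: commenting out the auth-constraint leaves a security-constraint that has only a web-resource-collection, which the container treats as "no authentication required" for /*, so this hunk removes protection entirely rather than relaxing it; that is what makes the page appear, as the text says. Keep this as a diagnostic-only change and make sure it never travels with the SPNEGO configuration above. Note also that with the constraint in place the `<role-name>*</role-name>` it wraps admits any authenticated user, so the diagnostic does not distinguish a role-mapping problem from the empty-body problem; the fact that the body is missing only when authentication is on is the useful observation here.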
Does the error exist in the upstream version (zip) of jboss-as 7.1.1.Final too?
Yes, I see the same behaviour with http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Fin.zip.
I just took the exploded jboss-as-7.1.1.Final directory, copied it to RHEL 6.4 where jboss-eap-6.1 works, and the problem is there as well. Which makes me believe that it's not a Fedora-specific issue. Do you have a way to report the problem upstream?
Since jboss-as is not maintained anymore and the codebase moved to wildfly (with the latest release 8.0.0.Alpha4), we need to check if this is fixed in the latest release. You can do it by using the Fedora 20+ packaged wildfly (I'm going to submit an updated package very soon, again) or using the upstream zip. All issues regarding upstream code should be reported here: https://issues.jboss.org/browse/WFLY, but if we confirm that this issue is true for a Fedora package (wildfly namely), I'll file the bug upstream.
With wildfly-8.0.0.Alpha4.zip on Fedora 19, the SPNEGO does not seem to work at all -- I get 403 Forbidden when I apply the same configuration I used for AS 7 and EAP 6.1.
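The curl --raw --negotiate -u : -Li diagnostic is used throughout this report, and the two failure shapes seen so far are an authenticated 200 whose chunked body is only the "0" terminator (AS 7.1.1, EAP 6.1) and a 403 (WildFly 8.0.0.Alpha4). The script below is an added example, not code from the bug report, spnego-demo, JBoss or WildFly: it splits a curl -i/-L transcript into one summary line per HTTP response and classifies the exchange, so the check can be repeated against each server build without reading the headers by hand. The URL in the usage line and the embedded transcript are assumptions; the transcript is constructed to mirror the "Actual results" above, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the bug report, spnego-demo, JBoss or WildFly.
# Automates the `curl --raw --negotiate -u : -Li URL` diagnostic: split the
# transcript into one summary line per HTTP response, then classify it.
# Needs only POSIX sh, awk and (for the live check) curl.

# Read a curl -i/-L transcript on stdin and print one line per response:
#   status=<code> negotiate=<yes|no> body=<empty|present>
# With --raw, chunked bodies are shown undecoded, so a body consisting solely
# of the "0" terminator (the symptom in this report) is reported as empty.
classify_responses() {
  awk '
    function flush() {
      if (status != "")
        printf "status=%s negotiate=%s body=%s\n", status, neg, (seen ? "present" : "empty")
      status = ""; neg = "no"; seen = 0; inbody = 0
    }
    /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/                    { flush(); status = $2; next }
    inbody == 0 && /^WWW-Authenticate:[ \t]*Negotiate/  { neg = "yes"; next }
    inbody == 0 && /^\r?$/                              { inbody = 1; next }
    inbody == 1 && $0 !~ /^0?\r?$/                      { seen = 1 }
    END { flush() }
  '
}

# Read classify_responses output, print a one-line diagnosis and exit with
# 0 for a healthy SPNEGO round trip (challenge, then 200 with content) and a
# distinct non-zero code for each of the other outcomes.
spnego_verdict() {
  awk '
    /negotiate=yes/ { challenged = 1 }
    { last = $0 }
    END {
      if (last ~ /status=200/ && !challenged) {
        print "UNPROTECTED: 200 without a Negotiate challenge (auth-constraint missing?)"; exit 1 }
      if (last ~ /status=401/) {
        print "UNAUTHENTICATED: challenge sent but no acceptable ticket (klist, SPN, keytab?)"; exit 3 }
      if (last ~ /status=403/) {
        print "FORBIDDEN: request rejected (the 403 seen with WildFly 8.0.0.Alpha4)"; exit 4 }
      if (last ~ /status=200/ && last ~ /body=empty/) {
        print "EMPTY_200: authenticated 200 with no body (the behaviour reported here)"; exit 5 }
      if (last ~ /status=200/) { print "OK: authenticated 200 with content"; exit 0 }
      print "UNEXPECTED: " last; exit 6
    }
  '
}

# The same curl invocation as in the report, piped through the two filters.
check_spnego_url() {
  curl -sS --raw --negotiate -u : -Li "$1" | classify_responses | spnego_verdict
}

# Constructed transcript mirroring the "Actual results" above (not a capture).
demo_transcript() {
  printf '%s\n' \
    'HTTP/1.1 302 Moved Temporarily' \
    'Location: http://www.example.com:8080/spnego-demo/' \
    'Transfer-Encoding: chunked' \
    '' '0' '' \
    'HTTP/1.1 401 Unauthorized' \
    'WWW-Authenticate: Negotiate' \
    'Content-Length: 13' \
    '' '<html></html>' \
    'HTTP/1.1 200 OK' \
    'Set-Cookie: JSESSIONID=constructed; Path=/spnego-demo' \
    'Transfer-Encoding: chunked' \
    '' '0' ''
}

# Usage: sh spnego-check.sh http://$(hostname):8080/spnego-demo   (URL assumed)
# Without an argument, classify the constructed transcript instead.
if [ -n "${1-}" ]; then
  check_spnego_url "$1"
else
  demo_transcript | classify_responses | spnego_verdict || echo "(exit status $?)"
fi
```

Run it with the URL from the report to check a live instance; the exit code distinguishes the empty-body 200 (5) from a plain 401 (3), a 403 (4) and the case where the resource is served with no Negotiate challenge at all (1), which is what the commented-out auth-constraint produces.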
AFAIK, Valves are still not supported in WildFly (namely Undertow, the new web server implementation). JBoss Negotiation requires the NegotiationAuthenticator valve to work correctly.
OK, I'm closing this issue as CANTFIX. Please watch the wildfly upgrades in F20/Rawhide; this should fix the issue once the feature is implemented in Undertow.