Bug 1039989 - SPNEGOLoginModule does not always respect removeRealmFromPrincipal
Summary: SPNEGOLoginModule does not always respect removeRealmFromPrincipal
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: DR6
: EAP 6.4.0
Assignee: jboss-set
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks: 1040008
Reported: 2013-12-10 13:15 UTC by Tom Fonteyne
Modified: 2019-08-19 12:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1040008 (view as bug list)
Environment:
Last Closed:
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1039955 0 medium CLOSED [GSS] (6.3.0) Upgrade JBoss Negotiation from 2.2.6.Final-redhat-1 to 2.2.7 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker SECURITY-772 0 Minor Resolved SPNEGOLoginModule does not always respect removeRealmFromPrincipal 2016-09-09 01:14:58 UTC

Internal Links: 1039955

Description Tom Fonteyne 2013-12-10 13:15:47 UTC
https://issues.jboss.org/browse/SECURITY-772


org.jboss.security.negotiation.spnego.SPNEGOLoginModule

private class AcceptSecContext:

    if (gssContext.isEstablished())
    {
        log.warn("Authentication was performed despite already being authenticated!");

        // TODO - Refactor to only do this once.
        setIdentity(new KerberosPrincipal(gssContext.getSrcName().toString()));

The last line should obey the "removeRealmFromPrincipal" flag, in the same way as the code a bit further down:

setIdentity(createIdentity(gssContext.getSrcName().toString()));
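
Why the one-line difference matters, as an added Java example (not JBoss Negotiation code and not part of the original report): when one branch sets the identity from the raw GSS name and another applies the flag, the same user can end up with two different principal names. `RealmFlagDemo`, `identityName`, the role map and the sample principal are hypothetical, and the example assumes roles are keyed by the short name.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; not JBoss Negotiation source. All names here are hypothetical.
public class RealmFlagDemo {
    // Stand-in for the login module's removeRealmFromPrincipal option.
    static boolean removeRealmFromPrincipal = true;

    // Constructed role store, keyed by short name as a deployment that
    // enables realm stripping would assume (assumption, not from the report).
    static final Map<String, Set<String>> ROLES = Map.of("alice", Set.of("admin"));

    // The one place where the flag is applied to a GSS source name.
    static String identityName(String gssSrcName) {
        if (!removeRealmFromPrincipal) {
            return gssSrcName;
        }
        // The realm follows the last '@'; a name without one is left alone.
        int at = gssSrcName.lastIndexOf('@');
        return at > 0 ? gssSrcName.substring(0, at) : gssSrcName;
    }

    // Mirrors the reported branch: the raw name becomes the identity.
    static String establishedBranchBefore(String gssSrcName) {
        return gssSrcName;
    }

    // Same branch routed through the shared helper, as the report asks.
    static String establishedBranchAfter(String gssSrcName) {
        return identityName(gssSrcName);
    }

    static Set<String> rolesFor(String identity) {
        return ROLES.getOrDefault(identity, Set.of());
    }

    public static void main(String[] args) {
        String src = "alice@EXAMPLE.COM"; // constructed sample principal
        for (boolean flag : new boolean[] {true, false}) {
            removeRealmFromPrincipal = flag;
            String before = establishedBranchBefore(src);
            String after = establishedBranchAfter(src);
            // A mismatch with identityName() means the two login paths disagree.
            System.out.printf("flag=%b before=%s roles=%s consistent=%b | after=%s roles=%s%n",
                    flag, before, rolesFor(before), before.equals(identityName(src)),
                    after, rolesFor(after));
        }
    }
}
```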

Comment 1 Tom Fonteyne 2013-12-10 13:21:58 UTC
Fixed in https://issues.jboss.org/browse/SECURITY-772

BZ-1039955 is the component upgrade request

Comment 7 Ondrej Lukas 2015-01-30 10:00:20 UTC
Verified in EAP 6.4.0.ER1.

