Bug 1161580 - Different results of :test() operation for Kerberos in security-realm in JDK1.6 and JDK1.7
Status: CLOSED NOTABUG
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Domain Management
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Assignee: Darran Lofthouse
QA Contact: Ondrej Lukas
 
Reported: 2014-11-07 11:28 UTC by Ondrej Lukas
Modified: 2015-04-28 15:05 UTC (History)

Last Closed: 2014-11-07 11:38:28 UTC
Type: Bug



Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1139934 0 unspecified CLOSED [Doc Feature] Kerberos auth for management interface over HTTP/HTTPS 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker EAP6-253 0 Major Closed Kerberos auth for management over HTTP/HTTPS 2015-09-08 11:41:08 UTC

Internal Links: 1139934

Description Ondrej Lukas 2014-11-07 11:28:44 UTC
Outcome of :test() operation is different for jdk1.6 and jdk1.7. Since there is no documentation I cannot say which is correct. However, behavior should be the same when the same configuration is used.

Calling test operation in CLI on wrong keytab:
For jdk 1.7:
/core-service=management/security-realm=KrbKeyTab/server-identity=kerberos/keytab=HTTP\/localhost:test()
{
    "outcome" => "success",
    "result" => {"subject" => "Subject:
	Principal: HTTP/localhost
	Private Credential: /home/olukas/workspace/testing/EAP6-253/krb_dir/httpwrong.keytab
"}
}

For jdk 1.6:
/core-service=management/security-realm=KrbKeyTab/server-identity=kerberos/keytab=HTTP\/localhost:test()
{
    "outcome" => "failed",
    "failure-description" => "JBAS021008: Unable to obtain Kerberos TGT",
    "rolled-back" => true
}

Please also clarify which of these outcomes is correct.

Comment 1 Darran Lofthouse 2014-11-07 11:32:34 UTC
Both are correct; the response for the operation is only reflecting back how the JDK is handling that specific scenario. For Java 6 the JDK reports an error; for Java 7 the JDK just adds the Keytab as a private credential but does not obtain and add any Kerberos tickets.
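
Added example (not part of the bug thread and not EAP code): a plain JAAS login through the JDK's Krb5LoginModule that reports whether the resulting Subject holds a KerberosTicket or only a KeyTab reference, which is the difference between the two outcomes above. The class name, the option set and the isInitiator switch are assumptions; the page does not show which options EAP passes to the login module.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical helper class; needs Java 7+ (KeyTab) and a krb5.conf for the realm.
public class KeytabCheck {
    // Keytab-based JAAS login. initiator=true makes the module request a TGT from the KDC.
    static Subject login(String principal, String keytab, boolean initiator) throws LoginException {
        final Map<String, String> opts = new HashMap<String, String>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", Boolean.toString(initiator)); // assumption, see lead-in
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        LoginContext lc = new LoginContext("keytab-check", new Subject(), null, conf);
        lc.login();
        return lc.getSubject();
    }
    // A Subject with a KeyTab but no KerberosTicket says nothing about whether the keys are valid.
    static String classify(Subject s) {
        if (!s.getPrivateCredentials(KerberosTicket.class).isEmpty()) return "ticket present: KDC accepted the keys";
        if (!s.getPrivateCredentials(KeyTab.class).isEmpty()) return "keytab reference only: keys not verified";
        return "no Kerberos credentials in Subject";
    }
    public static void main(String[] args) {
        // args[0] = principal (e.g. HTTP/localhost), args[1] = path to the keytab file
        for (boolean initiator : new boolean[] { false, true }) {
            try {
                System.out.println("isInitiator=" + initiator + " -> " + classify(login(args[0], args[1], initiator)));
            } catch (LoginException e) {
                System.out.println("isInitiator=" + initiator + " -> login failed: " + e.getMessage());
            }
        }
    }
}
```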

Comment 2 Ondrej Lukas 2014-11-07 11:38:28 UTC
Ok, thanks for the clarification. For that reason I close this issue as not a bug. However, this behavior can be confusing for customers and for that reason it has to be mentioned in documentation. I add it to BZ#1139934.

Comment 3 JBoss JIRA Server 2015-04-28 15:05:46 UTC
John Doyle <jdoyle> updated the status of jira EAP6-253 to Closed

