Bug 1326177 - SPNEGO: missing negstat field in the first reply
Summary: SPNEGO: missing negstat field in the first reply
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: jboss-set
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-04-12 05:16 UTC by mchoma
Modified: 2019-08-19 12:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:44:48 UTC
Type: Bug



Description mchoma 2016-04-12 05:16:55 UTC
Description of problem:

When the client sends an initial SPNEGO token with Kerberos as the preferred mechanism and includes an invalid Kerberos token, then the client expects to see the WWW-Authenticate HTTP header with SPNEGO response negTokenResp[ negState = reject ].

As stated in the SPNEGO specification [1], negState is required in the first reply:

negState

...

      This field is REQUIRED in the first reply from the target, and is
      OPTIONAL thereafter.  When negState is absent, the actual state
      should be inferred from the state of the negotiated mechanism
      context.


[1] https://tools.ietf.org/html/rfc4178#section-4.2.2

How reproducible:

testInvalidKerberosSpnegoWorkflow in https://github.com/jbossas/jboss-eap7/pull/457/commits/661c2c6c8a1b91feab54f3394c03e7a54818ed18 


Additional info:
This is effectively a clone of EAP7 issue https://issues.jboss.org/browse/JBEAP-4114 created for reference in EAP6.
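A check for the RFC 4178 requirement quoted in the report, added here as an example that is not part of the bug report or of EAP: it decodes the base64 token of a WWW-Authenticate Negotiate challenge and reports whether the negTokenResp carries negState. Both header values below are constructed samples, not captured from a server.

```python
import base64

# negState values from RFC 4178 section 4.2.2
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos). Handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def first_reply_neg_state(header_value):
    """Parse a 'Negotiate <base64>' WWW-Authenticate value and return the negState name,
    or None when the negTokenResp omits the field (not allowed in the first reply)."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate" or not b64:
        raise ValueError("not a SPNEGO challenge")
    token = base64.b64decode(b64)
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0xA1:                       # negTokenResp is NegotiationToken CHOICE [1]
        raise ValueError("not a negTokenResp")
    tag, seq, _ = _read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("negTokenResp body is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                   # negState [0] ENUMERATED
            _, enum, _ = _read_tlv(val, 0)
            return NEG_STATE.get(enum[0], f"unknown({enum[0]})")
    return None

def _neg_token_resp(*fields):
    """Constructed sample builder: wrap DER-encoded fields into a negTokenResp (short lengths only)."""
    seq = b"".join(fields)
    seq = b"\x30" + bytes([len(seq)]) + seq
    return b"\xa1" + bytes([len(seq)]) + seq

# Constructed sample challenges (not captured from EAP)
REJECT_REPLY = "Negotiate " + base64.b64encode(_neg_token_resp(b"\xa0\x03\x0a\x01\x02")).decode()
MISSING_STATE_REPLY = "Negotiate " + base64.b64encode(
    _neg_token_resp(b"\xa2\x04\x04\x02\xde\xad")).decode()   # only responseToken [2], no negState

if __name__ == "__main__":
    print(first_reply_neg_state(REJECT_REPLY))          # reject
    print(first_reply_neg_state(MISSING_STATE_REPLY))   # None: first reply violates RFC 4178
```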

