
List:       xmlrpc-user
Subject:    [jira] [Resolved] (WSS-501) Kerberos token decoder default implementation fails to extract the sessi
From:       "Colm O hEigeartaigh (JIRA)" <jira () apache ! org>
Date:       2014-05-23 14:27:04
Message-ID: JIRA.12715160.1400502042421.8604.1400855224897 () arcas


     [ https://issues.apache.org/jira/browse/WSS-501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-501.
-------------------------------------

    Resolution: Fixed


Patch applied, thanks! I changed the logic a bit in the DOM code to extract the session token, so it uses the new code first, and then falls back to the KerberosTokenDecoder. Could you verify that the latest code works with your test environment?

Colm.

> Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory
> ---------------------------------------------------------------------------------------------------------------------------------------------
>  
> Key: WSS-501
> URL: https://issues.apache.org/jira/browse/WSS-501
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 2.0.1
> Reporter: Boris Dushanov
> Assignee: Colm O hEigeartaigh
> Fix For: 2.0.1
> 
> Attachments: wss4j.patch
> 
> 
> This issue is related to WSS-500. After fixing the service name form from NT_HOSTBASED_SERVICE to NT_USER_NAME in both Kerberos client/service actions I get the following exception while the service ticket is being validated and the session key is extracted from it:
> org.apache.wss4j.common.ext.WSSecurityException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed Original Exception was org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
> 	at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:211)
> 	at org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:92)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:309)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:254)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:208)
> 	at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:167)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
> 	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> 	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
> 	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> 	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
> 	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
> 	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
> 	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
> 	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
> 	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
> 	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
> 	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
> 	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
> 	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
> 	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Caused by: org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:153)
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.decodeServiceTicket(KerberosTokenDecoderImpl.java:107)
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.getSessionKey(KerberosTokenDecoderImpl.java:85)
> 	at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:208)
> 	... 31 more
> Caused by: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:170)
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:150)
> 	... 34 more
> Caused by: java.io.IOException: ERR_00018 DER length more than 4 bytes.
> 	at org.apache.directory.shared.asn1.der.ASN1InputStream.readLength(ASN1InputStream.java:130)
> 	at org.apache.directory.shared.asn1.der.ASN1InputStream.readObject(ASN1InputStream.java:408)
> 	at org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder.decode(EncTicketPartDecoder.java:60)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decode(CipherTextHandler.java:253)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:166)
> 	... 35 more
> Since Java 7, an Extended JGSS API is provided which is capable of extracting the session key in both retrieving and validating a service ticket. It is operable against both AD and ApacheDS KDC. That is proven by running KerberosTest against both types of KDC implementation. I'm attaching an eclipse patch based on wss4j trunk, which is a proposition for a fix of the described defect based on the extended JGSS API. The patch also includes implementation for resolving WSS-500.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

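Added example, not part of the JIRA message and not WSS4J's own code: the Extended JGSS API path the reporter refers to, used on both the initiator (ticket retrieval) and the acceptor (ticket validation) side to read the Kerberos session key, with the instanceof guard that lets a caller fall back to a ticket decoder when the runtime does not provide ExtendedGSSContext, which is the ordering Colm describes for the DOM code. The JAAS entry names KerberosClient and KerberosService, the service principal bob@EXAMPLE.COM (built in the NT_USER_NAME form the issue mentions) and the presence of a reachable KDC and krb5.conf are assumptions of this example, not details taken from the issue.

```java
import java.security.Key;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/**
 * Added example (not WSS4J code). Assumed, not from the issue: JAAS login entries
 * "KerberosClient" (user credentials) and "KerberosService" (keytab) exist, krb5.conf
 * points at a reachable KDC, and the service principal is "bob@EXAMPLE.COM".
 */
public class JgssSessionKeyExample {

    private static final String SERVICE_PRINCIPAL = "bob@EXAMPLE.COM"; // assumed
    private static final GSSManager MANAGER = GSSManager.getInstance();

    /** Kerberos V5 mechanism OID (RFC 1964). */
    private static Oid krb5Mech() throws GSSException {
        return new Oid("1.2.840.113554.1.2.2");
    }

    /**
     * Reads the session key through the Extended JGSS API (Java 7+). Returns null when the
     * GSS provider does not implement ExtendedGSSContext, so the caller can fall back to
     * parsing the ticket itself, i.e. the KerberosTokenDecoder path from the issue.
     */
    static byte[] sessionKey(GSSContext ctx) throws GSSException {
        if (!(ctx instanceof ExtendedGSSContext)) {
            return null;
        }
        Key key = (Key) ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
        return key == null ? null : key.getEncoded();
    }

    /** Outcome of the initiator side: the AP-REQ token to send and the key it was built with. */
    static final class ClientResult {
        final byte[] apReqToken;
        final byte[] sessionKey;
        ClientResult(byte[] token, byte[] key) { apReqToken = token; sessionKey = key; }
    }

    /** Initiator: log in, fetch a service ticket and build the AP-REQ (one-shot, no mutual auth). */
    static ClientResult initiate() throws Exception {
        LoginContext lc = new LoginContext("KerberosClient"); // assumed JAAS entry
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<ClientResult>) () -> {
            GSSName service = MANAGER.createName(SERVICE_PRINCIPAL, GSSName.NT_USER_NAME);
            GSSContext ctx = MANAGER.createContext(service, krb5Mech(), null, GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(false); // a single token, as carried in a BinarySecurityToken
            ctx.requestCredDeleg(false);
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            byte[] key = sessionKey(ctx); // available once the service ticket has been obtained
            ctx.dispose();
            return new ClientResult(token, key);
        });
    }

    /** Acceptor: validate the AP-REQ against the keytab credential and read the same key. */
    static byte[] accept(byte[] apReqToken) throws Exception {
        LoginContext lc = new LoginContext("KerberosService"); // assumed JAAS entry (keytab)
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSCredential cred = MANAGER.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    krb5Mech(), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = MANAGER.createContext(cred);
            ctx.acceptSecContext(apReqToken, 0, apReqToken.length);
            if (!ctx.isEstablished()) {
                throw new GSSException(GSSException.FAILURE, 0, "context not established after one token");
            }
            byte[] key = sessionKey(ctx);
            ctx.dispose();
            cred.dispose();
            return key;
        });
    }

    public static void main(String[] args) throws Exception {
        ClientResult client = initiate();
        byte[] serverKey = accept(client.apReqToken);
        if (client.sessionKey == null || serverKey == null) {
            System.out.println("ExtendedGSSContext not available: fall back to a KerberosTokenDecoder");
            return;
        }
        // Sanity check a practitioner wants: both ends of a validated ticket see one key.
        System.out.println("session key bytes: " + serverKey.length
                + ", initiator and acceptor agree: " + Arrays.equals(client.sessionKey, serverKey));
    }
}
```

com.sun.security.jgss is JDK-specific (a non-Sun GSS provider hands back a plain GSSContext), which is why the instanceof guard rather than a blind cast decides between the JGSS path and the decoder fallback. On Java 9 and later, InquireType.KRB5_GET_SESSION_KEY is deprecated in favour of KRB5_GET_SESSION_KEY_EX, which returns a javax.security.auth.kerberos.EncryptionKey carrying the encryption type as well as the key bytes; the call above still compiles there with a deprecation warning.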

