Boris Dushanov created WSS-501:
----------------------------------
Summary: Kerberos token decoder default implementation fails to extract the session key when validating a ticket issued by a KDC based on Active Directory
Key: WSS-501
URL: https://issues.apache.org/jira/browse/WSS-501
Project: WSS4J
Issue Type: Bug
Components: WSS4J Core
Affects Versions: 2.0.1
Reporter: Boris Dushanov
Assignee: Colm O hEigeartaigh
This issue is related to WSS-500. After fixing the service name form from
NT_HOSTBASED_SERVICE to NT_USER_NAME in both Kerberos client/service actions I
get the following exception while the service ticket is being validated and the
session key is extracted from it:
org.apache.wss4j.common.ext.WSSecurityException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
Original Exception was org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
    at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:211)
    at org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:92)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:309)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:254)
    at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:208)
    at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:167)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
    at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:153)
    at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.decodeServiceTicket(KerberosTokenDecoderImpl.java:107)
    at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.getSessionKey(KerberosTokenDecoderImpl.java:85)
    at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:208)
    ... 31 more
Caused by: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
    at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:170)
    at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:150)
    ... 34 more
Caused by: java.io.IOException: ERR_00018 DER length more than 4 bytes.
    at org.apache.directory.shared.asn1.der.ASN1InputStream.readLength(ASN1InputStream.java:130)
    at org.apache.directory.shared.asn1.der.ASN1InputStream.readObject(ASN1InputStream.java:408)
    at org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder.decode(EncTicketPartDecoder.java:60)
    at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decode(CipherTextHandler.java:253)
    at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:166)
    ... 35 more
Since Java 7, an Extended JGSS API is provided which is capable of extracting
the session key in both retrieving and validating a service ticket. It is
operable against both AD and ApacheDS KDC. That is proven by running
KerberosTest against both types of KDC implementation.
I'm attaching an Eclipse patch based on wss4j trunk, which is a proposition for
a fix of the described defect based on the extended JGSS API. The patch also
includes implementation for resolving WSS-500.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
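As an added illustration of the Extended JGSS route the report proposes (this is not the reporter's patch or WSS4J code): the initiator obtains the service ticket and the acceptor validates it, and both sides read the session key through ExtendedGSSContext instead of decrypting the ticket with the ApacheDS decoder that fails above. It assumes the caller already holds Kerberos credentials from a JAAS login (keytab on the service side, TGT on the client side) and runs inside Subject.doAs; the class and method names are mine.

```java
import java.security.Key;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/** Hypothetical helper: session-key extraction via the Java 7+ Extended JGSS API. */
public final class JgssSessionKey {
    private static final Oid KRB5_MECH = new Oid("1.2.840.113554.1.2.2");

    /** Client side: request a service ticket (AP-REQ token) and return it with the session key. */
    public static byte[][] initiate(String serviceName) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        // NT_USER_NAME rather than NT_HOSTBASED_SERVICE, as the WSS-500 fix requires
        GSSName target = mgr.createName(serviceName, GSSName.NT_USER_NAME);
        GSSContext ctx = mgr.createContext(target, KRB5_MECH, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(false);   // single-token exchange, as a BinarySecurityToken carries
        try {
            byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
            return new byte[][] { apReq, sessionKeyOf(ctx) };
        } finally {
            ctx.dispose();
        }
    }

    /** Service side: validate the AP-REQ against the acceptor's keytab credential and return the session key. */
    public static byte[] accept(byte[] apReq, String serviceName) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        GSSName self = mgr.createName(serviceName, GSSName.NT_USER_NAME);
        GSSCredential cred = mgr.createCredential(self, GSSCredential.INDEFINITE_LIFETIME, KRB5_MECH, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = mgr.createContext(cred);
        try {
            ctx.acceptSecContext(apReq, 0, apReq.length);   // throws GSSException on a bad ticket or authenticator
            return sessionKeyOf(ctx);
        } finally {
            ctx.dispose();
            cred.dispose();
        }
    }

    /** The key the KDC placed in the ticket; the JGSS provider has already verified it, so no manual decryption. */
    private static byte[] sessionKeyOf(GSSContext ctx) throws GSSException {
        if (!ctx.isEstablished() || !(ctx instanceof ExtendedGSSContext)) {
            throw new IllegalStateException("context not established or provider lacks ExtendedGSSContext");
        }
        Key key = (Key) ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
        return key.getEncoded();
    }
}
```

Because the provider performs the ticket decryption and integrity check itself, the same code path works whether the ticket came from Active Directory or ApacheDS.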