[jira] [Resolved] (WSS-501) Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory

Fri, 23 May 2014 07:27:33 -0700 

     [ 
https://issues.apache.org/jira/browse/WSS-501?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved WSS-501.
-------------------------------------

    Resolution: Fixed


Patch applied, thanks! I changed the logic a bit in the DOM code to extract the 
session token, so it uses the new code first, and then falls back to the 
KerberosTokenDecoder. Could you verify that the latest code works with your 
test environment?

Colm.

> Kerberos token decoder default implementation fails to extract the session 
> when validating a ticket issued by a KDC based on Active Directory
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-501
>                 URL: https://issues.apache.org/jira/browse/WSS-501
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.1
>            Reporter: Boris Dushanov
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.0.1
>
>         Attachments: wss4j.patch
>
>
> This issue is related to WSS-500.After fixing the service name form from 
> NT_HOSTBASED_SERVICE to NT_USER_NAME in both Kerberos client/service actions 
> I get the following exception while the service ticket is being validated and 
> the session key is extracted from it :
> org.apache.wss4j.common.ext.WSSecurityException: 
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException: 
> Integrity check on decrypted field failed
> Original Exception was 
> org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: 
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException: 
> Integrity check on decrypted field failed
>       at 
> org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:211)
>       at 
> org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:92)
>       at 
> org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
>       at 
> org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:309)
>       at 
> org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:254)
>       at 
> org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:208)
>       at 
> org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:167)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>       at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:606)
>       at 
> org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
>       at 
> org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
>       at 
> org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
>       at 
> org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
>       at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
>       at 
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
>       at 
> org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
>       at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
>       at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
>       at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
>       at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
>       at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
>       at 
> org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
>       at 
> org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
>       at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
>       at 
> org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
>       at 
> org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
>       at 
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
>       at 
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
>       at 
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
>       at 
> org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Caused by: org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: 
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException: 
> Integrity check on decrypted field failed
>       at 
> org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:153)
>       at 
> org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.decodeServiceTicket(KerberosTokenDecoderImpl.java:107)
>       at 
> org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.getSessionKey(KerberosTokenDecoderImpl.java:85)
>       at 
> org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:208)
>       ... 31 more
> Caused by: 
> org.apache.directory.server.kerberos.shared.exceptions.KerberosException: 
> Integrity check on decrypted field failed
>       at 
> org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:170)
>       at 
> org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:150)
>       ... 34 more
> Caused by: java.io.IOException: ERR_00018 DER length more than 4 bytes.
>       at 
> org.apache.directory.shared.asn1.der.ASN1InputStream.readLength(ASN1InputStream.java:130)
>       at 
> org.apache.directory.shared.asn1.der.ASN1InputStream.readObject(ASN1InputStream.java:408)
>       at 
> org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder.decode(EncTicketPartDecoder.java:60)
>       at 
> org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decode(CipherTextHandler.java:253)
>       at 
> org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:166)
>       ... 35 more
> Since Java 7, an Extended JGSS API is provided which is capable of extracting 
> the session key in both retrieving and validating a service ticket.It is 
> operable against both AD and ApacheDS KDC. That is proven by running 
> KerberosTest against both types of KDC implementation.
> I'm attaching an eclipse patch based on wss4j trunk, which is a proposition 
> for a fix of the described defect based on the extended JGSS API. The patch 
> also includes implementation for resolving WSS-500.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to