[ https://issues.apache.org/jira/browse/WSS-501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14008802#comment-14008802 ]

Boris Dushanov commented on WSS-501:
------------------------------------

Hi Colm,

Thanks for processing the issue that quickly.

I verified the current trunk against my environment and it all works.

@Colm, how about porting that to the latest 1.6.x version of wss4j? The usage 
of wss4j on my side is through Axis2's rampart module which is depending on 
wss4j 1.6.4. My intention is that Axis2 guys will upgrade easier to the latest 
1.6.x version instead of 2.x. Thanks.

Regards,
Boris

> Kerberos token decoder default implementation fails to extract the session 
> when validating a ticket issued by a KDC based on Active Directory
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-501
>                 URL: https://issues.apache.org/jira/browse/WSS-501
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.1
>            Reporter: Boris Dushanov
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.0.1
>
>         Attachments: wss4j.patch
>
>
> This issue is related to WSS-500. After fixing the service name form from 
> NT_HOSTBASED_SERVICE to NT_USER_NAME in both Kerberos client/service actions 
> I get the following exception while the service ticket is being validated and 
> the session key is extracted from it:
> org.apache.wss4j.common.ext.WSSecurityException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
> Original Exception was org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
>       at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:211)
>       at org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:92)
>       at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
>       at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:309)
>       at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:254)
>       at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:208)
>       at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:167)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>       at java.lang.reflect.Method.invoke(Method.java:606)
>       at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
>       at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
>       at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
>       at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
>       at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
>       at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
>       at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
>       at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
>       at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
>       at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
>       at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
>       at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
>       at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
>       at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
>       at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
>       at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
>       at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
>       at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
>       at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
>       at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
>       at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Caused by: org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
>       at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:153)
>       at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.decodeServiceTicket(KerberosTokenDecoderImpl.java:107)
>       at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.getSessionKey(KerberosTokenDecoderImpl.java:85)
>       at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:208)
>       ... 31 more
> Caused by: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check on decrypted field failed
>       at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:170)
>       at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:150)
>       ... 34 more
> Caused by: java.io.IOException: ERR_00018 DER length more than 4 bytes.
>       at org.apache.directory.shared.asn1.der.ASN1InputStream.readLength(ASN1InputStream.java:130)
>       at org.apache.directory.shared.asn1.der.ASN1InputStream.readObject(ASN1InputStream.java:408)
>       at org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder.decode(EncTicketPartDecoder.java:60)
>       at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decode(CipherTextHandler.java:253)
>       at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:166)
>       ... 35 more
> Since Java 7, an Extended JGSS API is provided which is capable of extracting 
> the session key in both retrieving and validating a service ticket. It is 
> operable against both AD and ApacheDS KDC. That is proven by running 
> KerberosTest against both types of KDC implementation.
> I'm attaching an Eclipse patch based on wss4j trunk, which is a proposition 
> for a fix of the described defect based on the extended JGSS API. The patch 
> also includes implementation for resolving WSS-500.
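The approach the quoted issue describes, as an added example that is not the attached wss4j.patch or any WSS4J code: both the initiator and the acceptor obtain the ticket's session key from the Java 7 Extended JGSS API, so nothing has to decrypt and DER-parse the EncTicketPart with a KDC-specific decoder. It assumes it runs inside a Subject.doAs with a completed Kerberos login (a client TGT on one side, the service keytab on the other), a hypothetical service principal string passed by the caller, and the SunJGSS provider.

```java
import java.security.Key;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/** Added example: session-key retrieval via the Extended JGSS API (Java 7+, SunJGSS provider). */
public final class KerberosSessionKeys {

    private static final Oid KRB5_MECH_OID = new Oid("1.2.840.113554.1.2.2");

    /** Client side: build the one-shot AP-REQ for the service and return it with the session key. */
    public static Object[] initiate(String servicePrincipal) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // NT_USER_NAME is the name form the issue text says is needed for AD-issued tickets (WSS-500)
        GSSName service = manager.createName(servicePrincipal, GSSName.NT_USER_NAME, KRB5_MECH_OID);
        GSSContext ctx = manager.createContext(service, KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(false);   // a single AP-REQ token, as carried in a BinarySecurityToken
        byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
        return new Object[] { apReq, sessionKeyOf(ctx) };   // [0] = token bytes, [1] = java.security.Key
    }

    /** Service side: let the provider verify the AP-REQ, then read the key from the established context. */
    public static Key accept(byte[] apReq) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        // null name: accept for whichever service principal the login Subject holds keys for
        GSSCredential cred = manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = manager.createContext(cred);
        // A bad ticket (wrong key, wrong name form, tampering) fails here with a GSSException;
        // the validator should treat that as the integrity check and not parse the ticket itself.
        ctx.acceptSecContext(apReq, 0, apReq.length);
        return sessionKeyOf(ctx);
    }

    /** The session key from the ticket's EncTicketPart, asked from the provider instead of decoded. */
    static Key sessionKeyOf(GSSContext ctx) throws GSSException {
        if (!ctx.isEstablished()) {
            throw new IllegalStateException("GSS context not established; cannot inquire session key");
        }
        if (!(ctx instanceof ExtendedGSSContext)) {
            throw new IllegalStateException("provider does not implement ExtendedGSSContext (Java 7+ SunJGSS)");
        }
        // KRB5_GET_SESSION_KEY yields a java.security.Key; getEncoded() is the raw key material
        return (Key) ((ExtendedGSSContext) ctx).inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
    }
}
```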



--
This message was sent by Atlassian JIRA
(v6.2#6252)
