ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boris Dushanov (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-501) Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory
Date Mon, 26 May 2014 12:39:01 GMT

    [ https://issues.apache.org/jira/browse/WSS-501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14008802#comment-14008802
] 

Boris Dushanov commented on WSS-501:
------------------------------------

Hi Colm,

Thanks for processing the issue that quickly.

I verified the current trunk against my environment and it all works.

@Colm, how about porting that to the latest 1.6.x version of wss4j? The usage of wss4j on
my side is through Axis2's rampart module which is depending on wss4j 1.6.4. My intention
is that Axis2 guys will upgrade easier to the latest 1.6.x version instead of 2.x. Thanks.

Regards,
Boris

> Kerberos token decoder default implementation fails to extract the session when validating
a ticket issued by a KDC based on Active Directory
> ---------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-501
>                 URL: https://issues.apache.org/jira/browse/WSS-501
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.0.1
>            Reporter: Boris Dushanov
>            Assignee: Colm O hEigeartaigh
>             Fix For: 2.0.1
>
>         Attachments: wss4j.patch
>
>
> This issue is related to WSS-500.After fixing the service name form from NT_HOSTBASED_SERVICE
to NT_USER_NAME in both Kerberos client/service actions I get the following exception while
the service ticket is being validated and the session key is extracted from it :
> org.apache.wss4j.common.ext.WSSecurityException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Integrity check on decrypted field failed
> Original Exception was org.apache.wss4j.common.kerberos.KerberosTokenDecoderException:
org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity check
on decrypted field failed
> 	at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:211)
> 	at org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:92)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:309)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:254)
> 	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:208)
> 	at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:167)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> 	at java.lang.reflect.Method.invoke(Method.java:606)
> 	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
> 	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
> 	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
> 	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
> 	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
> 	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
> 	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
> 	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
> 	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
> 	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
> 	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
> 	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
> 	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
> 	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
> 	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
> 	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
> 	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
> Caused by: org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Integrity check on decrypted field failed
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:153)
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.decodeServiceTicket(KerberosTokenDecoderImpl.java:107)
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.getSessionKey(KerberosTokenDecoderImpl.java:85)
> 	at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:208)
> 	... 31 more
> Caused by: org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Integrity check on decrypted field failed
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:170)
> 	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:150)
> 	... 34 more
> Caused by: java.io.IOException: ERR_00018 DER length more than 4 bytes.
> 	at org.apache.directory.shared.asn1.der.ASN1InputStream.readLength(ASN1InputStream.java:130)
> 	at org.apache.directory.shared.asn1.der.ASN1InputStream.readObject(ASN1InputStream.java:408)
> 	at org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder.decode(EncTicketPartDecoder.java:60)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decode(CipherTextHandler.java:253)
> 	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:166)
> 	... 35 more
> Since Java 7, an Extended JGSS API is provided which is capable of extracting the session
key in both retrieving and validating a service ticket.It is operable against both AD and
ApacheDS KDC. That is proven by running KerberosTest against both types of KDC implementation.
> I'm attaching an eclipse patch based on wss4j trunk, which is a proposition for a fix
of the described defect based on the extended JGSS API. The patch also includes implementation
for resolving WSS-500.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message