ws-dev mailing list archives

From "Boris Dushanov (JIRA)" <j...@apache.org>
Subject [jira] [Created] (WSS-501) Kerberos token decoder default implementation fails to extract the session when validating a ticket issued by a KDC based on Active Directory
Date Mon, 19 May 2014 12:22:38 GMT
Boris Dushanov created WSS-501:
----------------------------------

             Summary: Kerberos token decoder default implementation fails to extract the session
when validating a ticket issued by a KDC based on Active Directory
                 Key: WSS-501
                 URL: https://issues.apache.org/jira/browse/WSS-501
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 2.0.1
            Reporter: Boris Dushanov
            Assignee: Colm O hEigeartaigh


This issue is related to WSS-500. After fixing the service name form from NT_HOSTBASED_SERVICE
to NT_USER_NAME in both Kerberos client/service actions I get the following exception while
the service ticket is being validated and the session key is extracted from it:

org.apache.wss4j.common.ext.WSSecurityException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Integrity check on decrypted field failed
Original Exception was org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Integrity check on decrypted field failed
	at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:211)
	at org.apache.wss4j.dom.processor.BinarySecurityTokenProcessor.handleToken(BinarySecurityTokenProcessor.java:92)
	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427)
	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:309)
	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:254)
	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:208)
	at org.apache.wss4j.integration.test.kerberos.KerberosTest.testKerberosCreationAndProcessing(KerberosTest.java:167)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
	at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
	at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
	at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
	at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
	at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
	at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
	at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
	at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
	at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
	at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27)
	at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
	at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
	at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
	at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: org.apache.wss4j.common.kerberos.KerberosTokenDecoderException: org.apache.directory.server.kerberos.shared.exceptions.KerberosException:
Integrity check on decrypted field failed
	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:153)
	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.decodeServiceTicket(KerberosTokenDecoderImpl.java:107)
	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.getSessionKey(KerberosTokenDecoderImpl.java:85)
	at org.apache.wss4j.dom.validate.KerberosTokenValidator.validate(KerberosTokenValidator.java:208)
	... 31 more
Caused by: org.apache.directory.server.kerberos.shared.exceptions.KerberosException: Integrity
check on decrypted field failed
	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:170)
	at org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl.parseServiceTicket(KerberosTokenDecoderImpl.java:150)
	... 34 more
Caused by: java.io.IOException: ERR_00018 DER length more than 4 bytes.
	at org.apache.directory.shared.asn1.der.ASN1InputStream.readLength(ASN1InputStream.java:130)
	at org.apache.directory.shared.asn1.der.ASN1InputStream.readObject(ASN1InputStream.java:408)
	at org.apache.directory.server.kerberos.shared.io.decoder.EncTicketPartDecoder.decode(EncTicketPartDecoder.java:60)
	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.decode(CipherTextHandler.java:253)
	at org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler.unseal(CipherTextHandler.java:166)
	... 35 more

Since Java 7, an Extended JGSS API is provided which is capable of extracting the session
key in both retrieving and validating a service ticket. It is operable against both AD and
ApacheDS KDC. That is proven by running KerberosTest against both types of KDC implementation.

I'm attaching an Eclipse patch based on wss4j trunk, which is a proposition for a fix of the
described defect based on the extended JGSS API. The patch also includes an implementation for
resolving WSS-500.
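The approach the report proposes (let the JGSS layer validate the ticket and hand back the session key, instead of decrypting and DER-parsing the EncTicketPart in application code) can be shown in isolation. The following is an added illustration written for this archive page; it is not the attached patch nor WSS4J's own code. It assumes a `Subject` that was populated by `Krb5LoginModule` with the service's keytab credentials, a `token` byte array that is the Base64-decoded content of the incoming BinarySecurityToken, and that the JDK exposes `com.sun.security.jgss.ExtendedGSSContext` (JDK 7 and later). `acceptAndGetSessionKey` and `ServiceSession` are names chosen here for the example.

```java
import java.security.Key;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/** Result of accepting a Kerberos AP-REQ token on the service side (example type). */
public final class ServiceSession {
    public final String clientPrincipal;
    public final Key sessionKey;          // key shared with the client, used to verify the SOAP signature
    public final byte[] responseToken;    // mutual-auth AP-REP, or null when none is required

    private ServiceSession(String clientPrincipal, Key sessionKey, byte[] responseToken) {
        this.clientPrincipal = clientPrincipal;
        this.sessionKey = sessionKey;
        this.responseToken = responseToken;
    }

    /**
     * Validates the ticket carried in {@code token} with the service's own credentials and
     * returns the session key via the extended JGSS API, so no ticket decryption or DER
     * parsing happens in this code. Runs inside the service Subject because the Kerberos
     * provider looks up the acceptor's keys there.
     */
    public static ServiceSession acceptAndGetSessionKey(Subject serviceSubject, final byte[] token)
            throws Exception {
        return Subject.doAs(serviceSubject, new PrivilegedExceptionAction<ServiceSession>() {
            @Override
            public ServiceSession run() throws GSSException {
                GSSManager manager = GSSManager.getInstance();
                Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5 mechanism OID
                GSSCredential serviceCred = manager.createCredential(
                        null, GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.ACCEPT_ONLY);
                GSSContext ctx = manager.createContext(serviceCred);
                try {
                    // A single AP-REQ establishes the context; anything else is rejected.
                    byte[] reply = ctx.acceptSecContext(token, 0, token.length);
                    if (!ctx.isEstablished()) {
                        throw new GSSException(GSSException.DEFECTIVE_TOKEN);
                    }
                    if (!(ctx instanceof ExtendedGSSContext)) {
                        // Older JDK: the session key is not reachable this way.
                        throw new GSSException(GSSException.UNAVAILABLE);
                    }
                    Key key = (Key) ((ExtendedGSSContext) ctx)
                            .inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
                    return new ServiceSession(ctx.getSrcName().toString(), key, reply);
                } finally {
                    ctx.dispose();
                    serviceCred.dispose();
                }
            }
        });
    }
}
```

Because the KDC-issued ticket is decrypted and its checksum verified by the JGSS provider, the error in the report ("Integrity check on decrypted field failed" followed by a DER length error) cannot arise from a mismatch between the application's hand-written decoder and the encryption type the KDC chose; a bad or replayed token surfaces as a `GSSException` from `acceptSecContext` and the request is rejected before any session key exists. The returned `sessionKey` is what the validator then uses to check the signature over the message body.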




--
This message was sent by Atlassian JIRA
(v6.2#6252)
