Comments (2)
Mike Wiesner said:
I can't reproduce that. There is a log statement in the catch AuthenticationException block with priority "warn".
In most of the cases this exception has a wrong server side Kerberos configuration as the root cause and therefore is an internal server error. But it can also happen when someone sends malicious input to the server, and therefore it is only logged as "warn" and not as "error".
from spring-security-kerberos.
Harald Radi said:
I only partially agree with you.
First, the proposed sample configuration in the javadoc of the same file doesn't include a failureHandler and hence would be 'a wrong server side Kerberos configuration' as you put it. It took me some time to figure this out although it should have been quite obvious.
Second, the "warn" is ok where it is, but there should additionally be an "error" in the else branch as an SC_INTERNAL_SERVER_ERROR is something fatal and not just a warning (and one might not have "warn" enabled by default).
Using the provided sample configuration one just sees 500 pages when accessing the webapp with a browser that doesn't send the "Negotiate" header. I don't think that this is ok.