Skip to content

fix(sso/spnego): harden Windows SSO defaults and fix login failure handling#3181

Merged
marevol merged 1 commit into
masterfrom
fix/spnego-windows-sso-hardening
Jul 5, 2026
Merged

fix(sso/spnego): harden Windows SSO defaults and fix login failure handling#3181
marevol merged 1 commit into
masterfrom
fix/spnego-windows-sso-hardening

Conversation

@marevol

@marevol marevol commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

Review and hardening of the SPNEGO (Windows SSO) implementation. Each finding was verified against the code before fixing.

Security hardening (insecure-by-default changes)

  • spnego.allow.localhost now defaults to false. When enabled, the underlying library authenticates same-host requests as the server OS user without Kerberos verification — unsafe behind a same-host reverse proxy.
  • spnego.allow.unsecure.basic now defaults to false, so Basic credentials are never offered over plain HTTP (Basic is still offered over HTTPS).
  • Kerberos realm validation. Only the server realm and realms listed in the new spnego.allowed.realms property are accepted, preventing cross-realm principals from collapsing onto the same local user. Single-realm setups are unaffected.

Bug fixes / correctness

  • SsoAction.index() now catches SsoLoginException, so SSO auth failures (SPNEGO/EntraID) redirect to the login page with an error instead of returning HTTP 500.
  • Removed the non-functional spnego.initialized re-init flag (dead logic that also polluted system.properties); documented that SPNEGO settings require a restart because the library config is a JVM-wide singleton.
  • Release server credentials/login context on shutdown via @PreDestroy.
  • Fixed keytab authentication: spnego.preauth.username/password now default to empty so keytab-based server login is used when configured (previously placeholder values forced username/password mode).
  • Removed the no-op spnego.exclude.dirs setting from the admin UI (only the unused servlet filter consumed it).
  • Clearer "configuration file not found" error when krb5.conf/login.conf cannot be resolved.
  • Non-numeric spnego.logger.level is ignored (warn + auto-detect) instead of failing SPNEGO initialization.
  • Removed a duplicate debug log line.

Tests

Replaced the placeholder SpnegoAuthenticatorTest assertions with real coverage (15 tests): secure defaults, realm validation, logger-level fallback, and the config-file-not-found path. mvn test -Dtest=SpnegoAuthenticatorTest passes (15/15).

Upgrade notes

Deployments that relied on localhost bypass or plain-HTTP Basic will now require authentication / HTTPS. Intentional cross-realm trust setups must list the additional realms in spnego.allowed.realms.

…ndling

Review and hardening of the SPNEGO (Windows SSO) implementation.

Security hardening (changes insecure-by-default behavior):
- spnego.allow.localhost now defaults to false. When enabled, the underlying
  library authenticates same-host requests as the server OS user without
  Kerberos verification, which is unsafe behind a same-host reverse proxy.
- spnego.allow.unsecure.basic now defaults to false, so Basic credentials are
  never offered over plain HTTP (Basic is still offered over HTTPS).
- Add optional Kerberos realm validation: only the server realm and realms
  listed in the new spnego.allowed.realms property are accepted, preventing
  cross-realm principals from collapsing onto the same local user. Single-realm
  setups are unaffected.

Bug fixes / correctness:
- SsoAction.index() now catches SsoLoginException so SSO authentication
  failures (SPNEGO/EntraID) redirect to the login page with an error instead
  of returning HTTP 500.
- Remove the non-functional spnego.initialized re-init flag (dead logic that
  also wrote to system.properties); document that SPNEGO settings require a
  restart because the library config is a JVM-wide singleton.
- Release SPNEGO server credentials/login context on shutdown via @PreDestroy.
- Fix keytab authentication: preauth username/password now default to empty so
  keytab-based server login is used when configured (previously placeholder
  values forced username/password mode).
- Remove the no-op spnego.exclude.dirs setting from the admin UI (only the
  unused servlet filter consumed it).
- Throw a clear "configuration file not found" error instead of a misleading
  "missing init param" message when krb5.conf/login.conf cannot be resolved.
- Ignore non-numeric spnego.logger.level (warn and auto-detect) instead of
  failing SPNEGO initialization.
- Remove a duplicate debug log line.

Tests:
- Replace placeholder SpnegoAuthenticatorTest assertions with real coverage for
  the secure defaults, realm validation, logger-level fallback, and the
  config-file-not-found path (15 tests).

NOTE for upgraders: deployments that relied on localhost bypass or plain-HTTP
Basic will now require authentication / HTTPS. Intentional cross-realm trust
setups must list the additional realms in spnego.allowed.realms.
@marevol marevol added this to the 15.8.0 milestone Jul 3, 2026
@marevol marevol self-assigned this Jul 3, 2026
@marevol marevol merged commit b72379e into master Jul 5, 2026
1 check passed
marevol added a commit to codelibs/fess-docs that referenced this pull request Jul 5, 2026
…de (#429)

Update the 15.8 General admin guide across all languages to match the
SPNEGO (Windows SSO) hardening in codelibs/fess#3181:

- Remove the "Exclude Directories" field, which was removed from the
  admin UI (only an unused servlet filter consumed it).
- Add a note that SPNEGO settings require a Fess restart, since the
  underlying library config is a JVM-wide singleton.
- Document the secure-by-default behavior of "Allow Localhost" and
  "Allow Unsecure Basic Auth" (both now default to disabled).
- Note that leaving the pre-auth username/password empty enables
  keytab-based server login.
- Clarify that the logger level is a 0-7 value and is auto-detected
  when empty or non-numeric.

Languages: ja, en, de, es, fr, ko, zh-cn
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant