fix(sso/spnego): harden Windows SSO defaults and fix login failure handling#3181
Merged
Conversation
…ndling Review and hardening of the SPNEGO (Windows SSO) implementation. Security hardening (changes insecure-by-default behavior): - spnego.allow.localhost now defaults to false. When enabled, the underlying library authenticates same-host requests as the server OS user without Kerberos verification, which is unsafe behind a same-host reverse proxy. - spnego.allow.unsecure.basic now defaults to false, so Basic credentials are never offered over plain HTTP (Basic is still offered over HTTPS). - Add optional Kerberos realm validation: only the server realm and realms listed in the new spnego.allowed.realms property are accepted, preventing cross-realm principals from collapsing onto the same local user. Single-realm setups are unaffected. Bug fixes / correctness: - SsoAction.index() now catches SsoLoginException so SSO authentication failures (SPNEGO/EntraID) redirect to the login page with an error instead of returning HTTP 500. - Remove the non-functional spnego.initialized re-init flag (dead logic that also wrote to system.properties); document that SPNEGO settings require a restart because the library config is a JVM-wide singleton. - Release SPNEGO server credentials/login context on shutdown via @PreDestroy. - Fix keytab authentication: preauth username/password now default to empty so keytab-based server login is used when configured (previously placeholder values forced username/password mode). - Remove the no-op spnego.exclude.dirs setting from the admin UI (only the unused servlet filter consumed it). - Throw a clear "configuration file not found" error instead of a misleading "missing init param" message when krb5.conf/login.conf cannot be resolved. - Ignore non-numeric spnego.logger.level (warn and auto-detect) instead of failing SPNEGO initialization. - Remove a duplicate debug log line. Tests: - Replace placeholder SpnegoAuthenticatorTest assertions with real coverage for the secure defaults, realm validation, logger-level fallback, and the config-file-not-found path (15 tests). NOTE for upgraders: deployments that relied on localhost bypass or plain-HTTP Basic will now require authentication / HTTPS. Intentional cross-realm trust setups must list the additional realms in spnego.allowed.realms.
marevol
added a commit
to codelibs/fess-docs
that referenced
this pull request
Jul 5, 2026
…de (#429) Update the 15.8 General admin guide across all languages to match the SPNEGO (Windows SSO) hardening in codelibs/fess#3181: - Remove the "Exclude Directories" field, which was removed from the admin UI (only an unused servlet filter consumed it). - Add a note that SPNEGO settings require a Fess restart, since the underlying library config is a JVM-wide singleton. - Document the secure-by-default behavior of "Allow Localhost" and "Allow Unsecure Basic Auth" (both now default to disabled). - Note that leaving the pre-auth username/password empty enables keytab-based server login. - Clarify that the logger level is a 0-7 value and is auto-detected when empty or non-numeric. Languages: ja, en, de, es, fr, ko, zh-cn
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Review and hardening of the SPNEGO (Windows SSO) implementation. Each finding was verified against the code before fixing.
Security hardening (insecure-by-default changes)
spnego.allow.localhostnow defaults tofalse. When enabled, the underlying library authenticates same-host requests as the server OS user without Kerberos verification — unsafe behind a same-host reverse proxy.spnego.allow.unsecure.basicnow defaults tofalse, so Basic credentials are never offered over plain HTTP (Basic is still offered over HTTPS).spnego.allowed.realmsproperty are accepted, preventing cross-realm principals from collapsing onto the same local user. Single-realm setups are unaffected.Bug fixes / correctness
SsoAction.index()now catchesSsoLoginException, so SSO auth failures (SPNEGO/EntraID) redirect to the login page with an error instead of returning HTTP 500.spnego.initializedre-init flag (dead logic that also pollutedsystem.properties); documented that SPNEGO settings require a restart because the library config is a JVM-wide singleton.@PreDestroy.spnego.preauth.username/passwordnow default to empty so keytab-based server login is used when configured (previously placeholder values forced username/password mode).spnego.exclude.dirssetting from the admin UI (only the unused servlet filter consumed it).krb5.conf/login.confcannot be resolved.spnego.logger.levelis ignored (warn + auto-detect) instead of failing SPNEGO initialization.Tests
Replaced the placeholder
SpnegoAuthenticatorTestassertions with real coverage (15 tests): secure defaults, realm validation, logger-level fallback, and the config-file-not-found path.mvn test -Dtest=SpnegoAuthenticatorTestpasses (15/15).Upgrade notes
Deployments that relied on localhost bypass or plain-HTTP Basic will now require authentication / HTTPS. Intentional cross-realm trust setups must list the additional realms in
spnego.allowed.realms.