JDK-6382135

RSA premaster secret error / Cannot find any provider supporting RSA/ECB/PKCS1Padding

Details

    • Bug
    • Resolution: Not an Issue
    • P4
    • None
    • 5.0
    • security-libs

    Description

      FULL PRODUCT VERSION :
      java version "1.5.0_06"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-b05)
      Java HotSpot(TM) Client VM (build 1.5.0_06-b05, mixed mode, sharing)

      ADDITIONAL OS VERSION INFORMATION :
      Windows -XP

      A DESCRIPTION OF THE PROBLEM :
      While communicating with an Active Directory server via SSL and also executing the application with a security manager in place, a javax.naming.CommunicationException exception is thrown.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :

      1. Include the root certificate of Active Directory into the cacerts of the JAVA_HOME/jre/lib/security folder.

      2. Create a class file from the attached testcase

      3. JAR this class file. Make sure that a policy file exists to grant it all the permissions. Execute it via the command prompt and use

      java -Djava.security.manager <class file>

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      I was expecting the user to be successfully authenticated and no exceptions to be thrown.
      ACTUAL -
      javax.naming.CommunicationException: simple bind failed: <server ip>:636 [Root exception is javax.net.ssl.SSLKeyException: RSA premaster secret error]
       
      ERROR MESSAGES/STACK TRACES THAT OCCUR :
      javax.naming.CommunicationException: simple bind failed: <server ip>:636 [Root exception is javax.net.ssl.SSLKeyException: RSA premaster secret error]
              at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
              at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
              at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
              at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
              at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
              at javax.naming.InitialContext.init(Unknown Source)
              at javax.naming.InitialContext.<init>(Unknown Source)
              at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
              at com.docfinity.loginmodule.OitJndiLoginModule.getContext(OitJndiLoginModule.java:138)
              at com.docfinity.loginmodule.OitJndiLoginModule.login(OitJndiLoginModule.java:81)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
              at java.lang.reflect.Method.invoke(Unknown Source)
              at javax.security.auth.login.LoginContext.invoke(Unknown Source)
              at javax.security.auth.login.LoginContext.access$000(Unknown Source)
              at javax.security.auth.login.LoginContext$4.run(Unknown Source)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
              at javax.security.auth.login.LoginContext.login(Unknown Source)
              at com.docfinity.application.LoginManager.authenticateJndi(LoginManager.java:260)
              at com.docfinity.application.LoginManager.actionPerformed(LoginManager.java:129)
              at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
              at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
              at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
              at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
              at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
              at java.awt.Component.processMouseEvent(Unknown Source)
              at javax.swing.JComponent.processMouseEvent(Unknown Source)
              at java.awt.Component.processEvent(Unknown Source)
              at java.awt.Container.processEvent(Unknown Source)
              at java.awt.Component.dispatchEventImpl(Unknown Source)
              at java.awt.Container.dispatchEventImpl(Unknown Source)
              at java.awt.Component.dispatchEvent(Unknown Source)
              at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
              at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
              at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
              at java.awt.Container.dispatchEventImpl(Unknown Source)
              at java.awt.Window.dispatchEventImpl(Unknown Source)
              at java.awt.Component.dispatchEvent(Unknown Source)
              at java.awt.EventQueue.dispatchEvent(Unknown Source)
              at java.awt.EventDispatchThread.pumpOneEventForHierarchy(Unknown Source)
              at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
              at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
              at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
              at java.awt.EventDispatchThread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLKeyException: RSA premaster secret error
              at com.sun.net.ssl.internal.ssl.PreMasterSecret.<init>(Unknown Source)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
              at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
              at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
              at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
              at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
              at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
              at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
              at java.io.BufferedOutputStream.flush(Unknown Source)
              at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source)
              at com.sun.jndi.ldap.LdapClient.ldapBind(Unknown Source)
              ... 50 more
      Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting RSA/ECB/PKCS1Padding
              at javax.crypto.Cipher.getInstance(DashoA12275)
              at com.sun.net.ssl.internal.ssl.JsseJce.getCipher(Unknown Source)
              at com.sun.net.ssl.internal.ssl.RSACipher.<init>(Unknown Source)
              at com.sun.net.ssl.internal.ssl.RSACipher.getInstance(Unknown Source)
              ... 63 more

      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.IOException;
      import java.util.Hashtable;
      import javax.naming.ldap.*;
      import javax.naming.directory.*;
      import javax.naming.*;

      public class searchssl
      {
          public static void main (String[] args)
          {
              Hashtable env = new Hashtable();

              String adminName = "<username>";
              String adminPassword = "<password>";
              String ldapURL = "ldap://<serverip>:636";

              //Access the keystore, this is where the Root CA public key cert was installed
              //Could also do this via the command line option java -Djavax.net.ssl.trustStore....
              //No need to specify the keystore password for read operations
              System.out.println(System.getProperty("java.home"));
              System.out.println(System.getProperty("user.home"));
              String keystore = System.getProperty("java.home") + "/lib/security/cacerts";
              System.setProperty("javax.net.ssl.trustStore",keystore);

              env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");

              //set security credentials
              env.put(Context.SECURITY_AUTHENTICATION,"simple");
              env.put(Context.SECURITY_PRINCIPAL,adminName);
              env.put(Context.SECURITY_CREDENTIALS,adminPassword);

              //specify use of ssl
              env.put(Context.SECURITY_PROTOCOL,"ssl");

              //connect to my domain controller
              env.put(Context.PROVIDER_URL,ldapURL);
              try {
                  // Create the initial directory context
                  LdapContext ctx = new InitialLdapContext(env,null);
                  //Create the critical Sort control that sorts based on "cn"
                  Control[] ctxCtls = new Control[]{
                      new SortControl(new String[]{"cn"}, Control.CRITICAL)
                  };

                  //Set the context's request controls to be ctxCtls
                  ctx.setRequestControls(ctxCtls);

                  //Create the search controls
                  SearchControls searchCtls = new SearchControls();

                  //Specify the attributes to return
                  String returnedAtts[]={"sn","givenName","mail"};
                  searchCtls.setReturningAttributes(returnedAtts);

                  //Specify the search scope
                  searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);

                  //specify the LDAP search filter
                  String searchFilter = "(&(objectClass=user)(mail=*))";

                  //Specify the Base for the search
                  String searchBase = "DC=OIT,DC=DocFinity,DC=com";

                  //initialize counter to total the results
                  int totalResults = 0;

                  // Search for objects using the filter
                  NamingEnumeration answer = ctx.search(searchBase, searchFilter, searchCtls);

                  //Loop through the search results
                  while (answer.hasMoreElements()) {
                      SearchResult sr = (SearchResult)answer.next();

                      totalResults++;

                      System.out.println(">>>" + sr.getName());

                      // Print out some of the attributes, catch the exception if the attributes have no values
                      Attributes attrs = sr.getAttributes();
                      if (attrs != null) {
                          try {
                              System.out.println(" surname: " + attrs.get("sn").get());
                              System.out.println(" firstname: " + attrs.get("givenName").get());
                              System.out.println(" mail: " + attrs.get("mail").get());
                              System.out.println(" password: " + attrs.get("userPassword"));
                          }
                          catch (NullPointerException e) {
                              System.out.println("Errors listing attributes: " + e);
                          }
                      }
                  }

                  System.out.println("Total results: " + totalResults);
                  ctx.close();
              }
              catch (NamingException e) {
                  System.err.println("Problem searching directory: " + e);
              } catch (IOException e) {
                  // TODO Auto-generated catch block
                  System.err.println("IO Exception while setting the sort control: " + e);
              }
          }
      }
      ---------- END SOURCE ----------

      CUSTOMER SUBMITTED WORKAROUND :
      Use Jdk1.4.2
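
A provider probe for the lookup that fails at the bottom of the stack trace, added here as an example and not part of the bug report or of the JDK; the class name RsaCipherProbe is hypothetical. It lists each installed JCE provider that registers an RSA cipher and tries to instantiate RSA/ECB/PKCS1Padding from it, so the output can be compared between a run with -Djava.security.manager and a run without it.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

// Added diagnostic (hypothetical class name), not the report's test case.
// Launch it exactly like the failing application, for example with
// -Djava.security.manager and the same policy file, then compare with a
// run that has no security manager.
public class RsaCipherProbe {
    // Transformation named in the NoSuchAlgorithmException in the trace.
    static final String TRANSFORMATION = "RSA/ECB/PKCS1Padding";

    public static void main(String[] args) {
        System.out.println("java.version: " + System.getProperty("java.version"));
        int usable = 0;
        for (Provider p : Security.getProviders()) {
            // A provider may register the full transformation or only "RSA"
            // with mode/padding attributes, so look for both forms.
            Provider.Service svc = p.getService("Cipher", TRANSFORMATION);
            if (svc == null) {
                svc = p.getService("Cipher", "RSA");
            }
            if (svc == null) {
                continue; // this provider has no RSA cipher at all
            }
            System.out.println(p.getName() + " registers Cipher."
                    + svc.getAlgorithm() + " paddings="
                    + svc.getAttribute("SupportedPaddings"));
            try {
                // Ask this provider directly so a failure is attributed to it.
                Cipher c = Cipher.getInstance(TRANSFORMATION, p);
                System.out.println("  OK: " + c.getAlgorithm());
                usable++;
            } catch (Exception e) {
                // Print the whole cause chain, not just the outer message.
                for (Throwable t = e; t != null; t = t.getCause()) {
                    System.out.println("  FAILED: " + t);
                }
            }
        }
        System.out.println(usable + " provider(s) can supply " + TRANSFORMATION);
    }
}
```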

          People

            andreas Andreas Sterbenz
            ndcosta Nelson Dcosta (Inactive)