-
Bug
-
Resolution: Fixed
-
P4
-
8u5
-
b25
-
x86
-
windows_2008
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8056788 | emb-9 | Unassigned | P4 | Resolved | Fixed | b25 |
JDK-8063906 | 8u45 | Weijun Wang | P4 | Resolved | Fixed | b01 |
JDK-8059564 | 8u40 | Weijun Wang | P4 | Resolved | Fixed | b10 |
JDK-8069990 | emb-8u47 | Weijun Wang | P4 | Resolved | Fixed | team |
JDK-8134221 | openjdk7u | Weijun Wang | P4 | Resolved | Fixed | master |
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.2.9200]
EXTRA RELEVANT SYSTEM CONFIGURATION :
Windows Server 2012 with IE 11.
A DESCRIPTION OF THE PROBLEM :
Seems like by default on Windows 2012 Server with IE 11, when it sends SPNEGO token, it contains the following:
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
Since Java only supports 1.2.840.113554.1.2.2, SpNegoContext picked that as the mechanism:
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
But because the initiator preferred mechanism is 1.3.6.1.4.1.311.2.2.10
The mech Token read is for that mech, and NOT 1.2.840.113554.1.2.2.
But the current code ignored that fact and resulted in parsing error.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
set up a server with SPNEGO (with HTTP), and try hitting it with IE from Windows 2012.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expected it to work similar to IE from Windows 2008.
ACTUAL -
GSSContent.acceptSecContext failed with the following exception:
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:98)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
ERROR MESSAGES/STACK TRACES THAT OCCUR :
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:98)
at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
Here is the patch to that fixes the issue:
diff --git a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
--- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
+++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
@@ -523,12 +523,8 @@
valid = false;
}
- // get the mechanism token
- byte[] mechToken = initToken.getMechToken();
- if (mechToken == null) {
- throw new GSSException(GSSException.FAILURE, -1,
- "mechToken is missing");
- }
+ // get the mechanism token (OPTIONAL)
+ byte[] mechToken = null;
/*
* Select the best match between the list of mechs
@@ -543,9 +539,15 @@
}
// save the desired mechanism
internal_mech = mech_wanted;
+
+ byte[] accept_token = null;
+ if (mechList[0] == mech_wanted) {
+ // mechToken is only for the first mech.
+ mechToken = initToken.getMechToken();
+ accept_token = GSS_acceptSecContext(mechToken);
+ }
// get the token for mechanism
- byte[] accept_token = GSS_acceptSecContext(mechToken);
// verify MIC
if (!GSSUtil.useMSInterop() && valid) {
@@ -584,7 +586,7 @@
// generate SPNEGO token
NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
- mech_wanted, accept_token, null);
+ mech_wanted, accept_token, initToken.getMechListMIC());
if (DEBUG) {
System.out.println("SpNegoContext.acceptSecContext: " +
"sending token of type = " +
@@ -595,9 +597,24 @@
} else if (state == STATE_IN_PROCESS) {
// read the token
- byte[] client_token = new byte[is.available()];
- SpNegoToken.readFully(is, client_token);
- byte[] accept_token = GSS_acceptSecContext(client_token);
+ byte[] token = new byte[is.available()];
+ SpNegoToken.readFully(is, token);
+ if (DEBUG) {
+ System.out.println("SpNegoContext.acceptSecContext: " +
+ "receiving token = " +
+ SpNegoToken.getHexBytes(token));
+ }
+
+ // read the SPNEGO token
+ // token will be validated when parsing
+ NegTokenTarg respToken = new NegTokenTarg(token);
+
+ if (DEBUG) {
+ System.out.println("SpNegoContext.acceptSecContext: " +
+ "received token of type = " +
+ SpNegoToken.getTokenName(respToken.getType()));
+ }
+ byte[] accept_token = GSS_acceptSecContext(respToken.getResponseToken());
if (accept_token == null) {
valid = false;
}
@@ -618,7 +635,7 @@
// generate SPNEGO token
NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
- null, accept_token, null);
+ null, accept_token, respToken.getMechListMIC());
if (DEBUG) {
System.out.println("SpNegoContext.acceptSecContext: " +
"sending token of type = " +
---------- END SOURCE ----------
- backported by
-
JDK-8056788 GSSContext.acceptSecContext fails when a supported mech is initiator preferred
- Resolved
-
JDK-8059564 GSSContext.acceptSecContext fails when a supported mech is initiator preferred
- Resolved
-
JDK-8063906 GSSContext.acceptSecContext fails when a supported mech is initiator preferred
- Resolved
-
JDK-8069990 GSSContext.acceptSecContext fails when a supported mech is initiator preferred
- Resolved
-
JDK-8134221 GSSContext.acceptSecContext fails when a supported mech is initiator preferred
- Resolved
- duplicates
-
JDK-8068516 Missing support for NEGOEX
- Closed
- relates to
-
JDK-8078439 SPNEGO auth fails if client proposes MS krb5 OID
- Closed