- Enhancement
- Resolution: Duplicate
- P4
- None
- 8u25
- x86
- windows_8
A DESCRIPTION OF THE REQUEST :
Microsoft has a new SPNEGO scheme, NEGOEX.
See:
http://msdn.microsoft.com/en-us/library/ff468736.aspx
http://tools.ietf.org/html/draft-zhu-negoex
http://blogs.msdn.com/b/openspecification/archive/2011/07/01/a-quick-look-at-the-new-negotiation-mechanism-negoex-used-with-spnego-in-windows-7.aspx
JUSTIFICATION :
Newer versions of Windows are sending NEGOEX before falling back to the normal SPNEGO.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expect it to work.
ACTUAL -
It doesn't work, with error: "GSSHeader did not find the right tag"
CUSTOMER SUBMITTED WORKAROUND :
diff --git a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
--- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
+++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
@@ -523,12 +523,8 @@
valid = false;
}
- // get the mechanism token
- byte[] mechToken = initToken.getMechToken();
- if (mechToken == null) {
- throw new GSSException(GSSException.FAILURE, -1,
- "mechToken is missing");
- }
+ // get the mechanism token (OPTIONAL)
+ byte[] mechToken = null;
/*
* Select the best match between the list of mechs
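Review bot: with the `mechToken == null` check and its "mechToken is missing" GSSException removed, this hunk leaves `mechToken` as null with no rejection path, so an initial token that omits the mechToken for the initiator's preferred mechanism is no longer caught here. Rather than dropping the check, move it to the point where the token is actually consumed (the `mechList[0] == mech_wanted` branch in the next hunk), so that the optional case is limited to a non-preferred mechanism being selected.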
@@ -543,9 +539,15 @@
}
// save the desired mechanism
internal_mech = mech_wanted;
+
+ byte[] accept_token = null;
+ if (mechList[0] == mech_wanted) {
+ // mechToken is only for the first mech.
+ mechToken = initToken.getMechToken();
+ accept_token = GSS_acceptSecContext(mechToken);
+ }
// get the token for mechanism
- byte[] accept_token = GSS_acceptSecContext(mechToken);
// verify MIC
if (!GSSUtil.useMSInterop() && valid) {
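Review bot: `mechList[0] == mech_wanted` compares references; if these are Oid objects, as the names suggest, two equal OIDs held in different instances will skip the branch and the first mechanism's token will be silently ignored. Use `mechList[0].equals(mech_wanted)`, and check `mechToken` for null before passing it to `GSS_acceptSecContext`, since the earlier hunk removed that check. The `// get the token for mechanism` comment is left orphaned after the deleted line and should move into the new block. Also confirm that the code following this hunk treats a null `accept_token` as negotiation continuing rather than as a failure.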
@@ -595,9 +597,24 @@
} else if (state == STATE_IN_PROCESS) {
// read the token
- byte[] client_token = new byte[is.available()];
- SpNegoToken.readFully(is, client_token);
- byte[] accept_token = GSS_acceptSecContext(client_token);
+ byte[] token = new byte[is.available()];
+ SpNegoToken.readFully(is, token);
+ if (DEBUG) {
+ System.out.println("SpNegoContext.acceptSecContext: " +
+ "receiving token = " +
+ SpNegoToken.getHexBytes(token));
+ }
+
+ // read the SPNEGO token
+ // token will be validated when parsing
+ NegTokenTarg respToken = new NegTokenTarg(token);
+
+ if (DEBUG) {
+ System.out.println("SpNegoContext.acceptSecContext: " +
+ "received token of type = " +
+ SpNegoToken.getTokenName(respToken.getType()));
+ }
+ byte[] accept_token = GSS_acceptSecContext(respToken.getResponseToken());
if (accept_token == null) {
valid = false;
}
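Review bot: `respToken.getResponseToken()` is passed straight to `GSS_acceptSecContext` near the end of this hunk, but a NegTokenTarg can be sent without a response token, so a null can reach the mechanism here. Check for null and fail with a GSSException before the call. The new DEBUG output also prints the whole received token via `SpNegoToken.getHexBytes(token)`; consider logging only its length or type.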
- duplicates: JDK-8048194 GSSContext.acceptSecContext fails when a supported mech is initiator preferred (Resolved)