- Bug
- Resolution: Duplicate
- P3
- None
- 8u40
- x86
- windows_8
FULL PRODUCT VERSION :
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b25)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)
java version "1.8.0_60-ea"
Java(TM) SE Runtime Environment (build 1.8.0_60-ea-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b10, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [version 6.3.9600]
(c) 2013 Microsoft Corporation. Tous droits réservés.
A DESCRIPTION OF THE PROBLEM :
The fix of "8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred" has added the following check in sun.security.jgss.spnego.SpNegoContext:

    if (mechList[0].equals(mech_wanted)) {
        // get the mechanism token
        byte[] mechToken = initToken.getMechToken();
        if (mechToken == null) {
            throw new GSSException(GSSException.FAILURE, -1,
                    "mechToken is missing");
        }
        accept_token = GSS_acceptSecContext(mechToken);
    } else {
        accept_token = null;
    }

This fails when mech_wanted is not mechList[0] but mechList[1].
A quick fix, made by replacing it with the following code, restores the functionality:

    boolean mechFound = false;
    for (int i = 0; i < mechList.length && !mechFound; i++) {
        mechFound = mechList[i].equals(mech_wanted);
    }
    if (mechFound) {
        // get the mechanism token
        byte[] mechToken = initToken.getMechToken();
        if (mechToken == null) {
            throw new GSSException(GSSException.FAILURE, -1,
                    "mechToken is missing");
        }
        accept_token = GSS_acceptSecContext(mechToken);
    } else {
        accept_token = null;
    }

REGRESSION. Last worked in version 8u40
ADDITIONAL REGRESSION INFORMATION:
java version "1.8.0_31"
Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Set up a server with krb5 auth in such a way that the best match between the list of mechs that the initiator requested and the list that the acceptor will support is not the first supported mechanism.
2. Request auth.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
authentication is correctly performed
ACTUAL -
authentication fails
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Roll back to jdk8-u31.
SUPPORT :
YES
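
Added example, not part of the report or of the JDK sources: a minimal model of the two checks quoted above, run against constructed initiator mechLists. The helper names (`negotiate`, `firstOnly`, `anyPosition`) and the acceptor configuration are hypothetical; the two OIDs are Kerberos V5 and the Microsoft legacy Kerberos OID.

```java
import java.util.Arrays;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

public class SpnegoMechCheckDemo {
    // Hypothetical stand-in for the acceptor's negotiation: the first
    // acceptor-supported mechanism that the initiator also proposed.
    static Oid negotiate(List<Oid> supported, Oid[] mechList) {
        for (Oid s : supported) {
            for (Oid m : mechList) {
                if (s.equals(m)) return s;
            }
        }
        return null;
    }

    // Check quoted in the report: only position 0 of mechList counts.
    static boolean firstOnly(Oid[] mechList, Oid mechWanted) {
        return mechList[0].equals(mechWanted);
    }

    // Reporter's replacement: any position in mechList counts.
    static boolean anyPosition(Oid[] mechList, Oid mechWanted) {
        return Arrays.asList(mechList).contains(mechWanted);
    }

    public static void main(String[] args) throws GSSException {
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");   // Kerberos V5
        Oid msKrb5 = new Oid("1.2.840.48018.1.2.2");  // Microsoft legacy krb5 OID
        List<Oid> supported = Arrays.asList(krb5);     // constructed acceptor config

        // Constructed initiator proposals: wanted mech first, then second.
        Oid[][] proposals = { {krb5, msKrb5}, {msKrb5, krb5} };
        for (Oid[] mechList : proposals) {
            Oid wanted = negotiate(supported, mechList);
            // firstOnly == false is the branch that sets accept_token = null.
            System.out.printf("mechList=%s wanted=%s firstOnly=%b anyPosition=%b%n",
                    Arrays.toString(mechList), wanted,
                    firstOnly(mechList, wanted), anyPosition(mechList, wanted));
        }
    }
}
```

RFC 4178 defines mechToken as the optimistic token for the first mechanism in the initiator's list, so a check that accepts any position hands the acceptor a token built for mechList[0]; when reviewing such a change, confirm that token is valid for mech_wanted.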
- duplicates
- JDK-8078439 SPNEGO auth fails if client proposes MS krb5 OID
- Closed