- Enhancement
- Resolution: Fixed
- P4
- None
- b04
- generic
- generic
ADDITIONAL SYSTEM INFORMATION :
Latest Java 8/11/17 all repro same. Windows 10 + Linux all repro same.
A DESCRIPTION OF THE PROBLEM :
This issue was discovered when using SPNEGO with an HTTPS URL via java.net.URL(String url).openConnection().getInputStream(). During the Kerberos authentication procedure, multiple Kerberos referrals occurred to find the final krbtgt server. (Sorry, my terminology may be slightly imprecise.) The krb5.conf file was missing one of the realms. As a result, one of the referrals failed with a misleading exception message.
JDK 8 stack trace:
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:69)
at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:226)
at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:237)
at sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:482)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:340)
at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:314)
at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169)
at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:490)
at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
at sun.net.www.protocol.http.spnego.NegotiatorImpl.init(NegotiatorImpl.java:108)
at sun.net.www.protocol.http.spnego.NegotiatorImpl.<init>(NegotiatorImpl.java:117)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at sun.net.www.protocol.http.Negotiator.getNegotiator(Negotiator.java:63)
at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:111)
at sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:200)
at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:143)
at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:123)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1720)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
Suggestions:
(1) Method sun.security.krb5.Config.getKDCList() should provide a more helpful exception message: new KrbException("Cannot locate KDC for realm [" + realm + "]")
(2) Static method sun.security.krb5.internal.CredentialsUtil.serviceCreds(KDCOptions, Credentials, PrincipalName, PrincipalName, PrincipalName, Ticket[], PAData[], CredentialsUtil.S4U2Type) can throw better exceptions -- better message & stack trace. Also, it is impossible to view the caught KrbException in a debugger (at least in my IntelliJ debugger).
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Create krb5.conf file that is missing realm required for Kerberos TGT referral.
2. Do SPNEGO with an HTTPS URL via java.net.URL(String url).openConnection().getInputStream(). The URL should induce a referral that will fail.
3. Exception is thrown with misleading message and stack trace.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
More helpful / meaningful exception message. The message can be improved, and probably a better chain can be constructed to make debugging simpler.
ACTUAL -
Exception is thrown with misleading message and stack trace.
FREQUENCY : always
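The failure mode in the report is a cross-realm referral into a realm that krb5.conf never defines, which the JDK then reports as "Message stream modified (41)". The following is an added example, not code from the bug report or from the JDK: a small Python checker that parses krb5.conf and lists every realm named in [libdefaults], [domain_realm] or [capaths] that has no [realms] stanza, so the gap is caught before a client ever hits the misleading error. The sample configuration, realm names and hostnames are constructed for illustration; the parser covers only the stanza syntax shown (no include directives, and repeated keys keep their first value).

```python
"""Added example (not from the bug report or the JDK): flag realms that a
krb5.conf references but never defines. All names in SAMPLE_KRB5_CONF are
made up for illustration."""
import re
import sys
from typing import Any, Dict, List, Optional, Set

# Constructed krb5.conf. SALES.EXAMPLE.COM is named in [domain_realm] and as
# a [capaths] hop but has no [realms] stanza; with DNS lookup disabled, a
# referral into it has no KDC to go to.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false
[realms]
    CORP.EXAMPLE.COM = {
        kdc = kdc1.corp.example.com
    }
    EU.EXAMPLE.COM = {
        kdc = kdc.eu.example.com
    }
[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    .sales.example.com = SALES.EXAMPLE.COM
[capaths]
    CORP.EXAMPLE.COM = {
        EU.EXAMPLE.COM = SALES.EXAMPLE.COM
    }
"""


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse stanzas into {section: {key: value}}; "key = { ... }" becomes a
    nested dict. Repeated keys keep the first value (the checker only needs names)."""
    sections: Dict[str, Dict[str, Any]] = {}
    section: Optional[Dict[str, Any]] = None
    stack: List[Dict[str, Any]] = []  # open "{" blocks, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and not stack:
            section = sections.setdefault(header.group(1).strip().lower(), {})
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without an open block")
            stack.pop()
            continue
        if section is None:
            raise ValueError(f"line {lineno}: directive before any [section]")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value': {line!r}")
        target = stack[-1] if stack else section
        key, value = key.strip(), value.strip()
        if value == "{":
            block = target.setdefault(key, {})
            if not isinstance(block, dict):
                raise ValueError(f"line {lineno}: {key!r} is both a value and a block")
            stack.append(block)
        else:
            target.setdefault(key, value)
    if stack:
        raise ValueError("unterminated '{' block at end of file")
    return sections


def referenced_realms(conf: Dict[str, Dict[str, Any]]) -> Dict[str, Set[str]]:
    """Map every realm the config points at to the places that name it."""
    refs: Dict[str, Set[str]] = {}

    def note(realm: Any, where: str) -> None:
        if isinstance(realm, str) and realm and realm != ".":  # "." = direct path
            refs.setdefault(realm, set()).add(where)

    note(conf.get("libdefaults", {}).get("default_realm"), "[libdefaults] default_realm")
    for domain, realm in conf.get("domain_realm", {}).items():
        note(realm, f"[domain_realm] {domain}")
    for client, servers in conf.get("capaths", {}).items():
        note(client, "[capaths] client realm")
        if isinstance(servers, dict):
            for server, hop in servers.items():
                note(server, f"[capaths] {client} -> {server} server realm")
                note(hop, f"[capaths] {client} -> {server} intermediate")
    return refs


def undefined_realms(conf: Dict[str, Dict[str, Any]]) -> Dict[str, Set[str]]:
    """Referenced realms that have no [realms] stanza."""
    defined = {r for r, v in conf.get("realms", {}).items() if isinstance(v, dict)}
    return {r: w for r, w in referenced_realms(conf).items() if r not in defined}


def check(text: str) -> List[str]:
    """One finding per undefined realm; an empty list means the config is consistent."""
    conf = parse_krb5_conf(text)
    # MIT krb5 and the JDK both fall back to DNS SRV records for the KDC when
    # dns_lookup_kdc is unset or true; with it off, an undefined realm is fatal.
    dns = str(conf.get("libdefaults", {}).get("dns_lookup_kdc", "true")).lower()
    dns_ok = dns in ("true", "yes", "1")
    findings = []
    for realm, places in sorted(undefined_realms(conf).items()):
        hint = ("a KDC may still be found via DNS SRV lookup" if dns_ok
                else "dns_lookup_kdc is off, so no KDC can be located for it")
        findings.append(f"{realm}: referenced in {', '.join(sorted(places))} "
                        f"but has no [realms] entry; {hint}")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    for finding in check(source):
        print(finding)
```

Run it against a real file with `python krb5check.py /etc/krb5.conf` (the script name is arbitrary). A clean result does not prove any KDC is reachable; it only shows that every realm a referral could land in is at least defined, which is the gap that surfaced as the misleading error in this report.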