JDK-5102695 : REGRESSION: JNDI example with SASL/GSSAPI does not work with J2SE 5.0
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 5.0,5.0u6
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: linux_redhat_3.0,windows_2000
  • CPU: x86
  • Submitted: 2004-09-15
  • Updated: 2006-02-04
  • Resolved: 2006-02-04
Other: 5.0u7 Fixed
JDK 6: 6 b71 Fixed
Related Reports
Duplicate :  
Duplicate :  
Description
Name: jl125535			Date: 09/15/2004


URL OF FAULTY DOCUMENTATION :
http://java.sun.com/products/jndi/tutorial/ldap/security/gssapi.html

A DESCRIPTION OF THE PROBLEM :
The example works fine with J2SE 1.4, but with J2SE 5.0 the following exception is thrown:


javax.naming.NamingException: [LDAP: error code 80 - GSSAPI: gss_unwrap:  A token had an invalid MIC; Success; ]
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3029)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:134)
	at JndiAction.performJndiOperation(GssExample.java:144)
	at JndiAction.run(GssExample.java:105)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAs(Subject.java:337)
	at GssExample.main(GssExample.java:90)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at com.intellij.rt.execution.application.AppMain.main(AppMain.java:78)



I am using OpenLDAP 2.1.4.

Release Regression From : 1.4.2
The above release value was the last known release where this 
bug was known to work. Since then there has been a regression.

(Incident Review ID: 310807) 
======================================================================

Comments
EVALUATION Fixed the signing algorithm in Java GSS when using "des-cbc-crc" as the encryption type. JNDI example works correctly now.
24-01-2006

EVALUATION NOTE: This bug causes a compatibility problem and also results in an interop issue. **Should be fixed**
10-01-2006

EVALUATION This problem is only seen when using "des-cbc-crc" as the encryption type. The underlying problem is in Java GSS, with the signing algorithm used, when using "des-cbc-crc" as the encryption type. Plan to fix this shortly.
09-01-2006

EVALUATION example worked in 1.4.2, does not work in 1.5.0 ###@###.### 2004-09-16
16-09-2004
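
A triage check for the condition named in the evaluation, as an added example that is not part of the original report or of the JDK: it scans the [libdefaults] section of a krb5.conf for enctype settings that list des-cbc-crc. The sample configuration is constructed, and the function names are hypothetical. The enctype actually used also depends on the KDC and the keys it holds.

```python
import re

# Settings in [libdefaults] that restrict or order Kerberos encryption types.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
AFFECTED = "des-cbc-crc"  # the enctype named in the evaluation


def libdefaults_enctypes(conf_text):
    """Return {key: [enctype, ...]} for the enctype settings in [libdefaults]."""
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # Values are separated by whitespace and/or commas.
            found[key] = [e.lower() for e in re.split(r"[\s,]+", value) if e]
    return found


def des_cbc_crc_findings(conf_text):
    """Return {key: 'preferred' | 'allowed'} for settings that list des-cbc-crc."""
    findings = {}
    for key, enctypes in libdefaults_enctypes(conf_text).items():
        if AFFECTED in enctypes:
            findings[key] = "preferred" if enctypes[0] == AFFECTED else "allowed"
    return findings


# Constructed sample configuration (not from the report).
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-crc des-cbc-md5
    default_tgs_enctypes = des3-cbc-sha1, DES-CBC-CRC
    # permitted_enctypes = des-cbc-crc
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""

if __name__ == "__main__":
    for key, state in des_cbc_crc_findings(SAMPLE).items():
        print(f"{key}: des-cbc-crc is {state}")
```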