JDK-8068516 : Missing support for NEGOEX
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 8u25
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_8
  • CPU: x86
  • Submitted: 2014-12-06
  • Updated: 2015-01-16
  • Resolved: 2015-01-16
Related Reports
Duplicate :  
Description
A DESCRIPTION OF THE REQUEST :
Microsoft has a new SPNEGO scheme, NEGOEX; see:

http://msdn.microsoft.com/en-us/library/ff468736.aspx
http://tools.ietf.org/html/draft-zhu-negoex
http://blogs.msdn.com/b/openspecification/archive/2011/07/01/a-quick-look-at-the-new-negotiation-mechanism-negoex-used-with-spnego-in-windows-7.aspx

JUSTIFICATION :
Newer versions of Windows send NEGOEX before falling back to the normal SPNEGO.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Expect it to work.
ACTUAL -
It doesn't work, with the error: "GSSHeader did not find the right tag"
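The failure above is what happens when an acceptor hands the optimistic mechToken of a NegTokenInit to a mechanism other than the one listed first: per RFC 4178 the mechToken belongs to mechTypes[0] only, so a NEGOEX message ends up in the Kerberos GSS header parser. The following is an added illustration of that acceptor-side rule; it is not the reporter's patch and not JDK code. The class and method names are hypothetical, the mechanism OIDs and the "NEGOEXTS" message signature come from the public specifications (RFC 4121, MS-NEGOEX) rather than from this report, and the token bytes are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

/**
 * Acceptor-side gate for the optimistic mechToken of a SPNEGO NegTokenInit.
 * RFC 4178 (negTokenInit): a mechToken, when present, is a token of the FIRST
 * mechanism in mechTypes. If the acceptor selects any other mechanism it must
 * not feed that token to the selected mechanism; it answers with a NegTokenResp
 * naming the selected mechanism and carrying no responseToken instead.
 * (Hypothetical class, written for illustration.)
 */
public class OptimisticTokenGate {

    // Mechanism OIDs taken from the public specifications, not from the bug report.
    static final String KRB5_OID   = "1.2.840.113554.1.2.2";
    static final String NEGOEX_OID = "1.3.6.1.4.1.311.2.2.30";

    // Every MS-NEGOEX message starts with the 8-byte ASCII signature "NEGOEXTS".
    private static final byte[] NEGOEX_SIGNATURE =
            "NEGOEXTS".getBytes(StandardCharsets.US_ASCII);

    enum Verdict {
        FEED_TOKEN,           // safe to pass mechToken to the selected mechanism
        REQUEST_FRESH_TOKEN,  // answer accept-incomplete with no responseToken
        REJECT                // token is malformed for the selected mechanism
    }

    static Verdict check(List<Oid> mechTypes, Oid selected, byte[] mechToken)
            throws GSSException {
        if (mechTypes.isEmpty() || selected == null) {
            return Verdict.REJECT;
        }
        // Oid.equals() compares the encoded OID; '==' would compare references only.
        boolean selectedIsFirst = mechTypes.get(0).equals(selected);
        if (!selectedIsFirst || mechToken == null || mechToken.length == 0) {
            // Token is for another mechanism, or absent (it is OPTIONAL in RFC 4178):
            // never parse it as the selected mechanism's token.
            return Verdict.REQUEST_FRESH_TOKEN;
        }
        if (isNegoexMessage(mechToken)) {
            // Only the NEGOEX mechanism itself may consume a NEGOEX message.
            return selected.equals(new Oid(NEGOEX_OID)) ? Verdict.FEED_TOKEN : Verdict.REJECT;
        }
        // RFC 2743 InitialContextToken framing: [APPLICATION 0] tag byte 0x60 followed
        // by the mechanism OID. Bytes without it are what the Kerberos mechanism
        // rejects with "GSSHeader did not find the right tag".
        if ((mechToken[0] & 0xFF) != 0x60) {
            return Verdict.REJECT;
        }
        return Verdict.FEED_TOKEN;
    }

    static boolean isNegoexMessage(byte[] token) {
        return token.length >= NEGOEX_SIGNATURE.length
                && Arrays.equals(Arrays.copyOf(token, NEGOEX_SIGNATURE.length), NEGOEX_SIGNATURE);
    }

    public static void main(String[] args) throws GSSException {
        Oid negoex = new Oid(NEGOEX_OID);
        Oid krb5 = new Oid(KRB5_OID);

        // Constructed sample: Windows-style list with NEGOEX first; the optimistic
        // mechToken is a NEGOEX message (only its signature is modelled here).
        List<Oid> windowsList = Arrays.asList(negoex, krb5);
        byte[] negoexToken = "NEGOEXTS\0\0\0\0".getBytes(StandardCharsets.US_ASCII);

        // Acceptor supports only Kerberos: the token is skipped, not parsed as Kerberos.
        System.out.println("NEGOEX first, Kerberos selected: " + check(windowsList, krb5, negoexToken));

        // Constructed sample: Kerberos first with a GSS-framed token (framing only,
        // 0x60, length, then the Kerberos mechanism OID; no inner AP-REQ).
        byte[] krb5Token = {0x60, 0x0b, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                            (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};
        System.out.println("Kerberos first, framed token:    " + check(Arrays.asList(krb5, negoex), krb5, krb5Token));

        // Constructed sample: Kerberos first but the bytes are a NEGOEX message.
        System.out.println("Kerberos first, NEGOEX bytes:    " + check(Arrays.asList(krb5, negoex), krb5, negoexToken));
    }
}
```

The first case is the one in this report: the correct acceptor response is a NegTokenResp that selects Kerberos and carries no responseToken, after which the client sends a real Kerberos token and the exchange continues.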


CUSTOMER SUBMITTED WORKAROUND :

diff --git a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
--- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
+++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
@@ -523,12 +523,8 @@
                     valid = false;
                 }
 
-                // get the mechanism token
-                byte[] mechToken = initToken.getMechToken();
-                if (mechToken == null) {
-                    throw new GSSException(GSSException.FAILURE, -1,
-                            "mechToken is missing");
-                }
+                // get the mechanism token (OPTIONAL)
+                byte[] mechToken = null;
 
                 /*
                  * Select the best match between the list of mechs
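Review bot: removing the `throw` turns a previously required field into an optional one, but nothing in this hunk says why or guards the new null state; the replacement comment should record the RFC 4178 rule that mechToken, when present, belongs to the first entry of mechTypes only, and the code that later consumes `mechToken` must tolerate it being null now that the early `mechToken is missing` failure is gone.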
@@ -543,9 +539,15 @@
                 }
                 // save the desired mechanism
                 internal_mech = mech_wanted;
+                
+                byte[] accept_token = null;
+                if (mechList[0] == mech_wanted) {
+                    // mechToken is only for the first mech.
+                    mechToken = initToken.getMechToken();
+                    accept_token = GSS_acceptSecContext(mechToken);
+                }
 
                 // get the token for mechanism
-                byte[] accept_token = GSS_acceptSecContext(mechToken);
 
                 // verify MIC
                 if (!GSSUtil.useMSInterop() && valid) {
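Review bot: `mechList[0] == mech_wanted` compares two `Oid` objects by reference, so the branch only fires when `mech_wanted` is the very same instance as the first list element; use `mechList[0].equals(mech_wanted)`. Two smaller points in the same hunk: `mechToken = initToken.getMechToken()` is passed straight to `GSS_acceptSecContext` with the null check from the previous hunk removed, so a NegTokenInit without a mechToken now reaches the mechanism as null; and the surviving `// get the token for mechanism` comment no longer has a statement under it, while the added `+` line above `byte[] accept_token = null;` is trailing whitespace.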
@@ -595,9 +597,24 @@
 
             } else if (state == STATE_IN_PROCESS) {
                 // read the token
-                byte[] client_token = new byte[is.available()];
-                SpNegoToken.readFully(is, client_token);
-                byte[] accept_token = GSS_acceptSecContext(client_token);
+                byte[] token = new byte[is.available()];
+                SpNegoToken.readFully(is, token);
+                if (DEBUG) {
+                    System.out.println("SpNegoContext.acceptSecContext: " +
+                                        "receiving token = " +
+                                        SpNegoToken.getHexBytes(token));
+                }
+
+                // read the SPNEGO token
+                // token will be validated when parsing
+                NegTokenTarg respToken = new NegTokenTarg(token);
+
+                if (DEBUG) {
+                    System.out.println("SpNegoContext.acceptSecContext: " +
+                                "received token of type = " +
+                                SpNegoToken.getTokenName(respToken.getType()));
+                }
+                byte[] accept_token = GSS_acceptSecContext(respToken.getResponseToken());
                 if (accept_token == null) {
                     valid = false;
                 }
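Review bot: the STATE_IN_PROCESS branch now parses every incoming token as a `NegTokenTarg`, whereas the removed lines handed the raw bytes to `GSS_acceptSecContext`; a peer that continues the exchange with a bare mechanism token, which is what the old code expected, will now fail inside the `NegTokenTarg` constructor instead of being accepted. Consider inspecting the outer tag before choosing how to parse, and check `respToken.getResponseToken()` for null (a NegTokenResp need not carry a responseToken) before passing it to `GSS_acceptSecContext`, since that case falls into the same unguarded null path as the first hunk.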

Comments
JDK-8048194 is not about supporting NEGOEX. In fact, it's a fix to SPNEGO that allows NEGOEX to be presented and bypassed. This is also what the reporter of this bug is suggesting.
16-01-2015

Seems like an enhancement to me.
08-01-2015