JDK-8080125 : SpNegoContext.acceptSecContext fails if mech_wanted is not the first mechanism
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 8u40
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_8
  • CPU: x86
  • Submitted: 2015-04-15
  • Updated: 2015-05-12
  • Resolved: 2015-05-12
Description
FULL PRODUCT VERSION :
java version "1.8.0_40"
Java(TM) SE Runtime Environment (build 1.8.0_40-b25)
Java HotSpot(TM) 64-Bit Server VM (build 25.40-b25, mixed mode)
java version "1.8.0_60-ea"
Java(TM) SE Runtime Environment (build 1.8.0_60-ea-b10)
Java HotSpot(TM) 64-Bit Server VM (build 25.60-b10, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [version 6.3.9600]
(c) 2013 Microsoft Corporation. Tous droits réservés.

A DESCRIPTION OF THE PROBLEM :
The fix for "8048194: GSSContext.acceptSecContext fails when a supported mech is not initiator preferred" added the following check in sun.security.jgss.spnego.SpNegoContext:
                if (mechList[0].equals(mech_wanted)) {
                    // get the mechanism token
                    byte[] mechToken = initToken.getMechToken();
                    if (mechToken == null) {
                        throw new GSSException(GSSException.FAILURE, -1,
                                "mechToken is missing");
                    }
                    accept_token = GSS_acceptSecContext(mechToken);
                } else {
                    accept_token = null;
                }
This fails when mech_wanted is not mechList[0] but mechList[1].

A quick fix made by replacing it with the following code restores the functionality:
                // accept if mech_wanted appears anywhere in the initiator's
                // mechList, not only at position 0
                boolean mechFound = false;
                for (int i = 0; i < mechList.length && !mechFound; i++) {
                    mechFound = mechList[i].equals(mech_wanted);
                }
                if (mechFound) {
                    // get the mechanism token
                    byte[] mechToken = initToken.getMechToken();
                    if (mechToken == null) {
                        throw new GSSException(GSSException.FAILURE, -1,
                                "mechToken is missing");
                    }
                    accept_token = GSS_acceptSecContext(mechToken);
                } else {
                    accept_token = null;
                }

REGRESSION.  Last worked in version 8u40

ADDITIONAL REGRESSION INFORMATION: 
java version "1.8.0_31"
Java(TM) SE Runtime Environment (build 1.8.0_31-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.31-b07, mixed mode)

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set up a server with krb5 auth in such a way that the best match between the list of mechs the initiator requested and the list the acceptor supports is not the first supported mechanism.
Request auth.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
authentication is correctly performed
ACTUAL -
authentication fails

REPRODUCIBILITY :
This bug can be reproduced always.

CUSTOMER SUBMITTED WORKAROUND :
Roll back to jdk8-u31.

SUPPORT :
YES

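The following is an added example, not JDK code: a Python model of the acceptor-side selection around the mechList[0] check quoted in the description. It follows the RFC 4178 rule that the optimistic mechToken in NegTokenInit belongs to mechTypes[0], so when the acceptor selects a different mechanism it answers accept-incomplete and asks for a fresh token rather than consuming the first mechanism's token; a switch mirrors the report's loop-based patch so the difference is visible. The OIDs are the real Kerberos V5 and NTLMSSP mechanism identifiers; the tokens, the inner acceptor and all function names are constructed stand-ins.

```python
# Added example, not JDK code: a model of the acceptor-side mechanism choice
# around the mechList[0] check quoted in this report. Tokens and the inner
# acceptor are constructed stand-ins; the OIDs are the real mechanism ids.
from dataclasses import dataclass
from typing import Callable, List, Optional

KRB5 = "1.2.840.113554.1.2.2"       # Kerberos V5 mechanism OID
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP mechanism OID

@dataclass
class NegTokenInit:
    mech_types: List[str]        # initiator's mechList, in preference order
    mech_token: Optional[bytes]  # optimistic token, always for mech_types[0]

@dataclass
class NegTokenResp:
    neg_state: str               # accept-completed | accept-incomplete | reject
    supported_mech: Optional[str]
    response_token: Optional[bytes]

def choose_mech(mech_list: List[str], acceptor_mechs: List[str]) -> Optional[str]:
    """JDK-8048194 rule: the first initiator-preferred mech the acceptor supports."""
    return next((m for m in mech_list if m in acceptor_mechs), None)

def fake_inner_accept(mech: str, token: bytes) -> bytes:
    """Stand-in for GSS_acceptSecContext: a constructed token carries the OID of
    the mechanism that produced it and is rejected by any other mechanism."""
    oid, _, body = token.partition(b":")
    if oid.decode() != mech:
        raise ValueError(f"token for {oid.decode()} fed to {mech}")
    return b"ack:" + body

def accept_sec_context(init: NegTokenInit, acceptor_mechs: List[str],
                       inner_accept: Callable[[str, bytes], bytes] = fake_inner_accept,
                       consume_if_anywhere_in_list: bool = False) -> NegTokenResp:
    """consume_if_anywhere_in_list=True mirrors the report's loop-based patch."""
    mech_wanted = choose_mech(init.mech_types, acceptor_mechs)
    if mech_wanted is None:
        return NegTokenResp("reject", None, None)
    if init.mech_types[0] == mech_wanted or consume_if_anywhere_in_list:
        if init.mech_token is None:
            raise ValueError("mechToken is missing")
        return NegTokenResp("accept-completed", mech_wanted,
                            inner_accept(mech_wanted, init.mech_token))
    # Another mech was selected: the optimistic token is for mech_types[0], so
    # leave it unconsumed and ask the initiator for a token for mech_wanted.
    return NegTokenResp("accept-incomplete", mech_wanted, None)
```

With the initiator offering [NTLMSSP, KRB5] and the acceptor supporting only KRB5, the strict path returns accept-incomplete naming KRB5, while the loop-based variant hands the NTLMSSP token to the Kerberos acceptor and fails.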

Comments
Must be a duplicate of JDK-8078439. Recommend to move it to JDK and close it as a duplicate.
03-05-2015