JDK-8154889 : NPE if kerberos debug is turned on
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2016-04-21
  • Updated: 2016-08-03
  • Resolved: 2016-08-03
Related Reports
Duplicate :  
JDK-8147772 - Update KerberosTicket to describe behavior if it has been destroyed and fix NullPointerExceptions
Description
Report from submitter :

If we use -Dsun.security.krb5.debug=true, and if one of the service ticket is
destroyed, the endTime on service ticket is null - it ends up throwing NPE.
This blocks us from reaching root cause of other issues we are trying to
debug.

2016-01-28 22:51:46.171 b.s.s.a.k.KerberosSaslTransportPlugin [ERROR] Client failed to open SaslClientTransport to interact with a server during session initiation: java.lang.NullPointerException java.lang.NullPointerException
at javax.security.auth.kerberos.KerberosTicket.getEndTime(KerberosTicket.java:482) ~[?:1.8.0_40]
  at sun.security.jgss.krb5.SubjectComber.findAux(SubjectComber.java:160)
~[?:1.8.0_40]
Comments
JDK-8147772 tightened up checks for NPE in this area. We should backport that change to JDK 8u (minus the javadoc edits). Will open a backport on that bug.
03-08-2016
The NPE is occurring in the javax.security.auth.kerberos.KerberosTicket.getEndTime() call ; public final java.util.Date getEndTime() { return (Date) endTime.clone(); } The JDK constructor prevents the endTime field being null : if (endTime == null) throw new IllegalArgumentException("End time for ticket validity" + " cannot be null"); this.endTime = new Date(endTime.getTime()); Given the RFC spec : https://tools.ietf.org/html/rfc1510#section-5.3.1 - I believe the JDK is operating correctly. This application must have received a Ticket from a 3rd party library which appears to be non-compliant with the Spec. I'll revert back to submitter for extra detail.
16-05-2016
Full stack trace : 2016-02-11 20:25:01.257 b.s.s.a.k.KerberosSaslTransportPlugin [ERROR] Client failed to open SaslClientTransport to interact with a server during session initiation: java.lang.NullPointerException java.lang.NullPointerException at javax.security.auth.kerberos.KerberosTicket.getEndTime(KerberosTicket.java:482) ~[?:1.8.0_40] at sun.security.jgss.krb5.SubjectComber.findAux(SubjectComber.java:160) ~[?:1.8.0_40] at sun.security.jgss.krb5.SubjectComber.find(SubjectComber.java:61) ~[?:1.8.0_40] at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:153) ~[?:1.8.0_40] at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335) ~[?:1.8.0_40] at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331) ~[?:1.8.0_40] at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_40] at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330) ~[?:1.8.0_40] at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145) ~[?:1.8.0_40] at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) ~[?:1.8.0_40] at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) ~[?:1.8.0_40] at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224) ~[?:1.8.0_40] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) ~[?:1.8.0_40] at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) ~[?:1.8.0_40] at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(GssKrb5Client.java:192) ~[?:1.8.0_40] at org.apache.thrift7.transport.TSaslClientTransport.handleSaslStartMessage(TSaslClientTransport.java:94) ~[storm-core-0.10.1.y.jar:0.10.1.y] at org.apache.thrift7.transport.TSaslTransport.open(TSaslTransport.java:271) ~[storm-core-0.10.1.y.jar:0.10.1.y] at org.apache.thrift7.transport.TSaslClientTransport.open(TSaslClientTransport.java:37) ~[storm-core-0.10.1.y.jar:0.10.1.y] at backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin$1.run(KerberosSaslTransportPlugin.java:195) [storm-core-0.10.1.y.jar:0.10.1.y] at backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin$1.run(KerberosSaslTransportPlugin.java:191) [storm-core-0.10.1.y.jar:0.10.1.y] at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_40]
16-05-2016