Bug ID: JDK-8077155 LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection

Type: Bug
Component: core-libs
Sub-Component: java.net
Affected Version: 8

Priority: P3
Status: Resolved
Resolution: Fixed

Submitted: 2015-04-07
Updated: 2016-05-27
Resolved: 2015-05-20

JDK 8	JDK 9
8u45Fixed	9 b66Fixed

When running with a security manager and a policy that grants "permission java.security.AllPermission;" an attempt to run HttpURLConnection.getInputStream as a logged in subject against a server requiring negotiate authentication will fail.

The root of the problem is described in the following stack trace. This indicates that the logged in subjects credentials are not available to the getInputStream calls. javax.security.auth.login.LoginException: No password provided at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:919) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:587) at sun.security.jgss.GSSUtil.login(GSSUtil.java:258) at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:158) at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:335) at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:331) at java.security.AccessController.doPrivileged(Native Method) at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:330) at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:145) at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:122) at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:187) at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:224) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:212) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882) at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248) at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179) at sun.net.www.protocol.http.spnego.NegotiatorImpl.init(NegotiatorImpl.java:107) at sun.net.www.protocol.http.spnego.NegotiatorImpl.<init>(NegotiatorImpl.java:116) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at sun.net.www.protocol.http.Negotiator.getNegotiator(Negotiator.java:64) at sun.net.www.protocol.http.NegotiateAuthentication.isSupportedImpl(NegotiateAuthentication.java:130) at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:102) at sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:180) at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:126) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1670) at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90) at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1435) at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1433) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessController.doPrivileged(AccessController.java:713) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1432) at Bug_KerberosHttpAccess.connectToOozie(Bug_KerberosHttpAccess.java:78) at Bug_KerberosHttpAccess.access$000(Bug_KerberosHttpAccess.java:68) at Bug_KerberosHttpAccess$3.run(Bug_KerberosHttpAccess.java:164) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at Bug_KerberosHttpAccess.main(Bug_KerberosHttpAccess.java:173)

20-05-2015