[jboss-jira] [JBoss JIRA] (SECURITY-897) Unable to authenticate in SPNEGO Login Module with NullPointerException

Kunjan Rathod (JIRA) issues at jboss.org
Mon Jun 29 10:21:04 EDT 2015


Kunjan Rathod created SECURITY-897:
--------------------------------------

             Summary: Unable to authenticate in SPNEGO Login Module with NullPointerException
                 Key: SECURITY-897
                 URL: https://issues.jboss.org/browse/SECURITY-897
             Project: PicketBox 
          Issue Type: Bug
          Components: Negotiation
    Affects Versions: Negotiation_2_3_3_Final, Negotiation_2_3_6_Final
         Environment: Red Hat JBoss EAP 6.3.2
            Reporter: Kunjan Rathod
            Assignee: Darran Lofthouse


Description of problem:

The configuration with SPNEGO works fine; however, from time to time the authentication fails with the following error:


ERROR (HTTP-341)  [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)


Version-Release number of selected component (if applicable):

JBoss Security Negotiation 2.3.3.Final

How reproducible:
This happens very rarely (20 times in a day on a system where about 50 users are working) and it is extremely hard to reproduce. 



Additional info:

At line 420 in [1], the GSSToken is null:
~~~~
            if (respToken != null)
            {
               NegotiationMessage response;
               if (requestMessage instanceof KerberosMessage)
               {
                  response = new KerberosMessage(Constants.KERBEROS_V5, respToken);
               }
               else
               {
                  NegTokenTarg negTokenTarg = new NegTokenTarg();
                  negTokenTarg.setResponseToken(respToken);

                  response = negTokenTarg;
               }
~~~~

It looks like the GSSToken can be, or is, null; check line 344, as follows:
~~~~~~~~~
      public Object run()
      {
         try
         {
            // The message type will have already been checked before this point so we know it is
            // a SPNEGO message.
            NegotiationMessage requestMessage = negotiationContext.getRequestMessage();

            // TODO - Ensure no way to fall through with gssToken still null.
            byte[] gssToken = null;
            if (requestMessage instanceof NegTokenInit)
            {
            ...
~~~~~~~~~

[1] : https://github.com/wildfly-security/jboss-negotiation/blob/2.3.3.Final/jboss-negotiation-spnego/src/main/java/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
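
For measuring how often this intermittent failure occurs, here is an added example (not part of the original report or of PicketBox) that scans a server log for the error signature quoted above and returns the thread and source line of each hit. The sample log is constructed; its timestamp prefix, the second thread name and the unrelated entries are assumptions.

```python
import re
from collections import Counter

# Header as quoted in the report; any timestamp before "ERROR" is ignored.
HEADER = re.compile(
    r"ERROR\s+\((?P<thread>[^)]+)\)\s+"
    r"\[org\.jboss\.security\.auth\.spi\.AbstractServerLoginModule\]\s+"
    r"Unable to authenticate: (?P<exc>[\w.$]+)")
FRAME = re.compile(r"^\s+at (?P<method>[\w.$<>]+)\([\w$]+\.java:(?P<line>\d+)\)")
TARGET = "org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run"

def find_spnego_npes(lines):
    """Return one dict per NPE whose stack trace passes through AcceptSecContext.run."""
    events, current = [], None
    for raw in lines:
        header = HEADER.search(raw)
        if header:
            is_npe = header["exc"] == "java.lang.NullPointerException"
            current = {"thread": header["thread"], "line": None} if is_npe else None
            continue
        frame = FRAME.match(raw)
        if frame is None:
            # "(Native Method)" frames and "Caused by" lines stay inside the trace.
            if not raw.strip().startswith(("at ", "Caused by", "...")):
                current = None  # any other line ends the stack trace
            continue
        if current and current["line"] is None and frame["method"] == TARGET:
            current["line"] = int(frame["line"])
            events.append(current)
    return events

def hits_per_source_line(events):
    """Count hits by SPNEGOLoginModule.java line number."""
    return Counter(e["line"] for e in events)

# Constructed sample log (not taken from a real system).
SAMPLE_LOG = """\
10:21:04,101 ERROR (HTTP-341)  [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)
10:21:09,500 INFO  (HTTP-12)  [org.example.App] request served
10:22:30,007 ERROR (HTTP-77)  [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: javax.security.auth.login.LoginException
        at org.example.OtherLoginModule.login(OtherLoginModule.java:88)
10:25:41,930 ERROR (HTTP-212)  [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
        at java.security.AccessController.doPrivileged(Native Method)
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
""".splitlines()

if __name__ == "__main__":
    for event in find_spnego_npes(SAMPLE_LOG):
        print(event["thread"], event["line"])
```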

