[jboss-jira] [JBoss JIRA] (SECURITY-897) Unable to authenticate in SPNEGO Login Module with NullPointerException
Darran Lofthouse (JIRA)
issues at jboss.org
Mon Oct 26 06:44:00 EDT 2015
[ https://issues.jboss.org/browse/SECURITY-897?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Darran Lofthouse updated SECURITY-897:
--------------------------------------
Fix Version/s: Negotiation_3_0_0_Final
> Unable to authenticate in SPNEGO Login Module with NullPointerException
> -----------------------------------------------------------------------
>
> Key: SECURITY-897
> URL: https://issues.jboss.org/browse/SECURITY-897
> Project: PicketBox
> Issue Type: Bug
> Components: Negotiation
> Affects Versions: Negotiation_2_3_6_Final
> Environment: Red Hat JBoss EAP 6.3.2
> Reporter: Kunjan Rathod
> Assignee: Darran Lofthouse
> Labels: jboss, jboss-as
> Fix For: Negotiation_3_0_0_Final
>
>
> Description of problem:
> The configuration with SPNEGO works fine; however, from time to time the authentication fails with the following error:
> ERROR (HTTP-341) [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
>     at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:356)
> Version-Release number of selected component (if applicable):
> JBoss Security Negotiation 2.3.3.Final
> How reproducible:
> This happens very rarely (20 times in a day on a system where about 50 users are working) and it is extremely hard to reproduce.
> Additional info:
> At line 420 in [1], the GSSToken is null
> ~~~~
> if (respToken != null)
> {
>    NegotiationMessage response;
>    if (requestMessage instanceof KerberosMessage)
>    {
>       response = new KerberosMessage(Constants.KERBEROS_V5, respToken);
>    }
>    else
>    {
>       NegTokenTarg negTokenTarg = new NegTokenTarg();
>       negTokenTarg.setResponseToken(respToken);
>       response = negTokenTarg;
>    }
> ~~~~
> It looks like a GSSToken can be or is null; check line #344, as follows:
> ~~~~~~~~~
> public Object run()
> {
>    try
>    {
>       // The message type will have already been checked before this point so we know it is
>       // a SPNEGO message.
>       NegotiationMessage requestMessage = negotiationContext.getRequestMessage();
>       // TODO - Ensure no way to fall through with gssToken still null.
>       byte[] gssToken = null;
>       if (requestMessage instanceof NegTokenInit)
>       {
>          ...
> ~~~~~~~~~
> [1] : https://github.com/wildfly-security/jboss-negotiation/blob/2.3.3.Final/jboss-negotiation-spnego/src/main/java/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
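
The fall-through that the `TODO` comment in the quoted description warns about, shown with an explicit fail-closed check so that a missing token becomes a named `LoginException` rather than a `NullPointerException`. This is an added example, not code from the original message or from jboss-negotiation; the message classes and `extractGssToken` are hypothetical stand-ins, and the sample inputs are constructed.

```java
import javax.security.auth.login.LoginException;

// Added illustration: the message classes below are hypothetical stand-ins,
// not the jboss-negotiation types of the same name.
public class GssTokenGuard {
    interface NegotiationMessage {}
    static final class NegTokenInit implements NegotiationMessage {
        final byte[] mechToken;              // optional field in SPNEGO (RFC 4178), so it can be null
        NegTokenInit(byte[] t) { mechToken = t; }
    }
    static final class NegTokenTarg implements NegotiationMessage {
        final byte[] responseToken;          // also optional
        NegTokenTarg(byte[] t) { responseToken = t; }
    }
    static final class KerberosMessage implements NegotiationMessage {
        final byte[] token;
        KerberosMessage(byte[] t) { token = t; }
    }

    // Returns a non-null token or throws; null never reaches the GSS layer.
    static byte[] extractGssToken(NegotiationMessage msg) throws LoginException {
        byte[] gssToken = null;
        if (msg instanceof NegTokenInit) {
            gssToken = ((NegTokenInit) msg).mechToken;
        } else if (msg instanceof NegTokenTarg) {
            gssToken = ((NegTokenTarg) msg).responseToken;
        } else if (msg instanceof KerberosMessage) {
            gssToken = ((KerberosMessage) msg).token;
        }
        // Covers both an unknown message type and a known type with an absent token.
        if (gssToken == null) {
            String type = (msg == null) ? "null" : msg.getClass().getSimpleName();
            throw new LoginException("No GSS token in negotiation message of type " + type);
        }
        return gssToken;
    }

    public static void main(String[] args) {
        NegotiationMessage[] samples = {     // constructed sample inputs
            new KerberosMessage(new byte[] {0x60, 0x00}),
            new NegTokenInit(null), new NegTokenTarg(null), null
        };
        for (NegotiationMessage m : samples) {
            try {
                System.out.println("token present, length " + extractGssToken(m).length);
            } catch (LoginException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Logging the message type in the rejection reason gives operators something to correlate against the intermittent failures, which a bare `NullPointerException` does not.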