[jira] [Commented] (HADOOP-9363) AuthenticatedURL will NPE if server closes connection

Wed, 27 Mar 2013 08:31:16 -0700 

    [ 
https://issues.apache.org/jira/browse/HADOOP-9363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13615388#comment-13615388
 ] 

Daryn Sharp commented on HADOOP-9363:
-------------------------------------

This also occurs for unexpected kerberos errors such as a kvno version mismatch 
between the client's service ticket and the server's HTTP principal in its 
keytab.

{noformat}
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: 
Specified version of key is not available (44))
        at 
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
        at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at 
sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(SpNegoContext.java:871)
        at 
sun.security.jgss.spnego.SpNegoContext.acceptSecContext(SpNegoContext.java:544)
        at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342)
        at 
sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
        at 
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:278)
        at 
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:270)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:415)
        at 
org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:270)
        ... 23 more
Caused by: KrbException: Specified version of key is not available (44)
        at sun.security.krb5.EncryptionKey.findKey(EncryptionKey.java:588)
        at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:270)
        at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:144)
        at 
sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108)
        at 
sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:771)
{noformat}

I sniffed the packets and the SPNEGO exchange proceeds as expected: server 
sends 401 with WWW-Authenticate header, client responds with Authorization 
header, server responds with 401 with status message set to the kerberos 
exception - client then NPEs on that response.  It's unclear (I haven't 
investigated) if it's a JDK bug, or if AuthenticatedURL's twiddling of the 
URLConnection is causing the issue.
                
> AuthenticatedURL will NPE if server closes connection
> -----------------------------------------------------
>
>                 Key: HADOOP-9363
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9363
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>
> A NPE occurs if the server unexpectedly closes the connection for an 
> {{AuthenticatedURL}} w/o sending a response.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to