* Soós László [2015-02-03 21:48:25 +0100]: > Sorry for long turnaround I finally installed back Java 1.7 and that > didn't work out either. > > But I noticed another strange behaviour. If I change the krb5.ini to > default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 > > I get: > java.lang.ArrayIndexOutOfBoundsException: 13 > > WARNING: initial receipt of exception by jndi broker 13 > java.lang.ArrayIndexOutOfBoundsException: 13 > at sun.security.jgss.krb5.WrapToken.getPadding(Unknown Source)
Looking at the OpenJDK 7 source code my guess is that this happens when getPadding() gets called with a negative length argument… > at sun.security.jgss.krb5.WrapToken.<init>(Unknown Source) … which happens when the constructor gets called with a negative dataLen… > at sun.security.jgss.krb5.Krb5Context.wrap(Unknown Source) … which happens when wrap() gets called with len<0… > at sun.security.jgss.GSSContextImpl.wrap(Unknown Source) … ditto. And com.sun.security.sasl.gsskerb.GssKrb5Base.wrap also passes that argument right through. Which brings us to com.sun.jndi.ldap.sasl.SaslOutputStream.write, where I have trouble seeing how the length could ever be negative… unless rawSendSize is negative. The default value of rawSendSize is a safe 65536 but a different one can be negotiated in the SASL handshake. There ought to be client-side safeguards too, but is your LDAP server sane? > -- > If I comment these line out (eg let kerberos to use default setting) I get: > java.lang.NegativeArraySizeException which sounds rather similar to len<0. The superficial difference in behaviour is due to the newer (AES) enctypes being handled by a different code path (WrapToken_v2 vs. WrapToken), but the root cause is the same. > WARNING: Error opening connection > java.lang.NegativeArraySizeException > at sun.security.jgss.krb5.CipherHelper.aes128Encrypt(Unknown > Source) > at sun.security.jgss.krb5.CipherHelper.encryptData(Unknown Source) > at sun.security.jgss.krb5.WrapToken_v2.<init>(Unknown Source) > at sun.security.jgss.krb5.Krb5Context.wrap(Unknown Source) > > I run the debug batch with command: > "c:\Program Files\Java\jre1.8.0_31\bin\java.exe" -classpath > ".;jars/*;jasper/lib/*" -Dsun.security.krb5.debug=true > -Djava.security.krb5.conf=C:\windows\krb5.ini -Dfile.encoding=utf-8 > %JXOPTS% com.ca.directory.jxplorer.JXplorer %* > > but I do not get any new useful output. > Do you have any idea what else I can do here to get it back working > like it worked before? > > Thanks, > Laszlo > > On 2014.12.16. 23:21, Chris Betts wrote: > >Hi Laszlo, > > > > I think you might be right about changes in gsapi handling in > >java 1.8 - I don't know if this stuff is relevant but it sounds > >like others have had trouble recently with GSAPI? > > > >https://issues.apache.org/bugzilla/show_bug.cgi?id=57022 > > > > ... my problem is that the GSAPI code was very kindly > >contributed by a JX user, and I'm not familiar enough with how > >GSAPI operates to work on it safely :-/. So apart from obvious > >suggestions (like keep using java 1.7 for awhile and hope 1.8 > >sorts its problems out!) I'm not sure how to help you. If there > >are any GSAPI experts out there that can suggest a patch I'd be > >happy to take their advice! > > > > cheers, > > > > - Chris > > > >----- > >*Dr Christopher Betts* > >Australian Cloud Identity > >http://cloudidentity.com.au > >m: 0408 533 456 > > > >On 17 December 2014 at 08:55, Soós László > ><soos.las...@demonhost.hu <mailto:soos.las...@demonhost.hu>> > >wrote: > > > > Hi Chris, > > > > I believe there is something changed in jndi that jxplorer did not > > follow yet? > > > > It surely worked before on exactly same environment, except we did > > a couple of updates but all in once so I cannot tell which one > > exactly broke it down. > > (usual upgrades: windows updates, java update, on server openldap > > updates) > > > > Anyway -Djavaxnet.debug gives kinda the same. > > > > c:\Program Files (x86)\jxplorer>java -classpath > > ".;jars/*;jasper/lib/*" -Djavax.net.debug -Dfile.encoding=utf-8 > > com.ca.directory.jxplorer.JXplorer > > dec. 16, 2014 10:48:18 DU com.ca.directory.jxplorer.JXplorer printTime > > INFO: main start > > TIME: Tue Dec 16 22:48:18 CET 2014 (411) > > > > dec. 16, 2014 10:48:18 DU com.ca.directory.jxplorer.JXplorer > > checkJavaEnvironment > > INFO: running java from: C:\Program Files (x86)\Java\jre1.8.0_25 > > dec. 16, 2014 10:48:18 DU com.ca.directory.jxplorer.JXplorer > > checkJavaEnvironment > > INFO: running java version 1.8.0_25 > > dec. 16, 2014 10:48:18 DU com.ca.commons.cbutil.CBUtility > > checkAndCreateWorkingDirectory > > WARNING: ERROR: unable to save config or store user data in > > c:\Program Files (x86)\jxplorer\ (may try elsewhere) > > unable to use user.dir > > On Windows > > dec. 16, 2014 10:48:18 DU com.ca.directory.jxplorer.JXConfig > > getConfigDirectory > > INFO: JX using configDirectory: > > C:\Users\<username>\AppData\Roaming\jxplorer\ > > dec. 16, 2014 10:48:18 DU com.ca.directory.jxplorer.JXConfig > > getConfigDirectory > > INFO: JX using configDirectory: > > C:\Users\<username>\AppData\Roaming\jxplorer\ > > dec. 16, 2014 10:48:18 DU com.ca.directory.jxplorer.JXConfig > > getConfigDirectory > > INFO: JX using configDirectory: > > C:\Users\<username>\AppData\Roaming\jxplorer\ > > dec. 16, 2014 10:48:18 DU com.ca.directory.jxplorer.JXConfig > > setupLogger > > INFO: setting up logger > > logging level set from config to: WARNING with 0 parents=true > > dec. 16, 2014 10:48:18 DU com.ca.commons.cbutil.CBUtility > > readPropertyFile > > WARNING: No property list: > > C:\Users\<username>\AppData\Roaming\jxplorer\search_filters.txt > > dec. 16, 2014 10:48:18 DU com.ca.commons.cbutil.CBUtility > > readPropertyFile > > WARNING: No property list: > > bookmarks.txt > > dec. 16, 2014 10:48:18 DU com.ca.commons.cbutil.CBUtility > > readPropertyFile > > WARNING: No property list: > > quicksearch.txt > > Debug is true storeKey false useTicketCache true useKeyTab false > > doNotPrompt false ticketCache is null isInitiator true KeyTab is > > null refreshKrb5Config is false principal is null tryFirstPass is fal > > se useFirstPass is false storePass is false clearPass is false > > Acquire TGT from Cache > > Principal is <username>@REALM.LAN > > Commit Succeeded > > > > dec. 16, 2014 10:48:23 DU > > com.ca.directory.jxplorer.broker.JNDIDataBroker openConnection > > WARNING: initial receipt of exception by jndi broker 13 > > java.lang.ArrayIndexOutOfBoundsException: 13 > > at sun.security.jgss.krb5.WrapToken.getPadding(Unknown Source) > > at sun.security.jgss.krb5.WrapToken.<init>(Unknown Source) > > at sun.security.jgss.krb5.Krb5Context.wrap(Unknown Source) > > at sun.security.jgss.GSSContextImpl.wrap(Unknown Source) > > at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(Unknown > > Source) > > at com.sun.jndi.ldap.sasl.SaslOutputStream.write(Unknown > > Source) > > at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source) > > at com.sun.jndi.ldap.LdapClient.search(Unknown Source) > > at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source) > > at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source) > > at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) > > at > > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source) > > at > > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown > > Source) > > at > > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown > > Source) > > at javax.naming.directory.InitialDirContext.search(Unknown > > Source) > > at com.ca.commons.jndi.JNDIOps.exists(JNDIOps.java:702) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:491) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:422) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:396) > > at > > > > com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:913) > > at > > com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165) > > at java.lang.Thread.run(Unknown Source) > > dec. 16, 2014 10:48:49 DU com.ca.directory.jxplorer.JXOpenConWin > > dataReady > > WARNING: Error opening connection > > java.lang.ArrayIndexOutOfBoundsException: 13 > > at sun.security.jgss.krb5.WrapToken.getPadding(Unknown Source) > > at sun.security.jgss.krb5.WrapToken.<init>(Unknown Source) > > at sun.security.jgss.krb5.Krb5Context.wrap(Unknown Source) > > at sun.security.jgss.GSSContextImpl.wrap(Unknown Source) > > at com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(Unknown > > Source) > > at com.sun.jndi.ldap.sasl.SaslOutputStream.write(Unknown > > Source) > > at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source) > > at com.sun.jndi.ldap.LdapClient.search(Unknown Source) > > at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source) > > at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source) > > at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) > > at > > com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source) > > at > > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown > > Source) > > at > > com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown > > Source) > > at javax.naming.directory.InitialDirContext.search(Unknown > > Source) > > at com.ca.commons.jndi.JNDIOps.exists(JNDIOps.java:702) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:491) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:422) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:396) > > at > > > > com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200) > > at > > > > com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:913) > > at > > com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165) > > at java.lang.Thread.run(Unknown Source) > > > > Regards, > > Laszlo > > > > On 2014.12.16. 22:42, Chris Betts wrote: > >> Hi Laszio, > >> > >> I'm a bit out of my depth here myself; JX is calling the > >> jndi library to open the connection, and it looks like deep in > >> the processing there's a problem with the kerberos token? > >> > >> You could try adding "-Djavax.net.debug" in the jxplorer.bat > >> file and see if the trace information gives you any more detail? > >> > >> cheers, > >> > >> - Chris > >> > >> ----- > >> *Dr Christopher Betts* > >> Australian Cloud Identity > >> http://cloudidentity.com.au > >> m: 0408 533 456 > >> > >> On 17 December 2014 at 08:16, Soós László > >> <soos.las...@demonhost.hu <mailto:soos.las...@demonhost.hu>> wrote: > >> > >> Dear Members, > >> > >> Any of you experience the following issue: > >> When I try to connect to an LDAP server (no SSL, port 389, > >> LDAP v3) with > >> GSSAPI I get the following message: > >> "java.lang.ArrayIndexOutOfBoundsException: 13 > >> at sun.security.jgss.krb5.WrapToken.getPadding(Unknown > >> Source) > >> at sun.security.jgss.krb5.WrapToken.<init>(Unknown Source) > >> at sun.security.jgss.krb5.Krb5Context.wrap(Unknown Source) > >> at sun.security.jgss.GSSContextImpl.wrap(Unknown Source) > >> at > >> com.sun.security.sasl.gsskerb.GssKrb5Base.wrap(Unknown Source) > >> at com.sun.jndi.ldap.sasl.SaslOutputStream.write(Unknown > >> Source) > >> at com.sun.jndi.ldap.Connection.writeRequest(Unknown Source) > >> at com.sun.jndi.ldap.LdapClient.search(Unknown Source) > >> at com.sun.jndi.ldap.LdapCtx.doSearch(Unknown Source) > >> at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source) > >> at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source) > >> at > >> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown > >> Source) > >> at > >> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown > >> Source) > >> at > >> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown > >> Source) > >> at > >> javax.naming.directory.InitialDirContext.search(Unknown Source) > >> at com.ca.commons.jndi.JNDIOps.exists(JNDIOps.java:702) > >> at > >> > >> com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:491) > >> at > >> > >> com.ca.directory.jxplorer.broker.JNDIDataBroker.openConnection(JNDIDataBroker.java:422) > >> at > >> > >> com.ca.directory.jxplorer.broker.JNDIDataBroker.processRequest(JNDIDataBroker.java:396) > >> at > >> > >> com.ca.directory.jxplorer.broker.DataBroker.processQueue(DataBroker.java:200) > >> at > >> > >> com.ca.directory.jxplorer.broker.JNDIDataBroker.processQueue(JNDIDataBroker.java:913) > >> at > >> com.ca.directory.jxplorer.broker.DataBroker.run(DataBroker.java:165) > >> at java.lang.Thread.run(Unknown Source)" > >> > >> > >> System is Windows Server 2012 R2 > >> > >> java version "1.8.0_25" > >> Java(TM) SE Runtime Environment (build 1.8.0_25-b18) > >> Java HotSpot(TM) Client VM (build 25.25-b02, mixed mode) > >> > >> I have my KRB5 credcache in %USERPROFILE%\krb5cc_%USERNAME% > >> > >> I'm not exactly sure what happened when it stopped working > >> but it worked > >> before (either a windows update or java update or openldap > >> server upgrade) > >> > >> It still works without GSSAPI (plain user/pass) > >> > >> I'm open for any suggestions how to troubleshoot further as > >> I'm out of > >> ideas. > >> > >> Regards, > >> Laszlo > >> > >> > >> ------------------------------------------------------------------------------ > >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > >> from Actuate! Instantly Supercharge Your Business Reports and > >> Dashboards > >> with Interactivity, Sharing, Native Excel Exports, App > >> Integration & more > >> Get technology previously reserved for billion-dollar > >> corporations, FREE > >> > >> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > >> _______________________________________________ > >> Jxplorer-users mailing list > >> Jxplorer-users@lists.sourceforge.net > >> <mailto:Jxplorer-users@lists.sourceforge.net> > >> https://lists.sourceforge.net/lists/listinfo/jxplorer-users > >> > >> > >> > >> > >> ------------------------------------------------------------------------------ > >> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > >> from Actuate! Instantly Supercharge Your Business Reports and Dashboards > >> with Interactivity, Sharing, Native Excel Exports, App Integration & > >> more > >> Get technology previously reserved for billion-dollar corporations, FREE > >> > >> http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > >> > >> > >> _______________________________________________ > >> Jxplorer-users mailing list > >> Jxplorer-users@lists.sourceforge.net > >> <mailto:Jxplorer-users@lists.sourceforge.net> > >> https://lists.sourceforge.net/lists/listinfo/jxplorer-users > > > > > > > > ------------------------------------------------------------------------------ > > Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > > from Actuate! Instantly Supercharge Your Business Reports and > > Dashboards > > with Interactivity, Sharing, Native Excel Exports, App Integration > > & more > > Get technology previously reserved for billion-dollar > > corporations, FREE > > > > http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > > _______________________________________________ > > Jxplorer-users mailing list > > Jxplorer-users@lists.sourceforge.net > > <mailto:Jxplorer-users@lists.sourceforge.net> > > https://lists.sourceforge.net/lists/listinfo/jxplorer-users > > > > > > > >------------------------------------------------------------------------------ > >Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server > >from Actuate! Instantly Supercharge Your Business Reports and Dashboards > >with Interactivity, Sharing, Native Excel Exports, App Integration & more > >Get technology previously reserved for billion-dollar corporations, FREE > >http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk > > > > > >_______________________________________________ > >Jxplorer-users mailing list > >Jxplorer-users@lists.sourceforge.net > >https://lists.sourceforge.net/lists/listinfo/jxplorer-users > > ------------------------------------------------------------------------------ > Dive into the World of Parallel Programming. The Go Parallel Website, > sponsored by Intel and developed in partnership with Slashdot Media, is your > hub for all things parallel software development, from weekly thought > leadership blogs to news, videos, case studies, tutorials and more. Take a > look and join the conversation now. http://goparallel.sourceforge.net/ > _______________________________________________ > Jxplorer-users mailing list > Jxplorer-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/jxplorer-users ------------------------------------------------------------------------------ Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/ _______________________________________________ Jxplorer-users mailing list Jxplorer-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jxplorer-users
