[jira] [Resolved] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved DIRKRB-762.
Resolution: Fixed
No worries [~wjc920] , and thanks for your contribution to the project.
> The AS request appears with an NPE when preauth_required is set to false
>
>
> Key: DIRKRB-762
> URL: https://issues.apache.org/jira/browse/DIRKRB-762
> Project: Directory Kerberos
> Issue Type: Bug
>Affects Versions: 2.0.0, 2.0.1, 2.0.2
>Reporter: Jichao Wang
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.0.3
>
> Attachments: kdc-npe.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> If change the value of preauth_required in the kdc.conf file to false, then
> using the following code to access the KDC causes an NPE error.
> * Test.java
> {code:java}
> // Test.java Run on JDK8 or JDK11
> public class Test {
> public static void main(String[] args) throws Exception {
> System.setProperty("java.security.krb5.realm", "HADOOP.COM");
> System.setProperty("java.security.krb5.kdc", "wslhost");
> LoginContext lc = new LoginContext("SampleClient",
> new Subject(),
> null,
> new CustomConfiguration("had...@hadoop.com",
> "/root/wjc/hadoop.keytab"));
> lc.login();
> System.out.println(lc.getSubject().toString());
> }
> } {code}
> *
> CustomConfiguration.java
> {code:java}
> import javax.security.auth.login.AppConfigurationEntry;
> import java.util.HashMap;
> import java.util.Map;
> class CustomConfiguration
> extends javax.security.auth.login.Configuration {
> private static final Map BASIC_JAAS_OPTIONS =
> new HashMap();
> private static final Map KEYTAB_KERBEROS_OPTIONS =
> new HashMap();
> private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
> new
> AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
> AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
> KEYTAB_KERBEROS_OPTIONS);
> private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
> new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
> static {
> KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
> KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
> KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
> KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
> KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
> }
> private String keytabPrincipal;
> private String keytabFile;
> public CustomConfiguration(String keytabPrincipal, String keytabFile) {
> this.keytabPrincipal = keytabPrincipal;
> this.keytabFile = keytabFile;
> }
> private CustomConfiguration() {
> }
> public String getKeytabFile() {
> return keytabFile;
> }
> public String getKeytabPrincipal() {
> return keytabPrincipal;
> }
> @Override
> public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
> KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
> KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
> return KEYTAB_KERBEROS_CONF;
> }
> } {code}
> Kerberos client error information is as follows:
> {code:java}
> Exception in thread "main" javax.security.auth.login.LoginException: null
> (5001)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
> at
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at
> java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
> at org.example.Main.main(Main.java:14)
> Caused by: KrbException: null (5001)
> at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
> at
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
> at
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
> ... 8 more
> Caused by:
[jira] [Assigned] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh reassigned DIRKRB-762:
--
Assignee: Colm O hEigeartaigh
> The AS request appears with an NPE when preauth_required is set to false
>
>
> Key: DIRKRB-762
> URL: https://issues.apache.org/jira/browse/DIRKRB-762
> Project: Directory Kerberos
> Issue Type: Bug
>Affects Versions: 2.0.0, 2.0.1, 2.0.2
>Reporter: Jichao Wang
>Assignee: Colm O hEigeartaigh
>Priority: Major
> Fix For: 2.0.3
>
> Attachments: kdc-npe.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> If change the value of preauth_required in the kdc.conf file to false, then
> using the following code to access the KDC causes an NPE error.
> * Test.java
> {code:java}
> // Test.java Run on JDK8 or JDK11
> public class Test {
> public static void main(String[] args) throws Exception {
> System.setProperty("java.security.krb5.realm", "HADOOP.COM");
> System.setProperty("java.security.krb5.kdc", "wslhost");
> LoginContext lc = new LoginContext("SampleClient",
> new Subject(),
> null,
> new CustomConfiguration("had...@hadoop.com",
> "/root/wjc/hadoop.keytab"));
> lc.login();
> System.out.println(lc.getSubject().toString());
> }
> } {code}
> *
> CustomConfiguration.java
> {code:java}
> import javax.security.auth.login.AppConfigurationEntry;
> import java.util.HashMap;
> import java.util.Map;
> class CustomConfiguration
> extends javax.security.auth.login.Configuration {
> private static final Map BASIC_JAAS_OPTIONS =
> new HashMap();
> private static final Map KEYTAB_KERBEROS_OPTIONS =
> new HashMap();
> private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
> new
> AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
> AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
> KEYTAB_KERBEROS_OPTIONS);
> private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
> new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
> static {
> KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
> KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
> KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
> KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
> KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
> }
> private String keytabPrincipal;
> private String keytabFile;
> public CustomConfiguration(String keytabPrincipal, String keytabFile) {
> this.keytabPrincipal = keytabPrincipal;
> this.keytabFile = keytabFile;
> }
> private CustomConfiguration() {
> }
> public String getKeytabFile() {
> return keytabFile;
> }
> public String getKeytabPrincipal() {
> return keytabPrincipal;
> }
> @Override
> public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
> KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
> KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
> return KEYTAB_KERBEROS_CONF;
> }
> } {code}
> Kerberos client error information is as follows:
> {code:java}
> Exception in thread "main" javax.security.auth.login.LoginException: null
> (5001)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
> at
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at
> java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
> at org.example.Main.main(Main.java:14)
> Caused by: KrbException: null (5001)
> at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
> at
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
> at
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
> ... 8 more
> Caused by: KrbException: Identifier doesn't match expected value
[GitHub] [directory-kerby] coheigea merged pull request #114: [DIRKRB-762] The AS request appears with an NPE when preauth_required is set to false
coheigea merged PR #114: URL: https://github.com/apache/directory-kerby/pull/114 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-scimple] bdemers opened a new pull request, #210: Add enforcer rule to ensure dependencies have compatible bytecode versions
bdemers opened a new pull request, #210: URL: https://github.com/apache/directory-scimple/pull/210 All non-spring modules require Java 11 (Spring modules Java 17) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-scimple] bdemers opened a new pull request, #209: Fixed Wildfly related issues
bdemers opened a new pull request, #209: URL: https://github.com/apache/directory-scimple/pull/209 Testing with Wildfly uncovered a few issues: * Resource classes must have a public default constructor (CDI related requirements) * Resources cannot be added via a Feature * Removed up tomee refs in example until v10 is released -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-kerby] wjc920 commented on pull request #114: [DIRKRB-762] The AS request appears with an NPE when preauth_required is set to false
wjc920 commented on PR #114:
URL: https://github.com/apache/directory-kerby/pull/114#issuecomment-1359548573
> I think this change isn't quite right, as if isPreauthRequired() then it
will never call the else statement. Instead it should be something like:
>
> ```
> if (preAuthData == null || preAuthData.isEmpty())) {
> if (isPreauthRequred()) {
> LOG.info("The preauth data is empty.");
> KrbError krbError = makePreAuthenticationError(kdcContext,
request,
> KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
> throw new KdcRecoverableException(krbError);
> }
> } else {
> ...
> ```
>
> If you make this change does it work properly?
I modified the content of the PR by force push.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Comment Edited] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17649803#comment-17649803
]
Jichao Wang edited comment on DIRKRB-762 at 12/20/22 2:38 PM:
--
I have revised the problem description and made a more detailed explanation of
the problem. [~coheigea]
I think you are right on PR. In contrast, I have caused you trouble due to my
negligence in work.
was (Author: wjc920):
I have revised the problem description and made a more detailed explanation of
the problem. [~coheigea]
> The AS request appears with an NPE when preauth_required is set to false
>
>
> Key: DIRKRB-762
> URL: https://issues.apache.org/jira/browse/DIRKRB-762
> Project: Directory Kerberos
> Issue Type: Bug
>Affects Versions: 2.0.0, 2.0.1, 2.0.2
>Reporter: Jichao Wang
>Priority: Major
> Fix For: 2.0.3
>
> Attachments: kdc-npe.png
>
>
> If change the value of preauth_required in the kdc.conf file to false, then
> using the following code to access the KDC causes an NPE error.
> * Test.java
> {code:java}
> // Test.java Run on JDK8 or JDK11
> public class Test {
> public static void main(String[] args) throws Exception {
> System.setProperty("java.security.krb5.realm", "HADOOP.COM");
> System.setProperty("java.security.krb5.kdc", "wslhost");
> LoginContext lc = new LoginContext("SampleClient",
> new Subject(),
> null,
> new CustomConfiguration("had...@hadoop.com",
> "/root/wjc/hadoop.keytab"));
> lc.login();
> System.out.println(lc.getSubject().toString());
> }
> } {code}
> *
> CustomConfiguration.java
> {code:java}
> import javax.security.auth.login.AppConfigurationEntry;
> import java.util.HashMap;
> import java.util.Map;
> class CustomConfiguration
> extends javax.security.auth.login.Configuration {
> private static final Map BASIC_JAAS_OPTIONS =
> new HashMap();
> private static final Map KEYTAB_KERBEROS_OPTIONS =
> new HashMap();
> private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
> new
> AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
> AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
> KEYTAB_KERBEROS_OPTIONS);
> private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
> new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
> static {
> KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
> KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
> KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
> KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
> KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
> }
> private String keytabPrincipal;
> private String keytabFile;
> public CustomConfiguration(String keytabPrincipal, String keytabFile) {
> this.keytabPrincipal = keytabPrincipal;
> this.keytabFile = keytabFile;
> }
> private CustomConfiguration() {
> }
> public String getKeytabFile() {
> return keytabFile;
> }
> public String getKeytabPrincipal() {
> return keytabPrincipal;
> }
> @Override
> public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
> KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
> KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
> return KEYTAB_KERBEROS_CONF;
> }
> } {code}
> Kerberos client error information is as follows:
> {code:java}
> Exception in thread "main" javax.security.auth.login.LoginException: null
> (5001)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
> at
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at
> java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
> at org.example.Main.main(Main.java:14)
> Caused by: KrbException: null (5001)
> at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
> at
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
> at
>
[jira] [Commented] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17649803#comment-17649803
]
Jichao Wang commented on DIRKRB-762:
I have revised the problem description and made a more detailed explanation of
the problem. [~coheigea]
> The AS request appears with an NPE when preauth_required is set to false
>
>
> Key: DIRKRB-762
> URL: https://issues.apache.org/jira/browse/DIRKRB-762
> Project: Directory Kerberos
> Issue Type: Bug
>Affects Versions: 2.0.0, 2.0.1, 2.0.2
>Reporter: Jichao Wang
>Priority: Major
> Fix For: 2.0.3
>
> Attachments: kdc-npe.png
>
>
> If change the value of preauth_required in the kdc.conf file to false, then
> using the following code to access the KDC causes an NPE error.
> * Test.java
> {code:java}
> // Test.java Run on JDK8 or JDK11
> public class Test {
> public static void main(String[] args) throws Exception {
> System.setProperty("java.security.krb5.realm", "HADOOP.COM");
> System.setProperty("java.security.krb5.kdc", "wslhost");
> LoginContext lc = new LoginContext("SampleClient",
> new Subject(),
> null,
> new CustomConfiguration("had...@hadoop.com",
> "/root/wjc/hadoop.keytab"));
> lc.login();
> System.out.println(lc.getSubject().toString());
> }
> } {code}
> *
> CustomConfiguration.java
> {code:java}
> import javax.security.auth.login.AppConfigurationEntry;
> import java.util.HashMap;
> import java.util.Map;
> class CustomConfiguration
> extends javax.security.auth.login.Configuration {
> private static final Map BASIC_JAAS_OPTIONS =
> new HashMap();
> private static final Map KEYTAB_KERBEROS_OPTIONS =
> new HashMap();
> private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
> new
> AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
> AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
> KEYTAB_KERBEROS_OPTIONS);
> private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
> new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
> static {
> KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
> KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
> KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
> KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
> KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
> }
> private String keytabPrincipal;
> private String keytabFile;
> public CustomConfiguration(String keytabPrincipal, String keytabFile) {
> this.keytabPrincipal = keytabPrincipal;
> this.keytabFile = keytabFile;
> }
> private CustomConfiguration() {
> }
> public String getKeytabFile() {
> return keytabFile;
> }
> public String getKeytabPrincipal() {
> return keytabPrincipal;
> }
> @Override
> public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
> KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
> KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
> return KEYTAB_KERBEROS_CONF;
> }
> } {code}
> Kerberos client error information is as follows:
> {code:java}
> Exception in thread "main" javax.security.auth.login.LoginException: null
> (5001)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
> at
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
> at
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
> at java.base/java.security.AccessController.doPrivileged(Native Method)
> at
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
> at
> java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
> at org.example.Main.main(Main.java:14)
> Caused by: KrbException: null (5001)
> at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
> at
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
> at
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
> at
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
> ... 8 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>
[jira] [Updated] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jichao Wang updated DIRKRB-762:
---
Description:
If change the value of preauth_required in the kdc.conf file to false, then
using the following code to access the KDC causes an NPE error.
* Test.java
{code:java}
// Test.java Run on JDK8 or JDK11
public class Test {
public static void main(String[] args) throws Exception {
System.setProperty("java.security.krb5.realm", "HADOOP.COM");
System.setProperty("java.security.krb5.kdc", "wslhost");
LoginContext lc = new LoginContext("SampleClient",
new Subject(),
null,
new CustomConfiguration("had...@hadoop.com",
"/root/wjc/hadoop.keytab"));
lc.login();
System.out.println(lc.getSubject().toString());
}
} {code}
*
CustomConfiguration.java
{code:java}
import javax.security.auth.login.AppConfigurationEntry;
import java.util.HashMap;
import java.util.Map;
class CustomConfiguration
extends javax.security.auth.login.Configuration {
private static final Map BASIC_JAAS_OPTIONS =
new HashMap();
private static final Map KEYTAB_KERBEROS_OPTIONS =
new HashMap();
private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
new
AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
KEYTAB_KERBEROS_OPTIONS);
private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
static {
KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
}
private String keytabPrincipal;
private String keytabFile;
public CustomConfiguration(String keytabPrincipal, String keytabFile) {
this.keytabPrincipal = keytabPrincipal;
this.keytabFile = keytabFile;
}
private CustomConfiguration() {
}
public String getKeytabFile() {
return keytabFile;
}
public String getKeytabPrincipal() {
return keytabPrincipal;
}
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
return KEYTAB_KERBEROS_CONF;
}
} {code}
Kerberos client error information is as follows:
{code:java}
Exception in thread "main" javax.security.auth.login.LoginException: null (5001)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
at
java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at
java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at
java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
at org.example.Main.main(Main.java:14)
Caused by: KrbException: null (5001)
at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
at
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
at
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
... 8 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at
java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at java.security.jgss/sun.security.krb5.internal.ASRep.(ASRep.java:59)
at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:60)
... 11 more {code}
The position where NPE occurs on kerby-kdc is as follows:
!kdc-npe.png!
was:
If change the value of preauth_required in the kdc.conf file to false, then
using the following code to access the KDC causes an NPE error.
* Test.java
{code:java}
// Test.java Run on JDK8 or JDK11
public class Test {
public static void main(String[] args) throws Exception {
LoginContext lc = new LoginContext("SampleClient",
new Subject(),
null,
[jira] [Updated] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jichao Wang updated DIRKRB-762:
---
Description:
If change the value of preauth_required in the kdc.conf file to false, then
using the following code to access the KDC causes an NPE error.
* Test.java
{code:java}
// Test.java Run on JDK8 or JDK11
public class Test {
public static void main(String[] args) throws Exception {
LoginContext lc = new LoginContext("SampleClient",
new Subject(),
null,
new CustomConfiguration("had...@hadoop.com",
"/root/wjc/hadoop.keytab"));
lc.login();
System.out.println(lc.getSubject().toString());
}
} {code}
*
CustomConfiguration.java
{code:java}
import javax.security.auth.login.AppConfigurationEntry;
import java.util.HashMap;
import java.util.Map;
class CustomConfiguration
extends javax.security.auth.login.Configuration {
private static final Map BASIC_JAAS_OPTIONS =
new HashMap();
private static final Map KEYTAB_KERBEROS_OPTIONS =
new HashMap();
private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
new
AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
KEYTAB_KERBEROS_OPTIONS);
private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
static {
KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
}
private String keytabPrincipal;
private String keytabFile;
public CustomConfiguration(String keytabPrincipal, String keytabFile) {
this.keytabPrincipal = keytabPrincipal;
this.keytabFile = keytabFile;
}
private CustomConfiguration() {
}
public String getKeytabFile() {
return keytabFile;
}
public String getKeytabPrincipal() {
return keytabPrincipal;
}
@Override
public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
return KEYTAB_KERBEROS_CONF;
}
} {code}
Kerberos client error information is as follows:
{code:java}
Exception in thread "main" javax.security.auth.login.LoginException: null (5001)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
at
java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at
java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at
java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
at org.example.Main.main(Main.java:14)
Caused by: KrbException: null (5001)
at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76)
at
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
at
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
at
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
... 8 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at
java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at java.security.jgss/sun.security.krb5.internal.ASRep.(ASRep.java:59)
at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:60)
... 11 more {code}
The position where NPE occurs on kerby-kdc is as follows:
!kdc-npe.png!
was:
If change the value of preauth_required in the kdc.conf file to false, then
using the following code to access the KDC causes an NPE error.
{code:java}
// Run on JDK8 or JDK11
public class Test {
public static void main(String[] args) throws Exception {
LoginContext lc = new LoginContext("SampleClient",
new Subject(),
null,
new CustomConfiguration("had...@hadoop.com",
"/root/wjc/hadoop.keytab"));
lc.login();
System.out.println(lc.getSubject().toString());
}
}
[jira] [Updated] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jichao Wang updated DIRKRB-762:
---
Attachment: kdc-npe.png
> The AS request appears with an NPE when preauth_required is set to false
>
>
> Key: DIRKRB-762
> URL: https://issues.apache.org/jira/browse/DIRKRB-762
> Project: Directory Kerberos
> Issue Type: Bug
>Affects Versions: 2.0.0, 2.0.1, 2.0.2
>Reporter: Jichao Wang
>Priority: Major
> Fix For: 2.0.3
>
> Attachments: kdc-npe.png
>
>
> If change the value of preauth_required in the kdc.conf file to false, then
> using the following code to access the KDC causes an NPE error.
> {code:java}
> // Run on JDK8 or JDK11
> public class Test {
> public static void main(String[] args) throws Exception {
> LoginContext lc = new LoginContext("SampleClient",
> new Subject(),
> null,
> new CustomConfiguration("had...@hadoop.com",
> "/root/wjc/hadoop.keytab"));
> lc.login();
> System.out.println(lc.getSubject().toString());
> }
> } {code}
> Here is a fix to the problem:
> {code:java}
> Index:
> kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
> IDEA additional info:
> Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
> <+>UTF-8
> ===
> diff --git
> a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
>
> b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
> ---
> a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
> (revision 03784fcde8e94fedbe789606d2f328104c20b33f)
> +++
> b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
> (date 1670208307220)
> @@ -678,11 +678,13 @@
> }
>
> PaData preAuthData = request.getPaData();
> - if (isPreauthRequired() && (preAuthData == null ||
> preAuthData.isEmpty())) {
> - LOG.info("The preauth data is empty.");
> - KrbError krbError = makePreAuthenticationError(kdcContext,
> request,
> - KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
> - throw new KdcRecoverableException(krbError);
> + if (isPreauthRequired()) {
> + if (preAuthData == null || preAuthData.isEmpty()) {
> + LOG.info("The preauth data is empty.");
> + KrbError krbError = makePreAuthenticationError(kdcContext,
> request,
> + KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
> + throw new KdcRecoverableException(krbError);
> + }
> } else {
> getPreauthHandler().verify(this, preAuthData);
> }
> {code}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
-
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-kerby] jonathan-albrecht-ibm commented on pull request #111: Fix checks for ibm security classes to work with recent IBM Semeru JDKs
jonathan-albrecht-ibm commented on PR #111: URL: https://github.com/apache/directory-kerby/pull/111#issuecomment-1359409919 Thanks @coheigea! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
