On Wed, 30 Jul 2025 20:20:33 GMT, Weibing Xiao <wx...@openjdk.org> wrote:
> [webrev.zip](https://github.com/user-attachments/files/21517501/webrev.zip)
> NPE thrown from SASL GSSAPI impl on Java 11+ when TLS is used with QOP
> auth-int against Active Directory.
>
> When the exception is triggered, LDAP Connection will do "clean-up" operation
> and output stream get flushed and closed the context while GssKrb5Client is
> still wrapping the message and SaslOuput Stream is writing the content of the
> buffer; and at the time GSSContext is disposed and it is null. That's the
> reason to throw NPE.
>
> 1) Check if the context is null or not; then wrap the NPE. The change is done
> in GssKrb5Base.java
>
> No test file is attached for this MR since it needs Sasl LDAP server with
> security setup. Attached webrev for the reference.

My "here" was

> Not an LDAP expert, but I see that `abandonRequest()` still wants to write
> into outStream. If the SASL/GSS context is already disposed by now what
> stream should this be? Should it be reverted back to the raw stream?

However, I'm not sure if this is correct. This means the security guaranteed by the SASL layer is lost and I also don't know if the peer can parse it correctly.

@michael-o What have JDK 8 and `ldapsearch` done? Did they send error messages in the clear?

-------------

PR Comment: https://git.openjdk.org/jdk/pull/26566#issuecomment-3210553944