Details

    • Type: Enhancement
    • Status: Closed
    • Priority: P4
    • Resolution: Duplicate
    • Affects Version/s: 8u25
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:

      Description

      A DESCRIPTION OF THE REQUEST :
      Microsoft has a new SPNEGO scheme NEGOEX
      see

      http://msdn.microsoft.com/en-us/library/ff468736.aspx
      http://tools.ietf.org/html/draft-zhu-negoex
      http://blogs.msdn.com/b/openspecification/archive/2011/07/01/a-quick-look-at-the-new-negotiation-mechanism-negoex-used-with-spnego-in-windows-7.aspx

      JUSTIFICATION :
      Newer version of Windows are sending NEGOEX before fallback back to the normal SPNEGO

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Expect it to work.
      ACTUAL -
      it doesn't work, with error: "GSSHeader did not find the right tag"


      CUSTOMER SUBMITTED WORKAROUND :

      diff --git a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
      --- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
      +++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
      @@ -523,12 +523,8 @@
                           valid = false;
                       }
       
      - // get the mechanism token
      - byte[] mechToken = initToken.getMechToken();
      - if (mechToken == null) {
      - throw new GSSException(GSSException.FAILURE, -1,
      - "mechToken is missing");
      - }
      + // get the mechanism token (OPTIONAL)
      + byte[] mechToken = null;
       
                       /*
                        * Select the best match between the list of mechs
      @@ -543,9 +539,15 @@
                       }
                       // save the desired mechanism
                       internal_mech = mech_wanted;
      +
      + byte[] accept_token = null;
      + if (mechList[0] == mech_wanted) {
      + // mechToken is only for the first mech.
      + mechToken = initToken.getMechToken();
      + accept_token = GSS_acceptSecContext(mechToken);
      + }
       
                       // get the token for mechanism
      - byte[] accept_token = GSS_acceptSecContext(mechToken);
       
                       // verify MIC
                       if (!GSSUtil.useMSInterop() && valid) {
      @@ -595,9 +597,24 @@
       
                   } else if (state == STATE_IN_PROCESS) {
                       // read the token
      - byte[] client_token = new byte[is.available()];
      - SpNegoToken.readFully(is, client_token);
      - byte[] accept_token = GSS_acceptSecContext(client_token);
      + byte[] token = new byte[is.available()];
      + SpNegoToken.readFully(is, token);
      + if (DEBUG) {
      + System.out.println("SpNegoContext.acceptSecContext: " +
      + "receiving token = " +
      + SpNegoToken.getHexBytes(token));
      + }
      +
      + // read the SPNEGO token
      + // token will be validated when parsing
      + NegTokenTarg respToken = new NegTokenTarg(token);
      +
      + if (DEBUG) {
      + System.out.println("SpNegoContext.acceptSecContext: " +
      + "received token of type = " +
      + SpNegoToken.getTokenName(respToken.getType()));
      + }
      + byte[] accept_token = GSS_acceptSecContext(respToken.getResponseToken());
                       if (accept_token == null) {
                           valid = false;
                       }


        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                webbuggrp Webbug Group
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: