[ 
https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jichao Wang updated DIRKRB-762:
-------------------------------
    Description: 
If the value of preauth_required in the kdc.conf file is changed to false, then 
using the following code to access the KDC causes an NPE.
 * Test.java

{code:java}
// Test.java Run on JDK8 or JDK11
/**
 * Minimal JAAS client used to reproduce the issue: performs a keytab-based
 * Kerberos login against the KDC and prints the authenticated subject.
 */
public class Test {
    /**
     * Runs one login attempt and prints the resulting {@code Subject}.
     *
     * @param args unused
     * @throws Exception if the login fails; propagated so the JVM prints the full cause chain
     */
    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        // Principal and keytab path are the reporter's environment-specific values.
        CustomConfiguration jaasConfig =
                new CustomConfiguration("had...@hadoop.com", "/root/wjc/hadoop.keytab");

        // No callback handler is passed (null): the configuration is keytab-only and
        // never prompts. CustomConfiguration returns the same entry for any name, so
        // "SampleClient" is not used for lookup.
        LoginContext context = new LoginContext("SampleClient", subject, null, jaasConfig);
        context.login();

        // NOTE(review): Subject.toString() can render private credentials as well as
        // principals; after a Kerberos login that may include ticket and key material,
        // so treat this output as sensitive when attaching it to a report or a log.
        String rendered = context.getSubject().toString();
        System.out.println(rendered);
    }
} {code}
 * 
CustomConfiguration.java

{code:java}
import javax.security.auth.login.AppConfigurationEntry;
import java.util.HashMap;
import java.util.Map;

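/**
 * JAAS configuration that returns a single keytab-based {@code Krb5LoginModule}
 * entry for the principal and keytab supplied at construction time.
 *
 * <p>The options map is built from this instance's own fields on every call, so
 * two configurations created for different principals never overwrite each
 * other's settings.
 */
class CustomConfiguration
        extends javax.security.auth.login.Configuration {

    /** Login module class returned for every application name. */
    private static final String KRB5_LOGIN_MODULE =
            "com.sun.security.auth.module.Krb5LoginModule";

    private final String keytabPrincipal;
    private final String keytabFile;

    /**
     * Creates a configuration bound to one principal and one keytab.
     *
     * @param keytabPrincipal Kerberos principal to authenticate as
     * @param keytabFile path of the keytab holding that principal's keys; the file
     *     is equivalent to the principal's password and should be readable only by
     *     the account that runs the client
     */
    public CustomConfiguration(String keytabPrincipal, String keytabFile) {
        this.keytabPrincipal = keytabPrincipal;
        this.keytabFile = keytabFile;
    }

    /**
     * Returns the keytab path given to the constructor.
     *
     * @return the keytab path, unchanged
     */
    public String getKeytabFile() {
        return keytabFile;
    }

    /**
     * Returns the principal given to the constructor.
     *
     * @return the principal name, unchanged
     */
    public String getKeytabPrincipal() {
        return keytabPrincipal;
    }

    /**
     * Builds the login entry for this instance's principal and keytab.
     *
     * @param appName ignored; the same entry is returned for every name
     * @return a new one-element array holding a REQUIRED {@code Krb5LoginModule} entry
     */
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
        // A fresh map per call keeps the state per instance; a shared static map
        // would let the most recently used instance overwrite "keyTab" and
        // "principal" for every other instance.
        Map<String, String> options = new HashMap<String, String>();
        options.put("doNotPrompt", "true");
        options.put("useKeyTab", "true");
        // storeKey keeps the principal's keys in the Subject's private credentials
        // after login, so the Subject itself has to be handled as a secret.
        options.put("storeKey", "true");
        options.put("refreshKrb5Config", "true");
        options.put("keyTab", keytabFile);
        options.put("principal", keytabPrincipal);

        AppConfigurationEntry keytabLogin = new AppConfigurationEntry(
                KRB5_LOGIN_MODULE,
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
        return new AppConfigurationEntry[]{keytabLogin};
    }
}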
Kerberos client error information is as follows:
{code:java}
Exception in thread "main" javax.security.auth.login.LoginException: null (5001)
    at 
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
    at 
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
    at 
java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
    at 
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
    at 
java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at 
java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
    at 
java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
    at org.example.Main.main(Main.java:14)
Caused by: KrbException: null (5001)
    at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
    at 
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
    at 
java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
    at 
jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
    ... 8 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at 
java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at java.security.jgss/sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 11 more {code}
The location where the NPE occurs in kerby-kdc is as follows:

!kdc-npe.png!

  was:
If change the value of preauth_required in the kdc.conf file to false, then 
using the following code to access the KDC causes an NPE error.
{code:java}
// Run on JDK8 or JDK11
/**
 * Minimal JAAS client from the earlier description: performs a keytab-based
 * Kerberos login against the KDC and prints the authenticated subject.
 */
public class Test {
    /**
     * Runs one login attempt and prints the resulting {@code Subject}.
     *
     * @param args unused
     * @throws Exception if the login fails; propagated so the JVM prints the full cause chain
     */
    public static void main(String[] args) throws Exception {
        Subject subject = new Subject();
        // Principal and keytab path are the reporter's environment-specific values.
        CustomConfiguration jaasConfig =
                new CustomConfiguration("had...@hadoop.com", "/root/wjc/hadoop.keytab");

        // No callback handler is passed (null), so the login cannot prompt for input.
        LoginContext context = new LoginContext("SampleClient", subject, null, jaasConfig);
        context.login();

        // NOTE(review): Subject.toString() can render private credentials as well as
        // principals; treat this output as sensitive when sharing it.
        String rendered = context.getSubject().toString();
        System.out.println(rendered);
    }
} {code}
Here is a fix to the problem:
{code:java}
Index: 
kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git 
a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
 
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
--- 
a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
    (revision 03784fcde8e94fedbe789606d2f328104c20b33f)
+++ 
b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java
    (date 1670208307220)
@@ -678,11 +678,13 @@
         }
 
         PaData preAuthData = request.getPaData();
-        if (isPreauthRequired() && (preAuthData == null || 
preAuthData.isEmpty())) {
-            LOG.info("The preauth data is empty.");
-            KrbError krbError = makePreAuthenticationError(kdcContext, request,
-                KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
-            throw new KdcRecoverableException(krbError);
+        if (isPreauthRequired()) {
+            if (preAuthData == null || preAuthData.isEmpty()) {
+                LOG.info("The preauth data is empty.");
+                KrbError krbError = makePreAuthenticationError(kdcContext, 
request,
+                        KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false);
+                throw new KdcRecoverableException(krbError);
+            }
         } else {
             getPreauthHandler().verify(this, preAuthData);
         }
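Review bot: In the new structure the `else` belongs to `if (isPreauthRequired())`, so `getPreauthHandler().verify(this, preAuthData)` runs only when pre-authentication is not required and is skipped when it is required and data was supplied. Within the visible lines, a request carrying non-empty PA-DATA would therefore pass this check unverified while `preauth_required` is true, and the null `preAuthData` case from the report still reaches `verify`. Moving the call onto the inner check, `} else { getPreauthHandler().verify(this, preAuthData); }` after the `throw`, and dropping the outer `else`, keeps verification on the required path and avoids calling it with nothing to verify. The enclosing method starts and ends outside this hunk, so whether optional pre-auth data should still be verified when `preauth_required` is false needs confirming against the rest of it.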
{code}
 


> The AS request appears with an NPE when preauth_required is set to false
> ------------------------------------------------------------------------
>
>                 Key: DIRKRB-762
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-762
>             Project: Directory Kerberos
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 2.0.1, 2.0.2
>            Reporter: Jichao Wang
>            Priority: Major
>             Fix For: 2.0.3
>
>         Attachments: kdc-npe.png
>
>
> If change the value of preauth_required in the kdc.conf file to false, then 
> using the following code to access the KDC causes an NPE error.
>  * Test.java
> {code:java}
> // Test.java Run on JDK8 or JDK11
> public class Test {
>     public static void main(String[] args) throws Exception {
>         LoginContext lc = new LoginContext("SampleClient",
>                 new Subject(),
>                 null,
>                 new CustomConfiguration("had...@hadoop.com", 
> "/root/wjc/hadoop.keytab"));
>         lc.login();
>         System.out.println(lc.getSubject().toString());
>     }
> } {code}
>  * 
> CustomConfiguration.java
> {code:java}
> import javax.security.auth.login.AppConfigurationEntry;
> import java.util.HashMap;
> import java.util.Map;
> class CustomConfiguration
>         extends javax.security.auth.login.Configuration {
>     private static final Map<String, String> BASIC_JAAS_OPTIONS =
>             new HashMap<String, String>();
>     private static final Map<String, String> KEYTAB_KERBEROS_OPTIONS =
>             new HashMap<String, String>();
>     private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN =
>             new 
> AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
>                     AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
>                     KEYTAB_KERBEROS_OPTIONS);
>     private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF =
>             new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN};
>     static {
>         KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
>         KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
>         KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
>         KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
>         KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
>     }
>     private String keytabPrincipal;
>     private String keytabFile;
>     public CustomConfiguration(String keytabPrincipal, String keytabFile) {
>         this.keytabPrincipal = keytabPrincipal;
>         this.keytabFile = keytabFile;
>     }
>     private CustomConfiguration() {
>     }
>     public String getKeytabFile() {
>         return keytabFile;
>     }
>     public String getKeytabPrincipal() {
>         return keytabPrincipal;
>     }
>     @Override
>     public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
>         KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile);
>         KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal);
>         return KEYTAB_KERBEROS_CONF;
>     }
> } {code}
> Kerberos client error information is as follows:
> {code:java}
> Exception in thread "main" javax.security.auth.login.LoginException: null 
> (5001)
>     at 
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781)
>     at 
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592)
>     at 
> java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726)
>     at 
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
>     at 
> java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
>     at java.base/java.security.AccessController.doPrivileged(Native Method)
>     at 
> java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
>     at 
> java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574)
>     at org.example.Main.main(Main.java:14)
> Caused by: KrbException: null (5001)
>     at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
>     at 
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326)
>     at 
> java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371)
>     at 
> jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753)
>     ... 8 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
>     at 
> java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>     at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64)
>     at 
> java.security.jgss/sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
>     at java.security.jgss/sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
>     ... 11 more {code}
> The position where NPE occurs on kerby-kdc is as follows:
> !kdc-npe.png!


