[jira] [Resolved] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh resolved DIRKRB-762. Resolution: Fixed No worries [~wjc920] , and thanks for your contribution to the project. > The AS request appears with an NPE when preauth_required is set to false > > > Key: DIRKRB-762 > URL: https://issues.apache.org/jira/browse/DIRKRB-762 > Project: Directory Kerberos > Issue Type: Bug >Affects Versions: 2.0.0, 2.0.1, 2.0.2 >Reporter: Jichao Wang >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 2.0.3 > > Attachments: kdc-npe.png > > Time Spent: 20m > Remaining Estimate: 0h > > If change the value of preauth_required in the kdc.conf file to false, then > using the following code to access the KDC causes an NPE error. > * Test.java > {code:java} > // Test.java Run on JDK8 or JDK11 > public class Test { > public static void main(String[] args) throws Exception { > System.setProperty("java.security.krb5.realm", "HADOOP.COM"); > System.setProperty("java.security.krb5.kdc", "wslhost"); > LoginContext lc = new LoginContext("SampleClient", > new Subject(), > null, > new CustomConfiguration("had...@hadoop.com", > "/root/wjc/hadoop.keytab")); > lc.login(); > System.out.println(lc.getSubject().toString()); > } > } {code} > * > CustomConfiguration.java > {code:java} > import javax.security.auth.login.AppConfigurationEntry; > import java.util.HashMap; > import java.util.Map; > class CustomConfiguration > extends javax.security.auth.login.Configuration { > private static final Map BASIC_JAAS_OPTIONS = > new HashMap(); > private static final Map KEYTAB_KERBEROS_OPTIONS = > new HashMap(); > private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = > new > AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", > AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, > KEYTAB_KERBEROS_OPTIONS); > private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = > new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; > static { > KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); > KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); > KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); > KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); > KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); > } > private String keytabPrincipal; > private String keytabFile; > public CustomConfiguration(String keytabPrincipal, String keytabFile) { > this.keytabPrincipal = keytabPrincipal; > this.keytabFile = keytabFile; > } > private CustomConfiguration() { > } > public String getKeytabFile() { > return keytabFile; > } > public String getKeytabPrincipal() { > return keytabPrincipal; > } > @Override > public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { > KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); > KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); > return KEYTAB_KERBEROS_CONF; > } > } {code} > Kerberos client error information is as follows: > {code:java} > Exception in thread "main" javax.security.auth.login.LoginException: null > (5001) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) > at org.example.Main.main(Main.java:14) > Caused by: KrbException: null (5001) > at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753) > ... 8 more > Caused by:
[jira] [Assigned] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Colm O hEigeartaigh reassigned DIRKRB-762: -- Assignee: Colm O hEigeartaigh > The AS request appears with an NPE when preauth_required is set to false > > > Key: DIRKRB-762 > URL: https://issues.apache.org/jira/browse/DIRKRB-762 > Project: Directory Kerberos > Issue Type: Bug >Affects Versions: 2.0.0, 2.0.1, 2.0.2 >Reporter: Jichao Wang >Assignee: Colm O hEigeartaigh >Priority: Major > Fix For: 2.0.3 > > Attachments: kdc-npe.png > > Time Spent: 20m > Remaining Estimate: 0h > > If change the value of preauth_required in the kdc.conf file to false, then > using the following code to access the KDC causes an NPE error. > * Test.java > {code:java} > // Test.java Run on JDK8 or JDK11 > public class Test { > public static void main(String[] args) throws Exception { > System.setProperty("java.security.krb5.realm", "HADOOP.COM"); > System.setProperty("java.security.krb5.kdc", "wslhost"); > LoginContext lc = new LoginContext("SampleClient", > new Subject(), > null, > new CustomConfiguration("had...@hadoop.com", > "/root/wjc/hadoop.keytab")); > lc.login(); > System.out.println(lc.getSubject().toString()); > } > } {code} > * > CustomConfiguration.java > {code:java} > import javax.security.auth.login.AppConfigurationEntry; > import java.util.HashMap; > import java.util.Map; > class CustomConfiguration > extends javax.security.auth.login.Configuration { > private static final Map BASIC_JAAS_OPTIONS = > new HashMap(); > private static final Map KEYTAB_KERBEROS_OPTIONS = > new HashMap(); > private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = > new > AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", > AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, > KEYTAB_KERBEROS_OPTIONS); > private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = > new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; > static { > KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); > KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); > KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); > KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); > KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); > } > private String keytabPrincipal; > private String keytabFile; > public CustomConfiguration(String keytabPrincipal, String keytabFile) { > this.keytabPrincipal = keytabPrincipal; > this.keytabFile = keytabFile; > } > private CustomConfiguration() { > } > public String getKeytabFile() { > return keytabFile; > } > public String getKeytabPrincipal() { > return keytabPrincipal; > } > @Override > public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { > KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); > KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); > return KEYTAB_KERBEROS_CONF; > } > } {code} > Kerberos client error information is as follows: > {code:java} > Exception in thread "main" javax.security.auth.login.LoginException: null > (5001) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) > at org.example.Main.main(Main.java:14) > Caused by: KrbException: null (5001) > at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753) > ... 8 more > Caused by: KrbException: Identifier doesn't match expected value
[GitHub] [directory-kerby] coheigea merged pull request #114: [DIRKRB-762] The AS request appears with an NPE when preauth_required is set to false
coheigea merged PR #114: URL: https://github.com/apache/directory-kerby/pull/114 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-scimple] bdemers opened a new pull request, #210: Add enforcer rule to ensure dependencies have compatible bytecode versions
bdemers opened a new pull request, #210: URL: https://github.com/apache/directory-scimple/pull/210 All non-spring modules require Java 11 (Spring modules Java 17) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-scimple] bdemers opened a new pull request, #209: Fixed Wildfly related issues
bdemers opened a new pull request, #209: URL: https://github.com/apache/directory-scimple/pull/209 Testing with Wildfly uncovered a few issues: * Resource classes must have a public default constructor (CDI related requirements) * Resources cannot be added via a Feature * Removed up tomee refs in example until v10 is released -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-kerby] wjc920 commented on pull request #114: [DIRKRB-762] The AS request appears with an NPE when preauth_required is set to false
wjc920 commented on PR #114: URL: https://github.com/apache/directory-kerby/pull/114#issuecomment-1359548573 > I think this change isn't quite right, as if isPreauthRequired() then it will never call the else statement. Instead it should be something like: > > ``` > if (preAuthData == null || preAuthData.isEmpty())) { > if (isPreauthRequred()) { > LOG.info("The preauth data is empty."); > KrbError krbError = makePreAuthenticationError(kdcContext, request, > KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false); > throw new KdcRecoverableException(krbError); > } > } else { > ... > ``` > > If you make this change does it work properly? I modified the content of the PR by force push. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[jira] [Comment Edited] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17649803#comment-17649803 ] Jichao Wang edited comment on DIRKRB-762 at 12/20/22 2:38 PM: -- I have revised the problem description and made a more detailed explanation of the problem. [~coheigea] I think you are right on PR. In contrast, I have caused you trouble due to my negligence in work. was (Author: wjc920): I have revised the problem description and made a more detailed explanation of the problem. [~coheigea] > The AS request appears with an NPE when preauth_required is set to false > > > Key: DIRKRB-762 > URL: https://issues.apache.org/jira/browse/DIRKRB-762 > Project: Directory Kerberos > Issue Type: Bug >Affects Versions: 2.0.0, 2.0.1, 2.0.2 >Reporter: Jichao Wang >Priority: Major > Fix For: 2.0.3 > > Attachments: kdc-npe.png > > > If change the value of preauth_required in the kdc.conf file to false, then > using the following code to access the KDC causes an NPE error. > * Test.java > {code:java} > // Test.java Run on JDK8 or JDK11 > public class Test { > public static void main(String[] args) throws Exception { > System.setProperty("java.security.krb5.realm", "HADOOP.COM"); > System.setProperty("java.security.krb5.kdc", "wslhost"); > LoginContext lc = new LoginContext("SampleClient", > new Subject(), > null, > new CustomConfiguration("had...@hadoop.com", > "/root/wjc/hadoop.keytab")); > lc.login(); > System.out.println(lc.getSubject().toString()); > } > } {code} > * > CustomConfiguration.java > {code:java} > import javax.security.auth.login.AppConfigurationEntry; > import java.util.HashMap; > import java.util.Map; > class CustomConfiguration > extends javax.security.auth.login.Configuration { > private static final Map BASIC_JAAS_OPTIONS = > new HashMap(); > private static final Map KEYTAB_KERBEROS_OPTIONS = > new HashMap(); > private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = > new > AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", > AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, > KEYTAB_KERBEROS_OPTIONS); > private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = > new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; > static { > KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); > KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); > KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); > KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); > KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); > } > private String keytabPrincipal; > private String keytabFile; > public CustomConfiguration(String keytabPrincipal, String keytabFile) { > this.keytabPrincipal = keytabPrincipal; > this.keytabFile = keytabFile; > } > private CustomConfiguration() { > } > public String getKeytabFile() { > return keytabFile; > } > public String getKeytabPrincipal() { > return keytabPrincipal; > } > @Override > public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { > KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); > KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); > return KEYTAB_KERBEROS_CONF; > } > } {code} > Kerberos client error information is as follows: > {code:java} > Exception in thread "main" javax.security.auth.login.LoginException: null > (5001) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) > at org.example.Main.main(Main.java:14) > Caused by: KrbException: null (5001) > at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) > at >
[jira] [Commented] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17649803#comment-17649803 ] Jichao Wang commented on DIRKRB-762: I have revised the problem description and made a more detailed explanation of the problem. [~coheigea] > The AS request appears with an NPE when preauth_required is set to false > > > Key: DIRKRB-762 > URL: https://issues.apache.org/jira/browse/DIRKRB-762 > Project: Directory Kerberos > Issue Type: Bug >Affects Versions: 2.0.0, 2.0.1, 2.0.2 >Reporter: Jichao Wang >Priority: Major > Fix For: 2.0.3 > > Attachments: kdc-npe.png > > > If change the value of preauth_required in the kdc.conf file to false, then > using the following code to access the KDC causes an NPE error. > * Test.java > {code:java} > // Test.java Run on JDK8 or JDK11 > public class Test { > public static void main(String[] args) throws Exception { > System.setProperty("java.security.krb5.realm", "HADOOP.COM"); > System.setProperty("java.security.krb5.kdc", "wslhost"); > LoginContext lc = new LoginContext("SampleClient", > new Subject(), > null, > new CustomConfiguration("had...@hadoop.com", > "/root/wjc/hadoop.keytab")); > lc.login(); > System.out.println(lc.getSubject().toString()); > } > } {code} > * > CustomConfiguration.java > {code:java} > import javax.security.auth.login.AppConfigurationEntry; > import java.util.HashMap; > import java.util.Map; > class CustomConfiguration > extends javax.security.auth.login.Configuration { > private static final Map BASIC_JAAS_OPTIONS = > new HashMap(); > private static final Map KEYTAB_KERBEROS_OPTIONS = > new HashMap(); > private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = > new > AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", > AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, > KEYTAB_KERBEROS_OPTIONS); > private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = > new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; > static { > KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); > KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); > KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); > KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); > KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); > } > private String keytabPrincipal; > private String keytabFile; > public CustomConfiguration(String keytabPrincipal, String keytabFile) { > this.keytabPrincipal = keytabPrincipal; > this.keytabFile = keytabFile; > } > private CustomConfiguration() { > } > public String getKeytabFile() { > return keytabFile; > } > public String getKeytabPrincipal() { > return keytabPrincipal; > } > @Override > public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { > KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); > KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); > return KEYTAB_KERBEROS_CONF; > } > } {code} > Kerberos client error information is as follows: > {code:java} > Exception in thread "main" javax.security.auth.login.LoginException: null > (5001) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) > at > java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) > at > java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) > at java.base/java.security.AccessController.doPrivileged(Native Method) > at > java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) > at > java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) > at org.example.Main.main(Main.java:14) > Caused by: KrbException: null (5001) > at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) > at > java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371) > at > jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753) > ... 8 more > Caused by: KrbException: Identifier doesn't match expected value (906) >
[jira] [Updated] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jichao Wang updated DIRKRB-762: --- Description: If change the value of preauth_required in the kdc.conf file to false, then using the following code to access the KDC causes an NPE error. * Test.java {code:java} // Test.java Run on JDK8 or JDK11 public class Test { public static void main(String[] args) throws Exception { System.setProperty("java.security.krb5.realm", "HADOOP.COM"); System.setProperty("java.security.krb5.kdc", "wslhost"); LoginContext lc = new LoginContext("SampleClient", new Subject(), null, new CustomConfiguration("had...@hadoop.com", "/root/wjc/hadoop.keytab")); lc.login(); System.out.println(lc.getSubject().toString()); } } {code} * CustomConfiguration.java {code:java} import javax.security.auth.login.AppConfigurationEntry; import java.util.HashMap; import java.util.Map; class CustomConfiguration extends javax.security.auth.login.Configuration { private static final Map BASIC_JAAS_OPTIONS = new HashMap(); private static final Map KEYTAB_KERBEROS_OPTIONS = new HashMap(); private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, KEYTAB_KERBEROS_OPTIONS); private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; static { KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); } private String keytabPrincipal; private String keytabFile; public CustomConfiguration(String keytabPrincipal, String keytabFile) { this.keytabPrincipal = keytabPrincipal; this.keytabFile = keytabFile; } private CustomConfiguration() { } public String getKeytabFile() { return keytabFile; } public String getKeytabPrincipal() { return keytabPrincipal; } @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); return KEYTAB_KERBEROS_CONF; } } {code} Kerberos client error information is as follows: {code:java} Exception in thread "main" javax.security.auth.login.LoginException: null (5001) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) at org.example.Main.main(Main.java:14) Caused by: KrbException: null (5001) at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76) at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753) ... 8 more Caused by: KrbException: Identifier doesn't match expected value (906) at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64) at java.security.jgss/sun.security.krb5.internal.ASRep.(ASRep.java:59) at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:60) ... 11 more {code} The position where NPE occurs on kerby-kdc is as follows: !kdc-npe.png! was: If change the value of preauth_required in the kdc.conf file to false, then using the following code to access the KDC causes an NPE error. * Test.java {code:java} // Test.java Run on JDK8 or JDK11 public class Test { public static void main(String[] args) throws Exception { LoginContext lc = new LoginContext("SampleClient", new Subject(), null,
[jira] [Updated] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jichao Wang updated DIRKRB-762: --- Description: If change the value of preauth_required in the kdc.conf file to false, then using the following code to access the KDC causes an NPE error. * Test.java {code:java} // Test.java Run on JDK8 or JDK11 public class Test { public static void main(String[] args) throws Exception { LoginContext lc = new LoginContext("SampleClient", new Subject(), null, new CustomConfiguration("had...@hadoop.com", "/root/wjc/hadoop.keytab")); lc.login(); System.out.println(lc.getSubject().toString()); } } {code} * CustomConfiguration.java {code:java} import javax.security.auth.login.AppConfigurationEntry; import java.util.HashMap; import java.util.Map; class CustomConfiguration extends javax.security.auth.login.Configuration { private static final Map BASIC_JAAS_OPTIONS = new HashMap(); private static final Map KEYTAB_KERBEROS_OPTIONS = new HashMap(); private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, KEYTAB_KERBEROS_OPTIONS); private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF = new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN}; static { KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true"); KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true"); KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true"); KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true"); KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS); } private String keytabPrincipal; private String keytabFile; public CustomConfiguration(String keytabPrincipal, String keytabFile) { this.keytabPrincipal = keytabPrincipal; this.keytabFile = keytabFile; } private CustomConfiguration() { } public String getKeytabFile() { return keytabFile; } public String getKeytabPrincipal() { return keytabPrincipal; } @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) { KEYTAB_KERBEROS_OPTIONS.put("keyTab", keytabFile); KEYTAB_KERBEROS_OPTIONS.put("principal", keytabPrincipal); return KEYTAB_KERBEROS_CONF; } } {code} Kerberos client error information is as follows: {code:java} Exception in thread "main" javax.security.auth.login.LoginException: null (5001) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:781) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:592) at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:726) at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) at java.base/java.security.AccessController.doPrivileged(Native Method) at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:574) at org.example.Main.main(Main.java:14) Caused by: KrbException: null (5001) at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:76) at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:326) at java.security.jgss/sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:371) at jdk.security.auth/com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:753) ... 8 more Caused by: KrbException: Identifier doesn't match expected value (906) at java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) at java.security.jgss/sun.security.krb5.internal.ASRep.init(ASRep.java:64) at java.security.jgss/sun.security.krb5.internal.ASRep.(ASRep.java:59) at java.security.jgss/sun.security.krb5.KrbAsRep.(KrbAsRep.java:60) ... 11 more {code} The position where NPE occurs on kerby-kdc is as follows: !kdc-npe.png! was: If change the value of preauth_required in the kdc.conf file to false, then using the following code to access the KDC causes an NPE error. {code:java} // Run on JDK8 or JDK11 public class Test { public static void main(String[] args) throws Exception { LoginContext lc = new LoginContext("SampleClient", new Subject(), null, new CustomConfiguration("had...@hadoop.com", "/root/wjc/hadoop.keytab")); lc.login(); System.out.println(lc.getSubject().toString()); } }
[jira] [Updated] (DIRKRB-762) The AS request appears with an NPE when preauth_required is set to false
[ https://issues.apache.org/jira/browse/DIRKRB-762?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jichao Wang updated DIRKRB-762: --- Attachment: kdc-npe.png > The AS request appears with an NPE when preauth_required is set to false > > > Key: DIRKRB-762 > URL: https://issues.apache.org/jira/browse/DIRKRB-762 > Project: Directory Kerberos > Issue Type: Bug >Affects Versions: 2.0.0, 2.0.1, 2.0.2 >Reporter: Jichao Wang >Priority: Major > Fix For: 2.0.3 > > Attachments: kdc-npe.png > > > If change the value of preauth_required in the kdc.conf file to false, then > using the following code to access the KDC causes an NPE error. > {code:java} > // Run on JDK8 or JDK11 > public class Test { > public static void main(String[] args) throws Exception { > LoginContext lc = new LoginContext("SampleClient", > new Subject(), > null, > new CustomConfiguration("had...@hadoop.com", > "/root/wjc/hadoop.keytab")); > lc.login(); > System.out.println(lc.getSubject().toString()); > } > } {code} > Here is a fix to the problem: > {code:java} > Index: > kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java > IDEA additional info: > Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP > <+>UTF-8 > === > diff --git > a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java > > b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java > --- > a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java > (revision 03784fcde8e94fedbe789606d2f328104c20b33f) > +++ > b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/KdcRequest.java > (date 1670208307220) > @@ -678,11 +678,13 @@ > } > > PaData preAuthData = request.getPaData(); > - if (isPreauthRequired() && (preAuthData == null || > preAuthData.isEmpty())) { > - LOG.info("The preauth data is empty."); > - KrbError krbError = makePreAuthenticationError(kdcContext, > request, > - KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false); > - throw new KdcRecoverableException(krbError); > + if (isPreauthRequired()) { > + if (preAuthData == null || preAuthData.isEmpty()) { > + LOG.info("The preauth data is empty."); > + KrbError krbError = makePreAuthenticationError(kdcContext, > request, > + KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false); > + throw new KdcRecoverableException(krbError); > + } > } else { > getPreauthHandler().verify(this, preAuthData); > } > {code} > -- This message was sent by Atlassian Jira (v8.20.10#820010) - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org
[GitHub] [directory-kerby] jonathan-albrecht-ibm commented on pull request #111: Fix checks for ibm security classes to work with recent IBM Semeru JDKs
jonathan-albrecht-ibm commented on PR #111: URL: https://github.com/apache/directory-kerby/pull/111#issuecomment-1359409919 Thanks @coheigea! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org - To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org For additional commands, e-mail: dev-h...@directory.apache.org