Description of problem:
The configuration with SPNEGO works fine; however, from time to time the authentication fails with the following error:
ERROR (HTTP-341) [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:356)
Version-Release number of selected component (if applicable):
JBoss Security Negotiation 2.3.3.Final
How reproducible:
This happens very rarely (20 times in a day on a system where about 50 users are working) and it is extremely hard to reproduce.
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
At line 420 in [1], the GSSToken is null
~~~~
if (respToken != null)
{
    NegotiationMessage response;
    if (requestMessage instanceof KerberosMessage)
    {
        response = new KerberosMessage(Constants.KERBEROS_V5, respToken);
    }
    else
    {
        NegTokenTarg negTokenTarg = new NegTokenTarg();
        negTokenTarg.setResponseToken(respToken);
        response = negTokenTarg;
    }
~~~~
It looks like a GSSToken can be or is null; check line #344 as follows:
~~~~~~~~~
public Object run()
{
    try
    {
        // The message type will have already been checked before this point so we know it is
        // a SPNEGO message.
        NegotiationMessage requestMessage = negotiationContext.getRequestMessage();

        // TODO - Ensure no way to fall through with gssToken still null.
        byte[] gssToken = null;
        if (requestMessage instanceof NegTokenInit)
        {
            ...
~~~~~~~~~
[1] : https://github.com/wildfly-security/jboss-negotiation/blob/2.3.3.Final/jboss-negotiation-spnego/src/main/java/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java
Overall it does sound like someone has demonstrated there is a situation where it can fall through and be null; the code needs reviewing and modifying to make it null safe.
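As an added illustration of what "null safe" means for this dispatch (example code written for this page, not code from the report or from jboss-negotiation): the stand-in message classes below reuse the names from the report but are simplified assumptions, not the real classes, and the report does not say which message shape leaves gssToken null, so the example exercises both the unhandled-type fall-through flagged by the TODO and a message that carries no token. The unsafe variant reproduces the failure mode (an NPE when the token's length is read, before any GSS call happens); the safe variant fails with a LoginException that names the cause.

```java
import javax.security.auth.login.LoginException;

// Stand-in message types reusing the names from the report. These are
// simplified assumptions for this example, not the jboss-negotiation classes.
interface NegotiationMessage {}

final class NegTokenInit implements NegotiationMessage {
    private final byte[] mechToken;
    NegTokenInit(byte[] mechToken) { this.mechToken = mechToken; }
    byte[] getMechToken() { return mechToken; }
}

final class NegTokenTarg implements NegotiationMessage {
    private final byte[] responseToken;
    NegTokenTarg(byte[] responseToken) { this.responseToken = responseToken; }
    byte[] getResponseToken() { return responseToken; }
}

final class KerberosMessage implements NegotiationMessage {
    private final byte[] token;
    KerberosMessage(byte[] token) { this.token = token; }
    byte[] getToken() { return token; }
}

// A message type the dispatch does not handle. Constructed for this example
// to show the fall-through the TODO in the report warns about.
final class UnknownMessage implements NegotiationMessage {}

public class GssTokenExtraction {

    // Mirrors the pattern in the report: gssToken starts null and is only set
    // in the branches that are handled; anything else falls through as null.
    static byte[] extractUnsafe(NegotiationMessage request) {
        byte[] gssToken = null;
        if (request instanceof NegTokenInit) {
            gssToken = ((NegTokenInit) request).getMechToken();
        } else if (request instanceof NegTokenTarg) {
            gssToken = ((NegTokenTarg) request).getResponseToken();
        } else if (request instanceof KerberosMessage) {
            gssToken = ((KerberosMessage) request).getToken();
        }
        return gssToken; // may be null: unhandled type, or a message carrying no token
    }

    // Null-safe variant: every path either yields a non-empty token or fails
    // with a LoginException that says why, so the caller never reaches
    // acceptSecContext(gssToken, 0, gssToken.length) with gssToken == null.
    static byte[] extractSafe(NegotiationMessage request) throws LoginException {
        if (request == null) {
            throw new LoginException("No negotiation request message available");
        }
        byte[] gssToken;
        if (request instanceof NegTokenInit) {
            gssToken = ((NegTokenInit) request).getMechToken();
        } else if (request instanceof NegTokenTarg) {
            gssToken = ((NegTokenTarg) request).getResponseToken();
        } else if (request instanceof KerberosMessage) {
            gssToken = ((KerberosMessage) request).getToken();
        } else {
            throw new LoginException("Unsupported negotiation message type: "
                    + request.getClass().getName());
        }
        if (gssToken == null || gssToken.length == 0) {
            throw new LoginException("Negotiation message "
                    + request.getClass().getSimpleName() + " carries no GSS token");
        }
        return gssToken;
    }

    // Stands in for the GSS call. A real GSSContext.acceptSecContext(byte[], int, int)
    // invocation evaluates gssToken.length for its third argument before the
    // method runs, which is where a null token turns into a NullPointerException.
    static int consumeToken(byte[] gssToken) {
        return gssToken.length;
    }

    public static void main(String[] args) {
        // Constructed sample messages; the byte contents are placeholders, not real tokens.
        NegotiationMessage[] samples = {
            new NegTokenInit(new byte[] {0x60, 0x06, 0x06, 0x04}),
            new NegTokenTarg(null),   // a NegTokenTarg without a responseToken
            new UnknownMessage()
        };
        for (NegotiationMessage m : samples) {
            String name = m.getClass().getSimpleName();
            try {
                System.out.println("unsafe " + name + ": " + consumeToken(extractUnsafe(m)) + " bytes");
            } catch (NullPointerException e) {
                System.out.println("unsafe " + name + ": NullPointerException (the reported failure mode)");
            }
            try {
                System.out.println("safe   " + name + ": " + consumeToken(extractSafe(m)) + " bytes");
            } catch (LoginException e) {
                System.out.println("safe   " + name + ": LoginException: " + e.getMessage());
            }
        }
    }
}
```

Compile and run it as `GssTokenExtraction.java`; only the first sample reaches consumeToken in both variants, the other two show the NPE in the unsafe path and a descriptive LoginException in the safe one. Rejecting the request with a checked exception is the behaviour a login module wants here: the client gets an authentication failure it can retry, and the server log records which message shape arrived instead of a bare NullPointerException.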
Comment 11 JBoss JIRA Server
2015-10-26 10:45:21 UTC
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-897 to Resolved
Comment 27 Darran Lofthouse
2016-02-17 16:31:46 UTC
The PR for this BZ has been merged and a subsequent release has been tagged at:
https://github.com/wildfly-security/jboss-negotiation/tree/2.3.11.Final
Note: This is the only fix in this tag since 2.3.10.Final.
Adding a needinfo as I will leave you to send in the EAP 6 changes to switch to the latest release of JBoss Negotiation.