Description of problem:

The configuration with SPNEGO works fine; however, from time to time the authentication fails with the following error:

ERROR (HTTP-341) [org.jboss.security.auth.spi.AbstractServerLoginModule] Unable to authenticate: java.lang.NullPointerException
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:420)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAs(Subject.java:356)

Version-Release number of selected component (if applicable):
JBoss Security Negotiation 2.3.3.Final

How reproducible:
This happens very rarely (20 times in a day on a system where about 50 users are working) and it is extremely hard to reproduce.

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
At line 420 in [1], the GSSToken is null:

~~~~
if (respToken != null) {
    NegotiationMessage response;
    if (requestMessage instanceof KerberosMessage) {
        response = new KerberosMessage(Constants.KERBEROS_V5, respToken);
    } else {
        NegTokenTarg negTokenTarg = new NegTokenTarg();
        negTokenTarg.setResponseToken(respToken);
        response = negTokenTarg;
    }
~~~~

It looks like a GSSToken can be or is null; check line #344 as follows:

~~~~~~~~~
public Object run() {
    try {
        // The message type will have already been checked before this point so we know it is
        // a SPNEGO message.
        NegotiationMessage requestMessage = negotiationContext.getRequestMessage();

        // TODO - Ensure no way to fall through with gssToken still null.
        byte[] gssToken = null;
        if (requestMessage instanceof NegTokenInit) {
        ...
~~~~~~~~~

[1] : https://github.com/wildfly-security/jboss-negotiation/blob/2.3.3.Final/jboss-negotiation-spnego/src/main/java/org/jboss/security/negotiation/spnego/SPNEGOLoginModule.java
Overall does sound like someone has demonstrated there is a situation it can fall through and be null, code needs reviewing and modifying to make it null safe.
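As an added illustration of the null-safe handling the comment above asks for (this is not jboss-negotiation code and not the fix that was eventually merged), the following standalone Java sketch shows the "extract the GSS token from the request message" step written so that it cannot fall through with a null token. The NegotiationMessage, NegTokenInit, NegTokenTarg and KerberosMessage classes here are hypothetical, simplified stand-ins that only borrow their names from the excerpt in the report; the real project classes have different APIs, and acceptSecContext is a stand-in for the real GSS-API accept call.

```java
import java.nio.charset.StandardCharsets;
import javax.security.auth.login.LoginException;

/**
 * Added illustration, not jboss-negotiation code: a null-safe version of the
 * token-extraction step that the stack trace in the report fails in.
 * The message classes are hypothetical stand-ins using the page's type names.
 */
public class NullSafeGssTokenExample {

    interface NegotiationMessage { }

    /** Hypothetical stand-in for NegTokenInit: carries the initial mechToken. */
    static final class NegTokenInit implements NegotiationMessage {
        final byte[] mechToken;
        NegTokenInit(byte[] mechToken) { this.mechToken = mechToken; }
    }

    /** Hypothetical stand-in for NegTokenTarg: carries a responseToken. */
    static final class NegTokenTarg implements NegotiationMessage {
        final byte[] responseToken;
        NegTokenTarg(byte[] responseToken) { this.responseToken = responseToken; }
    }

    /** Hypothetical stand-in for KerberosMessage: a raw Kerberos token. */
    static final class KerberosMessage implements NegotiationMessage {
        final byte[] token;
        KerberosMessage(byte[] token) { this.token = token; }
    }

    /**
     * Pull the GSS token out of whichever message type arrived. Unlike the
     * excerpt quoted in the report, this method cannot fall through with a
     * null token: every path either returns a non-empty byte[] or throws a
     * LoginException, which the login module can surface as an ordinary
     * authentication failure instead of a NullPointerException.
     */
    static byte[] extractGssToken(NegotiationMessage request) throws LoginException {
        byte[] gssToken = null;
        if (request instanceof NegTokenInit) {
            gssToken = ((NegTokenInit) request).mechToken;
        } else if (request instanceof NegTokenTarg) {
            gssToken = ((NegTokenTarg) request).responseToken;
        } else if (request instanceof KerberosMessage) {
            gssToken = ((KerberosMessage) request).token;
        }
        // Explicit guard for the "still null" case the TODO in the source warns
        // about, plus the equally unusable empty-token case.
        if (gssToken == null || gssToken.length == 0) {
            String kind = (request == null) ? "null request" : request.getClass().getSimpleName();
            throw new LoginException("SPNEGO request carried no GSS token (" + kind + ")");
        }
        return gssToken;
    }

    /** Stand-in for GSSContext.acceptSecContext(): echoes the token back upper-cased. */
    static byte[] acceptSecContext(byte[] gssToken) {
        String s = new String(gssToken, StandardCharsets.US_ASCII).toUpperCase();
        return s.getBytes(StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) {
        // Constructed sample messages: one good token and three variants of the
        // null/empty case that would previously have ended in a NullPointerException.
        NegotiationMessage[] samples = {
            new NegTokenInit("mech-token".getBytes(StandardCharsets.US_ASCII)),
            new NegTokenTarg(null),
            new KerberosMessage(new byte[0]),
            null
        };
        for (NegotiationMessage m : samples) {
            try {
                byte[] resp = acceptSecContext(extractGssToken(m));
                System.out.println("accepted, response token: "
                        + new String(resp, StandardCharsets.US_ASCII));
            } catch (LoginException e) {
                System.out.println("rejected cleanly: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac NullSafeGssTokenExample.java && java NullSafeGssTokenExample`: the first message is accepted and the other three are rejected with a LoginException message rather than a NullPointerException, which is the failure a login module should report (and the one an operator can count in the server log) when a negotiation token is missing or empty.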
Darran Lofthouse <darran.lofthouse> updated the status of jira SECURITY-897 to Resolved
The PR for this BZ has been merged and a subsequent release has been tagged at:
- https://github.com/wildfly-security/jboss-negotiation/tree/2.3.11.Final

Note: This is the only fix in this tag since 2.3.10.Final.

Adding a needinfo as I will leave you to send in the EAP 6 changes to switch to the latest release of JBoss Negotiation.
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.