RFR: 8362268 : NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory [v6]

Weibing Xiao wxiao at openjdk.org
Mon Oct 20 13:04:15 UTC 2025


> [webrev.zip](https://github.com/user-attachments/files/22605072/webrev.zip)
> NPE thrown from SASL GSSAPI impl when TLS is used with QOP auth-int against Active Directory.
> 
> When the exception is triggered, the LDAP Connection does a "clean-up" operation, the output stream gets flushed, and the context is closed while GssKrb5Client is still wrapping the message and trying to send the abandoned info to the client at line https://github.com/openjdk/jdk/blob/master/src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/GssKrb5Base.java#L140. That's the reason the NPE is thrown.
> 
> The change is going to close the socket and output stream in LdapClient.java. It would allow the SASL client code to send the abandoned request to the client, then dispose of the GSS context. This will avoid the NPE being thrown at line 140 of GssKrb5Base.java.
> 
> No test file is attached for this MR since it needs a SASL LDAP server with security setup. The updated webrev is attached for reference.

Weibing Xiao has updated the pull request incrementally with one additional commit since the last revision:

  add new method to handle connection cleaning

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/26566/files
  - new: https://git.openjdk.org/jdk/pull/26566/files/4dd20668..c69d484b

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=26566&range=05
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=26566&range=04-05

  Stats: 41 lines in 2 files changed: 19 ins; 20 del; 2 mod
  Patch: https://git.openjdk.org/jdk/pull/26566.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/26566/head:pull/26566

PR: https://git.openjdk.org/jdk/pull/26566

