[security-dev 00262]: Code review: Failure when SPNEGO request non-Mutual

Weijun Wang Weijun.Wang at Sun.COM
Mon Aug 4 08:22:01 UTC 2008


Hi All

Please review this code fix:

    The bug: http://bugs.sun.com/view_bug.do?bug_id=6733095
    Synopsis: Failure when SPNEGO request non-Mutual
    Webrev URL: http://hgrev.appspot.com/show?id=201

    Description:

    Using SPNEGO, when the client calls reqMutualAuth(false)
    with Kerberos as the mech, the current implementation fails.

    The reason is that when reqMutualAuth(false) is called,
    the negotiation process of the underlying mech contains
    only one token, which means the server's first call to
    Kerberos' acceptSecContext() already returns null.
    Unfortunately, the current SPNEGO implementation needs
    this output to be non-null, therefore the failure.

    There's also a tiny error in byte[] acceptSecContext(byte[])
    of GSSContextImpl that returns an empty byte array when
    the correct output should have been null.

Sorry, no regression tests due to complicated server setup.

Thanks
Weijun
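
The case described in the message above, shown from the caller's side as an added example; it is not part of the original message and not the JDK fix under review. It uses only the standard org.ietf.jgss.GSSContext interface. The class AcceptorStep, its accept() helper, the stub context and the input byte are all constructed for illustration.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

public class AcceptorStep {

    // One acceptor-side step. Returns the token to send back to the
    // initiator, or null when there is nothing to send.
    static byte[] accept(GSSContext ctx, byte[] in) throws GSSException {
        byte[] out = ctx.acceptSecContext(in, 0, in.length);
        if (out != null && out.length == 0) {
            out = null; // treat an empty array like null: no reply token
        }
        if (out == null && !ctx.isEstablished()) {
            // This example's own defensive policy: without a reply the
            // initiator has nothing to answer, so the exchange cannot proceed.
            throw new IllegalStateException("no reply token and context not established");
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a mechanism that completes on the
        // first token and returns null, as in the non-mutual case.
        InvocationHandler h = (proxy, method, a) -> {
            if (method.getName().equals("acceptSecContext")) return null;
            if (method.getName().equals("isEstablished")) return Boolean.TRUE;
            throw new UnsupportedOperationException(method.getName());
        };
        GSSContext stub = (GSSContext) Proxy.newProxyInstance(
                AcceptorStep.class.getClassLoader(),
                new Class<?>[] { GSSContext.class }, h);

        byte[] reply = accept(stub, new byte[] { 0x60 }); // constructed input byte
        System.out.println("established=" + stub.isEstablished()
                + ", reply=" + (reply == null ? "none" : reply.length + " bytes"));
    }
}
```

A null return together with isEstablished() being true is a normal end of the exchange, so code layered on top of a mechanism should branch on isEstablished() rather than on whether a token came back.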







