[security-dev 00262]: Code review: Failure when SPNEGO request non-Mutual

Weijun Wang Weijun.Wang at Sun.COM
Mon Aug 4 01:22:01 PDT 2008

Hi All

Please review this code fix:

    The bug: http://bugs.sun.com/view_bug.do?bug_id=6733095
    Synopsis: Failure when SPNEGO request non-Mutual
    Webrev URL: http://hgrev.appspot.com/show?id=201


    Using SPNEGO, when the client calls reqMutualAuth(false)
    with Kerberos as the mech, the current implementation fails.

    The reason is that when reqMutualAuth(false) is called,
    the negotiation process of the underlying mech contains
    only one token, which means the server's first call to
    Kerberos' acceptSecContext() already returns null.
    Unfortunately, the current SPNEGO implementation needs
    this output to be non-null, hence the failure.

    There's also a tiny error in byte[] acceptSecContext(byte[])
    of GSSContextImpl that returns an empty byte array when
    the correct output should have been null.

Sorry, no regression tests due to the complicated server setup.


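The exchange described in the message above, written out as an added example of how a JGSS caller should drive an initiator/acceptor pair when the initiator has called requestMutualAuth(false). This is illustrative code written for this page; it is not the OpenJDK fix under review and not code from the bug report. It assumes a working Kerberos environment that is not shown here (a krb5.conf, a JAAS login configuration with the com.sun.security.jgss.krb5.initiate and com.sun.security.jgss.krb5.accept entries, a keytab for the service, and -Djavax.security.auth.useSubjectCredsOnly=false), and the service name HTTP@server.example.com is a placeholder. The point it makes is the one in the report: with non-mutual authentication the initiator emits exactly one token and is established immediately, so the acceptor's first acceptSecContext() legitimately returns null (or, with the GSSContextImpl bug noted above, an empty array), and the caller must treat that as "nothing to send back" rather than as an error.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NonMutualSpnegoExchange {

    // A real GSS token is never empty. Treating a zero-length array the same
    // as null makes the loop robust against an implementation that returns
    // new byte[0] where the GSS-API contract says null (the GSSContextImpl
    // slip mentioned in the bug report).
    static boolean hasToken(byte[] t) {
        return t != null && t.length > 0;
    }

    // Drives both sides of a context establishment in one process, which is
    // how a test harness or a loopback check would do it. On the wire the
    // same loop is split across client and server, but the null-handling is
    // identical: a null output token is the normal end of a one-token
    // (non-mutual) exchange, not a failure, as long as the peer reports
    // isEstablished().
    static void establish(GSSContext initiator, GSSContext acceptor) throws GSSException {
        byte[] toAcceptor = initiator.initSecContext(new byte[0], 0, 0);

        while (!(initiator.isEstablished() && acceptor.isEstablished())) {
            if (!hasToken(toAcceptor) && !acceptor.isEstablished()) {
                throw new GSSException(GSSException.FAILURE, 0,
                        "initiator produced no token but acceptor is not established");
            }

            byte[] toInitiator = hasToken(toAcceptor)
                    ? acceptor.acceptSecContext(toAcceptor, 0, toAcceptor.length)
                    : null;

            if (!hasToken(toInitiator)) {
                // With requestMutualAuth(false) this branch is taken on the very
                // first round: the acceptor consumed the AP-REQ, needs no AP-REP,
                // returns null and is already established. Only an acceptor that
                // returns null while still unestablished is an error.
                if (!initiator.isEstablished()) {
                    throw new GSSException(GSSException.FAILURE, 0,
                            "acceptor produced no token but initiator is not established");
                }
                toAcceptor = null;
            } else {
                // Mutual case: the acceptor's reply (AP-REP) goes back to the
                // initiator, which then returns null itself once established.
                toAcceptor = initiator.initSecContext(toInitiator, 0, toInitiator.length);
            }
        }
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2");   // SPNEGO mech OID (RFC 4178)

        // Placeholder host-based service name; replace with the real acceptor.
        GSSName service = manager.createName("HTTP@server.example.com",
                GSSName.NT_HOSTBASED_SERVICE);

        GSSContext initiator = manager.createContext(service, spnego, null,
                GSSContext.DEFAULT_LIFETIME);
        // The setting from the bug report: the client does not ask the server
        // to prove itself, so Kerberos sends a single AP-REQ and expects nothing back.
        initiator.requestMutualAuth(false);

        // Acceptor with default credentials (keytab via the JAAS accept entry).
        GSSContext acceptor = manager.createContext((GSSCredential) null);

        establish(initiator, acceptor);

        System.out.println("established mech " + acceptor.getMech()
                + " for " + acceptor.getSrcName()
                + ", mutual=" + acceptor.getMutualAuthState());

        initiator.dispose();
        acceptor.dispose();
    }
}
```

To exercise the mutual path for comparison, change the single requestMutualAuth(false) line to true: the loop then runs a second round in which acceptSecContext() returns the AP-REP and it is initSecContext() that returns null.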