HttpURLConnection cache issues leading to crashes in JGSS w/ native GSS introduced by 8303809

Nico Williams Nico.Williams at
Mon Oct 23 18:50:11 UTC 2023

On Mon, Oct 23, 2023 at 04:26:42PM +0100, Michael McMahon wrote:
> Thanks for bringing this to our attention. You are right that this is a
> misuse of the authentication cache in the case of Kerberos (Negotiate)
> authentication. Though that is not the case for other auth schemes, because
> normally what gets cached are credentials, rather than security tokens.

I see.  I guess you could cache `GSSCredential` handles if the caller
were using non-default GSS credentials.  With password-based HTTP
schemes the credentials aren't process-global like GSS credentials
typically are, but rather can vary per request.

> It makes no sense to cache GSS contexts either, outside the scope of any
> individual request (being authenticated through multiple request/responses).
> We don't need to cache it in this situation as it is already kept as a local
> variable in the HttpURLConnection impl class.
> So, my first impression is that the fix here needs to disable the cache
> permanently for the Negotiate scheme, which is basically what the system
> property workaround is doing. But, we need to just be sure about that before
> we publish a PR.

For what it's worth, disabling the cache for Negotiate does indeed work
right now as a workaround.  You can reproduce both, the crashes and the
workaround using the instructions I provided.


More information about the security-dev mailing list