SSO fails with OpenJDK 8u40 (1.8) due to bug with SPNEGO library in Red Hat Enterprise Linux

Solution Verified

Environment

  • Red Hat Enterprise Linux (RHEL) 6
  • openjdk-1.8.0.u40 and java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6

Issue

SSO with OpenJDK 8u45 does not work.

Starting with JRE 8u40, Java contains a bug that prevents proper interaction with the SPNEGO library, which is used to negotiate the Kerberos ticket used for SSO. The issue is described here, but it looks to be with the OpenJDK library:

http://sourceforge.net/p/spnego/discussion/1003769/thread/ceda9998
http://sourceforge.net/p/spnego/discussion/1003769/thread/700b6941

The following exception was provided to me:
Jun 11, 2015 12:40:09 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jersey-serlvet] in context with path [/ipcap] threw exception [GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)] with root cause
GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
at net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:452)
at net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:284)
at net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:234)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:612)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:312)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

This is affecting multiple different servers within Motorola right now. I will be working with our app teams such that they can provide an SOS report and additional technical information as necessary.

Resolution

This is resolved in update u51 (java-1.8.0-openjdk-1.8.0.51-0.b16.el6_6) by upstream patches, delivered as part of [Errata RHSA-2015-1228](https://rhn.redhat.com/errata/RHSA-2015-1228.html).

Root Cause

public static final Oid GSS_KRB5_MECH_OID_MS =
            GSSUtil.createOid("1.2.840.48018.1.2.2");

The patch can be found upstream here:

http://hg.openjdk.java.net/jdk8u/jdk8u60/jdk/rev/906d298f5f1b
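
The following diagnostic is an added example, not Red Hat's, OpenJDK's or the SPNEGO library's code. It decodes the base64 value of an `Authorization: Negotiate` request header and lists the mechanism OIDs the client proposes, so you can see whether the OID shown under Root Cause is among them. The class name, helper names and sample token are constructed for illustration; the sample carries only a mechanism list and no Kerberos ticket.

```java
import java.io.*;
import java.util.*;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

// Hypothetical helper class, not part of OpenJDK or the SPNEGO library.
public class NegotiateTokenInspector {
    static final String SPNEGO = "1.3.6.1.5.5.2";
    static final String KRB5_MS = "1.2.840.48018.1.2.2"; // OID shown under Root Cause

    // Consume one DER tag plus its length field and return the length.
    static int expect(InputStream in, int tag) throws IOException {
        int t = in.read(), len = in.read();
        if (t != tag || len < 0)
            throw new IOException(String.format("bad or truncated DER: wanted tag 0x%02x, found 0x%02x", tag, t));
        if (len < 0x80) return len;      // short form
        int n = len & 0x7f, v = 0;       // long form: n length bytes follow
        while (n-- > 0) v = (v << 8) | in.read();
        return v;
    }

    // Mechanism OIDs the client proposes, in the client's order of preference.
    static List<String> proposedMechs(String header) throws IOException, GSSException {
        String b64 = header.replaceFirst("(?i)^Negotiate\\s+", "").trim();
        InputStream in = new ByteArrayInputStream(Base64.getDecoder().decode(b64));
        List<String> mechs = new ArrayList<>();
        expect(in, 0x60);                // GSS-API initial context token
        String thisMech = new Oid(in).toString();
        if (!SPNEGO.equals(thisMech)) {  // bare mechanism token, no negotiation
            mechs.add(thisMech);
            return mechs;
        }
        expect(in, 0xa0);                // NegotiationToken choice: negTokenInit
        expect(in, 0x30);                // NegTokenInit SEQUENCE
        expect(in, 0xa0);                // [0] mechTypes
        int listLen = expect(in, 0x30);  // MechTypeList: SEQUENCE OF OID
        int stop = in.available() - listLen;
        while (in.available() > stop) mechs.add(new Oid(in).toString());
        return mechs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: proposes MS Kerberos, then Kerberos 5; no mechToken.
        String sample = "Negotiate YCYGBisGAQUFAqAcMBqgGDAWBgkqhkiC9xIBAgIGCSqGSIb3EgECAg==";
        List<String> mechs = proposedMechs(args.length > 0 ? args[0] : sample);
        System.out.println(mechs + " MS Kerberos OID proposed: " + mechs.contains(KRB5_MS));
    }
}
```

Pass a captured header value as the first argument to inspect what a real client proposes.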

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
