5 Replies Latest reply on Oct 12, 2011 6:22 AM by mehul.kapadia

SPNEGOLoginModule : NullPointerException - Unable to authenticate

mehul.kapadia Oct 11, 2011 11:48 AM

Hello Everyone,

I have Configured JBOSS and My Application to enable Kerberos SSO Using JBOSS SPNEGO. Its working fine as expected. I have also tested the JBOSS Negotiation Toolkit and all test are passed successfully.

But sometimes I am getting NullPointerException in SPNEGOLoginModule Class as given below. (I have enabled the Debug Log on JBoss)

2011-10-11 20:05:29,270 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-172.19.102.45-8080-2) Logged in 'host' LoginContext

2011-10-11 20:05:29,270 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-172.19.102.45-8080-2) Creating new GSSContext.

2011-10-11 20:05:29,270 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-172.19.102.45-8080-2) Unable to authenticate

java.lang.NullPointerException

at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.Subject.doAs(Unknown Source)

at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)

at java.lang.reflect.Method.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.invoke(Unknown Source)

at javax.security.auth.login.LoginContext.access$000(Unknown Source)

at javax.security.auth.login.LoginContext$4.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)

at javax.security.auth.login.LoginContext.login(Unknown Source)

at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)

at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)

at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)

at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)

at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)

at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)

at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:402)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)

at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

at java.lang.Thread.run(Unknown Source)

2011-10-11 20:05:29,286 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-172.19.102.45-8080-1) Header - Negotiate YIIEyAYGKwYBBQUCoIIEvDCCBLigJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBI4EggSKYIIEhgYJKoZIhvcSAQICAQBuggR1MIIEcaADAgEFoQMCAQ6iBwMFACAAAACjggOhYYIDnTCCA5mgAwIBBaENGwtET01BSU4xLkNPTaIpMCegAwIBAqEgMB4bBEhUVFAbFjAxaHcxMTM4NTguZG9tYWluMS5jb22jggNWMIIDUqADAgEDoQMCASGiggNEBIIDQAgbBfizpfTPLx21eq57h8tv8mOuu72J6uaqaLcw2CB9YSxIxckSs12XyrB7AUrD5VgGOKIXxW1rlQbWOMDFeFll6ntBoNlu71pA4kpAARGSb1Ec+wbreHK6aHRhxHwFTQDnXst78GwAJKropAuNmhEJvbHiqIcZGFomsKfkbWgVWqUwYtmifuNpEjpzCMpEgUunpthp3hZKFQ9o9WgHEiwNilWHzN5Dv6IoxKOgZ5yWXTcJER/zp7L3BYLg0APWT3ONfCVO09hE0Xi46uYoJpYkkU+2NcA9cM+ubLVa6O8izdQIxfwII9bW8CAP++gOk9dx+HesgbA1plU3bJc7ROCFIiZhJlwOHxiFGpMsGxP+sIdDGjevk+hOW57uyS4XFuJCVXBfuX6svKyC/JCJGALjzGQP9Gy7/QP9yrOQdfQX782/Ng8LAaxSFSJqU0Nq04oT5Xx5opUZkH7eFBQCiF+fOFjuaL9M1BliX75Usdd+l25KF7ibMx3ktm3p/uR9qwWDgrZVdXnT5y8D3bQpq5BSE+DjkyuK7h1WRIYlZ3yrLk/Wd5ydP5XsAMCf/HzBD6TmwQxAgQkYwBbRn7jwu42MEj1Z9JTvA0mRb6ZRgMGD8afZX2/rN6j1t8RQR2V06feYzkv56CNSv3ruEKTSyhWAH50GlBdnmryGKUD87RFiEz84CqfqxYTBqQ2cdk1rKkkG2JfIPfp73FCLNtTNOTCG5r0/4bkS49wGm69O86dd0xybJcB9c/2+dL6KHfIb3/aLfwDhtOaj47v2msd5cLeNTsgIPBbckw0WvN0caImox1P745CNYpl1okFOaukO3UnReh0wXI6cDdVivg1EN8prD5TN+Zn4F5KrL1sGOp1VYyXJ96MqXLXRJcmQR9+IfGu61W1Yt1LUlOM8h7iUvg2CheqIM0rslGL/A74OS7UIaAJ9/+LoPlGywzLHQPMmrr4TLu6IbdJ9vfVQrTBUmTTujcLkjSvMw7PX8Pc0yMXOTb2tbRLEET7lTTSwZ3SwuDxpsSL+9AdBNwn/SethSdLcjdTD0JPRKx826JefBaFkx9MwdNTRHDcffnjnmPCvbiblxd9gKjqiAWies5qcmiykgbYwgbOgAwIBA6KBqwSBqAXlB/6/pufb4IYT4UxsAXmoCusfQC/TIsCx77YeUyvdrc60vcC1hwPagXN3MRQ+cr36qO+q4BzInSkosuud798COaYGEnfin75cTiOs3bShFNSWT7snLkaN4zGfzrmN4c8xFO3LRbAFaa/7dwwhbIA+bzXbuHQpj0lJwkhmG5vdyX0GXU/EZFZ45HZ3JVNwnthTZTl1NPPinzhTwHDvpxsWjhhsAFeReg==

2011-10-11 20:05:29,286 INFO [STDOUT] (http-172.19.102.45-8080-2) [Krb5LoginModule]: Entering logout

2011-10-11 20:05:29,286 INFO [STDOUT] (http-172.19.102.45-8080-2) [Krb5LoginModule]: logged out Subject

2011-10-11 20:05:29,286 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-172.19.102.45-8080-1) serverSecurityDomain=host

2011-10-11 20:05:29,286 INFO [STDOUT] (http-172.19.102.45-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/WINDOWS/516502.keytab refreshKrb5Config is false principal is HTTP/01HW113858.DOMAIN1.COM@DOMAIN1.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

Once above error comes up, login page(jsp) of my application doesnt render properly. and I am not able to use my application.

when I trace back to Jboss SPNEGO I found that following code where it failed in SPNEGOLoginModule Class.

try

{

Subject server = getServerSubject();

AcceptSecContext action = new AcceptSecContext(negotiationContext);

Object result = Subject.doAs(server, action); // This code result object "result" as Object of Exception. and its complaining that object action that I am passing is sometimes "null"

this.log.trace("Result - " + result);

      if (result instanceof Boolean)
      {
        if (Boolean.TRUE.equals(result))
        {
          this.loginOk = true;
          if (getUseFirstPass() == true)
          {
            String userName = this.identity.getName();
            this.log.debug("Storing username '" + userName + "' and empty password");

            this.sharedState.put("javax.security.auth.login.name", this.identity);
            this.sharedState.put("javax.security.auth.login.password", "");
          }
        }
      }
      else if (result instanceof Exception)
      {
        Exception e = (Exception)result;
       this.log.error("Unable to authenticate", e);      //////   Its failing here as its not able to get the correct object "result"
        throw new LoginException("Unable to authenticate - " + e.getMessage());
      }

Really appriciate your help and support.

Thanks in advance.

Regards,

Mehul Kapadia

1. Re: SPNEGOLoginModule : NullPointerException - Unable to authenticate

dlofthouse Oct 11, 2011 12:16 PM (in response to mehul.kapadia)

Which version of JBoss Negotiation is this?
Actions
2. Re: SPNEGOLoginModule : NullPointerException - Unable to authenticate

mehul.kapadia Oct 11, 2011 1:49 PM (in response to dlofthouse)

Hi Darran,

The JBoss Negotiation Version that I am using is : JBoss Negotiation 2.0.3.SP1 {Which bydefault comes with JBoss AS 5.1.0 GA}.

Also - Please let me know if you need anyother environment information, I would be more than happy to share with you.
Actions
3. Re: SPNEGOLoginModule : NullPointerException - Unable to authenticate

mehul.kapadia Oct 12, 2011 3:07 AM (in response to dlofthouse)

Hi Darran,

The Exception that I am getting is propagated from following native call in the "AccessController" Class(In Jar Jboss-negotiation.jar Version 2.0.3.SP1).

public static native <T> T doPrivileged(PrivilegedAction<T> paramPrivilegedAction, AccessControlContext paramAccessControlContext);

java.lang.NullPointerException
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Unknown Source)

and the exception(Mentioned above and in Initially) The Exception is generated from JBoss-Negotiation.jar only.

I am suspecting some internal Bug Or Jar version Compatibility Issue.

Darran - I really appricate your reply. your input is very much important for me to rid of this bug.
Actions
4. Re: SPNEGOLoginModule : NullPointerException - Unable to authenticate

dlofthouse Oct 12, 2011 6:18 AM (in response to mehul.kapadia)

Will it be possible for you to try using version 2.1.0 of JBoss Negotiation?

https://repository.jboss.org/nexus/content/groups/public/org/jboss/security/jboss-negotiation/2.1.0.GA/jboss-negotiation-2.1.0.GA.jar

Looking at the error reported there appears to be an issue extracing the GSSAPI message from the SPNEGO wrapper, I know from the past we already have some bug fixes in regarding message parsing so it would be good to eliminate if that is the cause. If that does not fix it from your post we appear to have the message that is failing to parse so I a can try passing that through a debugger to double check if there is a different parsing issue.
Actions
5. Re: SPNEGOLoginModule : NullPointerException - Unable to authenticate

mehul.kapadia Oct 12, 2011 6:22 AM (in response to dlofthouse)

Sure Darran - Let me try using the Negotiation Jar version that you have mentioned above, I will udpate you as soon as I am done with my testing.

Thank you very much.

Regards,
Mehul Kapadia
Actions

Go to original post