[jetty-dev] NPE in SpnegoLoginService(2)

Dear devs,

<2nd try because (at)@ got replaced with @ xxxxxx>

I got this NPE exception when a client logged in to his client machine using a smartcard.
In our in-house tests using SPNEGO in a small Active Directory setup without a smartcard, we didn't face this issue.
I expect it has something to do with the SPN, because "CT" isn't in the FQDN of the hostname: "HTTP/aa.abc140.bb.net (at) CT.BB.NET"

We're using Jetty embedded, set up programmatically.
Version: jetty-9.0.z-SNAPSHOT
I'd appreciate pointers in the right direction for solving this.


Jan 05, 2016 10:26:58 AM org.eclipse.jetty.util.log.JavaUtilLog debug
FINE: context=/auth||/test @ o.e.j.w.WebAppContext@4f1a55{/auth,file:/C:/Users/Public/ [..] /wap/webapps/auth/,AVAILABLE}{C:\Users\Public\ [..] \wap\webapps\auth}
Jan 05, 2016 10:26:58 AM org.eclipse.jetty.util.log.JavaUtilLog debug
FINE: sessionManager=org.eclipse.jetty.server.session.HashSessionManager@1c27487
Jan 05, 2016 10:26:58 AM org.eclipse.jetty.util.log.JavaUtilLog debug
FINE: session=null
Jan 05, 2016 10:26:58 AM org.eclipse.jetty.util.log.JavaUtilLog debug
FINE: servlet /auth|/test|null -> test@364492==spnego.TestServlet,-1,false
Jan 05, 2016 10:26:58 AM org.eclipse.jetty.util.log.JavaUtilLog debug
FINE: loaded class sun.security.provider.ConfigFile from null
Jan 05, 2016 10:26:58 AM org.eclipse.jetty.util.log.JavaUtilLog debug
FINE: loaded class com.sun.security.auth.module.Krb5LoginModule from null
Jan 05, 2016 10:26:58 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: /auth/test
java.lang.NullPointerException
	at org.eclipse.jetty.security.SpnegoLoginService.login(SpnegoLoginService.java:141)
	at org.eclipse.jetty.security.authentication.LoginAuthenticator.login(LoginAuthenticator.java:52)
	at org.eclipse.jetty.security.authentication.SpnegoAuthenticator.validateRequest(SpnegoAuthenticator.java:99)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:499)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:213)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1083)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:379)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:175)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1017)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:136)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:258)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:109)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:445)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:260)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:225)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.run(AbstractConnection.java:358)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:596)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:527)
	at java.lang.Thread.run(Thread.java:745)

The source as listed in http://download.eclipse.org/jetty/stable-9/xref/org/eclipse/jetty/security/SpnegoLoginService.html#134
points to:

==SpnegoLoginService.java======================
140                 if (gContext.isEstablished())
141                 {
142                     String clientName = gContext.getSrcName().toString();
143                     String role = clientName.substring(clientName.indexOf('@') + 1);
144
-----------------------------------------------
I expect it to be the getSrcName().toString();


Online I found a piece of software which tests for null and replies with the following warning message:
===unknown source==============================
    if (gssContext.getSrcName() == null) {
        log.warn("GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration");
        return false;
    }
-----------------------------------------------


My configuration files are:
==spnego.conf=============================================
com.sun.security.jgss.initiate{
   com.sun.security.auth.module.Krb5LoginModule required 
   useTicketCache="true" 
   doNotPrompt="false"
   renewTGT="true"
   debug="false";
  };
 
com.sun.security.jgss.accept {
     com.sun.security.auth.module.Krb5LoginModule required
     principal="HTTP/aa.abc140.bb.net (at) CT.BB.NET" 
     useKeyTab=true
     keyTab="C:/Users/Public/Company/wap/webapps/auth/WEB-INF/ftsso.keytab" 
     storeKey=true 
     debug=true 
     isInitiator=false;
};
==krb5.ini=============================================
[libdefaults]
default_realm = CT.BB.NET
[realms]
CT.BB.NET = {
    kdc = ct.bb.net
}
==web.xml=============================================
    <auth-constraint>
      <role-name>CT.BB.NET</role-name>
    </auth-constraint>
===spnego.properties===========================
targetName = HTTP/aa.abc140.bb.net
-----------------------------------------------
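
The failure mode in the report above, handled fail-closed, as an added example that is not part of the original post and is not Jetty's code. The class and method names (`SpnegoRealmCheck`, `realmOf`, `realmOfInitiator`) are hypothetical; the principal strings in `main` are constructed samples and no KDC or keytab is contacted.

```java
import java.util.Optional;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;

public class SpnegoRealmCheck {

    /**
     * Returns the part after '@' that the quoted Jetty lines use as the role,
     * or empty when the login has to be refused.
     */
    static Optional<String> realmOf(String clientName) {
        if (clientName == null) {
            // No initiator name: refuse instead of throwing an NPE mid-request.
            return Optional.empty();
        }
        int at = clientName.indexOf('@');
        // Without this check, indexOf() == -1 makes substring(0) return the whole
        // name, so the user name itself would be compared against the role.
        if (at < 0 || at == clientName.length() - 1) {
            return Optional.empty();
        }
        return Optional.of(clientName.substring(at + 1));
    }

    /** Adapter for an accepted context; getSrcName() may return null. */
    static Optional<String> realmOfInitiator(GSSContext ctx) throws GSSException {
        if (!ctx.isEstablished()) {
            return Optional.empty();
        }
        GSSName src = ctx.getSrcName();
        return realmOf(src == null ? null : src.toString());
    }

    public static void main(String[] args) {
        // Constructed inputs: a full principal, a name without a realm,
        // a trailing '@', and the null case from the stack trace.
        String[] samples = { "alice@CT.BB.NET", "alice", "alice@", null };
        for (String s : samples) {
            String verdict = realmOf(s).map(r -> "role candidate " + r)
                                       .orElse("refuse login");
            System.out.println(s + " -> " + verdict);
        }
    }
}
```

Returning an empty result lets the caller answer with a normal authentication failure and a log line, rather than an unhandled exception on the request thread.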




