[GR-44320] Unable to make Kerberos Authenticated http calls due to GSSManager Oid issue #5950
Comments
|
Hi, Thank you for reporting this issue, please share a complete reproducer of this issue. with steps to reproduce. Thank you |
|
I think I commented on #4700 that there should be all you need there to recreate the problem. There is a java class and steps to compile it into native. Is there anything else you'd like me to provide? |
|
Running the Sample class shared on #4700 throws the following which doesn't seem to be a bug on GraalVM. |
|
I see, I think you may need to specify the krb5 config. Sorry for this, I will get back to you later today |
|
It seems as though you've actually gotten past the point which is causing an issue for me: me - > at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183) Looking at the code provided in the previous ticket: javac Sample.java The middle java call should fail where you are seeing an exception without proper Kerberos configuration. Were you definitely running the native image? javac Sample.java I've just tried the above and am still seeing: Exception in thread "main" GSSException: Unsupported mechanism requested: 1.2.840.113554.1.2.2 |
|
Tracked internally on GR 44320 |
|
Thank you for a great reproducer! To make this work you need to add the flag We will work to provide a better user experience around this feature. |
Where can we find definitive reference to this flag? |
|
What is a definitive reference? We will document this better in the upcoming releases, but first, we need to revisit the defaults. I feel this one should be included by default. |
|
@vjovanov Where is the documentation to the flag |
|
I wish I had a good answer. We will be improving this feature for JDK 23. Until then the best I can say is that this is the list of possible values in the JDK is: I got this by running |
oubidar-Abderrahim
changed the title
|
In my case, graalvm is not respecting I tried Logged #8674 for this with more details |
|
Thank you very much for reporting the issue! We will look into it and see why it happens. |
|
If we have a way to create the instance of gssmanager by passing the "native" as parameter rather than using jvm arguments can help I guess. That would be a jdk change rather than graalvm. However, graalvm handling this also works. I wish they prioritise this. This is blocking a lot of enterprise software from using graalvm native compilation feature. |
|
@jovanstevanovic is working in this area now so we should be able to provide a fix in the next release. |
|
Wow that's a great news!! Thank you so much!! |
|
No worries. I can have a look. |
|
Hey @vjovanov , is there any alternative present at the moment for this kerberos auth issue in native image ? |
|
@yogeshkumar-1234 the solution in the comment does not help you? |
|
I tried it sometimes back. It didn't work for me. I can check once again. |
|
@jovanstevanovic It didn't work for me > @yogeshkumar-1234 the solution in the comment does not help you? |
|
Okay, just to double-check. |
Issue is caused by #4700
GraalVM and environment:
OS: Linux RHEL 8
GraalVM version 22.3.1 EE
JDK: 17
GSSException: Unsupported mechanism requested: 1.2.840.113554.1.2.2
at java.security.jgss@17.0.6/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:199)
at java.security.jgss@17.0.6/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:166)
at java.security.jgss@17.0.6/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.(GSSNameImpl.java:171)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.(GSSNameImpl.java:152)
at java.security.jgss@17.0.6/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
at java.security.jgss@17.0.6/sun.net.www.protocol.http.spnego.NegotiatorImpl.init(NegotiatorImpl.java:95)
at java.security.jgss@17.0.6/sun.net.www.protocol.http.spnego.NegotiatorImpl.(NegotiatorImpl.java:123)
at java.base@17.0.6/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
at java.base@17.0.6/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at java.base@17.0.6/sun.net.www.protocol.http.Negotiator.getNegotiator(Negotiator.java:65)
at java.base@17.0.6/sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:120)
at java.base@17.0.6/sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:201)
at java.base@17.0.6/sun.net.www.protocol.http.AuthenticationHeader.(AuthenticationHeader.java:144)
at java.base@17.0.6/sun.net.www.protocol.http.AuthenticationHeader.(AuthenticationHeader.java:124)
at java.base@17.0.6/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1818)
at java.base@17.0.6/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at java.base@17.0.6/java.net.URLConnection.getContent(URLConnection.java:753)
at java.base@17.0.6/sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(HttpsURLConnectionImpl.java:404)
Like the attached issue it is difficult to recreate the environment due to needing to set up an entire Active Directory / Kerberos environment - but the code in the attached issue should recreate the problem
Seems like the code below should populate providers but it doesn't
The text was updated successfully, but these errors were encountered: