[GR-44320] Unable to make Kerberos Authenticated http calls due to GSSManager Oid issue

[louis2845]

Issue is caused by #4700

GraalVM and environment:

OS: Linux RHEL 8
GraalVM version 22.3.1 EE
JDK: 17

GSSException: Unsupported mechanism requested: 1.2.840.113554.1.2.2
at java.security.jgss@17.0.6/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:199)
at java.security.jgss@17.0.6/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:166)
at java.security.jgss@17.0.6/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.(GSSNameImpl.java:171)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.(GSSNameImpl.java:152)
at java.security.jgss@17.0.6/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
at java.security.jgss@17.0.6/sun.net.www.protocol.http.spnego.NegotiatorImpl.init(NegotiatorImpl.java:95)
at java.security.jgss@17.0.6/sun.net.www.protocol.http.spnego.NegotiatorImpl.(NegotiatorImpl.java:123)
at java.base@17.0.6/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
at java.base@17.0.6/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
at java.base@17.0.6/sun.net.www.protocol.http.Negotiator.getNegotiator(Negotiator.java:65)
at java.base@17.0.6/sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:120)
at java.base@17.0.6/sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:201)
at java.base@17.0.6/sun.net.www.protocol.http.AuthenticationHeader.(AuthenticationHeader.java:144)
at java.base@17.0.6/sun.net.www.protocol.http.AuthenticationHeader.(AuthenticationHeader.java:124)
at java.base@17.0.6/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1818)
at java.base@17.0.6/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at java.base@17.0.6/java.net.URLConnection.getContent(URLConnection.java:753)
at java.base@17.0.6/sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(HttpsURLConnectionImpl.java:404)

Like the attached issue it is difficult to recreate the environment due to needing to set up an entire Active Directory / Kerberos environment - but the code in the attached issue should recreate the problem

Seems like the code below should populate providers but it doesn't

    public GSSManagerImpl(GSSCaller caller) {
        list = new ProviderList(caller, USE_NATIVE);
    }

[oubidar-Abderrahim]

Hi, Thank you for reporting this issue, please share a complete reproducer of this issue. with steps to reproduce. Thank you

[louis2845]

I think I commented on #4700 that there should be all you need there to recreate the problem. There is a java class and steps to compile it into native. Is there anything else you'd like me to provide?

[oubidar-Abderrahim]

Running the Sample class shared on #4700 throws the following

Exception in thread "main" GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
	at java.security.jgss/sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:127)
	at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:99)
	at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)
	at java.security.jgss/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469)
	at java.security.jgss/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202)
	at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:171)
	at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:152)
	at java.security.jgss/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
	at Sample.main(Sample.java:7)

which doesn't seem to be a bug on GraalVM.

[louis2845]

I see, I think you may need to specify the krb5 config. Sorry for this, I will get back to you later today

[louis2845]

It seems as though you've actually gotten past the point which is causing an issue for me:

me - > at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183)
you -> at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)

Looking at the code provided in the previous ticket:

javac Sample.java
java -agentlib:native-image-agent=config-output-dir=META-INF/native-image Sample
native-image --no-fallback Sample

The middle java call should fail where you are seeing an exception without proper Kerberos configuration.

Were you definitely running the native image?

javac Sample.java
native-image --no-fallback Sample
./sample

I've just tried the above and am still seeing:

Exception in thread "main" GSSException: Unsupported mechanism requested: 1.2.840.113554.1.2.2
at java.security.jgss@17.0.6/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:199)
at java.security.jgss@17.0.6/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:166)
at java.security.jgss@17.0.6/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.(GSSNameImpl.java:171)
at java.security.jgss@17.0.6/sun.security.jgss.GSSNameImpl.(GSSNameImpl.java:152)
at java.security.jgss@17.0.6/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
at Sample.main(Sample.java:9)

[oubidar-Abderrahim]

Tracked internally on GR 44320

[vjovanov]

Thank you for a great reproducer! To make this work you need to add the flag -H:AdditionalSecurityProviders=sun.security.jgss.SunProvider the image build.

We will work to provide a better user experience around this feature.

[autodidacticon]

Thank you for a great reproducer! To make this work you need to add the flag -H:AdditionalSecurityProviders=sun.security.jgss.SunProvider the image build.

We will work to provide a better user experience around this feature.

Where can we find definitive reference to this flag?

[vjovanov]

What is a definitive reference? We will document this better in the upcoming releases, but first, we need to revisit the defaults. I feel this one should be included by default.

[autodidacticon]

@vjovanov Where is the documentation to the flag -H:AdditionalSecurityProviders?