[GR-44320] Unable to make Kerberos Authenticated http calls due to GSSManager Oid issue
Issue is caused by https://github.com/oracle/graal/issues/4700
GraalVM and environment:
OS: Linux RHEL 8
GraalVM version: 22.3.1 EE
JDK: 17
GSSException: Unsupported mechanism requested: 1.2.840.113554.1.2.2
at [email protected]/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:199)
at [email protected]/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:166)
at [email protected]/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183)
at [email protected]/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469)
at [email protected]/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202)
at [email protected]/sun.security.jgss.GSSNameImpl.
Like the attached issue, it is difficult to recreate the environment due to needing to set up an entire Active Directory / Kerberos environment, but the code in the attached issue should recreate the problem.
Seems like the code below should populate providers but it doesn't:
public GSSManagerImpl(GSSCaller caller) {
list = new ProviderList(caller, USE_NATIVE);
}
Hi, thank you for reporting this issue. Please share a complete reproducer of this issue, with steps to reproduce. Thank you.
I think I commented on #4700 that there should be all you need there to recreate the problem. There is a java class and steps to compile it into native. Is there anything else you'd like me to provide?
Running the Sample class shared on #4700 throws the following
Exception in thread "main" GSSException: Invalid name provided (Mechanism level: KrbException: Cannot locate default realm)
at java.security.jgss/sun.security.jgss.krb5.Krb5NameElement.getInstance(Krb5NameElement.java:127)
at java.security.jgss/sun.security.jgss.krb5.Krb5MechFactory.getNameElement(Krb5MechFactory.java:99)
at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)
at java.security.jgss/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469)
at java.security.jgss/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202)
at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:171)
at java.security.jgss/sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:152)
at java.security.jgss/sun.security.jgss.GSSManagerImpl.createName(GSSManagerImpl.java:109)
at Sample.main(Sample.java:7)
which doesn't seem to be a bug on GraalVM.
I see, I think you may need to specify the krb5 config. Sorry for this, I will get back to you later today
It seems as though you've actually gotten past the point which is causing an issue for me:
me -> at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183)
you -> at java.security.jgss/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:184)
Looking at the code provided in the previous ticket:
javac Sample.java
java -agentlib:native-image-agent=config-output-dir=META-INF/native-image Sample
native-image --no-fallback Sample
The middle java call should fail where you are seeing an exception without proper Kerberos configuration.
Were you definitely running the native image?
javac Sample.java
native-image --no-fallback Sample
./sample
I've just tried the above and am still seeing:
Exception in thread "main" GSSException: Unsupported mechanism requested: 1.2.840.113554.1.2.2
at [email protected]/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:199)
at [email protected]/sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:166)
at [email protected]/sun.security.jgss.GSSManagerImpl.getNameElement(GSSManagerImpl.java:183)
at [email protected]/sun.security.jgss.GSSNameImpl.getElement(GSSNameImpl.java:469)
at [email protected]/sun.security.jgss.GSSNameImpl.init(GSSNameImpl.java:202)
at [email protected]/sun.security.jgss.GSSNameImpl.
Tracked internally on GR 44320
Thank you for a great reproducer! To make this work you need to add the flag
-H:AdditionalSecurityProviders=sun.security.jgss.SunProvider
to the image build. We will work to provide a better user experience around this feature.
Where can we find a definitive reference to this flag?
What is a definitive reference? We will document this better in the upcoming releases, but first, we need to revisit the defaults. I feel this one should be included by default.
@vjovanov Where is the documentation for the flag -H:AdditionalSecurityProviders?
I wish I had a good answer. We will be improving this feature for JDK 23. Until then the best I can say is that the list of possible values in the JDK is:
['sun.security.provider.Sun', 'sun.security.rsa.SunRsaSign', 'sun.security.ec.SunEC', 'sun.security.ssl.SunJSSE', 'com.sun.crypto.provider.SunJCE', 'sun.security.jgss.SunProvider', 'com.sun.security.sasl.Provider', 'org.jcp.xml.dsig.internal.dom.XMLDSigRI', 'sun.security.smartcardio.SunPCSC', 'sun.security.provider.certpath.ldap.JdkLDAP', 'com.sun.security.sasl.gsskerb.JdkSASL']
I got this by running sun.security.jca.Providers.getProviderList() and inspecting class names.
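A run-time check for the situation discussed in this thread, as an added example that is not part of the original comments or of the GraalVM project: it lists the security providers visible to the running program and reports whether the Kerberos mechanism OID from the exception is offered by GSSManager. The class name GssProviderCheck is an assumption; build it as a native image once without and once with the -H:AdditionalSecurityProviders=sun.security.jgss.SunProvider flag quoted above and compare the output and exit code.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

// Hypothetical diagnostic class (name chosen for this example).
public class GssProviderCheck {
    // Kerberos V5 mechanism OID, taken from the exception message in this thread.
    static final String KRB5_OID = "1.2.840.113554.1.2.2";
    // Provider class named in the -H:AdditionalSecurityProviders flag in this thread.
    static final String JGSS_PROVIDER = "sun.security.jgss.SunProvider";

    // True if a provider with this implementation class is registered at run time.
    static boolean hasProvider(String className) {
        return Arrays.stream(Security.getProviders())
                .anyMatch(p -> p.getClass().getName().equals(className));
    }

    // True if the default GSSManager advertises the given mechanism OID.
    static boolean mechSupported(String oid) throws GSSException {
        Oid wanted = new Oid(oid);
        Oid[] mechs = GSSManager.getInstance().getMechs();
        return mechs != null && Arrays.asList(mechs).contains(wanted);
    }

    public static void main(String[] args) throws GSSException {
        // Print every registered provider with its implementation class,
        // the same class names the flag expects as values.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + " -> " + p.getClass().getName());
        }
        boolean provider = hasProvider(JGSS_PROVIDER);
        boolean mech = mechSupported(KRB5_OID);
        System.out.println(JGSS_PROVIDER + " registered: " + provider);
        System.out.println("Mechanism " + KRB5_OID + " supported: " + mech);
        // Non-zero exit lets a CI step fail the build before deployment.
        System.exit(provider && mech ? 0 : 1);
    }
}
```

Running the native binary as a post-build step catches a missing provider before the first Kerberos-authenticated call fails in production.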
In my case, graalvm is not respecting sun.security.jgss.native=true. (ref: native gss)
I tried buildArgs.add('-J-Dsun.security.jgss.native=true') and buildArgs.add('-Dsun.security.jgss.native=true') as well.
Logged https://github.com/oracle/graal/issues/8674 for this with more details
Thank you very much for reporting the issue! We will look into it and see why it happens.