<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:57:04 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[JAVA-2385] GSSAPI authentication fails against Windows MongoDB server</title>
                <link>https://jira.mongodb.org/browse/JAVA-2385</link>
                <project id="10006" key="JAVA">Java Driver</project>
                    <description>&lt;p&gt;&lt;a href=&quot;https://tools.ietf.org/html/rfc4752#section-3.1&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;RFC 4752 section 4.3.1&lt;/a&gt; states that:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The client then constructs data, with the first octet containing the bit-mask specifying the selected security layer, the second through fourth octets containing in network byte order the maximum size output_message the client is able to receive (which MUST be 0 if the client does not support any security layer)&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;There is a bug in the JDK where by default it does &lt;em&gt;not&lt;/em&gt; send 0 for the maximum size output_message, even when it indicates no support for any security layer.  Rather, it sends the default value for the javax.security.sasl.Sasl#MAX_BUFFER property, which is not specified but is generally set to 65,536 in the Oracle JDK.&lt;/p&gt;

&lt;p&gt;The SSPI implementation in the server checks this and fails with the following error:&lt;/p&gt;

&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;2016-11-05T15:44:19.426+0530 E ACCESS [conn6] SSPI: wrong security layer from client&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;

&lt;p&gt;The corresponding code in the Linux version of MongoDB does not make such a stringent check, and therefore GSSAPI authentication from a Java client succeeds when connecting to a Linux-based MongoDB server.&lt;/p&gt;

&lt;p&gt;The driver can work around the server check by setting the javax.security.sasl.Sasl#MAX_BUFFER property to &quot;0&quot;.&lt;/p&gt;

&lt;p&gt;Note that this issue prevents &lt;em&gt;any&lt;/em&gt; Java client from authenticating via GSSAPI to a MongoDB server running on Windows.&lt;/p&gt;

</description>
                <environment>Java on any platform connected to a MongoDB server running on Windows</environment>
        <key id="332237">JAVA-2385</key>
            <summary>GSSAPI authentication fails against Windows MongoDB server</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="jeff.yemin@mongodb.com">Jeffrey Yemin</assignee>
                                    <reporter username="rgoteti">rajesh</reporter>
                        <labels>
                    </labels>
                <created>Wed, 16 Nov 2016 12:10:30 +0000</created>
                <updated>Tue, 27 Dec 2016 00:04:47 +0000</updated>
                            <resolved>Fri, 2 Dec 2016 16:18:35 +0000</resolved>
                                    <version>2.12.0</version>
                    <version>3.0.0</version>
                                    <fixVersion>3.4.1</fixVersion>
                                    <component>Authentication</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="1465153" author="jeff.yemin" created="Tue, 27 Dec 2016 00:04:47 +0000"  >&lt;p&gt;JDK code review link: &lt;a href=&quot;http://cr.openjdk.java.net/~weijun/8170732/webrev.00/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;http://cr.openjdk.java.net/~weijun/8170732/webrev.00/&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1461023" author="jeff.yemin" created="Mon, 19 Dec 2016 14:45:00 +0000"  >&lt;p&gt;Hi Rajesh,&lt;/p&gt;

&lt;p&gt;No matter what you&apos;re going to have to change your dependency, as 3.2.2 by definition cannot contain this fix, since it&apos;s already been released.  Given that, I&apos;m not sure what exactly you&apos;re asking.  Since you have to change the dependency regardless, you can either&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Upgrade to 3.4.1 when you&apos;re able&lt;/li&gt;
	&lt;li&gt;Build your own release based on 3.2.2 with this one change applied, and update your dependency to your own release.&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="1455021" author="rgoteti" created="Mon, 12 Dec 2016 10:27:45 +0000"  >&lt;p&gt;Hi Jeff,&lt;/p&gt;

&lt;p&gt;   As of now we cannot upgrade to 3.4.1, upgrade is planned for future release. We have made the changes in 3.2.2 source and built the jar and tested it, its working fine for us. But the problem is with hosting the 3.2.2 source with the fix. Can we host the source jar in maven central? If yes what namespace can we use, I assume we cannot use the existing org.mongodb namespace. Hosting the source jar is needed as we build a Eclipse Orbit bundle using the groupid and artifact id from maven central.  Please let me know how to proceed with this.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br/&gt;
Rajesh&lt;/p&gt;</comment>
                            <comment id="1453757" author="jeff.yemin" created="Fri, 9 Dec 2016 13:02:30 +0000"  >&lt;p&gt;We have no plans to backport this to the 3.2 or 3.3 release branch.  As BIRT would have to be upgraded to 3.2.3 anyway, I suggest you take the opportunity to upgrade instead to 3.4.1 when it is released.&lt;/p&gt;</comment>
                            <comment id="1453756" author="rgoteti" created="Fri, 9 Dec 2016 12:52:24 +0000"  >&lt;p&gt;Hi Jeff,&lt;/p&gt;

&lt;p&gt;     Will this fix be back ported to mongodb 3.2.2 driver? we are using monongdb 3.2.2 in our BIRT mongo db plugin. we create a eclipse orbit bundle for mongodb jar and include it in BIRT designer.&lt;/p&gt;</comment>
                            <comment id="1453755" author="jeff.yemin" created="Fri, 9 Dec 2016 12:35:32 +0000"  >&lt;p&gt;Reference to JDK bug reported as the root cause of this issue: &lt;a href=&quot;http://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170732&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;JDK-8170732&lt;/a&gt;.&lt;/p&gt;</comment>
                            <comment id="1449378" author="rgoteti" created="Mon, 5 Dec 2016 17:06:07 +0000"  >&lt;p&gt;Hi Jeff, Thanks for the quick fix. It works in my environment.&lt;/p&gt;</comment>
                            <comment id="1448296" author="jeff.yemin" created="Fri, 2 Dec 2016 21:52:11 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=rgoteti&quot; class=&quot;user-hover&quot; rel=&quot;rgoteti&quot;&gt;rgoteti&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A snapshot build is available &lt;a href=&quot;http://jenkins.bci.10gen.cc:8080/job/mongo-java-driver-snapshot-release-3.4.x/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt; or &lt;a href=&quot;https://oss.sonatype.org/content/repositories/snapshots/org/mongodb/mongo-java-driver/3.4.1-SNAPSHOT/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt; if you&apos;d like to test out this fix and let us know if it works in your environment.&lt;/p&gt;</comment>
                            <comment id="1447806" author="xgen-internal-githook" created="Fri, 2 Dec 2016 16:18:18 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;jyemin&apos;, u&apos;name&apos;: u&apos;Jeff Yemin&apos;, u&apos;email&apos;: u&apos;jeff.yemin@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-2385&quot; title=&quot;GSSAPI authentication fails against Windows MongoDB server&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-2385&quot;&gt;&lt;del&gt;JAVA-2385&lt;/del&gt;&lt;/a&gt;: Set javax.security.sasl.Sasl#MAX_BUFFER property to &quot;0&quot; in GSSAPIAuthenticator in order to work around a strict check in the Windows implementation of GSSAPI in the MongoDB server.&lt;br/&gt;
Branch: 3.4.x&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/26d4bcedc61b5f2e6919ef0230eff35e7f50cddb&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/26d4bcedc61b5f2e6919ef0230eff35e7f50cddb&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1447801" author="xgen-internal-githook" created="Fri, 2 Dec 2016 16:15:32 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;jyemin&apos;, u&apos;name&apos;: u&apos;Jeff Yemin&apos;, u&apos;email&apos;: u&apos;jeff.yemin@10gen.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-2385&quot; title=&quot;GSSAPI authentication fails against Windows MongoDB server&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-2385&quot;&gt;&lt;del&gt;JAVA-2385&lt;/del&gt;&lt;/a&gt;: Set javax.security.sasl.Sasl#MAX_BUFFER property to &quot;0&quot; in GSSAPIAuthenticator in order to work around a strict check in the Windows implementation of GSSAPI in the MongoDB server.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/ca2f1979dfeb6c1f1eb02fb771791bbe4b8a6bd4&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/ca2f1979dfeb6c1f1eb02fb771791bbe4b8a6bd4&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1435762" author="jeff.yemin" created="Wed, 16 Nov 2016 17:58:06 +0000"  >&lt;p&gt;We will address this issue in scope of &lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-2320&quot; title=&quot;Add test automation for GSSAPI authentication on Windows&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-2320&quot;&gt;&lt;del&gt;JAVA-2320&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;</comment>
                            <comment id="1435656" author="rgoteti" created="Wed, 16 Nov 2016 16:17:32 +0000"  >&lt;p&gt;I have found this issue in MongoDB jira and updated it my comments, &lt;br/&gt;
&lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-2320&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;https://jira.mongodb.org/browse/JAVA-2320&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1435654" author="rgoteti" created="Wed, 16 Nov 2016 16:16:40 +0000"  >&lt;p&gt;Hi Jeff,&lt;br/&gt;
we are facing this issue when connecting to MongoDB with javadriver using GSSAPI on windows environment. Connections through mongoshell and python driver seemes to be working fine. This problem is specific to windows environment as we were able to succesfully authenticate on centos. we are currently stuck due to this issue. is there any workaround for this issue ?&lt;br/&gt;
mongodb log:&lt;br/&gt;
-----------------&lt;br/&gt;
2016-11-05T15:44:19.426+0530 D ACCESS &lt;span class=&quot;error&quot;&gt;&amp;#91;conn6&amp;#93;&lt;/span&gt; SSPI authenticated name: mongoClient@IHUBTEST.COM&lt;br/&gt;
2016-11-05T15:44:19.426+0530 D ACCESS &lt;span class=&quot;error&quot;&gt;&amp;#91;conn6&amp;#93;&lt;/span&gt; auxprop matched no properties&lt;br/&gt;
2016-11-05T15:44:19.426+0530 D ACCESS &lt;span class=&quot;error&quot;&gt;&amp;#91;conn6&amp;#93;&lt;/span&gt; SSPI encrypted size: 74 decrypted size: 28 encrypted msg pointer: 000000DCE8F52990 decrypted msg pointer: 000000DCE8F529BD&lt;br/&gt;
2016-11-05T15:44:19.426+0530 E ACCESS &lt;span class=&quot;error&quot;&gt;&amp;#91;conn6&amp;#93;&lt;/span&gt; SSPI: wrong security layer from client&lt;br/&gt;
2016-11-05T15:44:19.426+0530 D ACCESS &lt;span class=&quot;error&quot;&gt;&amp;#91;conn6&amp;#93;&lt;/span&gt; Was not able to acquire authorization username from Cyrus SASL. Falling back to authentication name.&lt;br/&gt;
2016-11-05T15:44:19.426+0530 I ACCESS &lt;span class=&quot;error&quot;&gt;&amp;#91;conn6&amp;#93;&lt;/span&gt; GSSAPI authentication failed for mongoClient@IHUBTEST.COM on $external from client 10.96.45.144 ; ProtocolError: SASL(-1): generic failure: SSPI: wrong security layer from client&lt;br/&gt;
2016-11-05T15:44:19.426+0530 D ACCESS &lt;span class=&quot;error&quot;&gt;&amp;#91;conn6&amp;#93;&lt;/span&gt; Was not able to acquire authorization username from Cyrus SASL. Falling back to authentication name.&lt;br/&gt;
Thanks,&lt;br/&gt;
Rajesh&lt;/p&gt;</comment>
                            <comment id="1435513" author="jeff.yemin" created="Wed, 16 Nov 2016 13:44:01 +0000"  >&lt;p&gt;Hi Rajesh,&lt;/p&gt;

&lt;p&gt;Can you provide the full exception stack trace as well as any relevant mongod server logs?&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br/&gt;
Jeff&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="318440">JAVA-2320</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="335553">SERVER-27252</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsscvb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1409">JVM Sprint 37</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>