<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[JAVA-4389] Getting com.mongodb.MongoSecurityException: Failed to login Subject when connecting mongoDB</title>
                <link>https://jira.mongodb.org/browse/JAVA-4389</link>
                <project id="10006" key="JAVA">Java Driver</project>
                    <description>&lt;p&gt;Hi,&lt;/p&gt;

&lt;p&gt;To replace mongodb-java-driver 3.12.8, I am trying to make my code work with the following jars:&lt;/p&gt;

&lt;p&gt;mongodb-driver-sync-4.3.3.jar&lt;/p&gt;

&lt;p&gt;mongodb-driver-core-4.3.3.jar&lt;/p&gt;

&lt;p&gt;mongodb-driver-legacy-4.3.3.jar&lt;/p&gt;

&lt;p&gt;bson-4.3.3.jar&lt;/p&gt;

&lt;p&gt;I use the following code to connect:&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;pre&gt;System.setProperty(&quot;java.security.krb5.conf&quot;, &quot;krb5.conf&quot;);
System.setProperty(&quot;java.security.krb5.realm&quot;, &quot;&amp;lt;&amp;lt;my-domain&amp;gt;&amp;gt;&quot;);
System.setProperty(&quot;java.security.krb5.kdc&quot;, &quot;&amp;lt;&amp;lt;my-domain&amp;gt;&amp;gt;&quot;);
System.setProperty(&quot;javax.security.auth.useSubjectCredsOnly&quot;,&quot;false&quot;);
System.setProperty(&quot;java.security.auth.login.config&quot;, &quot;jaas.conf&quot;);

return new MongoClient(serverAddresses, MongoCredential.createGSSAPICredential(&quot;&amp;lt;&amp;lt;my-kerberos-id&amp;gt;&amp;gt;@&amp;lt;&amp;lt;my-domain&amp;gt;&amp;gt;&quot;), options);&lt;/pre&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;my jaas.conf is as follows:&lt;/p&gt;

&lt;pre&gt;com.sun.security.jgss.initiate {
 com.sun.security.auth.module.Krb5LoginModule required
 useKeyTab=true
 useTicketCache=false
 doNotPrompt=true
 debug=true
 keyTab=&quot;mykeytab.kt&quot;
 principal=&quot;&amp;lt;&amp;lt;my-kerberos-id&amp;gt;&amp;gt;@&amp;lt;&amp;lt;my-domain&amp;gt;&amp;gt;&quot;;
};&lt;/pre&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;I am getting below errors:&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;pre&gt;INFO: Creating new LoginContext and logging in the principal
Exception in thread &quot;main&quot; com.mongodb.MongoSecurityException: Failed to login Subject
    at com.mongodb.internal.connection.SaslAuthenticator.getSubject(SaslAuthenticator.java:200)
    at com.mongodb.internal.connection.SaslAuthenticator.doAsSubject(SaslAuthenticator.java:278)
    at com.mongodb.internal.connection.SaslAuthenticator.authenticate(SaslAuthenticator.java:57)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.authenticate(InternalStreamConnectionInitializer.java:205)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.finishHandshake(InternalStreamConnectionInitializer.java:79)
    at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:170)
    at com.mongodb.internal.connection.UsageTrackingInternalConnection.open(UsageTrackingInternalConnection.java:53)
    at com.mongodb.internal.connection.DefaultConnectionPool$PooledConnection.open(DefaultConnectionPool.java:495)
    at com.mongodb.internal.connection.DefaultConnectionPool$OpenConcurrencyLimiter.openOrGetAvailable(DefaultConnectionPool.java:855)
    at com.mongodb.internal.connection.DefaultConnectionPool$OpenConcurrencyLimiter.openOrGetAvailable(DefaultConnectionPool.java:805)
    at com.mongodb.internal.connection.DefaultConnectionPool.get(DefaultConnectionPool.java:154)
    at com.mongodb.internal.connection.DefaultConnectionPool.get(DefaultConnectionPool.java:144)
    at com.mongodb.internal.connection.DefaultServer.getConnection(DefaultServer.java:92)
    at com.mongodb.internal.binding.ClusterBinding$ClusterBindingConnectionSource.getConnection(ClusterBinding.java:141)
    at com.mongodb.client.internal.ClientSessionBinding$SessionBindingConnectionSource.getConnection(ClientSessionBinding.java:163)
    at com.mongodb.internal.operation.ListCollectionsOperation$1.call(ListCollectionsOperation.java:233)
    at com.mongodb.internal.operation.ListCollectionsOperation$1.call(ListCollectionsOperation.java:230)
    at com.mongodb.internal.operation.OperationHelper.withReadConnectionSource(OperationHelper.java:583)
    at com.mongodb.internal.operation.ListCollectionsOperation.execute(ListCollectionsOperation.java:230)
    at com.mongodb.internal.operation.ListCollectionsOperation.execute(ListCollectionsOperation.java:86)
    at com.mongodb.client.internal.MongoClientDelegate$DelegateOperationExecutor.execute(MongoClientDelegate.java:184)
    at com.mongodb.client.internal.MongoIterableImpl.execute(MongoIterableImpl.java:135)
    at com.mongodb.client.internal.MongoIterableImpl.iterator(MongoIterableImpl.java:92)
    at com.mongodb.client.internal.MappingIterable.iterator(MappingIterable.java:39)
    at com.mongodb.client.internal.MappingIterable.iterator(MappingIterable.java:27)
    at MyGFMongoTest.main(MyGFMongoTest.java:81)
Caused by: javax.security.auth.login.LoginException: No LoginModules configured for com.sun.security.jgss.krb5.initiate
    at javax.security.auth.login.LoginContext.init(LoginContext.java:264)
    at javax.security.auth.login.LoginContext.&amp;lt;init&amp;gt;(LoginContext.java:348)
    at com.mongodb.KerberosSubjectProvider.getSubject(KerberosSubjectProvider.java:84)
    at com.mongodb.internal.connection.SaslAuthenticator.getSubject(SaslAuthenticator.java:198)
    ... 25 more&lt;/pre&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;The same code works with mongodb-java-driver-3.12.8.jar&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;Please advise.&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</description>
                <environment></environment>
        <key id="1918551">JAVA-4389</key>
            <summary>Getting com.mongodb.MongoSecurityException: Failed to login Subject when connecting mongoDB</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="jeff.yemin@mongodb.com">Jeffrey Yemin</assignee>
                                    <reporter username="amy">Amy Cui</reporter>
                        <labels>
                            <label>external-user</label>
                    </labels>
                <created>Thu, 4 Nov 2021 20:14:18 +0000</created>
                <updated>Fri, 7 Apr 2023 15:36:56 +0000</updated>
                            <resolved>Mon, 8 Nov 2021 16:30:10 +0000</resolved>
                                                                    <component>Authentication</component>
                                        <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="4175024" author="jeff.yemin" created="Mon, 8 Nov 2021 16:30:10 +0000"  >&lt;p&gt;Glad that you got it working.  I opened &lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4391&quot; title=&quot;Accept &amp;quot;com.sun.security.jgss.initiate&amp;quot; as a default login context name for GSSAPI&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4391&quot;&gt;&lt;del&gt;JAVA-4391&lt;/del&gt;&lt;/a&gt; to address the underlying issue.&lt;/p&gt;

&lt;p&gt;Thanks for reporting this!  I&apos;m sure the fix to &lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4391&quot; title=&quot;Accept &amp;quot;com.sun.security.jgss.initiate&amp;quot; as a default login context name for GSSAPI&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4391&quot;&gt;&lt;del&gt;JAVA-4391&lt;/del&gt;&lt;/a&gt; will help future users.&lt;/p&gt;</comment>
                            <comment id="4174889" author="amy" created="Mon, 8 Nov 2021 15:59:41 +0000"  >&lt;p&gt;Hi Jeff,&lt;/p&gt;

&lt;p&gt;Thank you for your quick response. I tried what you suggested with version 4.3.3 and was able to get it working.&#160; Code snippet:&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;pre&gt;com.mongodb.KerberosSubjectProvider provider= new KerberosSubjectProvider(&quot;com.sun.security.jgss.initiate&quot;);
MongoCredential credential = MongoCredential.createGSSAPICredential(&quot;&amp;lt;&amp;lt;my-kerberos-id&amp;gt;&amp;gt;@&amp;lt;&amp;lt;my-domain&amp;gt;&amp;gt;&quot;);
credential.withMechanismProperty(MongoCredential.JAVA_SUBJECT_PROVIDER_KEY, provider);
return new MongoClient(serverAddresses,credential,options);&lt;/pre&gt;

&lt;p&gt;&#160;&lt;/p&gt;

&lt;p&gt;Thank you&#160;&lt;/p&gt;

&lt;p&gt;Amy&lt;/p&gt;</comment>
                            <comment id="4173163" author="jeff.yemin" created="Sat, 6 Nov 2021 12:28:05 +0000"  >&lt;p&gt;I think I understand what&apos;s going on. In the 4.2 release, we introduced a new feature for caching Kerberos tickets: &lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-3836&quot; title=&quot;Support a Kerberos ticket cache&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-3836&quot;&gt;&lt;del&gt;JAVA-3836&lt;/del&gt;&lt;/a&gt;. One of the consequences of that work is that the driver now by default always creates the Subject instance itself instead of relying on the JDK to do so. The LoginContext is now configured &lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/blob/r4.3.4/driver-core/src/main/com/mongodb/KerberosSubjectProvider.java#L62&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;. Note that the driver uses only &quot;com.sun.security.jgss.krb5.initiate&quot; as its default login context name. In contrast, the JDK looks for both &quot;com.sun.security.jgss.krb5.initiate&quot; &lt;em&gt;and&lt;/em&gt; &quot;com.sun.security.jgss.initiate&quot; (for reasons I&apos;m not sure of). You can find that code &lt;a href=&quot;https://github.com/openjdk/jdk/blob/jdk-17+35/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java#L103-L107&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I think we should change the driver to also accept both, but until then you can work around it in a number of ways:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Change your jaas.conf to configure &quot;com.sun.security.jgss.krb5.initiate&quot;, as mentioned above&lt;/li&gt;
	&lt;li&gt;Configure &lt;tt&gt;com.mongodb.MongoCredential#JAVA_SUBJECT_PROVIDER_KEY&lt;/tt&gt; with an instance of &lt;tt&gt;com.mongodb.KerberosSubjectProvider&lt;/tt&gt; constructed like &lt;tt&gt;new KerberosSubjectProvider(&quot;com.sun.security.jgss.initiate&quot;)&lt;/tt&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;CC &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=luke.prochazka&quot; class=&quot;user-hover&quot; rel=&quot;luke.prochazka&quot;&gt;luke.prochazka&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4172970" author="jeff.yemin" created="Fri, 5 Nov 2021 23:19:49 +0000"  >&lt;p&gt;Also, can you try changing your jaas.conf to configure &lt;tt&gt;com.sun.security.jgss.krb5.initiate&lt;/tt&gt; instead of &lt;tt&gt;com.sun.security.jgss.initiate&lt;/tt&gt;?&lt;/p&gt;</comment>
                            <comment id="4172966" author="jeff.yemin" created="Fri, 5 Nov 2021 23:16:13 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=tcui%40pershing.com&quot; class=&quot;user-hover&quot; rel=&quot;tcui@pershing.com&quot;&gt;tcui@pershing.com&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;Can you try with 4.1 driver, and then either 4.0 (if 4.1 fails) or 4.2 (if 4.1 succeeds)? That will help narrow down where the problem was introduced.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br/&gt;
Jeff&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="1467452">JAVA-3836</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1920518">JAVA-4391</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
    </item>
</channel>
</rss>