I am trying to interact with a SolrCloud cluster with Kerberos enabled. I have configured my client Java process with jaas.conf and krb5.conf files using the options:
-Djava.security.auth.login.config=<path to jaas.conf>
-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf=<path to krb5.conf>
I receive a forbidden error in client logs. Server logs show the following error:
Authentication exception: GSSException: Defective token detected (Mechanism level: Invalid SPNEGO NegTokenInit token : extra data given to DerValue constructor)
On enabling debug logging in the client and server process, I see that the server is receiving a smaller token than what the client is sending. Example:
Found KeyTab solr.keytab for HTTP/<hostname>@REALM
Found KeyTab solr.keytab for HTTP/<hostname>@REALM
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 04 b9 30 82 04 b5 a0 0d 30 0b 06 09 2a 86 48 86 f7 12 01 02 02 a1 04 03 02 01 f6 a2 82 04 9c 04 82 04 98 60 82 04 94 06 09 2a 86
Found KeyTab solr.keytab for HTTP/<hostname>@REALM
Found KeyTab solr.keytab for HTTP/<hostname>@REALM
Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token = a0 82 04 b9 30 82 04 b5 a0 0d 30 0b 06 09 2a 86 48 86 f7 12 01 02 02 a1 04 03 02 01 f6 a2 82 04 9c 04 82 04 98 60 82 04 94 06 09 2a 86
The client is sending a much longer token. I verified this from the client debug logs, where the token being sent is much longer, and also by looking at the HTTP request header.
By looking at the source code, I see that the error is caused by the following lines:
https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/sun/security/util/DerValue.java#L383
https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/sun/security/jgss/spnego/NegTokenInit.java#L143
https://github.com/frohoff/jdk8u-jdk/blob/master/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java#L512
The same Solr nodes that I am trying to connect to programmatically are accessible via the browser, and server logs show that they receive the full token. I am using Java 1.8.0_111 and also tried Java 1.8.0_11.
After taking a TCP dump and looking at the request that was being sent from the client, I found out that the underlying HTTP client library was truncating the base64-encoded Kerberos token to 76 characters per line and then adding CRLF characters. More info in this answer. Using a newer version of commons-codec (which is used by the Apache HttpClient library) fixed it.