Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-22117

(7.3.z) JBJCA-1426 - OAUTH marshaling failure when connecting to Oracle database using Kerberos authentication

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 7.3.9.CR1, 7.3.9.GA
    • 7.3.8.GA
    • JCA, Security
    • None
    • False
    • False
    • Documentation (Ref Guide, User Guide, etc.), Release Notes, Compatibility/Configuration
    • Blocks Testing
    • +
    • Undefined
    • Hide

      Download and unzip [^oracle-krb.zip] and any EAP version.

      1. copy keytab KRBUSR01 to JBOSS_HOME
      2. copy krb5.conf to JBOSS_HOME
      3. copy standalone.xml to JBOSS_HOME/standalone/configuration
      4. download Oracle JDBC driver ojdbc8.jar and copy it to JBOSS_HOME/standalone/deployments
      5. start server
      6. run CLI 
        /subsystem=datasources/data-source=TestDatasource:test-connection-in-pool
      Show
      Download and unzip [^oracle-krb.zip] and any EAP version. copy keytab KRBUSR01 to JBOSS_HOME copy krb5.conf to JBOSS_HOME copy standalone.xml to JBOSS_HOME/standalone/configuration download Oracle JDBC driver ojdbc8.jar and copy it to JBOSS_HOME/standalone/deployments start server run CLI /subsystem=datasources/data-source=TestDatasource:test-connection-in-pool 

      Caused by: java.sql.SQLException: OAUTH marshaling failure
        at oracle.jdbc.driver.T4CTTIoauthenticate.validateO5ServerResponse(T4CTTIoauthenticate.java:1650)
        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTHWithO5Logon(T4CTTIoauthenticate.java:1469)
        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1219)
        at oracle.jdbc.driver.T4CTTIoauthenticate.doOAUTH(T4CTTIoauthenticate.java:1173)
        at oracle.jdbc.driver.T4CConnection.authenticateUserForLogon(T4CConnection.java:1030)
        at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:646)
        at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1032)
        at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:90)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:681)
        at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:602)
        at org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory.createLocalManagedConnection(LocalManagedConnectionFactory.java:321)
        ... 238 more

      IronJacamar automatically adds user and password properties to Driver/DataSource connection properties and Oracle JDBC driver (and/or database) seems to be sensitive to the presence of these properties.

      In the case of Kerberos authentication, the user is automatically extracted from Subject and password is set to an empty string. IJ does it on multiple places, I didn't look for the exact place in this case, but one example is BaseWrapperManagedConnectionFactory.java#L1434

      Here is an overview how Oracle Databases and Drivers behave with different combinations of connection properties

      Database version: Oracle 12cR1

      driver/props no properties user password both
      12.2.0.1​ ok ​ ok ​ ok ​ ok
      19.3 ok ​ ok ​ ok ​ ok
      19.10 ok ​ ok ​ ok ​ ok
      21.1 ok ​ ok ​ ok ​ ok

      Database version: Oracle 12cR2

      driver/props no properties user password both
      12.2.0.1​ ok ​ fail ​ ok ​ fail
      19.3 ok ​ fail ​ ok ​ fail
      19.10 ok ​ fail ​ ok ​ fail
      21.1 ok ​ ok ​ ok ​ fail

      Database version: Oracle 19cR3

      driver/props no properties user password both
      12.2.0.1 ​ ok ​ fail ​ ok ​ fail
      19.3 ok ​ fail ​ ok ​ fail
      19.10 ok ​ fail ​ ok ​ fail
      21.1 ok ​ ok ​ ok ​ fail

              rhn-support-ivassile Ilia Vassilev
              rhn-support-ivassile Ilia Vassilev
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: