Sspi.MAX_TOKEN_SIZE too small #261
Comments
|
I'd gladly take a pull request for this, please. |
|
Aside of raising the max, clients should be looping and allocating more memory until they no longer get |
|
See Waffle/waffle@ebedaf7 for an implementation example. |
|
IMHO, the loop-until-it-fits approach ist more like a workaround than having set the MAX_TOKEN_SIZE to a sufficiently large value. The MAX part in the constant's name implies to me, that there is no need for a bigger sized buffer. However, I suggest to check in a recent Windows SDK (sspi.h) what value for MAX_TOKEN_SIZE is defined by Microsoft and use that value for Sspi.MAX_TOKEN_SIZE. |
|
@ehrbar : where's my pull request with the updated value? :) |
|
I think there is no reason to keep this open - from my perspective any hardcoded value is bound to fail. The MSDN/technet articles all suggest, that the value is variable and subject to change. There is a dynamic option: The security package metadata comes with the necessary information:
There is one option in JNA 4.4 and before: With the enhancements from:
will become available and can report the information per package |
|
Per the resources referenced by michael-o, there is a good reason to consider increasing Please could the maintainers reopen this issue? I am happy to submit a PR; especially if a maintainer will provide guidance here as to
Background: after a day or two of remote debugging with a very large client, we have determined that we have run into https://issues.apache.org/jira/browse/HTTPCLIENT-1582 . We intend to temporarily fork the Apache code to work around the issue; we could even patch it to use code similar to Waffle, but this seems unnecessarily complicated, given that a reasonable maximum value exists. |
|
Why not use |
|
@michael-o - sorry, please can you say further what you mean? In our project, we are not calling JNA directly; we use the Apache httpcomponents-client, which contains code very similar to what Waffle had before the patch referred to above. We have tried building the httpclient-win-4.5.3.jar from source patched to use 48*1024 instead of Sspi.MAX_TOKEN_SIZE and this fixes our problem. I am not sure what |
|
I'll repeat my last comment: The required size can be queried from the security package (from MSDN): https://msdn.microsoft.com/en-us/library/windows/desktop/aa380097(v=vs.85).aspx
If you want to hardcode a certain value, you can do it - nobody is stopping apache http client to do exactly that. |
|
OK - I understand that, in principle, using a hard-coded value is a bad idea. However, as it stands, this library provides an obsolete value for this constant and documents it in a way that encourages its misuse. I propose that the documentation of And that the documentation of the If InitializeSecurityContext supports |
|
|
|
From pure JNA perspective the value of |
|
Good question :-) I looked into the header files I have installed and non contains such a definition. I only found references to registry entries, that define that value: https://blogs.technet.microsoft.com/shanecothran/2010/07/16/maxtokensize-and-kerberos-token-bloat/ 12.000 bytes is the default, 48.000 bytes is recommed in the above article. So - we could adjust the value, deprecate the value, remove the value. |
|
Did they remove it? We wouldn't have put this value in there without it existing in a header. If it's not there anymore I would remove it. |
|
I rethought this. 12 kB is the default MaxTokenSize (not present in the headers) and can be overridden in the registry. So the java file represents the "default" value. If someone wants to change it or remove it, I'm willing to review, but I won't do it. |
|
OK. It's your project after all. I can, and did "go reading" to find out why the Apache HttpClient throws an utterly inscrutable error when the token is bigger than it expects, but it would have really helped me if it was more obvious from your docs that this is their bug, not mine, or yours. For the very reason that these are security functions, the maintainers of such projects are reluctant to touch their code unless documentation exists that shows they are getting it wrong and at least hints at what to do about it. |
|
@rolandyoung I think what @matthiasblaesing is saying is that you should PR removal of this value with proper CHANGES if you think that's the right thing to do. The next major release is a good time to do it, this way developers will have to choose the default value and really think about it. Sounds reasonable to me. |
Motivation: We need to correctly mount the .m2/settings.xml file to be able to deploy Modifications: Add missing mounts Result: Be able to release / deploy again
We ran into the problem that a call to Secur32.INSTANCE.InitializeSecurityContext() returned error code W32Errors.SEC_E_INSUFFICIENT_MEMORY in the case one specific user. It turned out that the buffer for the token (argument pOutput) was too small, because that specific user has assigned a large number of group memberships. This was surprising since we used the constant Sspi.MAX_TOKEN_SIZE to allocate the buffer.
This Microsoft KB Article gives an explanantion to this behaviour:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;327825
In JNA, Sspi.MAX_TOKEN_SIZE ist set to 12kBytes, which is the maximum token size in Windows Server 2003. But since then, maximum token size has been increased up to 48kBytes in Windows Server 2012.
In order to allocate enough memory for token buffers, the value of Sspi.MAX_TOKEN_SIZE should be set to 49152.
The text was updated successfully, but these errors were encountered: