diff --git a/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/GSSUtils.java b/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/GSSUtils.java
index f51fb1ec38d..c22fbe3cce2 100644
--- a/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/GSSUtils.java
+++ b/appserver/security/ejb.security/src/main/java/com/sun/enterprise/iiop/security/GSSUtils.java
@@ -376,9 +376,11 @@ private static int verifyTokenHeader(Oid oid, byte[] token) throws GSSException
 if (token[index] != 0x06) throw new GSSException(GSSException.DEFECTIVE_TOKEN);
- byte[] buf = new byte[token.length - index];
+ // add first two bytes to the MECH_OID_LEN
+ int oidlen = token[index+1] + 2;
+ byte[] buf = new byte[oidlen];
- System.arraycopy(token, index, buf, 0, token.length - index);
+ System.arraycopy(token, index, buf, 0, oidlen);
 Oid mechoid = getOID(buf);
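Review bot: The new `oidlen` is taken straight from the token's length octet with no validation, so a malformed token can make `new byte[oidlen]` or `System.arraycopy` throw an unchecked exception instead of the `GSSException(DEFECTIVE_TOKEN)` used by the check just above. `token[index+1]` is a signed byte, so any value of 0x80 or above gives a negative `oidlen`, and a truncated token can leave `index + 1` or `index + oidlen` past `token.length`. Since this method parses a token header that presumably arrives from a remote peer, I would guard before the read with `if (index + 1 >= token.length || token[index + 1] < 0) throw new GSSException(GSSException.DEFECTIVE_TOKEN);` and after computing the length with `if (oidlen > token.length - index) throw new GSSException(GSSException.DEFECTIVE_TOKEN);`. Rejecting negative values also rejects long-form DER lengths, which would need separate handling if they are expected here. The body of `verifyTokenHeader` starts and ends outside this hunk, so an earlier bounds check may already cover part of this. The comment would also be clearer as `// OID length octet plus the tag and length octets themselves`.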