Kerberos Bug Introduced in d777e2918a77?
Daniel Jones
daniel.jones at engineerbetter.com
Wed Apr 22 12:10:51 UTC 2015
Hi all,
Apologies if this is the wrong mailing list - please direct me to the
correct one if so.
I believe I've found a bug in OpenJDK 1.8.0_40, introduced in commit
d777e2918a77:
http://hg.openjdk.java.net/jdk8u/jdk8u40/jdk/file/d777e2918a77/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
The change introduced on line 548 means that an authentication mechanism is
only accepted if the OID of the mechanism desired is the *first* in the
list of mechanisms specified as acceptable in the incoming ticket.
In the case of my current client, their service tickets specify 4
acceptable mechanism OIDs, but the only available mechanism's OID appears
second on that list. So whilst the server *can* satisfy the ticket, the
code change on line 548 prevents this from happening.
Using the same server code, the same Kerberos KDC, and OpenJDK 1.8.0_31,
everything works. Changing only the JDK results in the mechContext not
being properly populated, which in turn causes a NullPointerException from
some Spring Security Kerberos code.
Has anyone else experienced this?
--
Regards,
Daniel Jones
EngineerBetter.com
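The negotiation point raised in the message above, as an added example that is not part of the original post and not the JDK's code: the hypothetical helpers below build and parse a DER-encoded SPNEGO mechTypes list (SEQUENCE OF OID) and contrast a selector that accepts only the initiator's first mechanism with one that accepts any mechanism the acceptor supports, in the initiator's preference order. The mechanism OIDs are the well-known GSS ones; the offered list and the acceptor's available set are constructed for illustration and are not the poster's data.

```python
"""SPNEGO mechTypes matching: first-only versus any-position selection.

Added example with hypothetical helper names; not the JDK's SpNegoContext code.
"""

# Well-known GSS mechanism OIDs in dotted form.
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
KRB5_USER_TO_USER_OID = "1.2.840.113554.1.2.2.3"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def encode_length(n):
    """DER length: short form below 0x80, otherwise long form."""
    if n < 0x80:
        return bytes([n])
    out = []
    while n:
        out.append(n & 0xFF)
        n >>= 8
    return bytes([0x80 | len(out)]) + bytes(reversed(out))


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs fused as 40*a+b, base-128 subids."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [40 * arcs[0] + arcs[1]] + arcs[2:]
    body = bytearray()
    for v in subids:
        chunk = [v & 0x7F]          # last septet has the continuation bit clear
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06]) + encode_length(len(body)) + bytes(body)


def encode_mech_types(oids):
    """MechTypeList ::= SEQUENCE OF MechType (OID), as carried in negTokenInit."""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30]) + encode_length(len(inner)) + inner


def decode_length(buf, pos):
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length form")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_oid_body(body):
    subids, v, pending = [], 0, False
    for b in body:
        v = (v << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(v)
            v = 0
    if pending or not subids:
        raise ValueError("malformed OID")
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(map(str, head + subids[1:]))


def decode_mech_types(der):
    """Parse a DER MechTypeList back into dotted OIDs, rejecting trailing bytes."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = decode_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("length mismatch")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("expected OID")
        l, pos = decode_length(der, pos + 1)
        oids.append(decode_oid_body(der[pos:pos + l]))
        pos += l
    return oids


def select_mech_first_only(offered, available):
    """Strict: succeed only if the initiator's first (preferred) mech is available."""
    return offered[0] if offered and offered[0] in available else None


def select_mech_any(offered, available):
    """Lenient: first mech in the initiator's preference order that the acceptor has."""
    for oid in offered:
        if oid in available:
            return oid
    return None


def demo():
    # Constructed scenario: four offered mechs, Kerberos V5 in second position,
    # and an acceptor that only has the standard Kerberos V5 mechanism.
    offered_der = encode_mech_types(
        [MS_KRB5_OID, KRB5_OID, KRB5_USER_TO_USER_OID, NTLMSSP_OID])
    offered = decode_mech_types(offered_der)
    available = {KRB5_OID}
    return select_mech_first_only(offered, available), select_mech_any(offered, available)


if __name__ == "__main__":
    print(demo())
```

With the constructed list the strict selector returns no mechanism while the lenient one settles on Kerberos V5, which is the difference in outcome the post describes between a match restricted to the first entry and a match over the whole offered list.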