Kerberos Bug Introduced in d777e2918a77?

Seán Coffey sean.coffey at oracle.com
Wed Apr 22 16:27:47 UTC 2015


Daniel,

thanks for the report. It might be best to report this issue via 
http://bugreport.java.com/
Your report will be triaged there. You could also mail the 
security-dev at openjdk.java.net list which has a more suitable audience 
for such reports.

Regards,
Sean.

On 22/04/15 05:10, Daniel Jones wrote:
> Hi all,
>
> Apologies if this is the wrong mailing list - please direct me to the
> correct one if so.
>
> I believe I've found a bug in OpenJDK 1.8.0_40, introduced in commit
> d777e2918a77:
> http://hg.openjdk.java.net/jdk8u/jdk8u40/jdk/file/d777e2918a77/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
>
> The change introduced on line 548 means that an authentication mechanism is
> only accepted if the OID of the mechanism desired is the *first* in the
> list of mechanisms specified as acceptable in the incoming ticket.
>
> In the case of my current client their service tickets are specifying 4
> acceptable mechanism OIDs, but the only available mechanism's OID appears
> second on that list. So whilst the server *can* satisfy the ticket, the
> code change on line 548 prevents this from happening.
>
> Using the same server code, the same Kerberos KDC, and OpenJDK 1.8.0_31,
> everything works. Changing only the JDK results in the mechContext not
> being properly populated, which in turn causes a NullPointerException from
> some Spring Security Kerberos code.
>
> Has anyone else experienced this?
>
>
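The behaviour Daniel describes comes down to how an SPNEGO acceptor walks the client's mechTypes list. The sketch below is an added example, not OpenJDK code and not the change in d777e2918a77: it puts a "first entry only" check beside the RFC 4178 negotiation rule (take the first mechanism in the client's preference order that the acceptor also supports; if that is not the client's first choice, the optimistic token in the NegTokenInit cannot be used and the acceptor answers accept-incomplete naming the selected mechanism). The four OIDs in the client list are well-known SPNEGO mechanism OIDs chosen here to mirror the report (Kerberos in second place); the report itself does not say which OIDs the tickets carried.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical acceptor-side SPNEGO mechanism selection (added example,
 * not the OpenJDK implementation). Mechanisms are handled as dotted OIDs.
 */
public final class SpnegoMechSelection {

    // Well-known mechanism OIDs.
    static final String KRB5_OID    = "1.2.840.113554.1.2.2";
    static final String MS_KRB5_OID = "1.2.840.48018.1.2.2";
    static final String NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10";
    static final String NEGOEX_OID  = "1.3.6.1.4.1.311.2.2.30";

    /** What the acceptor does with the NegTokenInit it received. */
    enum Outcome {
        OPTIMISTIC_TOKEN_USABLE, // client's first choice is supported: process its mechToken
        ACCEPT_INCOMPLETE,       // supported mech found later in the list: ask client for a token for it
        REJECT                   // no common mechanism
    }

    static final class Selection {
        final Outcome outcome;
        final String mech; // null when rejected

        Selection(Outcome outcome, String mech) {
            this.outcome = outcome;
            this.mech = mech;
        }

        @Override
        public String toString() {
            return outcome + (mech == null ? "" : " (" + mech + ")");
        }
    }

    /** Strict variant as described in the report: only the client's first listed mechanism counts. */
    static Selection selectFirstOnly(List<String> clientMechTypes, Set<String> acceptorMechs) {
        if (clientMechTypes.isEmpty()) {
            return new Selection(Outcome.REJECT, null);
        }
        String first = clientMechTypes.get(0);
        return acceptorMechs.contains(first)
                ? new Selection(Outcome.OPTIMISTIC_TOKEN_USABLE, first)
                : new Selection(Outcome.REJECT, null);
    }

    /** RFC 4178 rule: first mechanism in the client's preference order that the acceptor supports. */
    static Selection selectNegotiated(List<String> clientMechTypes, Set<String> acceptorMechs) {
        for (int i = 0; i < clientMechTypes.size(); i++) {
            String mech = clientMechTypes.get(i);
            if (acceptorMechs.contains(mech)) {
                // Only the first entry may carry a usable optimistic token.
                Outcome outcome = (i == 0) ? Outcome.OPTIMISTIC_TOKEN_USABLE : Outcome.ACCEPT_INCOMPLETE;
                return new Selection(outcome, mech);
            }
        }
        return new Selection(Outcome.REJECT, null);
    }

    public static void main(String[] args) {
        // Constructed to mirror the report: four OIDs offered, Kerberos second,
        // and Kerberos is the only mechanism this acceptor has available.
        List<String> clientMechTypes = Arrays.asList(NEGOEX_OID, KRB5_OID, MS_KRB5_OID, NTLMSSP_OID);
        Set<String> acceptorMechs = new LinkedHashSet<>(Arrays.asList(KRB5_OID));

        System.out.println("first-only : " + selectFirstOnly(clientMechTypes, acceptorMechs));
        System.out.println("negotiated : " + selectNegotiated(clientMechTypes, acceptorMechs));
    }
}
```

With the constructed input the strict variant rejects the negotiation even though both sides share Kerberos, while the negotiated variant selects Kerberos and returns accept-incomplete so the client can send a Kerberos token on the next round. When diagnosing a failure like the one reported, comparing the acceptor's supported mechanism set against the full mechTypes list in the client's NegTokenInit (not just its first entry) is the quickest way to tell a genuine mismatch from a selection-order problem.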