Kerberos Bug Introduced in d777e2918a77?

Daniel Jones deejay at binarytweed.com
Wed Apr 22 18:39:58 UTC 2015


Thanks for the reply.

I've raised it as a bug through the online form, but sadly because of the
nature of the bug I couldn't provide a repeatable test in a reasonable
amount of time. Do you think it will still get taken seriously?

Thanks again.
On 22 Apr 2015 17:27, "Seán Coffey" <sean.coffey at oracle.com> wrote:

> Daniel,
>
> thanks for the report. It might be best to report this issue via
> http://bugreport.java.com/
> Your report will be triaged there. You could also mail the
> security-dev at openjdk.java.net list which has a more suitable audience for
> such reports.
>
> Regards,
> Sean.
>
> On 22/04/15 05:10, Daniel Jones wrote:
>
>> Hi all,
>>
>> Apologies if this is the wrong mailing list - please direct me to the
>> correct one if so.
>>
>> I believe I've found a bug in OpenJDK 1.8.0_40, introduced in commit
>> d777e2918a77:
>>
>> http://hg.openjdk.java.net/jdk8u/jdk8u40/jdk/file/d777e2918a77/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
>>
>> The change introduced on line 548 means that an authentication mechanism
>> is only accepted if the OID of the mechanism desired is the *first* in the
>> list of mechanisms specified as acceptable in the incoming ticket.
>>
>> In the case of my current client their service tickets are specifying 4
>> acceptable mechanism OIDs, but the only available mechanism's OID appears
>> second on that list. So whilst the server *can* satisfy the ticket, the
>> code change on line 548 prevents this from happening.
>>
>> Using the same server code, the same Kerberos KDC, and OpenJDK 1.8.0_31,
>> everything works. Changing only the JDK results in the mechContext not
>> being properly populated, which in turn causes a NullPointerException from
>> some Spring Security Kerberos code.
>>
>> Has anyone else experienced this?
>>
>>
>>
>
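The situation described in the thread, modelled as an added example (Python, not the OpenJDK SpNegoContext code): an RFC 4178 acceptor chooses the first client-listed mechanism it supports, but the optimistic mechToken in NegTokenInit is only valid for the first entry of mechTypes, so when the chosen mechanism sits elsewhere in the list the correct outcome is accept-incomplete and another round trip, not a rejection. The OIDs are real; the four-entry client list order and the token bytes are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Real mechanism OIDs (RFC 4121 Kerberos, MS-KRB5, NEGOEX, NTLMSSP).
# The client list built from them below is constructed for this example.
MS_KRB5 = "1.2.840.48018.1.2.2"
KRB5 = "1.2.840.113554.1.2.2"
NEGOEX = "1.3.6.1.4.1.311.2.2.30"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"


@dataclass
class NegTokenInit:
    mech_types: Sequence[str]    # initiator's preference-ordered mechanism list
    mech_token: Optional[bytes]  # optimistic token, valid only for mech_types[0]


@dataclass
class NegTokenResp:
    neg_state: str               # "accept-completed" | "accept-incomplete" | "reject"
    supported_mech: Optional[str]
    response_token: Optional[bytes]


def negotiate(init: NegTokenInit, acceptor_mechs: Sequence[str]) -> NegTokenResp:
    """Acceptor-side mechanism selection per RFC 4178 section 4.2 (simplified)."""
    chosen = next((m for m in init.mech_types if m in acceptor_mechs), None)
    if chosen is None:
        return NegTokenResp("reject", None, None)
    if chosen == init.mech_types[0] and init.mech_token is not None:
        # The optimistic token belongs to the first mechanism, so it can be
        # consumed now. A single-round mechanism is assumed for this model.
        return NegTokenResp("accept-completed", chosen,
                            b"mech-response(" + init.mech_token + b")")
    # Chosen mechanism is not the first: the optimistic token is for a
    # different mechanism and must be ignored, so ask for a fresh token
    # instead of failing the context.
    return NegTokenResp("accept-incomplete", chosen, None)


if __name__ == "__main__":
    # Constructed scenario: four client OIDs, acceptor only speaks KRB5, which is second.
    init = NegTokenInit([MS_KRB5, KRB5, NEGOEX, NTLMSSP], b"AP-REQ")
    print(negotiate(init, [KRB5]))
```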