Mac OS X Kerberos SCDynamicStore

Weijun Wang weijun.wang at oracle.com
Thu Mar 14 21:10:37 PDT 2013 

>
>>> 2) Spurious output to stderr
>>
>> This was filed http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7151062.
>>
>> I was waiting for someone familiar with Objective-C to do this, but
>> maybe we can just remove those NSLog calls.
>
> I suppose I might qualify. Most of the usages of NSLog() there will only
> be triggered in unexpected circumstances, eg, the events they log should
> never occur outside of some sort of system failure in the
> SystemConfiguration framework.
>
> There are two cases where returning NULL are expected behavior (eg, not
> an error, there's just no registered configuration) and I don't think
> warrant logging in the native code:
>
> diff -r d79503c4c56f src/macosx/native/java/util/SCDynamicStoreConfig.m
> --- a/src/macosx/native/java/util/SCDynamicStoreConfig.mThu Mar 14
> 11:29:16 2013 -0700
> +++ b/src/macosx/native/java/util/SCDynamicStoreConfig.mThu Mar 14
> 23:08:44 2013 -0400
> @@ -183,7 +183,6 @@
>       CFTypeRef realms = SCDynamicStoreCopyValue(store, (CFStringRef)
> KERBEROS_DEFAULT_REALMS);
>       if (realms == NULL || CFGetTypeID(realms) != CFArrayGetTypeID()) {
> -        NSLog(@"Unable to load realm info from SCDynamicStore");
>           if (realms) CFRelease(realms);
>           CFRelease(store);
>           return NULL;
> @@ -192,7 +191,6 @@
>       CFTypeRef realmMappings = SCDynamicStoreCopyValue(store,
> (CFStringRef) KERBEROS_DEFAULT_REALM_MAPPINGS);
>       if (realmMappings == NULL || CFGetTypeID(realmMappings) !=
> CFArrayGetTypeID()) {
> -        NSLog(@"Unable to load realm mapping info from SCDynamicStore");
>           if (realmMappings) CFRelease(realmMappings);
>           CFRelease(realms);
>           CFRelease(store);
>
> The Java side could still check something like 'sun.security.krb5.debug'
> and log an error if SCDynamicStoreConfig.getKerberosConfig() returns
> NULL, I suppose?

Yes, I had thought there are several different places for returning 
NULL, so some sort of NSLog might be still useful if they can be 
controlled by the Java system property. But maybe SCDynamicStoreCreate 
should never fail?

Also I think the old code has a problem. It returns empty table when 
Kerberos-Default-Realms and Kerberos-Domain-Realm-Mappings keys exist 
but are empty. On my Mac server I turn on Open Directory and then turn 
it off and these two keys exist there with no content.

>
>> BTW, I'm also making changes to SCDynamicStoreConfig.m
>>
>> http://mail.openjdk.java.net/pipermail/security-dev/2013-March/006909.html
>
> For whatever it's worth -- adding a coercions for NSData and NSDate
> would cover the full gamut of the possible return types
> from SCDynamicStoreCopyValue(). All but dates and data are covered by
> your registered coercers (the returned CFPropertyListRef represents
> types of CFData, CFString, CFArray, CFDictionary, CFDate, CFBoolean,
> and/or CFNumber, with CFBoolean being a specialization/subclass of
> CFNumber).

Cool. Can you tell me the exact lines? I have never played with 
Objective-C before.

Thanks
Max

>
> -landonf
>
>
>

More information about the macosx-port-dev mailing list