Code review request: 7184815 (was Re: OpenJDK krb5 ignore /etc/krb5.conf?)
Weijun Wang
weijun.wang at oracle.com
Thu Aug 2 13:41:33 UTC 2012
Ping again.
On 07/18/2012 02:29 PM, Weijun Wang wrote:
> 7184815: [macosx] Need to read Kerberos config in files
>
> Please take a review:
>
> http://cr.openjdk.java.net/~weijun/7184815/webrev.00/
>
> I break the config setting into Java setting and native setting, and
> insert the reading of SCDynamicStoreConfig between the two. This should
> preserve the 6u behavior and add a fallback to legacy config files.
>
> No new regression test, because of SCDynamicStoreConfig and system
> config files, will ask SQE to create a manual test.
>
> Thanks
> Max
>
>
> On 07/18/2012 08:26 AM, Weijun Wang wrote:
>> I'm not familiar with how Mac does it, but normally there are two ways a
>> Kerberos authentication is performed, through the initial login and
>> through kinit. The former is integrated into the system (a pam module?)
>> and I guess in this case the config is inside SCDynamicStoreConfig. For
>> the latter, the Kerberos clients are regarded as standalone tools and a
>> /etc/krb5.conf is needed.
>>
>> Java works in both ways; if there is already a credentials cache it will
>> happily use it. On the other hand, it also includes the Krb5LoginModule
>> that does all the login itself. Therefore, it should read both styles of
>> config on a Mac.
>>
>> I've filed a new bug. It will appear soon at
>>
>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7184815
>>
>> Thanks
>> Max
>>
>>
>> On 07/17/2012 10:35 PM, Mike Swingler wrote:
>>> On Jul 16, 2012, at 8:32 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>>
>>>> Ping again.
>>>>
>>>> On 07/05/2012 04:34 PM, Weijun Wang wrote:
>>>>> Hi Scott
>>>>>
>>>>> On Mac since Lion, sun.security.krb5.Config tries to locate the config
>>>>> info in this order:
>>>>>
>>>>> 1. java.security.krb5.conf system property
>>>>> 2. ${jre}/lib/security/krb5.conf
>>>>> 3. SCDynamicStoreConfig
>>>>>
>>>>> The main difference from other platforms is that it will not try
>>>>> config files, say, /Library/Preferences/edu.mit.Kerberos or
>>>>> /etc/krb5.conf.
>>>>>
>>>>> On the other hand, even the /usr/bin/kinit that comes with Lion reads
>>>>> the config file (if there is no SCDynamicStoreConfig setting).
>>>>>
>>>>> Is there a special reason for the current Java behavior? I do notice
>>>>> that the Apple 6u33 already does this.
>>>
>>> No special reason I can think of, beyond simply swapping the
>>> implementation to read from the SCDynamicStoreConfig. Java SE 6 had
>>> previously been relying on the system to write out a
>>> /Library/Preferences/edu.mit.Kerberos file, but that went away with OS
>>> X 10.7, so we didn't see much point in reading the file, since little
>>> else on the system would be paying attention to it either for the
>>> purposes of SSO.
>>>
>>> It seems perfectly reasonable that if there are no
>>> SCDynamicStoreConfig entries, falling back to reading the legacy
>>> config files may be a valid option. I'm actually somewhat surprised
>>> that they are consulted by kinit.
>>>
>>> Regards,
>>> Mike Swingler
>>> Apple Inc.
>>>
>>
>