code review request: 7144530: KeyTab.getInstance(String) no longer handles keyTabNames with "file:" prefix
Weijun Wang
weijun.wang at oracle.com
Mon Feb 20 04:37:01 UTC 2012
Hi Valerie
Please review this fix:
http://cr.openjdk.java.net/~weijun/7144530/webrev.00/
I plan to backport it to jdk7u6 once the dev workspace is re-opened.
Thanks
Max
On 02/14/2012 06:01 PM, weijun.wang at oracle.com wrote:
>
> *Change Request ID*: 7144530
>
> *Synopsis*: KeyTab.getInstance(String) no longer handles keyTabNames with "file:" prefix
>
>
> === *Description* ============================================================
> FULL PRODUCT VERSION :
> java version "1.7.0_02"
> Java(TM) SE Runtime Environment (build 1.7.0_02-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 22.0-b10, mixed mode)
>
> ADDITIONAL OS VERSION INFORMATION :
> Microsoft Windows [Version 6.1.7600]
>
> A DESCRIPTION OF THE PROBLEM :
> Under JDK6, sun.security.krb5.internal.ktab.KeyTab.getInstance() used to remove prefixes like "file:" from the keyTabName.
>
> Using JDK7 this is no longer the case. Passing a File URI like "file:/..." now results in an empty KeyTab. What happens is that a FileNotFoundException is thrown when reading from the FileInputStream in the constructor. The exception is caught in the constructor and the "isMissing" flag is set to true.
>
> However, when the default_keytab_name property is resolved in getDefaultTabName(), prefixes like "file:" *are* removed (by calling the parse method).
>
> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
> 1. Construct a dummy keytab file using ktab.exe.
> ktab.exe -a host/user@DOMAIN password -k dummy.keytab
>
> 2. Construct a KeyTab using a File URI.
> KeyTab keyTab = KeyTab.getInstance("file:/C:/workspace/dummy.keytab");
>
> 3. Retrieve the entries from the KeyTab.
> keyTab.getEntries()
>
> EXPECTED VERSUS ACTUAL BEHAVIOR :
> EXPECTED -
> keyTab.getEntries() should contain the entries of the keytab.
> ACTUAL -
> keyTab.getEntries() is always empty, i.e. keyTab.getEntries().length is always zero.
>
> However, when used with the absolute path to the same file, i.e. KeyTab.getInstance("C:/workspace/dummy.keytab"), it will correctly read its entries.
>
> REPRODUCIBILITY :
> This bug can be reproduced always.
>
> ---------- BEGIN SOURCE ----------
> import static org.junit.Assert.assertTrue;
>
> import org.junit.Test;
>
> import sun.security.krb5.internal.ktab.KeyTab;
>
> public class KeyTabPrefixBug {
>
>     private static final String PATH_TO_KEY_TAB = "C:/workspace/dummy.keytab";
>
>     @Test
>     public void withUriPrefix() throws Exception {
>         KeyTab keyTab = KeyTab.getInstance("file:/" + PATH_TO_KEY_TAB);
>         assertTrue(keyTab.getEntries().length > 0); // fails
>     }
>
>     @Test
>     public void withoutUriPrefix() throws Exception {
>         KeyTab keyTab = KeyTab.getInstance(PATH_TO_KEY_TAB);
>         assertTrue(keyTab.getEntries().length > 0); // succeeds
>     }
> }
> ---------- END SOURCE ----------
>
> CUSTOMER SUBMITTED WORKAROUND :
> Always use file paths (never URIs) when using the Kerberos API.
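
The workaround from the report, as an added example (not code from the JDK or from this thread): a hypothetical helper, `KeytabNameCheck.resolve`, strips a leading "file:" as the report says JDK6 did and throws when the file is unreadable, so a bad name surfaces immediately instead of as an empty `getEntries()`. The class and method names, the case-insensitive match and the temp file standing in for a keytab are assumptions made for the example.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.nio.file.Files;

/** Hypothetical helper (not JDK code): check a keytab name before passing it to Kerberos APIs. */
public class KeytabNameCheck {

    // Prefix named in the report; matched case-insensitively (assumption).
    private static final String FILE_PREFIX = "file:";

    /** Strips a leading "file:" and fails loudly instead of yielding an empty keytab later. */
    static File resolve(String keyTabName) throws FileNotFoundException {
        String path = keyTabName;
        if (keyTabName.regionMatches(true, 0, FILE_PREFIX, 0, FILE_PREFIX.length())) {
            path = keyTabName.substring(FILE_PREFIX.length());
        }
        File f = new File(path);
        if (!f.isFile() || !f.canRead()) {
            throw new FileNotFoundException("keytab not readable: '" + keyTabName
                    + "' resolved to '" + f.getAbsolutePath() + "'");
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an empty temp file stands in for a real keytab.
        File sample = Files.createTempFile("dummy", ".keytab").toFile();
        sample.deleteOnExit();
        String plain = sample.getAbsolutePath();

        // Prefixed and unprefixed spellings must resolve to the same file.
        System.out.println(resolve(plain).equals(resolve("file:" + plain)));
        System.out.println(resolve(plain).equals(resolve("FILE:" + plain)));

        // A wrong name is rejected here rather than showing up as zero entries.
        try {
            resolve("file:" + plain + ".missing");
        } catch (FileNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Passing `resolve(name).getPath()` to the Kerberos API keeps the caller on plain file paths, which is the form the report says still works on JDK7.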