code review request: 7144530: KeyTab.getInstance(String) no longer handles keyTabNames with "file:" prefix

Valerie (Yu-Ching) Peng valerie.peng at oracle.com
Tue Feb 21 00:13:33 UTC 2012


Looks fine to me.
Thanks,
Valerie

On 02/19/12 20:37, Weijun Wang wrote:
> Hi Valerie
>
> Please review this fix:
>
>    http://cr.openjdk.java.net/~weijun/7144530/webrev.00/
>
> I plan to backport it to jdk7u6 once the dev workspace is re-opened.
>
> Thanks
> Max
>
> On 02/14/2012 06:01 PM, weijun.wang at oracle.com wrote:
>>
>> *Change Request ID*: 7144530
>>
>> *Synopsis*: KeyTab.getInstance(String) no longer handles keyTabNames 
>> with "file:" prefix
>>
>>
>> === *Description* ===
>> FULL PRODUCT VERSION :
>> java version "1.7.0_02"
>> Java(TM) SE Runtime Environment (build 1.7.0_02-b13)
>> Java HotSpot(TM) 64-Bit Server VM (build 22.0-b10, mixed mode)
>>
>> ADDITIONAL OS VERSION INFORMATION :
>> Microsoft Windows [Version 6.1.7600]
>>
>> A DESCRIPTION OF THE PROBLEM :
>> Under JDK6, sun.security.krb5.internal.ktab.KeyTab.getInstance() used 
>> to remove prefixes like "file:" from the keyTabName.
>>
>> Using JDK7, this is no longer the case. Passing a File URI like 
>> "file:/..." now results in an empty KeyTab. What happens is that a 
>> FileNotFoundException is thrown when reading from the FileInputStream 
>> in the constructor. The exception is caught in the constructor and 
>> the "isMissing" flag is set to true.
>>
>> However, when the default_keytab_name property is resolved in 
>> getDefaultTabName(), prefixes like "file:" *are* removed (by calling 
>> the parse method).
>>
>> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
>> 1. Construct a dummy keytab file using ktab.exe.
>> ktab.exe -a host/user@DOMAIN password -k dummy.keytab
>>
>> 2. Construct a KeyTab using a File URI.
>> KeyTab keyTab = KeyTab.getInstance("file:/C:/workspace/dummy.keytab");
>>
>> 3. Retrieve the entries from the KeyTab.
>> keyTab.getEntries()
>>
>> EXPECTED VERSUS ACTUAL BEHAVIOR :
>> EXPECTED -
>> keyTab.getEntries() should contain the entries of the keytab.
>> ACTUAL -
>> keyTab.getEntries() is always empty, i.e. keyTab.getEntries().length 
>> is always zero.
>>
>> However, when used with the absolute path to the same file, i.e. 
>> KeyTab.getInstance("C:/workspace/dummy.keytab"), it will correctly 
>> read its entries.
>>
>> REPRODUCIBILITY :
>> This bug can be reproduced always.
>>
>> ---------- BEGIN SOURCE ----------
>> import static org.junit.Assert.assertTrue;
>>
>> import org.junit.Test;
>>
>> import sun.security.krb5.internal.ktab.KeyTab;
>>
>> public class KeyTabPrefixBug {
>>
>>     private static final String PATH_TO_KEY_TAB = "C:/workspace/dummy.keytab";
>>
>>     @Test
>>     public void withUriPrefix() throws Exception {
>>         KeyTab keyTab = KeyTab.getInstance("file:/" + PATH_TO_KEY_TAB);
>>         assertTrue(keyTab.getEntries().length > 0); // fails
>>     }
>>
>>     @Test
>>     public void withoutUriPrefix() throws Exception {
>>         KeyTab keyTab = KeyTab.getInstance(PATH_TO_KEY_TAB);
>>         assertTrue(keyTab.getEntries().length > 0); // succeeds
>>     }
>> }
>> ---------- END SOURCE ----------
>>
>> CUSTOMER SUBMITTED WORKAROUND :
>> Always use file paths (never URIs) when using the Kerberos API.
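
A defensive form of the workaround in the report, as an added example (not JDK code and not the fix under review): it strips a leading "file:" from a keytab name and checks that the file is readable, so a bad name raises an error instead of producing an empty KeyTab. The class and method names are hypothetical, and only the "file:" prefix named in the report is handled.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (hypothetical helper, not JDK code): normalize a keytab name
// before handing it to the Kerberos API, and fail loudly on a missing file.
public class KeytabNames {

    // Strips a leading "file:" (any case) and returns the plain path.
    // Assumption: only the "file:" prefix named in the report is handled.
    static String stripFilePrefix(String name) {
        if (!name.regionMatches(true, 0, "file:", 0, 5)) {
            return name;
        }
        String rest = name.substring(5);
        // A file URI for a Windows path has slashes before the drive letter;
        // drop them so the result is a usable path such as C:/workspace/...
        if (rest.matches("^/+[A-Za-z]:[/\\\\].*")) {
            rest = rest.replaceFirst("^/+", "");
        }
        return rest;
    }

    // Resolves the name and verifies the file is readable, so a wrong path
    // surfaces as an exception rather than as a KeyTab with zero entries.
    static Path requireKeytab(String name) throws IOException {
        Path p = Paths.get(stripFilePrefix(name));
        if (!Files.isReadable(p)) {
            throw new IOException("keytab not readable: " + p);
        }
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: an empty temp file stands in for a real keytab.
        Path tmp = Files.createTempFile("dummy", ".keytab");
        try {
            System.out.println(stripFilePrefix("file:/C:/workspace/dummy.keytab"));
            System.out.println(requireKeytab("file:" + tmp));
            // Constructed non-existent path to exercise the failure branch.
            requireKeytab("file:/no/such/dummy.keytab");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```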



