code review request: 7144530: KeyTab.getInstance(String) no longer handles keyTabNames with "file:" prefix
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Tue Feb 21 00:13:33 UTC 2012
Looks fine to me.
Thanks,
Valerie
On 02/19/12 20:37, Weijun Wang wrote:
> Hi Valerie
>
> Please take a review on this fix:
>
> http://cr.openjdk.java.net/~weijun/7144530/webrev.00/
>
> I plan to backport it to jdk7u6 once the dev workspace is re-opened.
>
> Thanks
> Max
>
> On 02/14/2012 06:01 PM, weijun.wang at oracle.com wrote:
>>
>> *Change Request ID*: 7144530
>>
>> *Synopsis*: KeyTab.getInstance(String) no longer handles keyTabNames
>> with "file:" prefix
>>
>>
>> === *Description*
>> ============================================================
>> FULL PRODUCT VERSION :
>> java version "1.7.0_02"
>> Java(TM) SE Runtime Environment (build 1.7.0_02-b13)
>> Java HotSpot(TM) 64-Bit Server VM (build 22.0-b10, mixed mode)
>>
>> ADDITIONAL OS VERSION INFORMATION :
>> Microsoft Windows [Version 6.1.7600]
>>
>> A DESCRIPTION OF THE PROBLEM :
>> Under JDK6, sun.security.krb5.internal.ktab.KeyTab.getInstance() used
>> to remove prefixes like "file:" from the keyTabName.
>>
>> Using JDK7 this is no longer the case. Passing a File URI like
>> "file:/..." now results in an empty KeyTab. What happens, is a
>> FileNotFoundException is thrown when reading from the FileInputStream
>> in the constructor. The exception is caught in the constructor and
>> the "isMissing" flag is set to true.
>>
>> However, when the default_keytab_name property is resolved in
>> getDefaultTabName(), prefixes like "file:" *are* removed (by calling
>> the parse method).
>>
>> STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
>> 1. Construct a dummy keytab file using ktab.exe.
>> ktab.exe -a host/user at DOMAIN password -k dummy.keytab
>>
>> 2. Construct a KeyTab using a File URI.
>> KeyTab keyTab = KeyTab.getInstance("file:/C:/workspace/dummy.keytab");
>>
>> 3. Retrieve the entries from the KeyTab.
>> keyTab.getEntries()
>>
>> EXPECTED VERSUS ACTUAL BEHAVIOR :
>> EXPECTED -
>> keyTab.getEntries() should contain the entries of the keytab.
>> ACTUAL -
>> keyTab.getEntries() is always empty, i.e. keyTab.getEntries().length
>> is always zero.
>>
>> However, when using with the absolute path to the same file, i.e.
>> KeyTab.getInstance("C:/workspace/dummy.keytab"), it will correctly
>> read its entries.
>>
>> REPRODUCIBILITY :
>> This bug can be reproduced always.
>>
>> ---------- BEGIN SOURCE ----------
>> import static org.junit.Assert.assertTrue;
>>
>> import org.junit.Test;
>>
>> import sun.security.krb5.internal.ktab.KeyTab;
>>
>> public class KeyTabPrefixBug {
>>
>> private static final String PATH_TO_KEY_TAB =
>> "C:/workspace/dummy.keytab";
>>
>> @Test
>> public void withUriPrefix() throws Exception {
>> KeyTab keyTab = KeyTab.getInstance("file:/" + PATH_TO_KEY_TAB);
>> assertTrue(keyTab.getEntries().length> 0); // fails
>> }
>>
>> @Test
>> public void withoutUriPrefix() throws Exception {
>> KeyTab keyTab = KeyTab.getInstance(PATH_TO_KEY_TAB);
>> assertTrue(keyTab.getEntries().length> 0); // succeeds
>> }
>> }
>> ---------- END SOURCE ----------
>>
>> CUSTOMER SUBMITTED WORKAROUND :
>> Always use file paths (never URIs) when using the Kerberos API.
More information about the security-dev
mailing list