code review request: 7184815 (was Re: OpenJDK krb5 ignore /etc/krb5.conf?)

Weijun Wang weijun.wang at oracle.com
Tue Jul 17 23:29:19 PDT 2012


7184815: [macosx] Need to read Kerberos config in files

Please take a review:

    http://cr.openjdk.java.net/~weijun/7184815/webrev.00/

I split the config setting into a Java setting and a native setting, and 
insert the reading of SCDynamicStoreConfig between the two. This should 
preserve the 6u behavior and add a fallback to legacy config files.

No new regression test, because of SCDynamicStoreConfig and system 
config files; I will ask SQE to create a manual test.

Thanks
Max


On 07/18/2012 08:26 AM, Weijun Wang wrote:
> I'm not familiar with how Mac does it, but normally there are two ways a
> Kerberos authentication is performed, through the initial login and
> through kinit. The former is integrated into the system (a pam module?)
> and I guess in this case the config is inside SCDynamicStoreConfig. For
> the latter, the Kerberos clients are regarded as standalone tools and a
> /etc/krb5.conf is needed.
>
> Java works in both ways, if there is already a credentials cache it will
> happily use it. On the other hand, it also includes the Krb5LoginModule
> that does all the login itself. Therefore, it should read both styles of
> config on a Mac.
>
> I've filed a new bug. It will appear soon at
>
>     http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7184815
>
> Thanks
> Max
>
>
> On 07/17/2012 10:35 PM, Mike Swingler wrote:
>> On Jul 16, 2012, at 8:32 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>>> Ping again.
>>>
>>> On 07/05/2012 04:34 PM, Weijun Wang wrote:
>>>> Hi Scott
>>>>
>>>> On Mac since Lion, sun.security.krb5.Config tries to locate the config
>>>> info in this order:
>>>>
>>>> 1. java.security.krb5.conf system property
>>>> 2. ${jre}/lib/security/krb5.conf
>>>> 3. SCDynamicStoreConfig
>>>>
>>>> The main difference from other platforms is that it will not try config
>>>> files, say, /Library/Preferences/edu.mit.Kerberos or /etc/krb5.conf.
>>>>
>>>> On the other hand, even /usr/bin/kinit comes with Lion reads the config
>>>> file (if there is no SCDynamicStoreConfig setting).
>>>>
>>>> Is there a special reason for the current Java behavior? I do notice
>>>> that the Apple 6u33 already does this.
>>
>> No special reason I can think of, beyond simply swapping the
>> implementation to read from the SCDynamicStoreConfig. Java SE 6 had
>> previously been relying on the system to write out a
>> /Library/Preferences/edu.mit.Kerberos file, but that went away with OS
>> X 10.7, so we didn't see much point in reading the file, since little
>> else on the system would be paying attention to it either for the
>> purposes of SSO.
>>
>> It seems perfectly reasonable that if there are no
>> SCDynamicStoreConfig entries, falling back to reading the legacy
>> config files may be a valid option. I'm actually somewhat surprised
>> that they are consulted by kinit.
>>
>> Regards,
>> Mike Swingler
>> Apple Inc.
>>
>
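An added example, not part of the thread and not the JDK's sun.security.krb5.Config or the code in the webrev: a hypothetical Python re-implementation of the lookup order discussed above, with the java.security.krb5.conf property and ${jre}/lib/security/krb5.conf checked first, the native store (SCDynamicStoreConfig) in between, and the legacy files as the fallback the fix adds. The `native_store` callable, `write_temp_conf`, `demo`, the temp-dir paths and `SAMPLE_CONF` are all constructed for the demonstration so it runs off a Mac; the minimal krb5.conf parser reads only enough to pull out default_realm.

```python
"""Hypothetical Kerberos config lookup in the order discussed in the thread.

This is an added illustration, not the JDK's sun.security.krb5.Config:
  1. the java.security.krb5.conf system property
  2. ${java.home}/lib/security/krb5.conf
  3. the native store (SCDynamicStoreConfig on OS X), when it has entries
  4. the legacy files /Library/Preferences/edu.mit.Kerberos and /etc/krb5.conf
The native store is modelled as a callable so the empty-store case can be
exercised without a Mac.
"""
import os
import tempfile

LEGACY_FILES = ("/Library/Preferences/edu.mit.Kerberos", "/etc/krb5.conf")

# Constructed sample config; not taken from any real deployment.
SAMPLE_CONF = """\
# constructed sample
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser returning {section: {key: value}}.

    Understands [section] headers, key = value lines and '#'/';' comments.
    Keys inside nested '{ ... }' blocks (e.g. under [realms]) are flattened
    into their section, which is enough to read libdefaults.default_realm.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line or closing brace of a nested block
        key, _, value = line.partition("=")
        value = value.strip()
        if value in ("", "{"):
            continue  # opening brace of a nested block
        sections[current][key.strip()] = value
    return sections


def _load_file(path):
    with open(path) as fh:
        return parse_krb5_conf(fh.read())


def locate_config(sys_prop=None, java_home=None, native_store=None,
                  legacy_files=LEGACY_FILES):
    """Return (source, path, config) for the first source that yields config.

    A missing candidate file is simply skipped; that is a simplification of
    this example, the thread does not say how the JDK treats a property
    that points at a non-existent file.
    """
    java_side = []
    if sys_prop:
        java_side.append(("java.security.krb5.conf", sys_prop))
    if java_home:
        java_side.append(("${jre}/lib/security/krb5.conf",
                          os.path.join(java_home, "lib", "security", "krb5.conf")))
    for source, path in java_side:
        if os.path.isfile(path):
            return source, path, _load_file(path)
    # Native settings sit between the Java settings and the legacy files.
    if native_store is not None:
        entries = native_store()
        if entries:
            return "SCDynamicStoreConfig", None, entries
    # Fallback added by 7184815: the legacy config files.
    for path in legacy_files:
        if os.path.isfile(path):
            return "legacy file", path, _load_file(path)
    raise FileNotFoundError("no Kerberos configuration found")


def write_temp_conf(text, name="krb5.conf"):
    """Write a config into a fresh temp dir and return its path (demo helper)."""
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "w") as fh:
        fh.write(text)
    return path


def demo():
    """No property, no JRE file, empty native store: falls through to a
    legacy file, which is exactly the case the fix adds."""
    legacy = write_temp_conf(SAMPLE_CONF)
    no_jre = os.path.join(os.path.dirname(legacy), "nojre")
    source, path, cfg = locate_config(java_home=no_jre,
                                      native_store=lambda: None,
                                      legacy_files=(legacy,))
    return source, path, cfg["libdefaults"]["default_realm"]


if __name__ == "__main__":
    print(demo())
```

The check a practitioner wants from this is which source actually wins: with the property set, the native store is never consulted; with an empty native store, the legacy file is read instead of the lookup failing, which is the 6u behavior Max is preserving plus the new fallback.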
