chaos of JAAS with multiple login modules, for example, unbound krb5 login

Weijun Wang weijun.wang at oracle.com
Tue Nov 13 05:23:23 UTC 2012 

A new getPrincipal() method is add. Here is the CCC:

    http://ccc.us.oracle.com/8001104

Please review it.

There is one style I am not sure of. Now it shows

     /*
      * ...
      * @throws NullPointerException if the {@code file} argument is null
      * @throws IllegalArgumentException if {@code princ} is null
      */
     public static KeyTab getInstance(KerberosPrincipal princ, File file);

So it throws different exceptions when either of the arguments is null. 
I don't want to change the old NPE for file, but it seems IAE is the 
correct behavior for this "optional" argument when there are overloaded 
methods.

Thanks
Max


On 11/13/2012 02:50 AM, Sean Mullan wrote:
> On 11/08/2012 09:53 PM, Weijun Wang wrote:
>> Hi All
>>
>> In JAAS where multiple login modules are required, after the login is
>> successful, all principals, public and private creds are stuffed inside
>> a subject with no order or pairing, and we have no clue to find out
>> which creds belongs to which principal.
>>
>> I'm talking about this because I'm working on 8001104, which is the
>> GSS/krb5 part of unbound SASL, and meet a problem.
>>
>> For example, support I have 2 Krb5LoginModules. In the first one,
>> principal is *, and keytab contains keys for A,B. The second one's
>> principal is C, and keytab contains keys for C, D, E. Therefore after
>> the login, it would allow a JGSS acceptor to act as either A, B or C
>> (unless keys dynamically appear in the first keytab later).
>>
>> After the login, the Subject will contain:
>>
>>     Principal: KerberosPrincipal(C)
>>     KeyTab: KeyTab1 (with A,B), KeyTab2 (with C,D,E)
>>
>> Now, if a connection to D is coming, I cannot reject it.
>>
>> Even if I add a KerberosPrincipal(*) there, I don't know it's meant for
>> A and B only.
>>
>> For this particular problem, I'm suggesting we add a new property to the
>> KeyTab object that serves as a who-am-i-for so that the KeyTab is
>> restricted to be used by someone. With this change, the KeyTab in the
>> Subject will be
>>
>>     KeyTab: KeyTab1 (with A,B for *), KeyTab2 (with C,D,E for C)
>>
>> Then I'll know A and B are welcomed but not D and E.
>>
>> This would need two new APIs:
>>
>> class javax.security.auth.kerberos.KeyTab {
>>     public static KeyTab getInstance(KerberosPrincipal princ, File file);
>>     public static KeyTab getInstance(KerberosPrincipal princ);
>> }
>>
>> If you think this is OK, I'll file a CCC.
>>
>> Of course, your opinion and suggestion on the generalized JAAS level are
>> more welcomed.
>
> Off-hand it seems fine to me. Wouldn't you also need a new KeyTab method
> to return the KerberosPrincipal?
>
> --Sean
>

More information about the security-dev mailing list