Code review request: 8012615: Realm.getRealmsList returns realms list in wrong
Weijun Wang
weijun.wang at oracle.com
Mon Jul 29 09:11:42 UTC 2013
Hi Valerie
Please review the capaths code change at
http://cr.openjdk.java.net/~weijun/8012615/webrev.01/
It includes:
Config.java
===========
Add method to check if a sub-stanza exists.
Realm.java
==========
Rewrite reading cross-realm path for both [capaths] and hierarchy. The
[capaths] part implements the chaining process.
CredentialsUtils.java
=====================
When reading cross-realm TGT for a path A->B->C->D->SERVERREALM, the
current impl first gets krbtgt/SERVERREALM at A, and then fallback to
krbtgt/D at A, krbtgt/C at A and krbtgt/B at A. In fact, since the capath is
already there, krbtgt/B at A should be the first to check. I don't know
about the history of this code and dare not change much. But I at least
reverse the order of the fallback (what the code calls inner loop) to
try krbtgt/B at A first.
Tried on a local setup of 5 MIT KDC realms configured with a
one-direction cross-auth from K1 to K5. The MIT kvno command starts with
kinit in K1 and goes thru krbtgt/K2 at K1, krbtgt/K3 at K2, krbtgt/K4 at K3,
krbtgt/K5 at K4 and finally get service ticket to host/host.k5 at K5. Now Java
can do the same with the same krb5.conf.
Thanks
Max
More information about the security-dev
mailing list