Comparing name-type in KerberosPrincipal
Weijun Wang
weijun.wang at oracle.com
Thu Jun 6 08:54:30 UTC 2013
Hi All
Recently we fixed a bug in OpenJDK:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7061379
http://hg.openjdk.java.net/jdk8/tl/jdk/rev/e68db408d08c
Here name-type equality is not checked anymore in the
PrincipalName::equals() method. Since RFC 4120 6.2 says
   ... The name-type SHOULD be
   treated only as a hint to interpreting the meaning of a name. It is
   not significant when checking for equivalence.
It turns out the same problem also exists in the
javax.security.auth.kerberos.KerberosPrincipal::equals() method, where
the spec has
   More formally two KerberosPrincipal instances are equal if the
   values returned by getName() are equal and the values returned by
   getNameType() are equal.
http://docs.oracle.com/javase/7/docs/api/javax/security/auth/kerberos/KerberosPrincipal.html#equals%28java.lang.Object%29
I'm thinking about fixing it also. However, the classes inside the
javax.security.auth.kerberos package are mostly used internally by the
JAAS Krb5LoginModule and I'm not sure how people are using it outside
the JDK. Do you create objects of these classes in your applications or
libraries? Is there any compatibility issue if it also ignores the
name-type check?
Thanks
Max
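
An added example, not part of the original message and not OpenJDK code: it builds two KerberosPrincipal objects with the same name and different name-type hints, then compares them by name only, as the RFC 4120 6.2 text quoted above describes. The class name, the helpers sameName() and isAllowed(), and the principal alice@EXAMPLE.COM are constructed for illustration.

```java
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;

public class NameTypeCompare {

    // Hypothetical helper: equivalence by name only, as RFC 4120 6.2 describes.
    static boolean sameName(KerberosPrincipal a, KerberosPrincipal b) {
        return a != null && b != null && a.getName().equals(b.getName());
    }

    // Hypothetical allow-list check keyed on getName(), so the decision does not
    // depend on the name-type hint or on which equals() contract the JDK implements.
    static boolean isAllowed(Set<String> allowedNames, KerberosPrincipal p) {
        return p != null && allowedNames.contains(p.getName());
    }

    public static void main(String[] args) {
        // Constructed sample name; the realm is given explicitly so that no
        // default realm has to be looked up.
        String name = "alice@EXAMPLE.COM";
        KerberosPrincipal configured =
                new KerberosPrincipal(name, KerberosPrincipal.KRB_NT_PRINCIPAL);
        KerberosPrincipal presented =
                new KerberosPrincipal(name, KerberosPrincipal.KRB_NT_UNKNOWN);

        System.out.println("name types:  " + configured.getNameType()
                + " vs " + presented.getNameType());
        // This result depends on whether the running JDK's equals() still
        // includes getNameType() in the comparison.
        System.out.println("equals():    " + configured.equals(presented));
        System.out.println("sameName():  " + sameName(configured, presented));

        Set<String> allowed = new HashSet<>();
        allowed.add(configured.getName());
        System.out.println("isAllowed(): " + isAllowed(allowed, presented));
    }
}
```

Code that keys an authorization decision on getName() rather than on KerberosPrincipal::equals() behaves the same under either equals() contract.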