RFR 8029994: Support "include" and "includedir" in krb5.conf

Weijun Wang weijun.wang at oracle.com
Thu Apr 10 11:40:00 UTC 2014

Hi All

Please review the code changes at


Two major changes made:

1. The include and includedir directives are supported now. Read 
for a description. The part we support in this RFE is:

The krb5.conf file can include other files using either of the following 
directives at the beginning of a line:

include FILENAME
includedir DIRNAME

FILENAME or DIRNAME should be an absolute path. The named file or 
directory must exist and be readable. Including a directory includes all 
files within the directory whose names consist solely of alphanumeric 
characters, dashes, or underscores. Included profile files are 
syntactically independent of their parents, so each included file must 
begin with a section header.

2. When the same key appears more than once in krb5.conf, Java used to 
choose the last value, while MIT krb5 chooses the first one. While it's 
debatable whether latecomers should be able to override earlier 
definitions or not, it's more important to have consistent behavior 
across implementations. Therefore we adopt the MIT krb5 way. The 
compatibility risk should be very low since it's very unlikely people 
assigns values to duplicate keys in a single krb5.conf file, which is 
what we support before this enhancement.

One code change that might look strange is in the Config constructor:

          } catch (IOException ioe) {
-            // I/O error, mostly like krb5.conf missing.
-            // No problem. We'll use DNS or system property etc.
+            throw new KrbException(ioe);

Before this, the only possible IOException thrown is 
FileNotFoundException when krb5.conf is not found, but now there can be 
much more. So I move the FNFE check inside the loadConfigFile() method as

+                Path path = Paths.get(fileName);
+                if (!Files.exists(path)) {
+                    // This is OK. There are other ways to get
+                    // Kerberos 5 settings
+                    return null;
+                } else {
+                    return readConfigFileLines(
+                            fullp, raw, dupsCheck);
+                }


More information about the security-dev mailing list