RFR 8029994: Support "include" and "includedir" in krb5.conf

Sean Mullan sean.mullan at oracle.com
Thu Apr 17 18:22:15 UTC 2014


* Config.java

- update copyright year
[202] can you log the IOException?

will finish reviewing later ...

--Sean

On 04/10/2014 07:40 AM, Weijun Wang wrote:
> Hi All
>
> Please review the code changes at
>
>     http://cr.openjdk.java.net/~weijun/8029994/webrev.01/
>
> Two major changes made:
>
> 1. The include and includedir directives are supported now. Read
> http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html
> for a description. The part we support in this RFE is:
>
> -----START-----
> The krb5.conf file can include other files using either of the following
> directives at the beginning of a line:
>
> include FILENAME
> includedir DIRNAME
>
> FILENAME or DIRNAME should be an absolute path. The named file or
> directory must exist and be readable. Including a directory includes all
> files within the directory whose names consist solely of alphanumeric
> characters, dashes, or underscores. Included profile files are
> syntactically independent of their parents, so each included file must
> begin with a section header.
> -----END-----
>
> 2. When the same key appears more than once in krb5.conf, Java used to
> choose the last value, while MIT krb5 chooses the first one. While it's
> debatable whether latecomers should be able to override earlier
> definitions or not, it's more important to have consistent behavior
> across implementations. Therefore we adopt the MIT krb5 way. The
> compatibility risk should be very low since it's very unlikely people
> assigns values to duplicate keys in a single krb5.conf file, which is
> what we support before this enhancement.
>
> One code change that might look strange is in the Config constructor:
>
>           } catch (IOException ioe) {
> -            // I/O error, mostly like krb5.conf missing.
> -            // No problem. We'll use DNS or system property etc.
> +            throw new KrbException(ioe);
>           }
>
> Before this, the only possible IOException thrown is
> FileNotFoundException when krb5.conf is not found, but now there can be
> much more. So I move the FNFE check inside the loadConfigFile() method as
>
> +                Path path = Paths.get(fileName);
> +                if (!Files.exists(path)) {
> +                    // This is OK. There are other ways to get
> +                    // Kerberos 5 settings
> +                    return null;
> +                } else {
> +                    return readConfigFileLines(
> +                            fullp, raw, dupsCheck);
> +                }
>
> Thanks
> Max



More information about the security-dev mailing list