RFR 8048073: Cannot read ccache entry with a realm-less service name

Wang Weijun weijun.wang at oracle.com
Wed Jun 25 10:42:12 UTC 2014


On Jun 25, 2014, at 17:05, Xuelei Fan <xuelei.fan at oracle.com> wrote:

> On 6/25/2014 4:48 PM, Wang Weijun wrote:
>> Please review the fix at
>> 
>>   http://cr.openjdk.java.net/~weijun/8048073/webrev.00/
>> 
> Looks fine to me.  It would be nice to add more comment about why you
> want to ignore the principal
>   if (cpname == null || spname == null)

OK.

Thanks
Max

> 
> Xuelei
> 
>> Running native krb5 could generate a ccache file like this
>> 
>>  Valid starting     Expires            Service principal
>>  06/25/14 14:05:06  06/26/14 00:05:06  krbtgt/K1 at K1
>>  06/25/14 14:12:35  06/26/14 00:05:06  HTTP/localhost@
>>  06/25/14 14:12:35  06/26/14 00:05:06  HTTP/localhost at K1
>> 
>> Please note the 2nd ticket has a service principal with no realm. I guess it's a result of kerberos referral. Since OpenJDK does not support referral (yet), the PricipalName always has a realm and reading such a ccache throws out an exception. After this fix such entries are ignored and Java's klist would show
>> 
>>  [1]  Service Principal:  krbtgt/K1 at K1
>>       Valid starting:     Jun 25, 2014 14:05:06
>>       Expires:            Jun 26, 2014 00:05:06
>>  [2]  Service Principal:  HTTP/localhost at K1
>>       Valid starting:     Jun 25, 2014 14:12:35
>>       Expires:            Jun 26, 2014 00:05:06
>> 
>> Thanks
>> Max
>> 
> 




More information about the security-dev mailing list