RFR 8048073: Cannot read ccache entry with a realm-less service name
Wang Weijun
weijun.wang at oracle.com
Wed Jun 25 10:42:12 UTC 2014
On Jun 25, 2014, at 17:05, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> On 6/25/2014 4:48 PM, Wang Weijun wrote:
>> Please review the fix at
>>
>> http://cr.openjdk.java.net/~weijun/8048073/webrev.00/
>>
> Looks fine to me. It would be nice to add more comment about why you
> want to ignore the principal
> if (cpname == null || spname == null)
OK.
Thanks
Max
>
> Xuelei
>
>> Running native krb5 could generate a ccache file like this
>>
>> Valid starting Expires Service principal
>> 06/25/14 14:05:06 06/26/14 00:05:06 krbtgt/K1 at K1
>> 06/25/14 14:12:35 06/26/14 00:05:06 HTTP/localhost@
>> 06/25/14 14:12:35 06/26/14 00:05:06 HTTP/localhost at K1
>>
>> Please note the 2nd ticket has a service principal with no realm. I guess it's a result of kerberos referral. Since OpenJDK does not support referral (yet), the PricipalName always has a realm and reading such a ccache throws out an exception. After this fix such entries are ignored and Java's klist would show
>>
>> [1] Service Principal: krbtgt/K1 at K1
>> Valid starting: Jun 25, 2014 14:05:06
>> Expires: Jun 26, 2014 00:05:06
>> [2] Service Principal: HTTP/localhost at K1
>> Valid starting: Jun 25, 2014 14:12:35
>> Expires: Jun 26, 2014 00:05:06
>>
>> Thanks
>> Max
>>
>
More information about the security-dev
mailing list