RFR 8078439: Kerberos auth fails if client proposes MS krb5 OID
Weijun Wang
weijun.wang at oracle.com
Sat Apr 25 04:19:37 UTC 2015
Hi All
Please review a fix at
http://cr.openjdk.java.net/~weijun/8078439
This is a regression triggered by JDK-8048194. In SPNEGO, a client might
send NegTokenInit with OIDs being {MS_KRB5_OID, KRB5_OID} along with a
krb5 AP-REQ as mechToken. Java did not understand MS_KRB5_OID but before
JDK-8048194 it blindly accepted the mechToken and everything just went
on fine. After JDK-8048194, it rejects the unknown OID and cannot
establish a security context.
The fix adds a tweak to recognize the MS_KRB5_OID.
*Ivan*:
Can you try out the patch on jdk8u?
Thanks
Max
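The negotiation failure described in the message above, as an added example (it is not the patch under review and not JDK code): a constructed DER MechTypeList {MS_KRB5_OID, KRB5_OID} is decoded, and the acceptor's choice is shown with and without treating MS_KRB5_OID as krb5. The class name, method names and the `aliasMsKrb5` switch are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.Oid;

// Added illustration; class and method names are hypothetical, not JDK internals.
public class MechListDemo {
    static final String KRB5_OID = "1.2.840.113554.1.2.2";   // standard Kerberos V5
    static final String MS_KRB5_OID = "1.2.840.48018.1.2.2"; // Microsoft's krb5 OID

    // Constructed sample: DER MechTypeList (SEQUENCE OF OID) = {MS_KRB5_OID, KRB5_OID}
    static final byte[] MECH_LIST = {
        0x30, 0x16,
        0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x82, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02,
        0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02 };

    // Walk the SEQUENCE body and decode each OID TLV (short-form lengths only).
    static List<Oid> parseMechList(byte[] der) throws GSSException {
        if (der.length < 2 || der[0] != 0x30 || der[1] < 0 || der[1] != der.length - 2)
            throw new IllegalArgumentException("not a short-form DER SEQUENCE");
        List<Oid> oids = new ArrayList<>();
        for (int pos = 2; pos < der.length; ) {
            if (pos + 2 > der.length || der[pos] != 0x06 || der[pos + 1] < 0)
                throw new IllegalArgumentException("expected a short-form OID at " + pos);
            int end = pos + 2 + der[pos + 1];
            if (end > der.length) throw new IllegalArgumentException("truncated OID");
            oids.add(new Oid(Arrays.copyOfRange(der, pos, end))); // Oid(byte[]) takes the full TLV
            pos = end;
        }
        return oids;
    }

    // The optimistic mechToken belongs to the first proposed mechanism, so the
    // acceptor can only consume it if it recognizes that first OID.
    static Oid select(List<Oid> proposed, List<Oid> supported, boolean aliasMsKrb5)
            throws GSSException {
        if (proposed.isEmpty()) return null;
        Oid first = proposed.get(0);
        if (aliasMsKrb5 && first.equals(new Oid(MS_KRB5_OID)))
            first = new Oid(KRB5_OID);                   // treat the MS OID as plain krb5
        return supported.contains(first) ? first : null; // null means: reject the token
    }

    public static void main(String[] args) throws GSSException {
        List<Oid> proposed = parseMechList(MECH_LIST);
        List<Oid> supported = Arrays.asList(new Oid(KRB5_OID));
        System.out.println("proposed:      " + proposed);
        System.out.println("strict check:  " + select(proposed, supported, false));
        System.out.println("with MS alias: " + select(proposed, supported, true));
    }
}
```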