[9] RFR: 8075299: Additional tests for 6857795
Artem Smotrakov
artem.smotrakov at oracle.com
Thu Sep 10 12:18:30 UTC 2015
Hi Max,
It seems that kinit doesn't print any info about ticket flags [1] (I am
not sure that it is a good idea to rely on
-Dsun.security.krb5.debug=true here). But klist does. I updated the test
to run klist which checks tickets for forwardable and proxiable flags.
http://cr.openjdk.java.net/~asmotrak/8075299/webrev.02/
[1] http://docs.oracle.com/javase/8/docs/technotes/tools/windows/kinit.html
Artem
On 09/10/2015 11:48 AM, Wang Weijun wrote:
> Everything is fine. Some answers inline:
>
>> On Aug 6, 2015, at 9:42 PM, Artem Smotrakov <artem.smotrakov at oracle.com> wrote:
>>
>> By the way, as far as I know, currently it is not possible to specify a port number in "java.security.krb5.kdc”.
> Yep.
>
>> What do you think?
> I have thought about analyzing the strings and treat one as port if it’s only digits. For example, a:1:b:c means a:1, b and c. a:1:2 looks invalid but accept it for compatibility and treat it as a:1 and 2, at least if a:1 works 2 will not be touched.
>
>>> The conf file only contains realm and kdc and nothing else. If both conf file and system properties are provided, how do you prove the conf file is also read and not ignored?
>> The test doesn't check it. I see the following ways to check it:
>> - Corrupt krb5 conf, and run kinit with it. I suppose it should fail.
>> - Add some extra parameters to krb5, run kinit, and then try to use obtained data, and check that those extra parameters were used (I am not sure about details right now, need to do some experiments)
>>
>> What do you think?
> You can add forwardable=true and check if the output is indeed forwardable. In case it’s default true, try again with forwardable=false. :-)
>
> Thanks
> Max
>
More information about the security-dev
mailing list