RFR 8181461: sun/security/krb5/auto/KdcPolicy.java fails with java.lang.Exception: Does not match
Sibabrata Sahoo
sibabrata.sahoo at oracle.com
Tue Jun 6 06:57:43 UTC 2017
Change looks fine to me. But I am not the reviewer yet.
Thanks,
Siba
-----Original Message-----
From: Weijun Wang
Sent: Tuesday, June 06, 2017 11:23 AM
To: Security Dev OpenJDK
Cc: Gustavo Galimberti; Sibabrata Sahoo
Subject: RFR 8181461: sun/security/krb5/auto/KdcPolicy.java fails with java.lang.Exception: Does not match
Please take a review on this change:
http://cr.openjdk.java.net/~weijun/8181461/webrev.00/
This is a test bug and the fix is simply:
// 1. Default policy is tryLast ....
writeConf(1, 3000, p1, p3);
- test("a3000c3000c3000|a3000c3000-|a3000c3000c3000-");
+ test("a3000c3000c3000|a3000c3000-|a3000c3000c3000a3000-");
Here, max_retries is 1 and timeout is 3000ms. A is a KDC that never replies, and C is one that usually replies in time.
Here the test client might send out 2 AS_REQs, the initial one and the one with preauth. We should observe these possible results:
(1). C always replies in time:
1. Initial AS_REQ sent to A, timeout (a3000)
2. Initial AS_REQ sent to C, succeed (c3000)
3. AS_REQ with preauth sent to C (try last good), succeed (c3000)
(2). C fails the 1st time:
1. Initial AS_REQ sent to A, timeout (a3000)
2. Initial AS_REQ sent to C, timeout (c3000)
3. Final result is failure (-)
(3). C succeeds for the 1st time but fails later:
1. Initial AS_REQ sent to A, timeout (a3000)
2. Initial AS_REQ sent to C, succeed (c3000)
3. AS_REQ with preauth sent to C (try last good), timeout (c3000)
4. AS_REQ with preauth sent to A, timeout (a3000)
5. Final result is failure (-)
The original test code has a bug with case (3), where it assumes #4 above is not sent, this is wrong. AS_REQ with preauth is a new request different from the initial AS_REQ. The order of preference is changed according to the policy (set to tryLast) but all KDCs will still be tried.
Thanks
Max
More information about the security-dev
mailing list