RFR 8181461: sun/security/krb5/auto/KdcPolicy.java fails with java.lang.Exception: Does not match

Xuelei Fan xuelei.fan at oracle.com
Tue Jun 6 07:25:06 UTC 2017


Please update the copyright year.  Otherwise, looks fine to me.

Xuelei

On 6/5/2017 10:53 PM, Weijun Wang wrote:
> Please review this change:
> 
>     http://cr.openjdk.java.net/~weijun/8181461/webrev.00/
> 
> This is a test bug and the fix is simply:
> 
>           // 1. Default policy is tryLast
> ....
>           writeConf(1, 3000, p1, p3);
> -        test("a3000c3000c3000|a3000c3000-|a3000c3000c3000-");
> +        test("a3000c3000c3000|a3000c3000-|a3000c3000c3000a3000-");
> 
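
Review bot: the expected string passed to test() after writeConf(1, 3000, p1, p3) now has three alternatives, but nothing beside the call says which run each one stands for; the only comment in the hunk is "// 1. Default policy is tryLast". Suggest a short comment above the call naming the three outcomes (C replies both times; C times out on the initial AS_REQ; C answers the initial AS_REQ but times out on the one with preauth, so A is tried again), so that the trailing a3000 in the third alternative does not read as a typo to the next person who touches this test.
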
> Here, max_retries is 1 and timeout is 3000ms. A is a KDC that never 
> replies, and C is one that usually replies in time.
> 
> Here the test client might send out 2 AS_REQs, the initial one and the 
> one with preauth. We should observe these possible results:
> 
> (1). C always replies in time:
> 
>    1. Initial AS_REQ sent to A, timeout (a3000)
>    2. Initial AS_REQ sent to C, succeed (c3000)
>    3. AS_REQ with preauth sent to C (try last good), succeed (c3000)
> 
> (2). C fails the 1st time:
> 
>    1. Initial AS_REQ sent to A, timeout (a3000)
>    2. Initial AS_REQ sent to C, timeout (c3000)
>    3. Final result is failure (-)
> 
> (3). C succeeds for the 1st time but fails later:
> 
>    1. Initial AS_REQ sent to A, timeout (a3000)
>    2. Initial AS_REQ sent to C, succeed (c3000)
>    3. AS_REQ with preauth sent to C (try last good), timeout (c3000)
>    4. AS_REQ with preauth sent to A, timeout (a3000)
>    5. Final result is failure (-)
> 
> The original test code has a bug with case (3), where it assumes #4 
> above is not sent; this is wrong. AS_REQ with preauth is a new request 
> different from the initial AS_REQ. The order of preference is changed 
> according to the policy (set to tryLast) but all KDCs will still be tried.
> 
> Thanks
> Max
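
The three cases described above, as a small model added here for illustration (not code from KdcPolicy.java or the JDK). It assumes the expected string is matched as a whole-string regular expression and that tryLast moves the last KDC that answered to the front of the list; `login`, `send` and `unmatched` are hypothetical names.

```python
import re

TIMEOUT_MS = 3000        # timeout from writeConf(1, 3000, p1, p3)
KDCS = ["a", "c"]        # configured order: a never replies, c usually does

OLD = "a3000c3000c3000|a3000c3000-|a3000c3000c3000-"
NEW = "a3000c3000c3000|a3000c3000-|a3000c3000c3000a3000-"

def send(order, c_replies, trace):
    """Try each KDC once (max_retries = 1); return the KDC that answered."""
    for kdc in order:
        trace.append(f"{kdc}{TIMEOUT_MS}")
        if kdc == "c" and c_replies.pop(0):
            return kdc
    return None

def login(c_behaviour):
    """Trace one login: the initial AS_REQ, then the AS_REQ with preauth."""
    c_replies, trace, last_good = list(c_behaviour), [], None
    for _request in ("initial", "preauth"):
        # Assumed tryLast model: last good KDC first, the rest in configured
        # order. Every KDC is still tried for each new request.
        order = sorted(KDCS, key=lambda k: k != last_good)
        last_good = send(order, c_replies, trace)
        if last_good is None:
            trace.append("-")          # final result is failure
            break
    return "".join(trace)

def all_traces():
    """Cases (1), (2), (3): how c answers each request it receives."""
    return {login(b) for b in [(True, True), (False,), (True, False)]}

def unmatched(pattern):
    """Traces the model can produce that the expected pattern rejects."""
    return sorted(t for t in all_traces() if not re.fullmatch(pattern, t))

if __name__ == "__main__":
    print("old pattern misses:", unmatched(OLD))
    print("new pattern misses:", unmatched(NEW))
```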


