RFR 8231508: Spec Clarification : KeyTab:exist() method does not specify about the fallback details

Sean Mullan sean.mullan at oracle.com
Mon Oct 28 13:07:23 UTC 2019


On 10/24/19 10:15 PM, Weijun Wang wrote:
> I added a CSR at https://bugs.openjdk.java.net/browse/JDK-8232994, please review it.
> 
> My point is that not only is it useless but it can also be misleading, so better to remove it than ignore it.

It's fine with me to remove this, but from my reading of the bug report, 
the submitter was more concerned that it is underspecified as to whether 
exist() will return true or false if it is not created with a keytab 
file. Maybe what is also needed is a better description of how a keytab 
file is found. I think that would better address the issue. In your 
comment in the bug report, you actually described how that works, so I 
think it might be a good idea to add that to the KeyTab.exist() 
specification.

--Sean

> 
> Thanks,
> Max
> 
> 
>> On Oct 24, 2019, at 4:16 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
>>
>> Please review the patch below:
>>
>> --- a/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyTab.java
>> +++ b/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyTab.java
>> @@ -303,13 +303,11 @@
>>   
>>       /**
>>        * Checks if the keytab file exists. Implementation of this method
>>        * should make sure that the result matches the latest status of the
>>        * keytab file.
>> -     * <p>
>> -     * The caller can use the result to determine if it should fallback to
>> -     * another mechanism to read the keys.
>> +     *
>>        * @return true if the keytab file exists; false otherwise.
>>        * @throws SecurityException if a security manager exists and the read
>>        * access to the keytab file is not permitted
>>        */
>>       public boolean exists() {
>>
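Review bot: The Javadoc that remains after this hunk ("Checks if the keytab file exists" and "@return true if the keytab file exists; false otherwise") still does not say which file is checked, or what the method returns, when the KeyTab object was not created with a keytab file. Deleting the fallback paragraph takes out the misleading hint but leaves that question open. Consider adding a sentence after "keytab file." that describes how the keytab file is found in that case, so that a caller can tell what a false result means.
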
>> The spec here is not clear and even our own JGSS SubjectComber looks into both KeyTab and KerberosKey and there is no fallback of any kind.
>>
>> Do you think this is worth a CSR?
>>
>> Thanks,
>> Max
>>
> 


