RFR: 8274205: Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC

Alexey Bakhtin abakhtin at openjdk.java.net
Fri Sep 24 05:33:47 UTC 2021


On Thu, 23 Sep 2021 19:31:32 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> The code change handles KDC_ERR_SVC_UNAVAILABLE error code (29) received from KDC and resends the initial request to the next KDC in the list. It aligns error code handling with the MIT Kerberos implementation.
>> sun/security/krb5 tests passed
>
> Here it is. Feel free to modify it.`test/jdk/sun/security/krb5/auto/Unavailable.java`:
> 
> 
> /*
>  * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
>  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
>  *
>  * This code is free software; you can redistribute it and/or modify it
>  * under the terms of the GNU General Public License version 2 only, as
>  * published by the Free Software Foundation.
>  *
>  * This code is distributed in the hope that it will be useful, but WITHOUT
>  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
>  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
>  * version 2 for more details (a copy is included in the LICENSE file that
>  * accompanied this code).
>  *
>  * You should have received a copy of the GNU General Public License version
>  * 2 along with this work; if not, write to the Free Software Foundation,
>  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
>  *
>  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
>  * or visit www.oracle.com if you need additional information or have any
>  * questions.
>  */
> 
> /*
>  * @test
>  * @bug 8274205
>  * @summary Handle KDC_ERR_SVC_UNAVAILABLE error code from KDC
>  * @library /test/lib
>  * @compile -XDignore.symbol.file Unavailable.java
>  * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
>  * @run main/othervm -Djdk.net.hosts.file=TestHosts Unavailable
>  */
> 
> import sun.security.krb5.Config;
> import sun.security.krb5.PrincipalName;
> import sun.security.krb5.internal.KRBError;
> import sun.security.krb5.internal.KerberosTime;
> 
> import java.nio.file.Files;
> import java.nio.file.Path;
> import java.util.Locale;
> 
> public class Unavailable {
> 
>     public static void main(String[] args) throws Exception {
> 
>         // Good KDC
>         KDC kdc1 = KDC.create(OneKDC.REALM);
>         kdc1.addPrincipal(OneKDC.USER, OneKDC.PASS);
>         kdc1.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
> 
>         // The "not available" KDC
>         KDC kdc2 = new KDC(OneKDC.REALM, "kdc." + OneKDC.REALM.toLowerCase(Locale.US), 0, true) {
>             @Override
>             protected byte[] processAsReq(byte[] in) throws Exception {
>                 KRBError err = new KRBError(null, null, null,
>                         KerberosTime.now(), 0,
>                         29, // KDC_ERR_SVC_UNAVAILABLE
>                         null, new PrincipalName("krbtgt/" + OneKDC.REALM),
>                         null, null);
>                 return err.asn1Encode();
>             }
>         };
> 
>         Files.write(Path.of(OneKDC.KRB5_CONF), String.format("""
>                 [libdefaults]
>                 default_realm = RABBIT.HOLE
> 
>                 [realms]
>                 RABBIT.HOLE = {
>                     kdc = kdc.rabbit.hole:%d
>                     kdc = kdc.rabbit.hole:%d
>                 }
>                 """, kdc2.getPort(), kdc1.getPort()).getBytes());
>         System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
>         Config.refresh();
> 
>         Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
>     }
> }

@wangweij Thank you a lot for the quick review and test

-------------

PR: https://git.openjdk.java.net/jdk/pull/5658


More information about the security-dev mailing list