Potential issues with javax.crypto under StructuredTaskScope/JDK22

Alan Bateman Alan.Bateman at oracle.com
Thu May 2 18:59:40 UTC 2024



On 02/05/2024 19:33, Chris Marshall wrote:
> :
>
> Last week I upgraded the application to be compiled by JDK22, and run 
> on JDK22. Immediately, we started to see failures from within the 
> User-SRP auth code /only when it was run on a virtual thread from 
> within a StructuredTaskScope./ The failures are merely that the code 
> appears to have calculated the wrong authentication response (i.e. AWS 
> Cognito returns a message to the effect that we have the wrong 
> username or password). It is not possible that this could be the case, 
> because the same application, using the same username/password combo 
> is able to successfully authenticate to AWS Cognito using User-SRP 
> auth from a platform thread.
>
Thanks for reporting a potential issue.

You say that the code was running correctly on JDK 21. Was this in the 
context of virtual threads and using StructuredTaskScope? I'm trying to 
understand from your mail if you were using virtual threads with JDK 21 
and whether you were using StructuredTaskScope in JDK 21 too.

"wrong username or password" hints that maybe this is some kind of 
inheritance issue, I'm specifically thinking of the inherited access 
control context. Would it be possible to search the code and libraries 
that are in use here to see if they are using the 
javax.security.auth.Subject API? It's just a wild guess at this point 
but I think it might give some clues as to where inheritance might be 
coming from.

-Alan
