Bug | Resolution: Fixed | P4 | 6 | None | beta | generic | generic
When checking ServicePermission for the creation of non-default acceptor credentials, the current Java Kerberos implementation (Krb5MechFactory) uses the GSS name string as the permission target instead of the canonicalized Kerberos principal name. Since ServicePermission is specific to the Kerberos mechanism, the target should be the Kerberos principal name (for a host-based GSS name such as sample@hoth, the principal of the form sample/hoth@REALM), not the mechanism-independent GSS name. A policy that grants accept on the Kerberos principal therefore does not satisfy the check, and credential creation is denied.
For example:
========================================
GSSManager manager = GSSManager.getInstance();
GSSName acceptorName = manager.createName("sample@hoth", GSSName.NT_HOSTBASED_SERVICE);
...
GSSCredential cred = manager.createCredential(acceptorName, GSSContext.INDEFINITE_LIFETIME, (Oid[]) mechs, GSSCredential.ACCEPT_ONLY);
========================================
would produce the following stack trace:
Exception in thread "main" java.security.AccessControlException: access denied (javax.security.auth.kerberos.ServicePermission sample@hoth accept)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:296)
    at java.security.AccessController.checkPermission(AccessController.java:441)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
    at sun.security.jgss.krb5.Krb5MechFactory.checkAcceptCredPermission(Krb5MechFactory.java:115)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:79)
    at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
    at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:389)
    at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:60)
    at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:108)
    at TestNativeSpi.getAcceptorContext(TestNativeSpi.java:182)
    at TestNativeSpi.testContext(TestNativeSpi.java:227)
    at TestNativeSpi.main(TestNativeSpi.java:374)
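The following is an added example, not code from the bug report or the JDK, showing why the denial above happens: a policy grant written against the Kerberos principal name does not imply a ServicePermission whose target is the raw GSS host-based name, which is what the pre-fix Krb5MechFactory asked for. The realm EXAMPLE.COM and the toKerberosPrincipal helper (a hand-written stand-in for the mechanism's canonicalization of "service@host" to "service/host@REALM") are assumptions made for illustration; it does not need a krb5.conf to run.

```java
import javax.security.auth.kerberos.ServicePermission;

/*
 * Added example (not from the bug report or the JDK). The realm and the
 * name-mapping helper below are assumptions for illustration only.
 */
public class AcceptorPermissionDemo {

    /**
     * Map a GSS-API host-based service name "service@host" to the Kerberos
     * principal "service/host@REALM". This mirrors the shape of the Krb5
     * mechanism's canonicalization; the lower-casing of the host and the
     * caller-supplied realm are assumptions of this example.
     */
    static String toKerberosPrincipal(String hostBased, String realm) {
        int at = hostBased.indexOf('@');
        if (at < 0) {
            throw new IllegalArgumentException("not a host-based name: " + hostBased);
        }
        String service = hostBased.substring(0, at);
        String host = hostBased.substring(at + 1).toLowerCase();
        return service + "/" + host + "@" + realm;
    }

    /** Does a policy grant on the Kerberos principal satisfy a check made with the given target? */
    static boolean grantCovers(String grantedPrincipal, String checkedTarget) {
        ServicePermission granted = new ServicePermission(grantedPrincipal, "accept");
        ServicePermission checked = new ServicePermission(checkedTarget, "accept");
        return granted.implies(checked);
    }

    public static void main(String[] args) {
        String gssName = "sample@hoth";                                   // as in the report
        String krbName = toKerberosPrincipal(gssName, "EXAMPLE.COM");     // sample/hoth@EXAMPLE.COM

        // Pre-fix behaviour: Krb5MechFactory checks the GSS name string.
        System.out.println("policy grants " + krbName + ", check targets " + gssName
                + ": " + grantCovers(krbName, gssName));

        // Post-fix behaviour: the check targets the canonicalized Kerberos principal.
        System.out.println("policy grants " + krbName + ", check targets " + krbName
                + ": " + grantCovers(krbName, krbName));
    }
}
```

The first check reproduces the denial in the stack trace: ServicePermission.implies requires the target names to match exactly (or a "*" grant), so a policy entry such as permission javax.security.auth.kerberos.ServicePermission "sample/hoth@EXAMPLE.COM", "accept" cannot cover a check made against "sample@hoth". With the fix, the second form is what Krb5MechFactory asks for, and the same policy entry is sufficient; deployments that worked around the bug by granting the GSS name string should switch their policy to the Kerberos principal name.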