Bug
Resolution: Fixed
P3
6
b18
x86
windows_2003, windows_xp
Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-2150248 | 6u4 | Weijun Wang | P3 | Resolved | Fixed | b03 |
JDK-2150249 | 5.0u14 | Abhijit Saha | P3 | Resolved | Fixed | b02 |
JDK-2151021 | 1.4.2_18 | Abhijit Saha | P3 | Resolved | Fixed | b05 |
FULL PRODUCT VERSION :
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
jdk-6u1-windows-i586-p.exe
ADDITIONAL OS VERSION INFORMATION :
Windows Server 2003 SP2
A DESCRIPTION OF THE PROBLEM :
We've been using Kerberos for authentication against Windows Active Directory since Java 1.4.
After our last update from 1.5_06 to 1.5_11 (1.5_12 was also checked), the Krb5LoginModule doesn't set the error cause for a locked-out or disabled user account in the KrbException any more.
To make things clearer, I have included part of the stack trace from a login attempt against a locked-out account (wrong passwords tried too often):
1) How it's expected (1.5_06):
...
Caused by: javax.security.auth.login.LoginException: Clients credentials have been revoked (18)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:652)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at de.siemens.med.pacs.ssc.access.authentication.BasicAuthentication.authenticate(BasicAuthentication.java:151)
at de.siemens.med.pacs.ssc.access.authentication.KerberosAuthentication.authenticateUser(KerberosAuthentication.java:370)
... 31 more
Caused by: KrbException: Clients credentials have been revoked (18)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:64)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:345)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:370)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:642)
... 44 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.aj.a(DashoA12275:133)
at sun.security.krb5.internal.ax.a(DashoA12275:58)
at sun.security.krb5.internal.ax.<init>(DashoA12275:53)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:50)
... 47 more
2) How it is since 1.5_11:
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.login.LoginException: Identifier doesn't match expected value (906)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at de.siemens.med.pacs.ssc.access.authentication.BasicAuthentication.authenticate(BasicAuthentication.java:151)
at de.siemens.med.pacs.ssc.access.authentication.KerberosAuthentication.authenticateUser(KerberosAuthentication.java:370)
... 31 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.PAData.<init>(PAData.java:80)
at sun.security.krb5.internal.KRBError.<init>(KRBError.java:192)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:53)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:405)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:355)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 44 more
The part "Caused by: KrbException: Clients credentials have been revoked (18)" is missing, and it's not possible to get the desired information (account locked out or disabled) from the exception any more.
The other reasons (e.g. wrong credential = 24) are still working.
It would be nice if the "good old" behaviour worked again in the next release.
Thanks a lot,
Marc
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Implement a Kerberos authentication module against a Windows AD.
Lock the user out (within AD, or simply try a wrong password often enough) and check the LoginException.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Set the correct cause-error for a locked out or disabled user.
ACTUAL -
Instead of the error code 18 (locked out user), the error 906 is set.
REPRODUCIBILITY :
This bug can be reproduced always.
Release Regression From : 5.0u6
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
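An added example, not code from the report or from the JDK: one way a caller can classify a Kerberos login failure by walking the whole cause chain and reading the trailing code from each message, as printed in the traces above. The class, enum and method names are hypothetical, and matching on message text is an assumption that holds only for messages shaped like the ones quoted here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.login.LoginException;

public class KrbFailureClassifier {
    enum Reason { ACCOUNT_REVOKED, BAD_CREDENTIALS, UNKNOWN }

    // Trailing "(NN)" as printed in the exception messages quoted in the report.
    private static final Pattern CODE = Pattern.compile("\\((\\d{1,4})\\)\\s*$");

    // Walk the whole cause chain instead of trusting the top-level message.
    // 18 (revoked) anywhere in the chain wins, then 24 (wrong credential).
    // 906 is raised while parsing the KDC reply (see the PAData/KRBError
    // frames in the trace) and says nothing about the account itself.
    static Reason classify(Throwable t) {
        boolean badCredentials = false;
        for (int depth = 0; t != null && depth < 16; t = t.getCause(), depth++) {
            String msg = t.getMessage();
            if (msg == null) continue;
            Matcher m = CODE.matcher(msg);
            if (!m.find()) continue;
            int code = Integer.parseInt(m.group(1));
            if (code == 18) return Reason.ACCOUNT_REVOKED;
            if (code == 24) badCredentials = true;
        }
        return badCredentials ? Reason.BAD_CREDENTIALS : Reason.UNKNOWN;
    }

    // Helper for the demo: builds LoginException -> cause -> cause from messages.
    static LoginException chain(String... messages) {
        Throwable cause = null;
        for (int i = messages.length - 1; i > 0; i--) {
            cause = new Exception(messages[i], cause);
        }
        LoginException top = new LoginException(messages[0]);
        top.initCause(cause);
        return top;
    }

    public static void main(String[] args) {
        // Constructed chains that reuse the messages from the two traces above.
        String revoked = "Clients credentials have been revoked (18)";
        String asn1 = "Identifier doesn't match expected value (906)";
        System.out.println("1.5_06 chain: " + classify(chain(revoked, revoked, asn1)));
        System.out.println("1.5_11 chain: " + classify(chain(asn1, asn1)));
    }
}
```

On the regressed chain only 906 is present, so the classifier returns UNKNOWN; a caller should handle that as a generic authentication failure rather than guessing the account state.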
backported by:
- JDK-2150248 Kerberos authentication regression (Resolved)
- JDK-2150249 Kerberos authentication regression (Resolved)
- JDK-2151021 Kerberos authentication regression (Resolved)

duplicates:
- JDK-6582600 Kerberos parsing e-data for error codes other than 25 (Closed)