krb5 should not try to access unavailable kdc too often


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • Fix Version/s: 7
    • Affects Version/s: 6, 7
    • Component/s: security-libs
    • Labels: None
    • Resolved In Build: b79
    • CPU: generic, sparc
    • OS: generic, solaris_10

        Currently, AS-REQ acts like this:

          try {
             send AS-REQ and wait for AS-REP
          } catch (KRB-ERROR needs PREAUTH) {
             send AS-REQ with PREAUTH and wait for AS-REP
          }

        and the send-wait process looks like:

          for (all KDCs configured) {
             for (try 3 times) {
                try {
                   send AS-REQ and wait for AS-REP
                   return
                } catch (IOError) {
                   continue
                }
             }
          }

        The two processes are independent, which means when the first configured KDC is not accessible anymore, something like this is performed:

          1. Send AS-REQ to KDC1
          2. Send AS-REQ to KDC1
          3. Send AS-REQ to KDC1
          4. Send AS-REQ to KDC2
             KDC2 replies: KRB-ERROR needs PREAUTH
          5. Send AS-REQ with PREAUTH to KDC1
          6. Send AS-REQ with PREAUTH to KDC1
          7. Send AS-REQ with PREAUTH to KDC1
          8. Send AS-REQ with PREAUTH to KDC2
             KDC2 replies: AS-REP

        Here, requests #5-#7 are a waste of time: KDC1 has already failed three times in the same exchange.

        Suggestion: maintain a list of KDCs with the initial order according to config. When any of them is not accessible at run time, move it to the last place, so the next send-wait round tries the reachable KDCs first.
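The following is an added simulation of the suggested policy, written for this page; it is not the JDK's krb5 code and does not use its classes. It assumes a constructed configuration of two KDCs, `KDC1` (never reachable, every send throws an I/O error) and `KDC2` (reachable, demands pre-authentication), and a per-request log so the number of sends can be counted. Running it with reordering disabled reproduces the eight requests listed above; with reordering enabled, KDC1 is moved to the end after its three failures, the PREAUTH round goes to KDC2 first, and the exchange completes after five requests.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class KdcRetryDemo {

    // Simplified reply types for the demo (constructed, not the real KRB-ERROR codes)
    enum Reply { AS_REP, KRB_ERROR_NEEDS_PREAUTH }

    // Stand-in for a KDC endpoint; a real client would use a UDP/TCP socket here
    interface Kdc {
        String name();
        Reply send(boolean withPreauth) throws IOException;
    }

    // KDC that never answers: every send fails with an I/O error
    static Kdc dead(final String name) {
        return new Kdc() {
            public String name() { return name; }
            public Reply send(boolean withPreauth) throws IOException {
                throw new IOException(name + " unreachable");
            }
        };
    }

    // KDC that is reachable but requires pre-authentication before issuing AS-REP
    static Kdc live(final String name) {
        return new Kdc() {
            public String name() { return name; }
            public Reply send(boolean withPreauth) {
                return withPreauth ? Reply.AS_REP : Reply.KRB_ERROR_NEEDS_PREAUTH;
            }
        };
    }

    static final int RETRIES = 3;   // attempts per KDC, as in the report

    // Ordered KDC list. With reorder == true, a KDC that fails all retries is moved to the end
    // (the suggestion in the report); with reorder == false, the current behaviour is simulated.
    static class KdcList {
        private final List<Kdc> kdcs;
        private final boolean reorder;
        final List<String> log = new ArrayList<String>();   // one entry per request actually sent

        KdcList(boolean reorder, Kdc... configured) {
            this.kdcs = new ArrayList<Kdc>(Arrays.asList(configured));
            this.reorder = reorder;
        }

        // The send-wait process: every KDC in current order, up to RETRIES times each
        Reply sendAndWait(boolean withPreauth) throws IOException {
            for (Kdc kdc : new ArrayList<Kdc>(kdcs)) {   // iterate over a snapshot; the list may be reordered below
                for (int i = 0; i < RETRIES; i++) {
                    log.add("AS-REQ" + (withPreauth ? " with PREAUTH" : "") + " -> " + kdc.name());
                    try {
                        return kdc.send(withPreauth);
                    } catch (IOException e) {
                        // retry; after RETRIES failures fall through to the next KDC
                    }
                }
                if (reorder) {
                    kdcs.remove(kdc);   // demote the unreachable KDC to the last place
                    kdcs.add(kdc);
                }
            }
            throw new IOException("no KDC reachable");
        }
    }

    // The two-step AS exchange from the report: plain AS-REQ, then AS-REQ with PREAUTH if asked
    static Reply asExchange(KdcList list) throws IOException {
        Reply r = list.sendAndWait(false);
        if (r == Reply.KRB_ERROR_NEEDS_PREAUTH) {
            r = list.sendAndWait(true);
        }
        return r;
    }

    public static void main(String[] args) throws IOException {
        for (boolean reorder : new boolean[] { false, true }) {
            KdcList list = new KdcList(reorder, dead("KDC1"), live("KDC2"));
            Reply r = asExchange(list);
            System.out.println((reorder ? "with" : "without") + " reordering: "
                    + r + " after " + list.log.size() + " requests");
            for (String entry : list.log) {
                System.out.println("  " + entry);
            }
        }
    }
}
```

The reordering decision is taken only after a KDC has exhausted its retries, so a single dropped packet does not demote a healthy KDC; the demoted KDC is still tried if every other KDC also fails, so availability is unchanged and only the order of attempts differs.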

              Assignee: Weijun Wang
              Reporter: Weijun Wang
              Votes: 0
              Watchers: 3