JDK-8028687

noaddresses flag doesn't work for forwardable tickets using spnego negotiation


    • Type: Bug
    • Resolution: Duplicate
    • Priority: P3
    • Affects Version: 7u45
    • Component: security-libs

      FULL PRODUCT VERSION :
      java version "1.7.0_45"
      Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
      Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode);

      java version "1.7.0_45"
      OpenJDK Runtime Environment (rhel-2.4.3.1.el5_10-x86_64 u45-b15)
      OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Linux dellirium 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:20:46 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux;
      Linux c2n1 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:52:25 EST 2011 x86_64 x86_64 x86_64 GNU/Linux

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      tested on Centos5, Centos6, Ubuntu 13.04, Ubuntu 13.10


      A DESCRIPTION OF THE PROBLEM :
      It seems that some issues with addressful(less) tickets were already solved, as mentioned in https://bugs.openjdk.java.net/browse/JDK-4501327. Unfortunately that fix applies only to AS requests. I found out that when you're using forwardable tickets the 'noaddresses' flag is ignored and forwarded tickets are always addressless.

      ADDITIONAL REGRESSION INFORMATION:
      java version "1.7.0_45"
      Java(TM) SE Runtime Environment (build 1.7.0_45-b18)
      Java HotSpot(TM) 64-Bit Server VM (build 24.45-b08, mixed mode);

      java version "1.7.0_45"
      OpenJDK Runtime Environment (rhel-2.4.3.1.el5_10-x86_64 u45-b15)
      OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      On the client side, follow the instructions from http://hc.apache.org/httpcomponents-client-4.2.x/tutorial/html/authentication.html#spnego and run the example httpclient code with SPNEGO/Kerberos authentication.
      In addition to the above instructions, in the [libdefaults] section of the client's /etc/krb5.conf we defined:
      >>>>>>>>>>>>>>>>
      [libdefaults]
       default_realm = C2MGMT.COM
       dns_lookup_realm = false
       kdc_timeout = 1000
       udp_preference_limit = 0
       dns_lookup_kdc = false
       forwardable = yes
       noaddresses = false
      <<<<<<<<<<<<<<<<<<<

      On the server side, use any SPNEGO-ready server which allows logging/validating tickets; we used Apache with mod_auth_kerb and a bash CGI script with the code below:
      >>>>>>>>>>>>>>>>
      #!/bin/bash

      echo "---------------------------------" >> /tmp/k.log
      echo "KRB5CCNAME=$KRB5CCNAME" >> /tmp/k.log
      if [ "x$KRB5CCNAME" != "x" ]; then
        # KRB5CCNAME is "FILE:/path"; drop the 5-character "FILE:" prefix and list
        # the delegated cache with flags (-f), addresses (-a) and numeric addresses (-n)
        klist -fan -c ${KRB5CCNAME:5} >> /tmp/k.log
      fi
      <<<<<<<<<<<<<<<<

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      No matter whether we used noaddresses = false or noaddresses = true, on the server we're getting (/tmp/k.log):
      ---------------------------------
      KRB5CCNAME=FILE:/tmp/krb5cc_apache_4EGT8w
      Ticket cache: FILE:/tmp/krb5cc_apache_4EGT8w
      Default principal: portal@C2MGMT.COM

      Valid starting Expires Service principal
      11/05/13 15:33:40 11/06/13 15:33:40 krbtgt/C2MGMT.COM@C2MGMT.COM
      Flags: FfT
      Addresses: (none)

      ACTUAL -
      I would expect that if noaddresses = true the above result is expected:
      Addresses: (none)
      but in case you set noaddresses = false, you should get something like
      Addresses: 10.105.56.136
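      As an added server-side check (not part of the report), the script below parses the klist -fan dumps that the CGI script appends to /tmp/k.log and flags forwarded tickets that arrived addressless although the client's krb5.conf set noaddresses = false; the log content is a constructed sample modelled on the output above, with a second, invented record that carries an address.

```python
import re

# Constructed /tmp/k.log: one klist -fan dump per request, separated by the dashed line.
SAMPLE_LOG = """\
---------------------------------
KRB5CCNAME=FILE:/tmp/krb5cc_apache_4EGT8w
Default principal: portal@C2MGMT.COM
Valid starting     Expires            Service principal
11/05/13 15:33:40  11/06/13 15:33:40  krbtgt/C2MGMT.COM@C2MGMT.COM
Flags: FfT
Addresses: (none)
---------------------------------
Default principal: other@C2MGMT.COM
11/05/13 16:01:02  11/06/13 16:01:02  krbtgt/C2MGMT.COM@C2MGMT.COM
Flags: FfT
Addresses: 10.105.56.136
"""

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")


def parse_klist_log(text):
    """One record per ticket: principal, service, klist flags and address list."""
    tickets, principal = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            tickets.append({"principal": principal, "service": m.group(3),
                            "flags": "", "addresses": []})
        elif tickets and line.startswith("Flags:"):
            tickets[-1]["flags"] = line.split(":", 1)[1].strip()
        elif tickets and line.startswith("Addresses:"):
            value = line.split(":", 1)[1].strip()
            # klist -a prints "(none)" for an addressless ticket.
            tickets[-1]["addresses"] = [] if value == "(none)" else value.split()
    return tickets


def check_forwarded_addresses(tickets, noaddresses):
    """Flag forwarded tickets (klist flag 'f') that are addressless although noaddresses=false."""
    findings = []
    for t in tickets:
        if "f" in t["flags"] and not noaddresses and not t["addresses"]:
            findings.append(f"{t['principal']} {t['service']}: forwarded ticket "
                            f"is addressless but noaddresses=false")
    return findings
```

      Run against the real log, only the first record (the report's own output) is reported; the bug makes every forwarded TGT from a JDK client look like it.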

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      Here is my patch based on openjdk7 sources (/openjdk/jdk/src/share/classes/sun/security/krb5/KrbCred.java):

      # This patch file was generated by NetBeans IDE
      # This patch can be applied using context Tools: Apply Diff Patch action on respective folder.
      # It uses platform neutral UTF-8 encoding.
      # Above lines and this line are ignored by the patching process.
      81,82c81,82
      < if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST)
      < sAddrs= new HostAddresses(server);
      ---
      > //if (server.getNameType() == PrincipalName.KRB_NT_SRV_HST)
      > // sAddrs= new HostAddresses(server);
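      Review bot: the `81,82c81,82` hunk disables the original KRB_NT_SRV_HST check by commenting it out rather than deleting it, while the following hunk re-states the same `server.getNameType() == PrincipalName.KRB_NT_SRV_HST` condition, so the reader now has two copies of the logic to reconcile. The behavioural point of the hunk is that the old lines populated `sAddrs` for host-based service principals regardless of the noaddresses setting; state that in a one-line comment and remove the dead lines, leaving the history to carry the old form.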
      83a84,95
      > /* amg:tibor */
      > // I commented out two above lines as I'm not sure what it does ;)
      > // My understanding is that we should add address or not base on what is set in configuration.
      > // On our environmant KDC replays KrbTgsRep with type set to 0, that's why I allow it here
      > // - I wasn't able to find any information if this can be configured. I force this type to
      > // allow HostAddresses constructor work properly, maybe this validation there is also not required.
      > if((server.getNameType() == PrincipalName.KRB_NT_UNKNOWN || server.getNameType() == PrincipalName.KRB_NT_SRV_HST) && Config.getInstance().useAddresses() ) {
      > PrincipalName newServer = new PrincipalName(server.getName(), PrincipalName.KRB_NT_SRV_HST);
      > sAddrs= new HostAddresses(newServer);
      > }
      > /* amg:tibor */
      >
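      Review bot: the `83a84,95` hunk re-types a principal of KRB_NT_UNKNOWN (type 0) as KRB_NT_SRV_HST solely so that `new HostAddresses(newServer)` accepts it, and the comment itself says the purpose of the replaced check and the KDC's type-0 behaviour are not understood ("maybe this validation there is also not required"). A name of unknown type is not necessarily host-based, so building the address list from it is a guess about one KDC; either restrict the branch to KRB_NT_SRV_HST and document the observed type-0 reply as a separate, tested case, or explain why re-typing is safe for every KDC the code may talk to. The `/* amg:tibor */` markers and the first-person notes should be replaced by a comment that states the intended rule (add addresses only when `Config.getInstance().useAddresses()` is true) before this is considered for merge.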

      Assignee: Weijun Wang (weijun)
      Reporter: Sean Coffey (coffeys)