- Enhancement
- Resolution: Fixed
- P3
- 7u51, 8, 11, 17
- b20
- x86
- windows_7
When using JAAS to perform Krb5LoginModule authentication, the
sun.security.krb5.internal.ccache.FileCredentialsCache loads the credentials
from the file system when accessed.
If this file is subsequently deleted or renewed, the FileCredentialsCache
continues to return the first value, necessitating a restart of the Java
process in order to obtain the correct credentials.
This is especially a problem when the cache contains stale data (i.e.
the expiry/renew time has passed).
The path is:
Krb5LoginModule
-> Credentials.acquireTGTFromCache()
-> Credentials.acquireDefaultCreds()
-> Credentials.cache
-> CredentialCache
-> FileCredentialsCache.getDefaultCreds()
-> FileCredentialsCache.getCredsList()
-> returns static credentialsList if it is not empty.
The problem is that sun.security.krb5.Credentials acquires the cache on demand
and then caches it in a static variable. This means that a single instance of
FileCredentialsCache is stored, bearing a snapshot of the file at that point.
Therefore, if the original ticket has expired and is subsequently renewed
(perhaps by running kinit outside of the Java program), the Java program will
continue to use the expired ticket.
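The following diagnostic is an added example, not code from this bug report or from the JDK. It performs a JAAS login and then inspects the KerberosTicket objects the resulting Subject holds, reporting whether each one is already past its end time. Run inside a long-lived process on an affected JDK, it keeps reporting the same expired ticket after an external kinit, which is the symptom described above. The JAAS entry name "KerberosClient" is an assumption; it is expected to map, in the file named by java.security.auth.login.config, to com.sun.security.auth.module.Krb5LoginModule with useTicketCache=true.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Diagnostic for the stale ticket-cache symptom: after a JAAS login that reads
 * the Kerberos ticket cache, report whether the TGT the process now holds has
 * already expired. On an affected JDK, calling this again in the same process
 * after an external kinit still shows the old ticket, because the static
 * FileCredentialsCache snapshot is never reloaded.
 */
public class TicketCacheStalenessCheck {

    /** Plain summary of one ticket found among the Subject's private credentials. */
    public static final class TicketStatus {
        public final String server;
        public final Date endTime;
        public final Date renewTill;   // null when the ticket is not renewable
        public final boolean current;  // false once the end time has passed

        TicketStatus(KerberosTicket t) {
            this.server = t.getServer().getName();
            this.endTime = t.getEndTime();
            this.renewTill = t.getRenewTill();
            this.current = t.isCurrent();
        }

        @Override
        public String toString() {
            return server + " endTime=" + endTime + " renewTill=" + renewTill
                    + (current ? " (current)" : " (EXPIRED: possibly a stale cache snapshot)");
        }
    }

    /** Inspects every KerberosTicket the Subject carries; needs no network access. */
    public static List<TicketStatus> inspect(Subject subject) {
        List<TicketStatus> out = new ArrayList<>();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            out.add(new TicketStatus(t));
        }
        return out;
    }

    /** True only if at least one ticket is present and none of them has expired. */
    public static boolean allTicketsCurrent(List<TicketStatus> statuses) {
        if (statuses.isEmpty()) {
            return false;
        }
        for (TicketStatus s : statuses) {
            if (!s.current) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws LoginException {
        // "KerberosClient" is an assumed JAAS entry name (see the lead-in); it can be
        // overridden on the command line.
        String entry = args.length > 0 ? args[0] : "KerberosClient";
        LoginContext lc = new LoginContext(entry);
        lc.login();
        List<TicketStatus> statuses = inspect(lc.getSubject());
        for (TicketStatus s : statuses) {
            System.out.println(s);
        }
        System.out.println(allTicketsCurrent(statuses)
                ? "OK: ticket(s) still valid"
                : "WARNING: expired or missing TGT; on affected JDKs only a process restart picks up a renewed cache");
        lc.logout();
    }
}
```

To reproduce the report's scenario, keep the process running past the ticket end time, run kinit in another shell, and invoke inspect on a fresh LoginContext again: on an affected build the reported endTime does not change until the JVM is restarted. Alerting on the WARNING line is a cheap way to catch services that are silently operating on an expired TGT.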