JDK-8049520

FileCredentialsCache loads cache once and is never refreshed

Details

    • Enhancement
    • Resolution: Fixed
    • P3
    • 18
    • 7u51, 8, 11, 17
    • security-libs
    • b20
    • x86
    • windows_7

    Description

      When using JAAS to perform Krb5 LoginModule authentication, the
      sun.security.krb5.internal.ccache.FileCredentialsCache loads the credentials
      from the file system when accessed.

      If this file is subsequently deleted or renewed, the FileCredentialsCache
      continues to return the first value, necessitating a restart of the Java
      process in order to gain the correct credentials.

      This is especially a problem when the cache contains stale data (i.e.
      the expiry/renew time has passed).

      The path is:

      Krb5LoginModule
       -> Credentials.acquireTGTFromCache()
       -> Credentials.acquireDefaultCreds()
       -> Credentials.cache
       -> CredentialCache
       -> FileCredentialsCache.getDefaultCreds()
       -> FileCredentialsCache.getCredsList()
       -> returns static credentialsList if it is not empty.

      The problem is that sun.security.krb5.Credentials acquires the cache on demand,
      and then caches it in a static variable. This means that a single instance of
      FileCredentialsCache is stored, bearing a snapshot of the file at that point.
      Therefore, if the original ticket has expired and is then subsequently renewed
      (maybe by kinit outside of the Java program), the Java program will continue to use
      the expired ticket.

            People

              weijun Weijun Wang
              thlenz Thomas Lenz (Inactive)
              Votes: 0
              Watchers: 3

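The load-once pattern traced in the description, next to a variant that re-checks the file on each access, as an added Java example; it is not JDK code and not the fix applied for this issue. The class and method names are hypothetical, and a constructed text file stands in for the binary credential cache.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;

// Added illustration: names are hypothetical, not JDK internals.
public class CcacheRefreshDemo {
    // Pattern from the report: the first read is kept in a static field for the life of the JVM.
    static String snapshot;
    static String loadOnce(Path ccache) throws IOException {
        if (snapshot == null) snapshot = read(ccache);
        return snapshot;
    }

    // Refreshing variant: re-read when mtime or size changes, forget the entry when the file is gone.
    static String cached;
    static FileTime seenMtime;
    static long seenSize = -1;
    static synchronized String loadFresh(Path ccache) throws IOException {
        try {
            FileTime mtime = Files.getLastModifiedTime(ccache);
            long size = Files.size(ccache);
            if (cached == null || !mtime.equals(seenMtime) || size != seenSize) {
                cached = read(ccache);
                seenMtime = mtime;
                seenSize = size;
            }
        } catch (NoSuchFileException gone) {   // cache deleted (e.g. kdestroy): drop stale state
            cached = null; seenMtime = null; seenSize = -1;
        }
        return cached;
    }

    static String read(Path p) throws IOException {
        return new String(Files.readAllBytes(p), StandardCharsets.UTF_8);
    }
    static void write(Path p, String s) throws IOException {
        Files.write(p, s.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws IOException {
        Path ccache = Files.createTempFile("krb5cc_demo", ".txt"); // constructed stand-in file
        write(ccache, "TGT endtime=10:00 (expired)");
        System.out.println("initial  once=" + loadOnce(ccache) + " | fresh=" + loadFresh(ccache));
        write(ccache, "TGT endtime=20:00 (renewed by external kinit)"); // simulated renewal
        System.out.println("renewed  once=" + loadOnce(ccache) + " | fresh=" + loadFresh(ccache));
        Files.delete(ccache);                                           // simulated deletion
        System.out.println("deleted  once=" + loadOnce(ccache) + " | fresh=" + loadFresh(ccache));
    }
}
```

The `once` column keeps reporting the first contents after the rewrite and the deletion, which is the behaviour the report describes; the `fresh` column follows the file.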