Details
-
Bug
-
Resolution: Fixed
-
P4
-
7u76
-
b64
-
x86_64
-
windows_7
Backports
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8084832 | emb-9 | Weijun Wang | P4 | Resolved | Fixed | team |
| JDK-8133403 | 8u71 | Aleksej Efimov | P4 | Resolved | Fixed | b01 |
| JDK-8079294 | 8u66 | Aleksej Efimov | P4 | Resolved | Fixed | b02 |
| JDK-8143751 | emb-8u71 | Aleksej Efimov | P4 | Resolved | Fixed | b01 |
| JDK-8079296 | 7u95 | Aleksej Efimov | P4 | Closed | Fixed | b01 |
Description
FULL PRODUCT VERSION :
A DESCRIPTION OF THE PROBLEM :
The issue is that the native TGT credential read out from MS LSA is ignored even if the TGT is not expired. It turns out that the way the end time check of the TGT is wrong when determining whether the TGT is expired in NativeCreds.c.
The root cause is the time formats for the two times to be checked is inconsistent. The current system time is UTC time, while the local end time is a time depending the timezone setting of the system. How can these two times be compared? Why don't convert them to the same time format for comparison? e.g UTC time.
For example, if the native TGT start time is 03/25/2015 13:00:00(UTC) and the lifetime of the TGT is 1 hour. This means the end time of the TGT is 03/25/2015 14:00:00(UTC). Assuming the user starts to use JGSS to get the credential. See what will happen if the user is at different time zones.
For time zone ((UTC-05:00) Eastern Time (US & Canada)) :
TGT start time : 03/25/2015 13 :00:00(UTC)
TGT end time : 03/25/2015 14:00:00(UTC)
System time (Now) : 03/25/2015 13:00:00(UTC)
TGT local end time : 03/25/2015 09:00:00(Eastern Time (US & Canada))
The TGT will be "EXPIRED"
For time zone ((UTC+08:00) Beijing) :
TGT start time : 03/25/2015 13:00:00(UTC)
TGT end time : 03/25/2015 14:00:00(UTC)
System time (Now) : 03/25/2015 13:00:00(UTC)
TGT local end time : 03/25/2015 22:00:00(Beijing)
The TGT will be "VALID"
The native code should be fixed regarding this issue.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Having a Windows 7 client and Windows 2008 R2(AD);
2. Update the Group Policy on AD to set the user ticket lifetime to 1 hour(or 2)
3. Change the timezone of the Windows 7 client to UTC-5
4. Run below code :
Credentials cred = Credentials.acquireDefaultCreds();
System.out.println("==============CREDENTIAL START====================");
System.out.println("Client : " + cred.getClient().getName());
System.out.println("Server : " + cred.getServer().getName());
//Session key type
// DES_CBC_MD5 3
// RC4_HMAC 23
System.out.println("Session key type : " + cred.getSessionKey().getEType());
System.out.println("Start time : "+cred.getStartTime().getTime()+ " GMT time : "+cred.getStartTime().toGMTString()+ " Local time : "+cred.getStartTime().toLocaleString());
System.out.println("End time : "+cred.getEndTime().getTime()+ " GMT time : "+cred.getEndTime().toGMTString()+ " Local time : "+cred.getEndTime().toLocaleString());
System.out.println("AUth time : "+cred.getAuthTime().getTime() + " GMT time : "+cred.getAuthTime().toGMTString() + " Local time : " + cred.getAuthTime().toLocaleString());
//Print ticket info
Ticket tkt = cred.getTicket();
System.out.println("Ticket realm : "+tkt.realm);
System.out.println("Ticket server : "+tkt.sname.getName());
System.out.println("Ticket flags : "+cred.getTicketFlags());
// System.out.println("Ticket info : "+tkt.toString());
System.out.println("=============CREDENTIAL END=========================");
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
If the information printed out is different from the klist(Windows version of klist) output, then the issue is reproduced. It can always be reproduced.
REPRODUCIBILITY :
This bug can be reproduced always.
A DESCRIPTION OF THE PROBLEM :
The issue is that the native TGT credential read out from MS LSA is ignored even if the TGT is not expired. It turns out that the way the end time check of the TGT is wrong when determining whether the TGT is expired in NativeCreds.c.
The root cause is the time formats for the two times to be checked is inconsistent. The current system time is UTC time, while the local end time is a time depending the timezone setting of the system. How can these two times be compared? Why don't convert them to the same time format for comparison? e.g UTC time.
For example, if the native TGT start time is 03/25/2015 13:00:00(UTC) and the lifetime of the TGT is 1 hour. This means the end time of the TGT is 03/25/2015 14:00:00(UTC). Assuming the user starts to use JGSS to get the credential. See what will happen if the user is at different time zones.
For time zone ((UTC-05:00) Eastern Time (US & Canada)) :
TGT start time : 03/25/2015 13 :00:00(UTC)
TGT end time : 03/25/2015 14:00:00(UTC)
System time (Now) : 03/25/2015 13:00:00(UTC)
TGT local end time : 03/25/2015 09:00:00(Eastern Time (US & Canada))
The TGT will be "EXPIRED"
For time zone ((UTC+08:00) Beijing) :
TGT start time : 03/25/2015 13:00:00(UTC)
TGT end time : 03/25/2015 14:00:00(UTC)
System time (Now) : 03/25/2015 13:00:00(UTC)
TGT local end time : 03/25/2015 22:00:00(Beijing)
The TGT will be "VALID"
The native code should be fixed regarding this issue.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Having a Windows 7 client and Windows 2008 R2(AD);
2. Update the Group Policy on AD to set the user ticket lifetime to 1 hour(or 2)
3. Change the timezone of the Windows 7 client to UTC-5
4. Run below code :
Credentials cred = Credentials.acquireDefaultCreds();
System.out.println("==============CREDENTIAL START====================");
System.out.println("Client : " + cred.getClient().getName());
System.out.println("Server : " + cred.getServer().getName());
//Session key type
// DES_CBC_MD5 3
// RC4_HMAC 23
System.out.println("Session key type : " + cred.getSessionKey().getEType());
System.out.println("Start time : "+cred.getStartTime().getTime()+ " GMT time : "+cred.getStartTime().toGMTString()+ " Local time : "+cred.getStartTime().toLocaleString());
System.out.println("End time : "+cred.getEndTime().getTime()+ " GMT time : "+cred.getEndTime().toGMTString()+ " Local time : "+cred.getEndTime().toLocaleString());
System.out.println("AUth time : "+cred.getAuthTime().getTime() + " GMT time : "+cred.getAuthTime().toGMTString() + " Local time : " + cred.getAuthTime().toLocaleString());
//Print ticket info
Ticket tkt = cred.getTicket();
System.out.println("Ticket realm : "+tkt.realm);
System.out.println("Ticket server : "+tkt.sname.getName());
System.out.println("Ticket flags : "+cred.getTicketFlags());
// System.out.println("Ticket info : "+tkt.toString());
System.out.println("=============CREDENTIAL END=========================");
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
If the information printed out is different from the klist(Windows version of klist) output, then the issue is reproduced. It can always be reproduced.
REPRODUCIBILITY :
This bug can be reproduced always.
Attachments
Issue Links
- backported by
-
JDK-8079294 End time checking for native TGT is wrong
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Closed
-