JDK-8165668

Kerberos Keys stored in a keytab are no longer used/read in JGSS accept


      FULL PRODUCT VERSION :
      jdk7u80+ and it looks like jdk8 has exactly the same issue.

      ADDITIONAL OS VERSION INFORMATION :
      Windows, Linux

      EXTRA RELEVANT SYSTEM CONFIGURATION :
      Running a Java Server Process where the server credentials are stored in a keytab file.

      A DESCRIPTION OF THE PROBLEM :
      The patch for BUG 8004488 stopped inserting KerberosKey instances into the private credentials set.

      Instead of checking for permission, the patch removed the compatibility workaround.

      Now there is ONLY a KeyTab instance in the private credentials and not the credentials themselves.

      This breaks the JGSS implementation as the KeyTab type is NOT evaluated and checked as an "instanceof" for processing.

      REGRESSION. Last worked in version 7u79

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Require any private credentials that are stored in a keytab file when accepting a GSS session.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      The handshake works
      ACTUAL -
      The search Subject for the ACCEPT credential fails.

      REPRODUCIBILITY :
      This bug can be reproduced always.

      CUSTOMER SUBMITTED WORKAROUND :
      There is NO workaround; as such, I simply cannot upgrade Kerberos authenticating server instances past jdk7u79.

            coffeys Sean Coffey
            webbuggrp Webbug Group
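
The report distinguishes two layouts of a Subject's private credentials: KerberosKey objects stored directly, and a KeyTab reference only. The following is an added example, not code from the report or from the JDK, showing how application code that reads acceptor keys out of a Subject itself can handle both layouts through the public `javax.security.auth.kerberos` API. The class name, principal, key bytes and keytab path are hypothetical.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class AcceptorKeyProbe {  // hypothetical class name

    /** Returns the service's long-term keys from either credential layout. */
    static List<KerberosKey> acceptorKeys(Subject subject, KerberosPrincipal service) {
        List<KerberosKey> keys = new ArrayList<>();
        // Older layout: KerberosKey objects placed directly in the set.
        for (KerberosKey k : subject.getPrivateCredentials(KerberosKey.class)) {
            if (service.equals(k.getPrincipal())) {
                keys.add(k);
            }
        }
        // Layout described in the report: only a KeyTab reference is present,
        // so the keys have to be read through it.
        for (KeyTab kt : subject.getPrivateCredentials(KeyTab.class)) {
            if (kt.exists()) {
                keys.addAll(Arrays.asList(kt.getKeys(service)));
            }
        }
        return keys;
    }

    public static void main(String[] args) {
        // Constructed sample data: principal, key bytes and keytab path are placeholders.
        KerberosPrincipal svc = new KerberosPrincipal("HTTP/host.example.com@EXAMPLE.COM");

        Subject withKeys = new Subject();
        // Key type 17 = aes128-cts-hmac-sha1-96; the all-zero key is a dummy value.
        withKeys.getPrivateCredentials().add(new KerberosKey(svc, new byte[16], 17, 1));

        Subject withKeyTabOnly = new Subject();
        File path = new File(args.length > 0 ? args[0] : "constructed-sample.keytab");
        withKeyTabOnly.getPrivateCredentials().add(KeyTab.getInstance(path));

        System.out.println("KerberosKey layout: " + acceptorKeys(withKeys, svc).size() + " key(s)");
        System.out.println("KeyTab-only layout: " + acceptorKeys(withKeyTabOnly, svc).size()
                + " key(s) from " + path);
    }
}
```

Pass the path of a real keytab as the first argument to see how many keys it holds for the given principal; code that only looks for `KerberosKey` instances finds none in the second layout.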