JDK-8282223

Improve KDC communication retry logic by broadening recoverable SocketException


      A DESCRIPTION OF THE PROBLEM :
      In modern infrastructures, random KDC failures (planned or unplanned) are bound to happen, and applications are expected to handle such failures gracefully. During such failures, the KDC can be either completely unreachable or not responding properly. In these cases, KDC auth queries will most likely encounter SocketTimeoutException, but they are not necessarily restricted to this IOException response. It is possible that a few KDC auth queries might also return "Connection Refused" (TCP) or "ICMP Port Unreachable" (UDP) responses.

      This is in accordance with RFC 792 (https://datatracker.ietf.org/doc/html/rfc792):
      > if, in the destination host, the IP module cannot deliver the datagram because the indicated protocol module or process port is not active, the destination host may send a destination unreachable message to the source host.

      In this context, it is desired to broaden the catch to all SocketExceptions, so that clients can rely on the same retry mechanism as for SocketTimeoutException. We believe this will improve the overall resiliency of Java applications relying on Kerberos.
      Code: https://github.com/openjdk/jdk11/blob/jdk-11+14/src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java#L406
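
The retry behaviour the report asks for, as an added example that is not the JDK's KdcComm code: every SocketException is handled the same way as SocketTimeoutException. The `KdcExchange` interface, `sendWithFailover`, and the `*.example.test` hostnames are hypothetical, and the KDC failures are simulated so the example runs offline.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.PortUnreachableException;
import java.net.SocketException;
import java.net.SocketTimeoutException;
import java.util.List;

public class KdcRetryExample {
    /** Hypothetical transport hook: one request/response exchange with one KDC. */
    interface KdcExchange {
        byte[] send(String kdc, byte[] request) throws IOException;
    }

    /** Tries each KDC up to maxRetries times, treating every SocketException like a timeout. */
    static byte[] sendWithFailover(List<String> kdcs, int maxRetries,
                                   byte[] request, KdcExchange exchange) throws IOException {
        IOException last = new IOException("no KDC configured");
        for (String kdc : kdcs) {
            for (int attempt = 1; attempt <= maxRetries; attempt++) {
                try {
                    return exchange.send(kdc, request);
                } catch (SocketTimeoutException | SocketException e) {
                    // ConnectException (TCP refused) and PortUnreachableException (ICMP port
                    // unreachable, connected UDP socket) are SocketException subclasses.
                    last = e;
                }
            }
        }
        throw last; // every KDC failed; other IOExceptions were never caught
    }

    public static void main(String[] args) throws IOException {
        int[] calls = {0};
        // Constructed failure modes, one per simulated KDC (placeholder hostnames).
        KdcExchange simulated = (kdc, req) -> {
            calls[0]++;
            switch (kdc) {
                case "kdc1.example.test": throw new ConnectException("Connection refused");
                case "kdc2.example.test": throw new PortUnreachableException("ICMP Port Unreachable");
                case "kdc3.example.test":
                    if (calls[0] < 6) throw new SocketTimeoutException("Receive timed out");
                    return new byte[] {0x6b};
                default: throw new IOException("unknown KDC " + kdc);
            }
        };
        List<String> kdcs = List.of("kdc1.example.test", "kdc2.example.test", "kdc3.example.test");
        byte[] reply = sendWithFailover(kdcs, 2, new byte[] {0x6a}, simulated);
        System.out.println(reply.length + "-byte reply after " + calls[0] + " attempts");
    }
}
```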


            weijun Weijun Wang
            webbuggrp Webbug Group