Bug
Resolution: Won't Fix
P4
When granting permissions to a KerberosPrincipal in a security policy file, each principal's realm must be included. If the realm is omitted, infinite recursion can occur: the KerberosPrincipal constructor invokes the SecurityManager to check permission to use the default realm, and evaluating that check re-reads the policy file, which constructs the realm-less KerberosPrincipal again and repeats the same check (see the repeating KerberosPrincipal.&lt;init&gt; → SecurityManager.checkPermission → PolicyFile.addPermissions cycle in the trace below).
https://github.com/openjdk/jdk/blob/master/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java#L203
A temporary workaround is to set the system property:
-Dsun.security.krb5.autodeducerealm=true
Sample stack trace showing the recursion:
java.lang.Exception: Stack trace
at java.base/java.lang.Thread.dumpStack(Thread.java:2248)
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:435)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1071)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:208)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:142)
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:484)
at java.base/sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1264)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1149)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1113)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1053)
at java.base/java.security.ProtectionDomain.lambda$mergePermissions$0(ProtectionDomain.java:493)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at java.base/java.security.ProtectionDomain.mergePermissions(ProtectionDomain.java:492)
at java.base/java.security.ProtectionDomain.toString(ProtectionDomain.java:431)
at java.base/javax.security.auth.SubjectDomainCombiner$2.run(SubjectDomainCombiner.java:360)
at java.base/javax.security.auth.SubjectDomainCombiner$2.run(SubjectDomainCombiner.java:358)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at java.base/javax.security.auth.SubjectDomainCombiner.printDomain(SubjectDomainCombiner.java:358)
at java.base/javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:270)
at java.base/java.security.AccessControlContext.optimize(AccessControlContext.java:625)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1070)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:208)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:142)
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:484)
at java.base/sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1264)
https://github.com/openjdk/jdk/blob/master/src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java#L203
A temporary workaround is to set the system property:
-Dsun.security.krb5.autodeducerealm=true
Sample stack trace showing the recursion:
java.lang.Exception: Stack trace
at java.base/java.lang.Thread.dumpStack(Thread.java:2248)
at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:435)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1071)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:208)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:142)
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:484)
at java.base/sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1264)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1149)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1113)
at java.base/sun.security.provider.PolicyFile.getPermissions(PolicyFile.java:1053)
at java.base/java.security.ProtectionDomain.lambda$mergePermissions$0(ProtectionDomain.java:493)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at java.base/java.security.ProtectionDomain.mergePermissions(ProtectionDomain.java:492)
at java.base/java.security.ProtectionDomain.toString(ProtectionDomain.java:431)
at java.base/javax.security.auth.SubjectDomainCombiner$2.run(SubjectDomainCombiner.java:360)
at java.base/javax.security.auth.SubjectDomainCombiner$2.run(SubjectDomainCombiner.java:358)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:319)
at java.base/javax.security.auth.SubjectDomainCombiner.printDomain(SubjectDomainCombiner.java:358)
at java.base/javax.security.auth.SubjectDomainCombiner.combine(SubjectDomainCombiner.java:270)
at java.base/java.security.AccessControlContext.optimize(AccessControlContext.java:625)
at java.base/java.security.AccessController.checkPermission(AccessController.java:1070)
at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:411)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:208)
at java.security.jgss/javax.security.auth.kerberos.KerberosPrincipal.<init>(KerberosPrincipal.java:142)
at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:484)
at java.base/sun.security.provider.PolicyFile.addPermissions(PolicyFile.java:1264)