JDK-8308540

On Kerberos TGT referral, if krb5.conf is missing realm, bad exception message


      ADDITIONAL SYSTEM INFORMATION :
      Latest Java 8/11/17 all reproduce the same. Windows 10 and Linux both reproduce the same.

      A DESCRIPTION OF THE PROBLEM :
      This issue was discovered when using SPNEGO with an HTTPS URL via java.net.URL(String url).openConnection().getInputStream(). During the Kerberos authentication procedure, multiple Kerberos referrals occurred to find the final krbtgt server. (Sorry, my terminology may be slightly imprecise.) The krb5.conf file was missing one of the realms. As a result, one of the referrals failed with a misleading exception message.

      JDK 8 stack trace:
      KrbException: Message stream modified (41)
           at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:69)
           at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:87)
           at sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:226)
           at sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:237)
           at sun.security.krb5.internal.CredentialsUtil.serviceCredsSingle(CredentialsUtil.java:482)
           at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:340)
           at sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:314)
           at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:169)
           at sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:490)
           at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)
           at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
           at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
           at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(SpNegoContext.java:882)
           at sun.security.jgss.spnego.SpNegoContext.initSecContext(SpNegoContext.java:317)
           at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:248)
           at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:179)
           at sun.net.www.protocol.http.spnego.NegotiatorImpl.init(NegotiatorImpl.java:108)
           at sun.net.www.protocol.http.spnego.NegotiatorImpl.<init>(NegotiatorImpl.java:117)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
           at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
           at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
           at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
           at sun.net.www.protocol.http.Negotiator.getNegotiator(Negotiator.java:63)
           at sun.net.www.protocol.http.NegotiateAuthentication.isSupported(NegotiateAuthentication.java:111)
           at sun.net.www.protocol.http.AuthenticationHeader.parse(AuthenticationHeader.java:200)
           at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:143)
           at sun.net.www.protocol.http.AuthenticationHeader.<init>(AuthenticationHeader.java:123)
           at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1720)
           at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
           at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)

      Suggestions:
      (1) Method sun.security.krb5.Config.getKDCList() should provide a more helpful exception message: new KrbException("Cannot locate KDC for realm [" + realm + "]")

      (2) Static method sun.security.krb5.internal.CredentialsUtil.serviceCreds(KDCOptions, Credentials, PrincipalName, PrincipalName, PrincipalName, Ticket[], PAData[], CredentialsUtil.S4U2Type) can throw better exceptions -- better message and stack trace. Also, it is impossible to view the caught KrbException in a debugger (at least in my IntelliJ debugger).

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      1. Create krb5.conf file that is missing realm required for Kerberos TGT referral.
      2. Do SPNEGO with an HTTPS URL via java.net.URL(String url).openConnection().getInputStream(). The URL should induce a referral that will fail.
      3. Exception is thrown with misleading message and stack trace.
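      The reproduction steps above, as an added example that is not part of the bug report or of the JDK's own code. It builds a krb5.conf that lists only the client's realm (so a TGT referral into any other realm has no [realms] entry to resolve a KDC from) and then drives the same Krb5Context.initSecContext call shown in the stack trace through the public GSS-API instead of through HttpURLConnection, so that the wrapped KrbException is reachable from GSSException.getCause() and can be printed. The realm names, hostnames and service principal (CLIENT.EXAMPLE, kdc.client.example, HTTP@web.service.example) are assumptions; it expects a ticket cache populated by an earlier kinit for the client realm.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class TgtReferralRepro {

    // Constructed krb5.conf (assumed names). Only the client realm is configured, so
    // when the client KDC answers a TGS request with a referral to another realm
    // (the one the HTTPS service host belongs to), that realm has no [realms] entry
    // and no KDC can be located for it. DNS lookups are disabled so nothing can
    // fill the gap behind our back.
    static final String KRB5_CONF = String.join("\n",
            "[libdefaults]",
            "  default_realm = CLIENT.EXAMPLE",
            "  dns_lookup_kdc = false",
            "  dns_lookup_realm = false",
            "",
            "[realms]",
            "  CLIENT.EXAMPLE = {",
            "    kdc = kdc.client.example",
            "  }",
            "");

    // JAAS entry name that JGSS consults for initiators when
    // javax.security.auth.useSubjectCredsOnly=false; it reuses the kinit ticket cache.
    static final String JAAS_CONF = String.join("\n",
            "com.sun.security.jgss.krb5.initiate {",
            "  com.sun.security.auth.module.Krb5LoginModule required",
            "    useTicketCache=true doNotPrompt=true;",
            "};",
            "");

    public static void main(String[] args) throws Exception {
        // Host-based service name of the HTTPS endpoint (assumed).
        String service = args.length > 0 ? args[0] : "HTTP@web.service.example";

        Path krb5 = Files.createTempFile("krb5", ".conf");
        Files.write(krb5, KRB5_CONF.getBytes(StandardCharsets.UTF_8));
        Path jaas = Files.createTempFile("jaas", ".conf");
        Files.write(jaas, JAAS_CONF.getBytes(StandardCharsets.UTF_8));

        System.setProperty("java.security.krb5.conf", krb5.toString());
        System.setProperty("java.security.auth.login.config", jaas.toString());
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        // Kerberos-level tracing prints every TGS exchange, including the realm the
        // referral points at, which the exception message itself does not name.
        System.setProperty("sun.security.krb5.debug", "true");

        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid("1.3.6.1.5.5.2");
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(peer, spnego, null, GSSContext.DEFAULT_LIFETIME);
        try {
            // This is the call that acquires the service ticket and performs the
            // referral chase; with the realm missing it fails inside KrbTgsRep.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("initial SPNEGO token: " + token.length + " bytes");
        } catch (GSSException e) {
            printChain(e);
        } finally {
            ctx.dispose();
        }
    }

    // Walk the cause chain. Krb5Context.initSecContext wraps the KrbException in a
    // GSSException via initCause, so the "(41)" message surfaces a level or two down;
    // the class is matched by name because sun.security.krb5 is not exported on 9+.
    static void printChain(Throwable top) {
        int depth = 0;
        for (Throwable t = top; t != null; t = t.getCause(), depth++) {
            String marker = t.getClass().getName().equals("sun.security.krb5.KrbException")
                    ? "  <- Kerberos failure" : "";
            System.out.printf("cause[%d] %s: %s%s%n",
                    depth, t.getClass().getName(), t.getMessage(), marker);
        }
    }
}
```

      Run it after kinit against the client realm; adding -Dsun.security.jgss.debug=true on the command line also traces the SPNEGO and Krb5 mechanism layers. The printed chain is what the report asks to improve: the innermost message names the KDC reply check that failed ("Message stream modified (41)") rather than the realm that krb5.conf does not know about.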

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      More helpful / meaningful exception message. The message can be improved, and probably a better chain can be constructed to make debugging simpler.
      ACTUAL -
      Exception is thrown with misleading message and stack trace.

      FREQUENCY : always


Assignee: Weijun Wang (weijun)
Reporter: Webbug Group (webbuggrp)