Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-7077172

KerberosTime does not take into account system clock adjustement

    Details

    • Subcomponent:
    • Introduced In Build:
      b97
    • Introduced In Version:
      7
    • Resolved In Build:
      b15
    • CPU:
      x86
    • OS:
      linux
    • Verification:
      Verified

      Backports

        Description

        FULL PRODUCT VERSION :
        7

        A DESCRIPTION OF THE PROBLEM :
        Context
        -----------
        In the Kerberos procotol, current client timestamp is encapsulated in the Kerberos query sent to the KDC to obtain a TGT. The timestamp in the query must be accurate (The KDC timestamp accepts 5mn deviation in most case); if not the KDC return a "Clock too skew" error.

        Problem
        ------------
          To obtain the current Timestamp, previously in the JDK 6, the 'KerberosTime' 'setNow()' method instanciates a 'new Date()' object . A JDK 7 bug fix (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6882687) introduces a major change in this class. The current timestamp is evaluated using the time elapsed since the JVM startup (use of System.nanoTime()).
        This implementation totally misses the fact that both client and server generally use a time server (NTP) to synchronize their clocks. Clock adjustement is not taking into account in the current implementation while the previous implementation does.

        REGRESSION. Last worked in version 6u26

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        1. Develop a small Java client application that queries a KDC to obtain TGT each minutes. (Both client and KDC are hosted on the same machine)
        2. Run the Java application.
        3. Set the system clock and add 15 minutes to the current time

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        The KDC continues to deliver client TGT using the new time
        ACTUAL -
        The KDC returns an error 'Clock skew too great'

        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        The Java application thrown an Exception javax.security.auth.login.LoginException: Clock skew too great (37) - PREAUTH_FAILED

        REPRODUCIBILITY :
        This bug can be reproduced always.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  weijun Weijun Wang
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:
                    Imported:
                    Indexed: