  1. JDK
  2. JDK-8029994

Support "include" and "includedir" in krb5.conf

    Details

    • Resolved In Build:
      b22
    • OS:
      linux
    • Verification:
      Verified

        Description

        FULL PRODUCT VERSION :
        java version "1.8.0-ea"
        Java(TM) SE Runtime Environment (build 1.8.0-ea-b119)
        Java HotSpot(TM) 64-Bit Server VM (build 25.0-b61, mixed mode)


        ADDITIONAL OS VERSION INFORMATION :
        Linux XXX.deshaw.com 2.6.32-358.18.1.el6.4.deshaw.x86_64 #1 SMP Fri Oct 11 16:57:25 BST 2013 x86_64 x86_64 x86_64 GNU/Linux


        A DESCRIPTION OF THE PROBLEM :
        The changes in http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/33e29fbc3e5b cause the sun.security.krb5.Config class to fail to parse an /etc/krb5.conf file containing an "includedir" directive, because that directive will appear at the start of the file, before the first "section". This will result in an exception being thrown and the Kerberos operation failing.

        REGRESSION. Last worked in version 7u40

        ADDITIONAL REGRESSION INFORMATION:
        java version "1.7.0_40"
        Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
        Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode)


        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Take an auth config file that looks like this, which we'll call jaas.config:

        -----------------
        KrbLogin {
            com.sun.security.auth.module.Krb5LoginModule sufficient
                useTicketCache="true";
        };

        com.sun.security.jgss.krb5.initiate
        {
                com.sun.security.auth.module.Krb5LoginModule required
                doNotPrompt=true
                useTicketCache=true
                debug=false;
        };
        -----------------

        Then use an /etc/krb5.conf file that contains an "includedir" directive at the top, as specified by http://web.mit.edu/~kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html. Run the KerberosBug class provided elsewhere in this request with those two files, using a command like the following:

        java -Djava.security.auth.login.config=jaas.config -Djava.security.krb5.conf=krb5.conf KerberosBug


        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        I expect the program to run without printing anything. If you run with jdk7, this is what you'll see.
        ACTUAL -
        In jdk8, you see the following:

             [java] Exception in thread "main" javax.security.auth.login.LoginException: KrbException: Config file must starts with a section
             [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
             [java] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
             [java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             [java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
             [java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             [java] at java.lang.reflect.Method.invoke(Method.java:483)
             [java] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:777)
             [java] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
             [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
             [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
             [java] at java.security.AccessController.doPrivileged(Native Method)
             [java] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:688)
             [java] at javax.security.auth.login.LoginContext.login(LoginContext.java:586)
             [java] at KerberosBug.main(KerberosBug.java:26)
             [java] Caused by: KrbException: KrbException: Config file must starts with a section
             [java] at sun.security.krb5.Realm.getDefault(Realm.java:62)
             [java] at sun.security.krb5.PrincipalName.<init>(PrincipalName.java:451)
             [java] at sun.security.krb5.PrincipalName.<init>(PrincipalName.java:460)
             [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:706)
             [java] ... 13 more
             [java] Caused by: KrbException: Config file must starts with a section
             [java] at sun.security.krb5.Config.loadConfigFile(Config.java:553)
             [java] at sun.security.krb5.Config.<init>(Config.java:176)
             [java] at sun.security.krb5.Config.getInstance(Config.java:98)
             [java] at sun.security.krb5.Realm.getDefault(Realm.java:58)
             [java] ... 16 more
             [java] Java Result: 1

        As a result of this error, the Kerberos operation fails.


        ERROR MESSAGES/STACK TRACES THAT OCCUR :
        You see the following exception:

             [java] Exception in thread "main" javax.security.auth.login.LoginException: KrbException: Config file must starts with a section
             [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
             [java] at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
             [java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
             [java] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
             [java] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
             [java] at java.lang.reflect.Method.invoke(Method.java:483)
             [java] at javax.security.auth.login.LoginContext.invoke(LoginContext.java:777)
             [java] at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
             [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
             [java] at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
             [java] at java.security.AccessController.doPrivileged(Native Method)
             [java] at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:688)
             [java] at javax.security.auth.login.LoginContext.login(LoginContext.java:586)
             [java] at KerberosBug.main(KerberosBug.java:26)
             [java] Caused by: KrbException: KrbException: Config file must starts with a section
             [java] at sun.security.krb5.Realm.getDefault(Realm.java:62)
             [java] at sun.security.krb5.PrincipalName.<init>(PrincipalName.java:451)
             [java] at sun.security.krb5.PrincipalName.<init>(PrincipalName.java:460)
             [java] at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:706)
             [java] ... 13 more
             [java] Caused by: KrbException: Config file must starts with a section
             [java] at sun.security.krb5.Config.loadConfigFile(Config.java:553)
             [java] at sun.security.krb5.Config.<init>(Config.java:176)
             [java] at sun.security.krb5.Config.getInstance(Config.java:98)
             [java] at sun.security.krb5.Realm.getDefault(Realm.java:58)
             [java] ... 16 more
             [java] Java Result: 1


        REPRODUCIBILITY :
        This bug can be reproduced always.

        ---------- BEGIN SOURCE ----------
        import javax.security.auth.callback.Callback;
        import javax.security.auth.callback.CallbackHandler;
        import javax.security.auth.login.LoginContext;

        public class KerberosBug
        {
            private static class CBHandler implements CallbackHandler
            {
                @Override
                public void handle(Callback[] callbacks)
                {
                    // No need to do anything
                }
            }

            /**
             * Test method which will throw an exception
             * if there's a problem.
             */
            public static void main(String[] args) throws Exception
            {
                LoginContext loginContext = new LoginContext(
                    "KrbLogin",
                    new CBHandler()
                );
                loginContext.login();
            }
        }

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        The only workaround is to manually remove the includedir directive from the krb5.conf file before starting the JVM.
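
        An automated form of that workaround, as an added example (not part of the bug report or of the JDK): it expands "include" and "includedir" directives into one flat file that can be passed with -Djava.security.krb5.conf. The class name Krb5Flatten, the nesting limit of 8 and the sample file contents are assumptions; the includedir file-name filter follows the MIT krb5.conf documentation linked in the report.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
import java.util.stream.*;

/** Added example: expands krb5.conf include/includedir directives into one flat file. */
public class Krb5Flatten {
    // includedir file-name rule from the MIT krb5.conf documentation (assumed to apply here).
    private static final String NAME_OK = "[A-Za-z0-9_-]+|[^.].*\\.conf";

    static List<String> flatten(Path file, int depth) throws IOException {
        if (depth > 8) throw new IOException("include nesting too deep at " + file);
        List<String> out = new ArrayList<>();
        for (String line : Files.readAllLines(file)) {
            String[] parts = line.trim().split("\\s+", 2);
            boolean dir = parts[0].equals("includedir");
            if (!dir && !parts[0].equals("include")) { out.add(line); continue; }
            if (parts.length < 2) throw new IOException("missing path: " + line);
            Path target = Paths.get(parts[1].trim());
            if (!target.isAbsolute()) throw new IOException("path must be absolute: " + line);
            List<Path> files;
            if (dir) {
                try (Stream<Path> s = Files.list(target)) {
                    files = s.filter(Files::isRegularFile)
                             .filter(p -> p.getFileName().toString().matches(NAME_OK))
                             .sorted().collect(Collectors.toList());
                }
            } else {
                files = Collections.singletonList(target);
            }
            for (Path p : files) out.addAll(flatten(p, depth + 1)); // included files may include others
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a drop-in directory and a main file that starts with includedir.
        Path root = Files.createTempDirectory("krb5demo");
        Path dropIn = Files.createDirectory(root.resolve("krb5.conf.d"));
        Files.write(dropIn.resolve("realm"), Arrays.asList("[realms]", "EXAMPLE.COM = {", " kdc = kdc.example.com", "}"));
        Files.write(dropIn.resolve("notes.bak"), Arrays.asList("skipped: name fails the includedir rule"));
        Path conf = root.resolve("krb5.conf");
        Files.write(conf, Arrays.asList("includedir " + dropIn, "[libdefaults]", " default_realm = EXAMPLE.COM"));
        Path flat = root.resolve("krb5.flat.conf");
        Files.write(flat, flatten(conf, 0));
        Files.readAllLines(flat).forEach(System.out::println);
        System.out.println("# java -Djava.security.krb5.conf=" + flat + " ...");
    }
}
```

        The flattened file begins with a section header, so the parser check that raises "Config file must starts with a section" is not triggered. The expansion assumes the directives sit before the first section, as in this report; a directive placed inside a section would shift later lines into the included file's last section.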

                People

                • Assignee:
                  weijun Weijun Wang
                  Reporter:
                  webbuggrp Webbug Group