JDK-8049520

FileCredentialsCache loads cache once and is never refreshed

    Details

    • Type: Enhancement
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 7u51, 8
    • Fix Version/s: 18
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Resolved In Build:
      b20
    • CPU:
      x86
    • OS:
      windows_7

      Description

      When using JAAS to perform Krb5 LoginModule authentication, the
      sun.security.krb5.internal.ccache.FileCredentialsCache loads the credentials
      from the file system when accessed.

      If this file is subsequently deleted or renewed, the FileCredentialsCache
      continues to return the first value, necessitating a restart of the Java
      process in order to gain the correct credentials.

      This is especially a problem when the cache contains stale data (i.e.
      the expiry/renew time has passed).

      The path is:

      Krb5LoginModule
       -> Credentials.acquireTGTFromCache()
       -> Credentials.acquireDefaultCreds()
       -> Credentials.cache
       -> CredentialsCache
       -> FileCredentialsCache.getDefaultCreds()
       -> FileCredentialsCache.getCredsList()
       -> returns static credentialsList if it is not empty.

      The problem is that sun.security.krb5.Credentials acquires the cache on demand,
      and then caches it in a static variable. This means that a single instance of
      FileCredentialsCache is stored, bearing a snapshot of the file at that point.
      Therefore, if the original ticket has expired and is then subsequently renewed
      (maybe by kinit outside of the Java program), the Java program will continue to use
      the expired ticket.
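
The pattern described above, reduced to a stand-alone sketch that is an added example and not code from the JDK or from this issue's fix. All class names are hypothetical, the "ticket" is a constructed text line rather than a real ccache, and `RefreshingCache` is one possible alternative, assumed here for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;

// Hypothetical names; models the caching pattern only. It does not parse a
// real ccache file or call any sun.security.krb5 class.
public class CcacheSnapshotDemo {
    // Reported pattern: the first successful read is kept in a static field.
    static class StaticSnapshot {
        private static String cached;
        static synchronized String get(Path p) throws IOException {
            if (cached == null) cached = Files.readString(p);
            return cached;
        }
    }

    // Alternative: re-read when mtime or size changes, and drop the snapshot
    // when the file has been deleted instead of serving the old contents.
    static class RefreshingCache {
        private FileTime seenMtime;
        private long seenSize = -1;
        private String cached;
        synchronized String get(Path p) throws IOException {
            try {
                FileTime m = Files.getLastModifiedTime(p);
                long s = Files.size(p);
                if (!m.equals(seenMtime) || s != seenSize) {
                    cached = Files.readString(p);
                    seenMtime = m;
                    seenSize = s;
                }
            } catch (NoSuchFileException e) {
                cached = null; seenMtime = null; seenSize = -1;
            }
            return cached;
        }
    }

    public static void main(String[] args) throws IOException {
        Path cc = Files.createTempFile("krb5cc_demo", null);
        RefreshingCache fresh = new RefreshingCache();
        Files.writeString(cc, "TGT endtime=2014-07-01T10:00Z");       // constructed sample
        System.out.println(StaticSnapshot.get(cc) + " | " + fresh.get(cc));
        Files.writeString(cc, "TGT endtime=2014-07-02T10:00:00Z");    // stands in for an external kinit
        System.out.println(StaticSnapshot.get(cc) + " | " + fresh.get(cc));
        Files.delete(cc);                                             // cache file removed
        System.out.println(StaticSnapshot.get(cc) + " | " + fresh.get(cc));
    }
}
```

A modification-time and size check can miss a same-size rewrite that lands within the file system's timestamp granularity; re-reading the file on every access avoids that at the cost of extra I/O.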

              People

              Assignee:
              weijun Weijun Wang
              Reporter:
              thlenz Thomas Lenz (Inactive)