Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8230095

Private Credential inaccessible for Kerberos with the Security Manager enabled

    Details

      Description

      ADDITIONAL SYSTEM INFORMATION :
      Tested with Java 12 on OSX 10.14.6 Mojave

      With the security manager disabled, or enabled with permission java.security.AllPermission, the KerberosTicket is being retrieved. The error occurs when one attempts to reduce the permissions to the minimal set required.

      A DESCRIPTION OF THE PROBLEM :
      A detailed report of the issue is provided at https://stackoverflow.com/questions/57540932/jaas-kerberos-authentication-keeps-failing-with-the-security-manager-enabled-de

      Despite the proper permission javax.security.auth.PrivateCredentialPermission granted in the policy file, the access to javax.security.auth.kerberos.KerberosTicket is denied.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Steps for reproducing the issue are provided at the link given above.

      In login.conf:

      Krb5LoginContext {
        com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
      };

      In security.policy:

      grant {
          // more policies
          permission javax.security.auth.PrivateCredentialPermission "javax.security.auth.kerberos.KerberosTicket javax.security.auth.kerberos.Principal \"*\"", "read";
      }

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      access: access allowed ("javax.security.auth.AuthPermission" "modifyPrincipals")
      access: access allowed ("javax.security.auth.AuthPermission" "modifyPrivateCredentials")
      access: access allowed ("javax.security.auth.PrivateCredentialPermission" "javax.security.auth.kerberos.KerberosTicket" "read")

      ACTUAL -
      access: access allowed ("javax.security.auth.AuthPermission" "modifyPrincipals")
      access: access allowed ("javax.security.auth.AuthPermission" "modifyPrivateCredentials")
      access: access denied ("javax.security.auth.PrivateCredentialPermission" "javax.security.auth.kerberos.KerberosTicket" "read")


      ---------- BEGIN SOURCE ----------
      See link given above
      ---------- END SOURCE ----------

        Attachments

          Activity

            People

            • Assignee:
              weijun Weijun Wang
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: