JDK-7077172 : KerberosTime does not take into account system clock adjustment
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: x86
  • Submitted: 2011-08-10
  • Updated: 2012-09-11
  • Resolved: 2012-09-11
Fixed versions:
  • JDK 7: 7u4 (Fixed)
  • JDK 8: 8 b15 (Fixed)
Description
FULL PRODUCT VERSION :
7

A DESCRIPTION OF THE PROBLEM :
Context
-----------
In the Kerberos protocol, the current client timestamp is encapsulated in the Kerberos query sent to the KDC to obtain a TGT. The timestamp in the query must be accurate (the KDC timestamp accepts a 5-minute deviation in most cases); if not, the KDC returns a "Clock too skew" error.

Problem
------------
To obtain the current timestamp, previously in JDK 6, the 'KerberosTime' 'setNow()' method instantiates a 'new Date()' object. A JDK 7 bug fix (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6882687) introduces a major change in this class. The current timestamp is evaluated using the time elapsed since the JVM startup (use of System.nanoTime()).
This implementation totally misses the fact that both client and server generally use a time server (NTP) to synchronize their clocks. Clock adjustment is not taken into account in the current implementation while the previous implementation does.

REGRESSION.  Last worked in version 6u26

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Develop a small Java client application that queries a KDC to obtain a TGT every minute. (Both client and KDC are hosted on the same machine.)
2. Run the Java application.
3. Set the system clock and add 15 minutes to the current time

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The KDC continues to deliver client TGT using the new time
ACTUAL -
The KDC returns an error 'Clock skew too great'

ERROR MESSAGES/STACK TRACES THAT OCCUR :
The Java application throws an Exception javax.security.auth.login.LoginException: Clock skew too great (37) - PREAUTH_FAILED

REPRODUCIBILITY :
This bug can be reproduced always.

Comments
EVALUATION In order to verify the fix, you need to manually adjust the system clock during the execution of a program. This seems quite impossible in an automatic test. Noreg-hard added.
09-05-2012

EVALUATION Add a time check: if the calculated time and the clock time have a difference of more than 100ms, adjust to the clock time.
18-11-2011

EVALUATION http://hg.openjdk.java.net/jdk8/tl/jdk/rev/5bfff9616b86
18-11-2011
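
The drift check described in the 18-11-2011 evaluation, shown next to the uncorrected calculation from the description, as an added example that is not the JDK's KerberosTime code. The class name DriftCheckedClock, its method names and the injected clock suppliers are assumptions made here so that a clock step can be simulated without touching the system clock.

```java
import java.util.function.LongSupplier;

// Added illustration, not the JDK's KerberosTime source. All names are hypothetical.
public class DriftCheckedClock {
    private static final long MAX_DRIFT_MS = 100;   // threshold from the evaluation comment
    private final LongSupplier wallMillis;          // e.g. System::currentTimeMillis
    private final LongSupplier monoNanos;           // e.g. System::nanoTime
    private long baseMillis;                        // wall-clock time at last sync
    private long baseNanos;                         // monotonic reading at last sync

    public DriftCheckedClock(LongSupplier wallMillis, LongSupplier monoNanos) {
        this.wallMillis = wallMillis;
        this.monoNanos = monoNanos;
        resync();
    }

    private void resync() {
        baseMillis = wallMillis.getAsLong();
        baseNanos = monoNanos.getAsLong();
    }

    // Behaviour reported in the bug: base time plus elapsed monotonic time only.
    public synchronized long nowUncorrected() {
        return baseMillis + (monoNanos.getAsLong() - baseNanos) / 1_000_000L;
    }

    // Behaviour described in the evaluation: use the wall clock when drift exceeds 100 ms.
    public synchronized long now() {
        long calculated = nowUncorrected();
        long wall = wallMillis.getAsLong();
        if (Math.abs(wall - calculated) > MAX_DRIFT_MS) {
            resync();                               // re-base on the adjusted system clock
            return wall;
        }
        return calculated;
    }

    public static void main(String[] args) {
        long[] wall = {1_313_000_000_000L};         // constructed sample wall-clock value (ms)
        long[] mono = {0L};                         // constructed monotonic counter (ns)
        DriftCheckedClock c = new DriftCheckedClock(() -> wall[0], () -> mono[0]);

        mono[0] += 60_000_000_000L;                 // 60 s pass on both clocks
        wall[0] += 60_000L;
        wall[0] += 15 * 60_000L;                    // system clock set forward 15 minutes

        System.out.println("skew without check (ms): " + (wall[0] - c.nowUncorrected()));
        System.out.println("skew with check (ms):    " + (wall[0] - c.now()));
    }
}
```

Injecting the two clock sources also gives a way to exercise the clock-step case deterministically in a unit test of a class shaped like this one.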