JDK-7144530 : KeyTab.getInstance(String) no longer handles keyTabNames with "file:" prefix
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: windows_7
  • CPU: x86
  • Submitted: 2012-02-10
  • Updated: 2012-09-06
  • Resolved: 2012-09-06
Fix versions:
  • JDK 7: 7u6 (Fixed)
  • JDK 8: 8 b28 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.7.0_02"
Java(TM) SE Runtime Environment (build 1.7.0_02-b13)
Java HotSpot(TM) 64-Bit Server VM (build 22.0-b10, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7600]

A DESCRIPTION OF THE PROBLEM :
Under JDK6, sun.security.krb5.internal.ktab.KeyTab.getInstance() used to remove prefixes like "file:" from the keyTabName.

Using JDK7 this is no longer the case. Passing a File URI like "file:/..." now results in an empty KeyTab. What happens is that a FileNotFoundException is thrown when reading from the FileInputStream in the constructor. The exception is caught in the constructor and the "isMissing" flag is set to true.

However, when the default_keytab_name property is resolved in getDefaultTabName(), prefixes like "file:" *are* removed (by calling the parse method).

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Construct a dummy keytab file using ktab.exe.
ktab.exe -a host/user@DOMAIN password -k dummy.keytab

2. Construct a KeyTab using a File URI.
KeyTab keyTab = KeyTab.getInstance("file:/C:/workspace/dummy.keytab");

3. Retrieve the entries from the KeyTab.
keyTab.getEntries()

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
keyTab.getEntries() should contain the entries of the keytab.
ACTUAL -
keyTab.getEntries() is always empty, i.e. keyTab.getEntries().length is always zero.

However, when used with the absolute path to the same file, i.e. KeyTab.getInstance("C:/workspace/dummy.keytab"), it will correctly read its entries.

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
import static org.junit.Assert.assertTrue;

import org.junit.Test;

import sun.security.krb5.internal.ktab.KeyTab;

public class KeyTabPrefixBug {

	private static final String PATH_TO_KEY_TAB = "C:/workspace/dummy.keytab";

	@Test
	public void withUriPrefix() throws Exception {
		KeyTab keyTab = KeyTab.getInstance("file:/" + PATH_TO_KEY_TAB);
		assertTrue(keyTab.getEntries().length > 0); // fails
	}

	@Test
	public void withoutUriPrefix() throws Exception {
		KeyTab keyTab = KeyTab.getInstance(PATH_TO_KEY_TAB);
		assertTrue(keyTab.getEntries().length > 0); // succeeds
	}
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Always use file paths (never URIs) when using the Kerberos API.

Comments
EVALUATION http://hg.openjdk.java.net/jdk8/tl/jdk/rev/0243e7c0b0fb
21-02-2012

EVALUATION Should fix. But users are not recommended to use sun-internal methods directly.
14-02-2012
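
Added example, not part of the original report or the JDK fix: one way to follow both the workaround and the evaluation's advice is to normalize the keytab name yourself and load it through the public javax.security.auth.kerberos.KeyTab API (available since Java 7), failing loudly instead of accepting a silently empty keytab. The class and method names (KeytabLoader, toFile, loadKeys) are hypothetical; the sample path and principal are the ones from the reproduction steps above.

```java
import java.io.File;
import java.io.FileNotFoundException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

public class KeytabLoader {

    /** Accepts a plain path, a file URI ("file:/C:/x.keytab") or a Kerberos-style "FILE:<path>". */
    static File toFile(String name) {
        if (!name.regionMatches(true, 0, "file:", 0, 5)) {
            return new File(name);                  // plain path, use as given
        }
        try {
            return new File(new URI(name));         // well-formed hierarchical file URI
        } catch (URISyntaxException | IllegalArgumentException e) {
            // Not a usable URI (backslashes, relative path): treat as "FILE:<path>"
            return new File(name.substring(5));
        }
    }

    /** Loads the keys for a principal, refusing a missing or empty keytab. */
    static KerberosKey[] loadKeys(String keytabName, String principal)
            throws FileNotFoundException {
        File file = toFile(keytabName);
        // Check up front: a missing file otherwise yields an empty key set, not an error.
        if (!file.isFile() || !file.canRead()) {
            throw new FileNotFoundException("keytab not readable: " + file);
        }
        KeyTab keyTab = KeyTab.getInstance(file);
        KerberosKey[] keys = keyTab.getKeys(new KerberosPrincipal(principal));
        if (keys.length == 0) {
            throw new IllegalStateException("no keys for " + principal + " in " + file);
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        // Sample values from the report's reproduction steps.
        KerberosKey[] keys = loadKeys("file:/C:/workspace/dummy.keytab", "host/user@DOMAIN");
        System.out.println(keys.length + " key(s) loaded");
    }
}
```

Because the existence check and the empty-result check both throw, a misconfigured keytab location surfaces at startup rather than as an unexplained authentication failure later.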