JDK-6716534 : Krb5LoginModule has not cleaned temp info between authentication attempts
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2008-06-19
  • Updated: 2015-03-17
  • Resolved: 2011-03-07
JDK 7
  • 7 b31: Fixed
Description
Krb5LoginModule's cleanState() does not clean all temp info. In the case of using tryFirstPass=true, this means that if the password given in the sharedState is not correct, the encryption keys generated from the wrong password will not be cleaned before the second try. On the other hand, the class simply uses the existence of the keys to determine whether they need to be generated again. Hence even if the correct password is provided in the second try, it will never be used and the authentication will always fail.
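The failure mode described above, as an added illustration that is not JDK code: a small model of a login module that caches the keys derived from the password, tries the sharedState password first, and either does or does not clear those cached keys before the retry with the prompted password. The KDC and the Kerberos string-to-key function are stand-ins (a SHA-256 digest compared in constant time against the key for the correct password), the sample passwords are constructed, and the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not JDK code: models the tryFirstPass retry path of a
// Kerberos login module and what happens when cached keys are not cleared.
public class StaleKeyRetryDemo {

    // Constructed test data: the password the simulated KDC accepts.
    static final String CORRECT_PASSWORD = "correct";
    static final byte[] KDC_KEY = deriveKey(CORRECT_PASSWORD.toCharArray());

    // Hypothetical stand-in for the Kerberos string-to-key function.
    static byte[] deriveKey(char[] password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return md.digest(new String(password).getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Hypothetical stand-in for the KDC: accept only keys derived from the correct password.
    static boolean kdcAccepts(byte[] encKeys) {
        return MessageDigest.isEqual(encKeys, KDC_KEY);
    }

    // Model of the login module's per-attempt state.
    static class ModelLoginModule {
        private final boolean clearKeysInCleanState;
        private char[] password;
        private byte[] encKeys; // keys derived from password, cached across the attempt

        ModelLoginModule(boolean clearKeysInCleanState) {
            this.clearKeysInCleanState = clearKeysInCleanState;
        }

        // tryFirstPass=true: use the sharedState password first; if the KDC rejects it,
        // clean up and retry with the password obtained from the callback handler.
        boolean login(Map<String, Object> sharedState, char[] promptedPassword) {
            password = (char[]) sharedState.get("javax.security.auth.login.password");
            if (attemptAuthentication()) {
                return true;
            }
            cleanState();
            password = promptedPassword;
            return attemptAuthentication();
        }

        private boolean attemptAuthentication() {
            // "encKeys already exist" is taken to mean "already derived for this password",
            // so whatever cleanState() leaves behind is reused on the retry.
            if (encKeys == null) {
                encKeys = deriveKey(password);
            }
            return kdcAccepts(encKeys);
        }

        private void cleanState() {
            password = null;
            if (clearKeysInCleanState && encKeys != null) {
                Arrays.fill(encKeys, (byte) 0); // zeroize key material derived from the rejected password
                encKeys = null;                  // force re-derivation on the next attempt
            }
            // When clearKeysInCleanState is false, encKeys survives: the bug in this report.
        }
    }

    static boolean run(boolean clearKeysInCleanState) {
        Map<String, Object> shared = new HashMap<String, Object>();
        shared.put("javax.security.auth.login.name", "user");
        shared.put("javax.security.auth.login.password", "false".toCharArray()); // wrong password
        return new ModelLoginModule(clearKeysInCleanState)
                .login(shared, CORRECT_PASSWORD.toCharArray());
    }

    public static void main(String[] args) {
        System.out.println("keys left in place after failed first try: login succeeds = " + run(false));
        System.out.println("keys cleared in cleanState():             login succeeds = " + run(true));
    }
}
```

With the keys left in place, the retry re-checks the keys derived from the wrong password and the correct password from the callback handler is never used, so run(false) returns false; with cleanState() zeroing and nulling the keys, the retry re-derives them from the prompted password and run(true) returns true. Zeroing the buffer as well as dropping the reference matters in the real module too: the stale keys are secret material derived from a password and should not linger on the heap between attempts.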

Comments
EVALUATION A test for this bug is added in 6706974. See http://hg.openjdk.java.net/jdk7/jsn-gate/jdk/rev/3f051f3ba5bb
17-10-2008

EVALUATION Fixed as http://hg.openjdk.java.net/jdk7/jsn-gate/jdk/rev/3a7345910333 No regression test since a KDC is needed. Will ask SQE to create a test including these lines:

    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginException;
    import com.sun.security.auth.module.Krb5LoginModule;

    // Needs a reachable KDC and a krb5 configuration for the realm of "user".
    public class TryFirstPassTest {
        public static void main(String[] args) throws LoginException {
            Krb5LoginModule krb5 = new Krb5LoginModule();
            final String name = "user";
            final String password = "correct";
            String badpassword = "false";

            // Module options: no ticket cache, prompting allowed, and
            // tryFirstPass so the sharedState password is tried first.
            Map<String,String> map = new HashMap<String,String>();
            map.put("useTicketCache", "false");
            map.put("doNotPrompt", "false");
            map.put("tryFirstPass", "true");

            // The shared state carries the wrong password; the callback
            // handler below supplies the correct one on the second attempt.
            Map<String,Object> shared = new HashMap<String,Object>();
            shared.put("javax.security.auth.login.name", name);
            shared.put("javax.security.auth.login.password", badpassword.toCharArray());

            krb5.initialize(new Subject(), new CallbackHandler() {
                public void handle(Callback[] callbacks) {
                    for (Callback callback : callbacks) {
                        if (callback instanceof NameCallback) {
                            ((NameCallback) callback).setName(name);
                        }
                        if (callback instanceof PasswordCallback) {
                            ((PasswordCallback) callback).setPassword(password.toCharArray());
                        }
                    }
                }
            }, shared, map);

            // With the bug, the second attempt reuses the keys derived from
            // badpassword and login() throws LoginException; with the fix it succeeds.
            krb5.login();
        }
    }
20-06-2008

EVALUATION Should clean all temp info before the second try.
19-06-2008