JDK-6682516 : SPNEGO_HTTP_AUTH/WWW_KRB and SPNEGO_HTTP_AUTH/WWW_SPNEGO failed on all non-windows platforms
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: solaris_1
  • CPU: generic
  • Submitted: 2008-04-01
  • Updated: 2012-05-24
  • Resolved: 2009-06-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 6 JDK 7
6u34Fixed 7 b62Fixed
Related Reports
Relates :  
Relates :  
Relates :  
Description
SPNEGO_HTTP_AUTH/WWW_KRB	execute_script
SPNEGO_HTTP_AUTH/WWW_SPNEGO	execute_script

These two tests failed with latest 7.0 nightly build , but pass with jdk 7 b24.
It looks like they are only failed on solaris/linux platforms.

Please see details at :

http://sqeweb.sfbay/net/sqenfs-1/export1/comp/jsn/keep_forbug/jsn_7.0_int-7.0_nightly_sec_lin_i586-2008-03-28-20-14-56-0246/dtftest.Linux.i386/WWW_KRB/WWW_KRB.eout

http://sqeweb.sfbay/net/sqenfs-1/export1/comp/jsn/keep_forbug/jsn_7.0_int-7.0_nightly_sec_lin_i586-2008-03-28-20-14-56-0246/dtftest.Linux.i386/WWW_SPNEGO/WWW_SPNEGO.eout

Comments
EVALUATION RFC4120 does not recommend canonicalizing a hostname. However, for compatibility reason, we canonicalizes it first. If canonicalized form is a longer format of the original hostname, it's accepted. Otherwise, the original hostname is used. For example: bunny -> bunny.rabbit.hole OK bunny -> 127.0.0.1 REJECT bunny -> wolf.rabbit.hole REJECT
20-05-2009

EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/4d607dc5cb22
20-05-2009

EVALUATION This is a regression after 6670362: HTTP/SPNEGO should work across realms. The new code creates principal name for a service using GSSManager.createName(name, NT_HOSTBASED_SERVICE). The method calls new PrincipalName(name, type), which then calls InetAddress.getCanonialHostName() to determine the FQDN of the host. Unfortunately, it fails to do so sometimes, especially with NIS configured machines inside Sun. Possible solutions: 1. Fix PrincipalName or change the way SPNEGO calls it, so that it's smarter in finding FQDNs. (or dumber, do not attempt to look for one at all, which means user must provide the correct FQDN. This is not as bad as it sounds since we request it before 6670362). 2. Ask the Networking Team to reconsider getCanonicalHostName().
03-04-2008