JDK-8004488 : wrong permissions checked in krb5
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7u79,7u80,7u85,8
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2012-12-05
  • Updated: 2017-01-31
  • Resolved: 2012-12-11
  • Fix Versions: 7u80 (Fixed), 8 b69 (Fixed)
In JAAS, PrivateCredentialPermissions are needed to read various kinds of private credentials. For krb5, they are normally for the KerberosTicket, KerberosKey and KeyTab classes. However, JDK 7 stores a special kind of sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab object, which is not covered by the normal permissions.
Rules for Aurora: RULE SASL/CyrusJavaSASLServerGSSAPI Exception java.security.AccessControlException: access denied ("javax.security.auth.PrivateCredentialPermission" "javax.security.auth.kerberos.KerberosTicket" "read")

verified in build Java(TM) SE Runtime Environment 1.8.0 b86 (1.8.0-ea-langtools-nightly-h4014-20130415-b86-b00)

The class was created for compatibility reasons, so that when the acceptor is using a keytab, its priv cred set contains both KerberosKey and KeyTab objects, and this KerberosKey is a special subclass that will be automatically refreshed when keys in keytabs are re-read. This turns out to be quite useless. The current javadoc on KeyTab and KerberosKey clearly specifies that KerberosKey is used when the credentials are derived from a password.
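Added example (not part of the bug report or the JDK sources): PrivateCredentialPermission.implies() matches the credential class by exact name or "*", so grants written for the three public krb5 classes do not cover a credential whose class name is Krb5Util$KeysFromKeyTab. The grant set, the "any KerberosPrincipal" principal part and the helper names below are constructed for illustration.

```java
import javax.security.auth.PrivateCredentialPermission;

public class PrivCredNameMatch {
    // Principal part used in every permission here (assumption): any KerberosPrincipal.
    static final String ANY_KRB_PRINCIPAL =
        " javax.security.auth.kerberos.KerberosPrincipal \"*\"";

    // Builds a "read" permission. Name format: CredentialClass PrincipalClass "PrincipalName".
    // The class name is only parsed as a string; the class itself is never loaded.
    static PrivateCredentialPermission read(String credentialClass) {
        return new PrivateCredentialPermission(
            credentialClass + ANY_KRB_PRINCIPAL, "read");
    }

    // True if any grant implies read access to a credential of the given class name.
    static boolean covered(PrivateCredentialPermission[] grants, String credentialClass) {
        PrivateCredentialPermission needed = read(credentialClass);
        for (PrivateCredentialPermission g : grants) {
            if (g.implies(needed)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed grant set: the three krb5 credential classes named in the report.
        PrivateCredentialPermission[] grants = {
            read("javax.security.auth.kerberos.KerberosTicket"),
            read("javax.security.auth.kerberos.KerberosKey"),
            read("javax.security.auth.kerberos.KeyTab"),
        };
        // Credential class names to check against those grants.
        String[] stored = {
            "javax.security.auth.kerberos.KerberosKey",
            "javax.security.auth.kerberos.KeyTab",
            "sun.security.jgss.krb5.Krb5Util$KeysFromKeyTab",
        };
        for (String c : stored) {
            System.out.printf("%-50s covered=%b%n", c, covered(grants, c));
        }
    }
}
```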