JDK-8044214 : Kerberos Constrained delegation
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_2008
  • CPU: x86
  • Submitted: 2014-05-09
  • Updated: 2014-10-14
  • Resolved: 2014-10-14
Version table:
  • JDK 7: 7-pool (Resolved)
  • JDK 8: 8-pool (Resolved)
  • JDK 9: 9 (Resolved)
Description
FULL PRODUCT VERSION :
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

A DESCRIPTION OF THE PROBLEM :
In a Kerberos constrained delegation situation (client -> server -> b):

if the client didn't call requestCredDeleg(true),

when the server calls getDelegCred() it will return a wrapped Krb5ProxyCredential,

and when the server then calls requestCredDeleg(true),

initSecContext will throw the following exception:
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
  at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
  at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
  ... 408 more
Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
  at sun.security.krb5.KrbCred.<init>(Unknown Source)
  at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
  at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
  ... 412 more

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
see attached source


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
expect it to work
ACTUAL -
an exception was raised from the client side.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Generic error (description in e-text) (60) - Client principal does not match)
  at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
  at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
  at sun.security.jgss.spnego.SpNegoContext.GSS_initSecContext(Unknown Source)
  ... 408 more
Caused by: KrbException: Generic error (description in e-text) (60) - Client principal does not match
  at sun.security.krb5.KrbCred.<init>(Unknown Source)
  at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(Unknown Source)
  at sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
  ... 412 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
// the structure of this test uses a lot of the names and methods from the Krb5 tests in openjdk: test/sun/security/krb5/auto/S4U2proxy.java
// it uses the Context class from there as well.
// c = client, s = middle-tier server, b = backend (Context instances set up as in S4U2proxy.java)

@Test
public void testCredDelegeNY() throws Exception {
    try {
        // hop 1: client -> server; the client does NOT request credential delegation
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_SPNEGO_MECH_OID);
        s.startAsServer(null, new Oid[] {GSSUtil.GSS_SPNEGO_MECH_OID, GSSUtil.GSS_KRB5_MECH_OID}, false);

        Context.handshake(c, s);

        // the server's delegated credential is a Krb5ProxyCredential (S4U2proxy), not a forwarded TGT
        Context p = s.delegated();
        p.startAsClient(OneKDC.BACKEND, GSSUtil.GSS_SPNEGO_MECH_OID);
        b.startAsServer(null, new Oid[] {GSSUtil.GSS_SPNEGO_MECH_OID}, false);

        // hop 2: requesting delegation on the proxy credential is what triggers
        // "Client principal does not match" in KrbCred.<init>
        p.getCredential().requestCredDeleg(true);
        System.out.println("--- handshake p -> b");
        Context.handshake(p, b);
    } catch (Exception e) {
        e.printStackTrace();
        throw e;
    }
}
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
don't call requestCredDeleg(true);
but because the server cannot tell that from the GSSContext if it should, it needs to be done for all requests.
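The middle-tier side of the client -> server -> b flow, written as an added Java example (not the report's attached source and not the JDK test code): the server accepts the client's token, takes the delegated credential from the accepted context, and initiates to the backend without calling requestCredDeleg(true), which is the first workaround above. The SPNEGO OID, the GSSManager wiring, the single-round handshake and the backend SPN string are assumptions of this example.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Middle tier ("server") in the client -> server -> b constrained delegation hop. */
public final class ConstrainedDelegationMiddleTier {
    // SPNEGO mechanism OID (assumption: the same mechanism the report negotiates)
    private static final Oid SPNEGO = new Oid("1.3.6.1.5.5.2");

    // Hop 1: accept the client's token with the server's acceptor credential and
    // hand back whatever delegated credential the context yields. When the client
    // did not forward its TGT this is the S4U2proxy-backed Krb5ProxyCredential.
    static GSSCredential acceptClient(GSSManager mgr, GSSCredential serverCred,
                                      byte[] clientToken) throws GSSException {
        GSSContext s = mgr.createContext(serverCred);
        byte[] reply = s.acceptSecContext(clientToken, 0, clientToken.length);
        if (!s.isEstablished()) {
            // assumption: one round trip; a multi-round SPNEGO exchange is not handled here
            throw new GSSException(GSSException.FAILURE);
        }
        // assumption: 'reply' is returned to the client by the transport (omitted)
        return s.getDelegCred();   // null if no delegation is available for this client
    }

    // Hop 2: initiate to the backend on the client's behalf using the delegated
    // credential. Per the workaround, requestCredDeleg(true) is deliberately NOT
    // called: with a proxy credential KrbCred.<init> throws
    // "Client principal does not match".
    static byte[] initToBackend(GSSManager mgr, GSSCredential delegCred,
                                String backendSpn) throws GSSException {
        GSSName backend = mgr.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext p = mgr.createContext(backend, SPNEGO, delegCred,
                                         GSSContext.DEFAULT_LIFETIME);
        p.requestMutualAuth(true);
        p.requestIntegrity(true);
        // p.requestCredDeleg(true);  // the call that triggers the failure in this report
        return p.initSecContext(new byte[0], 0, 0);   // first token for the backend
    }
}
```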

Alternatively, patch KrbCred and comment out the following lines in the constructor:
/*
        if (!serviceTicket.getClient().equals(client))
            throw new KrbException(Krb5.KRB_ERR_GENERIC,
                                "Client principal does not match");
*/


Comments
Seems to be related to JDK-8044215.
10-06-2014