JDK-8160518 : Semicolon is not recognized as comment starting character (Kerberos)
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • OS: linux
  • CPU: generic
  • Submitted: 2016-06-27
  • Updated: 2016-10-13
  • Resolved: 2016-07-08
Fixed versions:
  • JDK 6: 6u131
  • JDK 7: 7u121
  • JDK 8: 8u112
  • JDK 9: 9 b127
Description
FULL PRODUCT VERSION :
java version "1.8.0_66"
Java(TM) SE Runtime Environment (build 1.8.0_66-b17)
Java HotSpot(TM) 64-Bit Server VM (build 25.66-b17, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux <host> 2.6.32-573.8.1.el6.x86_64 #1 SMP Wed Nov 11 15:27:45 CET 2015 x86_64 x86_64 x86_64 GNU/Linux

A DESCRIPTION OF THE PROBLEM :
Whenever the krb5.conf file has a comment starting with semicolon not in the beginning of file, for example:
[libdefaults]
 default_realm = EXAMPLE.COM
 ...
; comment
[realms]
 EXAMPLE.ORG = {
  ...
 }

When parsing the configuration, Java is throwing an exception:
KrbException: Illegal config content:; comment
	at sun.security.krb5.Config.parseStanzaTable(Config.java:609)
	at sun.security.krb5.Config.<init>(Config.java:177)
	at sun.security.krb5.Config.getInstance(Config.java:98)
	... 9 more

While checking the source code of Kerberos (the latest version), you can see that semicolon is a valid comment starting character. Check the prof_parse.c file in the src/util/profile directory.

Other sources suggest that semicolon should be accepted as comment starting character:
https://groups.google.com/forum/#!topic/comp.protocols.kerberos/i_Cl2d7TLGU


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The krb5.conf file with semicolons should be parsed successfully.
ACTUAL -
Exception is being thrown:
KrbException: Illegal config content:; comment
	at sun.security.krb5.Config.parseStanzaTable(Config.java:609)
	at sun.security.krb5.Config.<init>(Config.java:177)
	at sun.security.krb5.Config.getInstance(Config.java:98)
	... 9 more

ERROR MESSAGES/STACK TRACES THAT OCCUR :
KrbException: Illegal config content:; comment
	at sun.security.krb5.Config.parseStanzaTable(Config.java:609)
	at sun.security.krb5.Config.<init>(Config.java:177)
	at sun.security.krb5.Config.getInstance(Config.java:98)
	... 9 more

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
Taken from Hadoop source code:


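    import java.lang.reflect.Method;

    public class DefaultRealmLookup {
      // Assumed definition: true when running on an IBM JDK.
      private static final boolean IBM_JAVA =
          System.getProperty("java.vendor").contains("IBM");

      // Loads the JDK's internal Kerberos Config class by reflection and
      // returns the default realm; getInstance() is where krb5.conf is parsed.
      public static String getDefaultRealm() throws Exception {
        Object kerbConf;
        Class<?> classRef;
        Method getInstanceMethod;
        Method getDefaultRealmMethod;
        if (IBM_JAVA) {
          classRef = Class.forName("com.ibm.security.krb5.internal.Config");
        } else {
          classRef = Class.forName("sun.security.krb5.Config");
        }
        getInstanceMethod = classRef.getMethod("getInstance", new Class[0]);
        kerbConf = getInstanceMethod.invoke(classRef, new Object[0]);
        getDefaultRealmMethod = classRef.getDeclaredMethod("getDefaultRealm",
             new Class[0]);
        return (String) getDefaultRealmMethod.invoke(kerbConf, new Object[0]);
      }
    }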
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Removing the comment starting with semicolon or replacing semicolon by #.
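
The workaround above can be checked and applied mechanically on hosts that still run a JDK older than the fixed versions. The following is an added example, not part of the original report or of the JDK: it lists the semicolon comment lines in a krb5.conf and rewrites them to start with #. The function names and the sample file are constructed for illustration, and it assumes a comment is any line whose first non-blank character is a semicolon.

```python
import re

# Constructed sample mirroring the layout in the report; values are illustrative.
SAMPLE = (
    "[libdefaults]\n"
    " default_realm = EXAMPLE.COM\n"
    "; comment\n"
    "[realms]\n"
    " EXAMPLE.ORG = {\n"
    "  kdc = kdc.example.org\n"
    "  ; indented comment\n"
    " }\n"
    "# hash comment; with a semicolon inside\n"
)

SECTION = re.compile(r"^\s*\[([^\]]+)\]")


def semicolon_comments(text):
    """Return (line_no, section, line) for each line whose first non-blank
    character is ';'. Assumption: only that position starts a comment."""
    findings, section = [], None
    for no, line in enumerate(text.splitlines(), 1):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif line.lstrip().startswith(";"):
            findings.append((no, section, line))
    return findings


def apply_workaround(text):
    """Replace the leading ';' with '#', keeping indentation, line endings
    and every other character unchanged."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.lstrip()
        if body.startswith(";"):
            line = line[: len(line) - len(body)] + "#" + body[1:]
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for no, section, line in semicolon_comments(SAMPLE):
        print(f"line {no} in [{section}]: {line.strip()}")
    print(apply_workaround(SAMPLE), end="")
```
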


Comments
This is also consistent with MIT krb5: https://github.com/krb5/krb5/blob/0744026f06e8cbf477aa49cfe16b5fd28a9ddc9e/src/util/profile/prof_parse.c#L86
08-07-2016

Executed the attached test case in linux environment on:
JDK 8u92 - Fail
JDK 9ea - because of the new module system, getting IllegalAccessException - so not sure if it fails or passes.

Output on JDK8u92:
----------------------------
Exception in thread "main" java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at JI9040891.main(JI9040891.java:16)
Caused by: KrbException: Illegal config content:;comment
	at sun.security.krb5.Config.parseStanzaTable(Config.java:634)
	at sun.security.krb5.Config.<init>(Config.java:197)
	at sun.security.krb5.Config.getInstance(Config.java:98)
	... 5 more

Output on JDK 9
-----------------------
Exception in thread "main" java.lang.IllegalAccessException: class JI9040891 can not access class sun.security.krb5.Config (in module java.security.jgss) because module java.security.jgss does not export sun.security.krb5 to unnamed module @47f37ef1
	at jdk.internal.reflect.Reflection.throwIllegalAccessException(java.base@9-ea/Reflection.java:405)
	at jdk.internal.reflect.Reflection.throwIllegalAccessException(java.base@9-ea/Reflection.java:396)
	at jdk.internal.reflect.Reflection.ensureMemberAccess(java.base@9-ea/Reflection.java:98)
	at java.lang.reflect.AccessibleObject.slowCheckMemberAccess(java.base@9-ea/AccessibleObject.java:355)
	at java.lang.reflect.AccessibleObject.checkAccess(java.base@9-ea/AccessibleObject.java:347)
	at java.lang.reflect.Method.invoke(java.base@9-ea/Method.java:527)
	at JI9040891.main(JI9040891.java:16)
29-06-2016