JDK-8012615 : Realm.getRealmsList returns realms list in wrong
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 6u37,7,7u21,8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-04-18
  • Updated: 2017-05-17
  • Resolved: 2013-09-18
JDK 7: 7u60 (Fixed)
JDK 8: 8 b110 (Fixed)
Description
FULL PRODUCT VERSION :
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

I also tried 1.60_37.

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Active Directory forest that I am trying to authenticate against using Kerberos

A DESCRIPTION OF THE PROBLEM :
I found this bug in the bug_db.
http://bugs.sun.com/view_bug.do?bug_id=7019384

The capaths section in the krb.conf file is still parsed incorrectly.
This is my capaths section:

[capaths]
QA.DOM = {
D100.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
QA100.QA.DOM = .
G1.D100.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
G1.D100.D1.W2K8.CORP.ME = D100.D1.W2K8.CORP.ME
D1.W2K8.CORP.ME = .
D201.D200.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
D201.D200.D1.W2K8.CORP.ME = D200.D1.W2K8.CORP.ME
D200.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
}

output in 1_6_37: (The order is incorrect.)
>>> Realm parseCapaths [0]=QA.DOM
>>> Realm parseCapaths [1]=D100.D1.W2K8.CORP.ME
>>> Realm parseCapaths [2]=D1.W2K8.CORP.ME

output in (build 1.7.0_21-b11): (intermediate realm is missing).
>>> Realm parseCapaths [0]=QA.DOM
>>> Realm parseCapaths [1]=D1.W2K8.CORP.ME





STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
parse the following capaths:
[capaths]
QA.DOM = {
D100.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
QA100.QA.DOM = .
G1.D100.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
G1.D100.D1.W2K8.CORP.ME = D100.D1.W2K8.CORP.ME
D1.W2K8.CORP.ME = .
D201.D200.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
D201.D200.D1.W2K8.CORP.ME = D200.D1.W2K8.CORP.ME
D200.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
}


EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
>>> Realm parseCapaths [0]=QA.DOM
>>> Realm parseCapaths [2]=D1.W2K8.CORP.ME
>>> Realm parseCapaths [1]=D100.D1.W2K8.CORP.ME
ACTUAL -
>>> Realm parseCapaths [0]=QA.DOM
>>> Realm parseCapaths [1]=D1.W2K8.CORP.ME

REPRODUCIBILITY :
This bug can be reproduced always.
Comments
The regression test has covered this issue; it passed in Aurora, see result: http://aurora.ru.oracle.com/functional/faces/RunDetails.xhtml?names=303128.CORELIBS-JDK8-NIGHTLY-JTREG-13
12-10-2013

Release note entry suggested: Java Kerberos now supports multiple intermediate realms defined in the [capaths] section of krb5.conf. It does not support alternative intermediate realms anymore.
18-09-2013

There is a bug parsing [capaths] in Java when a sub-key has multiple values (either on the same line or on multiple lines).

"A = B C" inside "R" is regarded as:

  In order for a client in R to go to A, he should either reach B or C, and then he can go to A. This means both B and C have shared keys with A.

Therefore, if the path is R1->R2->R3->R4, we should have

[capaths]
R1 = {
R4 = R3
R3 = R2
}

However, the correct meaning (according to the rest of the world) is

  In order for a client in R to go to A, he should go to B and then C, and then he can go to A. This means R and B have a shared key, B and C have a shared key, and C and A have a shared key.

Now the same path should be

[capaths]
R1 = {
R4 = R2 R3
}

We would fix it so that the meaning becomes

  In order for a client in R to go to A, he should go to B and then C, and then he can go to A. This means B and C have a shared key, and C and A have a shared key.

Please note the new Java meaning does not require R and B having a shared key. This makes sure both the original Java style and the correct style could be correctly parsed.

The only behavior change is that multiple-valued sub-tags will be parsed differently. But since it's practically useless, there will be no compatibility problems.

A workaround is to always provide single-valued sub-tags, so A = B C will be written as A = C and C = B. Unfortunately, this is not supported by MIT krb5.
26-04-2013
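
Added example (not part of the bug report and not the JDK's code): a small Python resolver for the ordered, multi-valued [capaths] meaning described in the comment above, run against the section quoted in the report. The function names, the choice of G1.D100.D1.W2K8.CORP.ME as the target realm, and returning only the client realm plus intermediates are assumptions.

```python
# Constructed sample: the [capaths] section quoted in the report above.
REPORT_CONF = """
[capaths]
QA.DOM = {
D100.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
QA100.QA.DOM = .
G1.D100.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
G1.D100.D1.W2K8.CORP.ME = D100.D1.W2K8.CORP.ME
D1.W2K8.CORP.ME = .
D201.D200.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
D201.D200.D1.W2K8.CORP.ME = D200.D1.W2K8.CORP.ME
D200.D1.W2K8.CORP.ME = D1.W2K8.CORP.ME
}
"""

def parse_capaths(text):
    """Return {client: {server: [values]}}; a repeated sub-tag accumulates values."""
    capaths, section, client = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, client = line[1:-1], None
        elif section != "capaths":
            continue
        elif line == "}":
            client = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                client = key
            elif client is not None:
                capaths.setdefault(client, {}).setdefault(key, []).extend(value.split())
    return capaths

def realms_list(capaths, client, target):
    """Client realm, then intermediates in transit order (hypothetical helper)."""
    subtags = capaths.get(client, {})
    if target not in subtags:
        return None  # no explicit path configured for this pair
    path, head = [], target
    while True:
        # Values of `head` are an ordered hop list; "." and repeats add no hop.
        fresh = [v for v in dict.fromkeys(subtags.get(head, []))
                 if v not in (".", client, target, head) and v not in path]
        if not fresh:
            return [client] + path
        path[:0] = fresh   # B and C land before whatever follows `head`
        head = path[0]     # chase the chain "A = C" / "C = B" from the new front
```

Calling `realms_list(parse_capaths(REPORT_CONF), "QA.DOM", "G1.D100.D1.W2K8.CORP.ME")` yields the three realms listed under EXPECTED in the report, and both the single-valued chain and the `R4 = R2 R3` form from the comment resolve to the same list.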