JDK-8075305 : ConfigFile's Spi parseLoginEntry uses toUpperCase with no locale on controlFlags
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.security
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Duplicate
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2015-03-02
  • Updated: 2015-03-17
  • Resolved: 2015-03-17
Related Reports
Duplicate :  
Description
FULL PRODUCT VERSION :
1.8.0_31

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

EXTRA RELEVANT SYSTEM CONFIGURATION :
Turkish language

A DESCRIPTION OF THE PROBLEM :
When changing security file implementations from Java 7 to 8, ConfigFile's Spi class introduces an OS language specific bug when parsing controlFlags.

This is specifically on OpenJDK's line 454 of sun.security.provider.ConfigFile.java

The problem is the .toUpperCase, which is provided no Locale. This specifically poses a problem in Turkish systems, where the Turkish locale will uppercase 'i' to 'İ'.

The larger stack trace is:
java.lang.SecurityException: java.io.IOException: Configuration Error:
	Invalid control flag, REQUİRED
	at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
	at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:98)
...

This issue can be addressed by ensuring that we upper case with the English locale, since the values we are comparing against are in English.

REGRESSION.  Last worked in version 7u65

ADDITIONAL REGRESSION INFORMATION: 
1.7.0_60

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1) Create a Turkish based Windows OS
2) Create a security config file with a property that is "required"
3) Attempt to use sun auth with that config file

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
The property should be properly read
ACTUAL -
The property is not properly read, and the following is thrown:
java.lang.SecurityException: java.io.IOException: Configuration Error:
	Invalid control flag, REQUİRED
	at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
	at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:98)

ERROR MESSAGES/STACK TRACES THAT OCCUR :
java.lang.SecurityException: java.io.IOException: Configuration Error:
	Invalid control flag, REQUİRED
	at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
	at com.sun.security.auth.login.ConfigFile.<init>(ConfigFile.java:98)

REPRODUCIBILITY :
This bug can be reproduced always.

---------- BEGIN SOURCE ----------
You'll need to create something that uses sun auth with a config file. No easy solutions for this on hand, but you can look at Jaas for doing this.
---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
None currently for our environment.


Comments
This is fixed in JDK 9. We need to backport JDK-7065233 to 8u.
17-03-2015
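
The failure mode described in this report, as an added example (not the JDK's ConfigFile source and not code from the reporter). The Flag enum, the parse methods and the class name are hypothetical stand-ins for the control-flag comparison; the default locale is switched to Turkish in-process to simulate the reporter's OS setting.

```java
import java.util.Locale;

public class ControlFlagLocaleDemo {
    // The four JAAS control flags a login configuration entry may carry.
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    // Locale-sensitive form: upper-casing follows the JVM default locale,
    // which is the behaviour the report describes.
    static Flag parseDefaultLocale(String token) {
        return match(token.toUpperCase());
    }

    // Locale-independent form: upper-case with a fixed English locale,
    // because the constants being compared against are English.
    static Flag parseFixedLocale(String token) {
        return match(token.toUpperCase(Locale.ENGLISH));
    }

    // Hypothetical helper: exact comparison against the known flag names.
    static Flag match(String upper) {
        for (Flag f : Flag.values()) {
            if (f.name().equals(upper)) {
                return f;
            }
        }
        throw new IllegalArgumentException("Invalid control flag, " + upper);
    }

    public static void main(String[] args) {
        Locale saved = Locale.getDefault();
        try {
            // Simulate a Turkish system without changing OS settings.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            String[] tokens = {"required", "requisite", "sufficient", "optional"};
            for (String token : tokens) {
                String sensitive;
                try {
                    sensitive = parseDefaultLocale(token).name();
                } catch (IllegalArgumentException e) {
                    sensitive = "rejected (" + e.getMessage() + ")";
                }
                System.out.printf("%-10s default locale: %s | Locale.ENGLISH: %s%n",
                        token, sensitive, parseFixedLocale(token));
            }
        } finally {
            Locale.setDefault(saved); // restore the original default locale
        }
    }
}
```

All four flag names contain the letter 'i', so under a Turkish default locale every one of them is rejected by the locale-sensitive path, not only "required".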