

8308540: On Kerberos TGT referral, if krb5.conf is missing realm, bad exception message

Reviewed-by: xuelei
wangweij committed Jun 26, 2023
1 parent 5ff42d1 commit e624484
Showing 3 changed files with 47 additions and 29 deletions.
Expand Up @@ -1268,7 +1268,7 @@ public String run() {
if (defaultKDC != null) {
return defaultKDC;
}
KrbException ke = new KrbException("Cannot locate KDC");
KrbException ke = new KrbException("Cannot locate KDC for " + realm);
if (cause != null) {
ke.initCause(cause);
}
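Review bot: The new message concatenates `realm` with no null guard, so a null realm would surface as "Cannot locate KDC for null" rather than as a clear failure; whether realm can be null on this path is not visible here, since the enclosing run() starts and ends outside the hunk. If it can, a `Objects.requireNonNull(realm, "realm")` ahead of the message construction would make the cause explicit. The exact text is now matched by test/jdk/sun/security/krb5/auto/ReferralsTest.java, so I would also mark it as part of the tested contract: `// Message text is asserted by ReferralsTest.testOnlyOne; keep the "for <realm>" suffix.`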
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2001, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2001, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -326,18 +326,30 @@ private static Credentials serviceCreds(
PrincipalName user, Credentials additionalCreds,
PAData[] extraPAs, S4U2Type s4u2Type)
throws KrbException, IOException {
KrbException ke = null;
if (!Config.DISABLE_REFERRALS) {
try {
return serviceCredsReferrals(options, asCreds, cname, sname,
s4u2Type, user, additionalCreds, extraPAs);
} catch (KrbException e) {
ke = e;
// Server may raise an error if CANONICALIZE is true.
// Try CANONICALIZE false.
}
}
return serviceCredsSingle(options, asCreds, cname,
asCreds.getClientAlias(), sname, sname, s4u2Type,
user, additionalCreds, extraPAs);
try {
return serviceCredsSingle(options, asCreds, cname,
asCreds.getClientAlias(), sname, sname, s4u2Type,
user, additionalCreds, extraPAs);
} catch (KrbException ke2) {
if (ke != null) {
// Still throw original exception
ke.addSuppressed(ke2);
throw ke;
} else {
throw ke2;
}
}
}

/*
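Review bot: The inner catch in serviceCreds rethrows the referral exception `ke` whenever the serviceCredsSingle retry also fails, regardless of why the retry failed, and nothing in the hunk records that precedence rule for the next maintainer. Before the inner `try` I would add `// Report the referral failure rather than the retry's: it is the one naming the realm whose KDC could not be reached (retry failure kept as suppressed).` The retry is still attempted after any KrbException from the referral path, not only canonicalize-related ones, so a missing KDC is reported only after a second round of KDC traffic; if that is not intended, the first catch could rethrow for causes the non-canonicalize path cannot fix. The method's signature lies outside the hunk.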
54 changes: 30 additions & 24 deletions test/jdk/sun/security/krb5/auto/ReferralsTest.java
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2019, 2021, Red Hat, Inc.
* Copyright (c) 2019, 2023, Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand All @@ -23,13 +23,12 @@

/*
* @test
* @bug 8215032
* @bug 8215032 8308540
* @library /test/lib
* @run main/othervm/timeout=120 -Dsun.security.krb5.debug=true ReferralsTest
* @summary Test Kerberos cross-realm referrals (RFC 6806)
*/

import java.io.File;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
Expand All @@ -51,6 +50,8 @@ public class ReferralsTest {
private static final String krbConfigName = "krb5-localkdc.conf";
private static final String krbConfigNameNoCanonicalize =
"krb5-localkdc-nocanonicalize.conf";
private static final String krbConfigNameOnlyOne =
"krb5-localkdc-onlyone.conf";
private static final String realmKDC1 = "RABBIT.HOLE";
private static final String realmKDC2 = "DEV.RABBIT.HOLE";
private static final char[] password = "123qwe@Z".toCharArray();
Expand Down Expand Up @@ -98,16 +99,13 @@ public class ReferralsTest {
PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC2;

public static void main(String[] args) throws Exception {
try {
initializeKDCs();
testSubjectCredentials();
testDelegation();
testImpersonation();
testDelegationWithReferrals();
testNoCanonicalize();
} finally {
cleanup();
}
initializeKDCs();
testSubjectCredentials();
testDelegation();
testImpersonation();
testDelegationWithReferrals();
testNoCanonicalize();
testOnlyOne();
}

private static void initializeKDCs() throws Exception {
Expand Down Expand Up @@ -147,20 +145,11 @@ private static void initializeKDCs() throws Exception {
"forwardable=true", "canonicalize=true");
KDC.saveConfig(krbConfigNameNoCanonicalize, kdc1, kdc2,
"forwardable=true");
KDC.saveConfig(krbConfigNameOnlyOne, kdc1,
"forwardable=true", "canonicalize=true");
System.setProperty("java.security.krb5.conf", krbConfigName);
}

private static void cleanup() {
String[] configFiles = new String[]{krbConfigName,
krbConfigNameNoCanonicalize};
for (String configFile : configFiles) {
File f = new File(configFile);
if (f.exists()) {
f.delete();
}
}
}

/*
* The client subject (whose principal is
* test@RABBIT.HOLE@RABBIT.HOLE) will obtain a TGT after
Expand Down Expand Up @@ -375,4 +364,21 @@ private static void testNoCanonicalize() throws Exception {
// expected
}
}

// For JDK-8308540. When a KDC is not found, provide better error info.
private static void testOnlyOne() throws Exception {
System.setProperty("java.security.krb5.conf", krbConfigNameOnlyOne);
Config.refresh();
Context c = Context.fromUserPass(userKDC1Name, password, false);
c.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
try {
Context.handshake(c, null);
throw new RuntimeException("Should not succeed");
} catch (Exception le) {
if (le.getMessage().contains("Cannot locate KDC for DEV.RABBIT.HOLE")) {
return;
}
throw le;
}
}
}
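Review bot: In testOnlyOne, `le.getMessage()` is dereferenced inside `catch (Exception le)` without a null check, so any exception carrying no message would fail with a NullPointerException that hides the real failure. `if (String.valueOf(le.getMessage()).contains("Cannot locate KDC for DEV.RABBIT.HOLE")) {` keeps the original exception as the one reported. The `throw new RuntimeException("Should not succeed")` inside the try is routed through the same catch and only escapes because its message does not match; catching the narrower type the handshake throws, or moving the throw after the try, would make that intent explicit.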

1 comment on commit e624484

@openjdk-notifier

