[
https://issues.apache.org/jira/browse/DIRKRB-620?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15881383#comment-15881383
]
Maciej Miklas commented on DIRKRB-620:
--------------------------------------
I think that your loop might throw an timeout, because in the first iteration
you will read whole message and second iteration will wait for data that never
arrives. Normally you should get -1 on second loop, but I've observed that at
least in my case KDC does not indicate end of stream.
Since _in_ is instance of _DataInputStream_ you could try replacing loop with
such simple call: _in.readFully(tmp)_ - it has also loop inside but this one
keeps track of read data so it does not try read next byte after message is
over. I will test it tomorrow and let you know how it works.
> KerberosChannel does not read whole response
> --------------------------------------------
>
> Key: DIRKRB-620
> URL: https://issues.apache.org/jira/browse/DIRKRB-620
> Project: Directory Kerberos
> Issue Type: Bug
> Components: changepw
> Reporter: Maciej Miklas
>
> We have in production some customers who cannot change their password. In log
> we observe following exception:
> {noformat}
> 20.02.2017 10:59:11,987 DEBUG [http-bio-127.22.1.62-80-exec-383]
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> <<<==========================================
> 20.02.2017 10:59:11,987 ERROR [http-bio-127.22.1.62-80-exec-383]
> org.apache.directory.kerberos.client.KdcConnection - Authentication failed :
> timeout occured
> 20.02.2017 10:59:11,987 WARN [http-bio-127.22.1.62-80-exec-383]
> org.apache.directory.kerberos.client.KdcConnection - failed to change the
> password
> org.apache.directory.shared.kerberos.exceptions.KerberosException: TimeOut
> occured
> at
> org.apache.directory.kerberos.client.KdcConnection._getTgt(KdcConnection.java:294)
> at
> org.apache.directory.kerberos.client.KdcConnection.getTgt(KdcConnection.java:181)
> at
> org.apache.directory.kerberos.client.KdcConnection.changePassword(KdcConnection.java:535)
> {noformat}
> Real reason for this error is incorrect socket implementation:
> {code:title=org.apache.directory.kerberos.client.KerberosChannel|borderStyle=solid}
> byte[] tmp = new byte[ 1024 * 8 ];
> while ( in.available() > 0 )
> {
> int read = in.read( tmp );
> repData.put( tmp, 0, read );
> }
> {code}
> You should not relay on _available()_ - it returns only assumption. In our
> case for some users it returns 0 before whole message has been consumed.
> In order to fix it, you should first read header of the message in order to
> figure out its size. Now use _in.read(...)_ until you consume expected amount
> of bytes. Eventually you will run into timeout, which is fine and happens if
> server does not keep its promise from header and cuts the message.
> I've changed code into this:
> {code:title=org.apache.directory.kerberos.client.KerberosChannel|borderStyle=solid}
> byte[] tmp = new byte[1024 * 8];
> int read;
> try {
> while ((read = in.read(tmp)) > 0) {
> repData.put(tmp, 0, read);
> }
> }
> catch (SocketTimeoutException e) {
> // OK
> }
> {code}
> and customers now can change their password. Obviously this implementation is
> *incorrect*, because it runs into timeout with every call. Bu it proves that
> using _available()_ does not work.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
