[jira] [Created] (DIRKRB-744) Add possibility to use custom ReplayCache implementation

Thu, 25 Jun 2020 02:02:24 -0700 

Josef Cacek created DIRKRB-744:
----------------------------------

             Summary: Add possibility to use custom ReplayCache implementation
                 Key: DIRKRB-744
                 URL: https://issues.apache.org/jira/browse/DIRKRB-744
             Project: Directory Kerberos
          Issue Type: Improvement
            Reporter: Josef Cacek


Add the possibility to configure the ReplayCache implementation (or disable 
replay cache) in KDC.

When the KdcServer is used in embedded tests, and tests run in parallel, they 
intermittently fail with "Request is a replay (34) - Request is a replay".

I saw the problematic behavior in JBoss AS testsuite:

[https://issues.redhat.com/browse/JBPAPP-10974]

 

And also in Hazelcast Enterprise tests:

[https://github.com/hazelcast/hazelcast-enterprise/issues/3646]

 

JBoss resolves it by injecting dummy ReplayCache implementation by using 
reflection: [https://source.jboss.org/changelog/JBossAS6?cs=114679&_sscc=t]

 

We will probably disable parallel test execution in Hazelcast to workaround it.

It would be great to have a possibility to configure the implementing class in 
the {{@CreateKdcServer annotation.}}
h3. {{Stacktrace from a failing test}}

 

{{KrbException: Request is a replay (34) - Request is a replayKrbException: 
Request is a replay (34) - Request is a replay at 
java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73) at 
java.security.jgss/sun.security.krb5.KrbTgsReq.getReply(KrbTgsReq.java:250) at 
java.security.jgss/sun.security.krb5.KrbTgsReq.sendAndGetCreds(KrbTgsReq.java:261)
 at 
java.security.jgss/sun.security.krb5.internal.CredentialsUtil.serviceCreds(CredentialsUtil.java:308)
 at 
java.security.jgss/sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(CredentialsUtil.java:126)
 at 
java.security.jgss/sun.security.krb5.Credentials.acquireServiceCreds(Credentials.java:458)
 at 
java.security.jgss/sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:695)
 at 
java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:265)
 at 
java.security.jgss/sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:196)
 at 
com.hazelcast.security.impl.KerberosCredentialsFactory.createTokenCredentials(KerberosCredentialsFactory.java:163)
 at 
com.hazelcast.security.impl.KerberosCredentialsFactory.lambda$0(KerberosCredentialsFactory.java:127)
 at java.base/java.security.AccessController.doPrivileged(Native Method) at 
java.base/javax.security.auth.Subject.doAs(Subject.java:361) at 
com.hazelcast.security.impl.KerberosCredentialsFactory.newCredentials(KerberosCredentialsFactory.java:127)
 at 
com.hazelcast.security.impl.KerberosCredentialsFactory.newCredentials(KerberosCredentialsFactory.java:148)
 at 
com.hazelcast.security.loginimpl.GssApiLoginModuleTest.getKerberosCredentials(GssApiLoginModuleTest.java:169)
 at 
com.hazelcast.security.loginimpl.GssApiLoginModuleTest.testCutOffRealmFromName(GssApiLoginModuleTest.java:132)
 at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native 
Method) at 
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at 
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.base/java.lang.reflect.Method.invoke(Method.java:564) at 
org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
 at 
org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
 at 
org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
 at 
org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
 at 
com.hazelcast.test.FailOnTimeoutStatement$CallableStatement.call(FailOnTimeoutStatement.java:114)
 at 
com.hazelcast.test.FailOnTimeoutStatement$CallableStatement.call(FailOnTimeoutStatement.java:1)
 at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264) at 
java.base/java.lang.Thread.run(Thread.java:844)Caused by: KrbException: 
Identifier doesn't match expected value (906) at 
java.security.jgss/sun.security.krb5.internal.KDCRep.init(KDCRep.java:140) at 
java.security.jgss/sun.security.krb5.internal.TGSRep.init(TGSRep.java:65) at 
java.security.jgss/sun.security.krb5.internal.TGSRep.<init>(TGSRep.java:60) at 
java.security.jgss/sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:55) ... 28 
more}}{{ }}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to