Thanks for following up, Weijun. It helps to have this information for record purposes. Approved.

regards,
Sean.

On 05/12/2013 09:50, Weijun Wang wrote:
Hi All

This is a request to backport a jdk8 fix into jdk7u60.

8028351: JWS doesn't get authenticated when using kerberos auth proxy

   https://bugs.openjdk.java.net/browse/JDK-8028351

The bug is about a useless but harmful Kerberos login when no password was given to a username, which could lead to account blocking. Several customers have reported either on the web or directly to us.

The fix is already included in jdk8 as:

   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/e1bc55ddf1ad

The review thread was

   http://mail.openjdk.java.net/pipermail/security-dev/2013-November/009730.html

The fix for 7uX is at

   http://cr.openjdk.java.net/~weijun/8028351/7u/webrev.00/

which is almost identical to the fix for jdk8 except for a tiny difference in the test.

The fix is low-risk, and isolated. New regression test added. Existing tests also run fine.

Thanks
Weijun
