Hi, I'd like to propose the following fix for JDK-8227437 [1] (*):
 * http://cr.openjdk.java.net/~mbalao/webrevs/8227437/8227437.webrev.00/

The JDK-8227437 bug appeared after the OpenJDK Kerberos client supported RFC-6806 [2].

When requesting a TGT (ticket-granting-ticket), there may be client name canonicalization and/or realm referrals. When requesting a TGS (ticket-granting-service), there may be realm referrals. As a result, the client or service names we use to request a ticket may be different from those we get in the returned ticket. I.e.: we may use the subject principal "subj...@realm-1.com" as a client name to request a TGT and get a ticket whose client name is "subject-canoni...@realm-2.com".

Even though the ticket credentials belong to the subject, we are unable to locate them based on the client or service names when there is a change. In the previous example, we will use the "subj...@realm-1.com" subject principal as a client name to find the ticket, but the actual ticket has a "subject-canoni...@realm-2.com" client name.

To fix this problem, we now save the original client and service names as "alias" fields in Credentials and KerberosTicket objects (if there is a change). This allows us to find subject credentials properly.

Note: client and service alias information is not populated (saved or retrieved) across credentials caches: file-based caches [3][4], Windows native cache or macOS native cache. As a result, the client name must match the subject principal for the credential to be found (see Credentials::acquireTGTFromCache). If the credential is not found, a request to the KDC may be issued.

Testing:
 * ReferralsTest extended to cover this bug
 * Regression testing on jdk/sun/security/krb5 passed
 * Tested in my local Windows 2016 referrals environment

I look forward to your comments.

Thanks,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8227437
[2] - https://bugs.openjdk.java.net/browse/JDK-8215032
[3] - https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
[4] - https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html

(*) - We have worked together with Max (@weijun) during the last week to come up with this version.
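The lookup problem and the alias-based fix described in the message above, as an added stand-alone model (not the JDK's Credentials/KerberosTicket code and not part of the webrev): the Ticket class, issueTicket, findWithoutAlias, findWithAlias and roundTripThroughCache are hypothetical names, and the principals and realms are constructed. The first lookup shows the pre-fix failure when the KDC canonicalizes the client and refers the TGT to another realm; the second shows the alias match; the third shows the caveat from the note, where a ticket read back from a cache that carries no alias fields can no longer be matched by the original subject principal.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;

// Hypothetical model of alias-based credential lookup; none of these types
// are the JDK's KerberosTicket or sun.security.krb5.Credentials.
public class AliasLookupDemo {

    static final class Ticket {
        final String client;       // client principal as it appears in the returned ticket
        final String server;       // service principal as it appears in the returned ticket
        final String clientAlias;  // client name used in the request, or null if unchanged
        final String serverAlias;  // service name used in the request, or null if unchanged

        Ticket(String client, String server, String clientAlias, String serverAlias) {
            this.client = client;
            this.server = server;
            this.clientAlias = clientAlias;
            this.serverAlias = serverAlias;
        }

        @Override public String toString() {
            return client + " -> " + server
                + (clientAlias != null ? " (client alias " + clientAlias + ")" : "")
                + (serverAlias != null ? " (server alias " + serverAlias + ")" : "");
        }
    }

    // Simulates a KDC reply: the names inside the ticket may differ from the ones
    // requested (client canonicalization and/or realm referral). An alias is kept
    // only when the name actually changed.
    static Ticket issueTicket(String requestedClient, String requestedServer,
                              String ticketClient, String ticketServer) {
        String clientAlias = requestedClient.equals(ticketClient) ? null : requestedClient;
        String serverAlias = requestedServer.equals(ticketServer) ? null : requestedServer;
        return new Ticket(ticketClient, ticketServer, clientAlias, serverAlias);
    }

    // Lookup before the fix: only the names inside the ticket are compared.
    static Optional<Ticket> findWithoutAlias(List<Ticket> creds, String client, String server) {
        return creds.stream()
            .filter(t -> t.client.equals(client) && t.server.equals(server))
            .findFirst();
    }

    // Lookup with the fix: the requested name may match the ticket name or its alias.
    static Optional<Ticket> findWithAlias(List<Ticket> creds, String client, String server) {
        return creds.stream()
            .filter(t -> matches(client, t.client, t.clientAlias)
                      && matches(server, t.server, t.serverAlias))
            .findFirst();
    }

    private static boolean matches(String wanted, String name, String alias) {
        return wanted.equals(name) || Objects.equals(wanted, alias);
    }

    // Models a credentials cache with no alias fields (file-based or native caches
    // in the message's note): a ticket stored and read back loses both aliases.
    static Ticket roundTripThroughCache(Ticket t) {
        return new Ticket(t.client, t.server, null, null);
    }

    public static void main(String[] args) {
        // Constructed names; not real principals or realms.
        String subject = "alice@EXAMPLE-1.COM";
        String tgtName = "krbtgt/EXAMPLE-1.COM@EXAMPLE-1.COM";

        // The KDC canonicalizes the client name and refers the TGT to another realm.
        Ticket tgt = issueTicket(subject, tgtName,
                                 "alice.canonical@EXAMPLE-2.COM",
                                 "krbtgt/EXAMPLE-2.COM@EXAMPLE-2.COM");
        List<Ticket> subjectCreds = new ArrayList<>();
        subjectCreds.add(tgt);

        System.out.println("stored: " + tgt);
        System.out.println("lookup without alias: "
            + findWithoutAlias(subjectCreds, subject, tgtName).isPresent());
        System.out.println("lookup with alias:    "
            + findWithAlias(subjectCreds, subject, tgtName).isPresent());

        // After a round trip through an alias-less cache the match is lost again, so
        // the client name must equal the subject principal or the KDC has to be asked.
        List<Ticket> cached = List.of(roundTripThroughCache(tgt));
        System.out.println("lookup from alias-less cache: "
            + findWithAlias(cached, subject, tgtName).isPresent());
    }
}
```

Compile and run with `javac AliasLookupDemo.java && java AliasLookupDemo`. The point of keeping the alias only on change, as the message does, is that an unchanged name needs no second comparison and the cache format question only arises for tickets whose names were rewritten by the KDC.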