See https://github.com/openjdk/jdk/pull/5176.

The krb5 debug warning is also quite verbose and I think it’s not worth 
printing out the whole stack trace. Also, no existing debug message starts with 
“WARNING”. They are just plain flat text.

Thanks,
Weijun


> On Aug 18, 2021, at 5:34 PM, Horváth Péter Gergely 
> <horvath.peter.gerg...@gmail.com> wrote:
> 
> OK, I think we can agree on that. Please add the changes of KeyTab.java: it 
> should be helpful in future releases. 
> 
> Thanks, 
> Peter
> 
> On Wed, Aug 18, 2021, 23:06 Wei-Jun Wang, <weijun.w...@oracle.com> wrote:
> I think the new message in KeyTab.java is enough. The added lines in 
> Krb5LoginModule are a little too long with the try-catch structure.
> 
> —Weijun
> 
> > On Aug 18, 2021, at 1:50 PM, Horváth Péter Gergely 
> > <horvath.peter.gerg...@gmail.com> wrote:
> > 
> > Hi Weijun,
> > 
> > Many thanks for your response. I think that indeed it would make sense to 
> > log in KeyTab, since the FileNotFoundException there should even have the 
> > platform-specific reason message coming from the native layer.
> >  
> > At the same time, I think it would make sense to emit a log message around 
> > the original "Key for the principal ... not available in ..." message as 
> > well. It is probably good to have more context when debugging. 
> > 
> > I have created a new patch combining the two approaches. Code in 
> > Krb5LoginModule now relies on the KeyTab exists() call: it is probably 
> > better like that. 
> > Please take a look and let me know what you think.
> > 
> > Thanks,
> > Peter
> > 
> > 
> > 
> > 
> > Wei-Jun Wang <weijun.w...@oracle.com> wrote (on Tue, Aug 17, 2021, 
> > 23:33):
> > What do you think if we add some debug info at the internal KeyTab creation 
> > at [1]?
> > 
> > For the 2 exceptions we can print out a line and the exception.toString(), 
> > then you will know if the filename doesn’t exist, or is a directory, or no 
> > permission to read.
> > 
> > Of course, you will need to turn on -Dsun.security.krb5.debug=true to see 
> > this level of debug info.
> > 
> > Thanks,
> > Weijun
> > 
> > [1] 
> > https://github.com/openjdk/jdk/blob/f4af0eadb6eaf9d9614431110ab7fc9c1588966d/src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java#L93
> > 
> > 
> > > On Aug 17, 2021, at 4:19 PM, Horváth Péter Gergely 
> > > <horvath.peter.gerg...@gmail.com> wrote:
> > > 
> > > Dear All,
> > > 
> > > I am wondering if someone would be kind enough to sponsor the following 
> > > small change:
> > > 
> > > When debugging is enabled for 
> > > com.sun.security.auth.module.Krb5LoginModule and the file specified by 
> > > "keyTab" is not found, Krb5LoginModule simply emits a generic message, 
> > > similar to this:
> > > "Key for the principal foo...@acme.com not available in 
> > > /home/foobar/foobar.keytab"
> > > 
> > > This message can be quite confusing and counterintuitive if the file is 
> > > actually not there, because, based on the message, one would think that 
> > > the JVM probed the file, found it, loaded the data, but still could not 
> > > use the keytab data for authentication.
> > > 
> > > I would propose adding further debug logging to Krb5LoginModule so as to 
> > > emit a warning in case the key was not found, due to the file not being 
> > > present, readable or being a directory.
> > > 
> > > Please find attached the patch file: it is trivial, and only affects a 
> > > debug branch of the code.
> > > 
> > > Please let me know what you think.
> > > 
> > > Thanks,
> > > Peter
> > > <keyTab_file_checks.patch>
> > 
> > <keyTab_file_checks2.patch>
> 
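
The three causes the thread wants told apart (keytab file missing, a directory, or not readable), as an added example that is not part of the thread or of the JDK patch. The class `KeytabPreflight` and its members are hypothetical names; it uses only `java.nio.file` and can be run against a keytab path before turning on `-Dsun.security.krb5.debug=true`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example: KeytabPreflight and its members are hypothetical names, not JDK code.
public class KeytabPreflight {

    enum State { MISSING, IS_DIRECTORY, NOT_READABLE, READABLE_FILE }

    // Separate the causes that the generic "Key for the principal ... not
    // available in ..." debug message folds into one.
    static State classify(Path keytab) {
        if (!Files.exists(keytab)) return State.MISSING;
        if (Files.isDirectory(keytab)) return State.IS_DIRECTORY;
        if (!Files.isReadable(keytab)) return State.NOT_READABLE;
        return State.READABLE_FILE;
    }

    static String describe(Path keytab) {
        switch (classify(keytab)) {
            case MISSING:
                return keytab + ": does not exist (or a parent directory is not searchable)";
            case IS_DIRECTORY:
                return keytab + ": is a directory, not a keytab file";
            case NOT_READABLE:
                return keytab + ": exists but this process has no permission to read it";
            default:
                return keytab + ": readable file; a missing key now points at its contents";
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length > 0) {
            // Check the keytab paths given on the command line.
            for (String a : args) System.out.println(describe(Paths.get(a)));
            return;
        }
        // Constructed sample inputs, created in a temporary directory.
        Path dir = Files.createTempDirectory("keytab-demo");
        Path file = Files.createFile(dir.resolve("present.keytab"));
        System.out.println(describe(dir.resolve("absent.keytab")));
        System.out.println(describe(dir));
        System.out.println(describe(file));
        Files.delete(file);
        Files.delete(dir);
    }
}
```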
