
I'm upgrading a project to Java 11. I realized that some of the internal packages such as sun.security.krb5.Config & sun.security.krb5.KrbException are no longer "visible" due to modules. A few examples of how the codebase is consuming these packages are below:

// Fragment 1: searching an exception chain for the JDK-internal KrbException
Exception cause = ExceptionUtils.findCause(ne, KrbException.class);

// Fragment 2: unwrapping a JAAS LoginException down to the internal KrbException
LoginException le = (LoginException) ne.getCause();
if (le.getCause() instanceof KrbException) {
    KrbException ke = (KrbException) le.getCause();
    // ...
}

// Fragment 3: forcing a re-read of krb5.conf through an internal API
try {
    sun.security.krb5.Config.refresh();
} catch (KrbException e) {
    // log something
}

I read that these internal packages are supposed to be implemented using GSS APIs.

I have been going through the GSS classes and tutorials but couldn't find anything on replacing the internal packages mentioned above.

Vivek Shankar

1 Answer


Take the LoginException as-is. JAAS is supposed to abstract from everything. You just have bad code.

Michael-O
  • Could you please explain what you mean by taking the LoginException as-is? Do you mean I should just replace KrbException with LoginException? Also, what about `sun.security.krb5.Config.refresh();` this is an internal API reference as well. – Vivek Shankar Apr 29 '19 at 06:53
  • First of all, there is now a refresh config property on the `Krb5LoginModule`: `refreshKrb5Config`. You are going through several levels of abstraction. You don't interact with Kerberos directly, therefore you must *not* use internal exceptions or even worse internal APIs. This makes code non-portable or brittle. [Here](http://tomcatspnegoad.sourceforge.net/xref/net/sf/michaelo/tomcat/authenticator/SpnegoAuthenticator.html#L117) is a sample of how one should use it. When you are using MIT Kerberos you never get Kerberos internal errors too, just GSS-API status codes and some mech-specific ones. – Michael-O Apr 29 '19 at 09:15
  • Thanks for sharing that implementation. I think I understand it a bit better now. However, from official docs I see `refreshKrb5Config: Set this to true, if you want the configuration to be refreshed before the login method is called.` Is there a way to manually trigger config refresh apart from the login flow? – Vivek Shankar Apr 29 '19 at 11:16
  • I understand now, I can just trigger a dummy login to reload the config file. – Vivek Shankar Apr 29 '19 at 11:29
  • There is none and why do you need it if the module refreshes before login anyway? – Michael-O Apr 29 '19 at 11:55
  • Yeah, that makes sense. I got it now. Just one last thing: is there a way to extract the underlying Kerberos error code and the exception message from LoginException? – Vivek Shankar Apr 30 '19 at 05:00
  • Unless `getCause()` contains it, no. You can also check the source code of the `Krb5LoginModule` on GitHub. Note that using GSS-API does not give you access to low level Kerberos errors too. – Michael-O Apr 30 '19 at 09:55
  • I think GSSException.getMinor() does just that. From its javadoc: `Returns the mechanism level error code for the problem causing this exception to be thrown. The minor code is set by the underlying mechanism.` – Vivek Shankar Jul 11 '19 at 07:33
  • Yes, in a limited fashion. – Michael-O Jul 11 '19 at 09:27
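As an added example (not code from the question, the answer, or the linked SpnegoAuthenticator), here is the shape the thread converges on, written for Java 11 against public APIs only: a programmatic JAAS `Configuration` for `Krb5LoginModule` with `refreshKrb5Config=true` in place of `sun.security.krb5.Config.refresh()`, a `LoginException` reported through `java.lang.Throwable` alone (no import of `sun.security.krb5.KrbException`), and mechanism-level errors read from `GSSException.getMajor()`/`getMinor()` once GSS-API is in play. The entry name, principal, keytab path and target service are placeholders. Getting a ticket needs a reachable KDC and a krb5.conf; without them the run still compiles and ends in `describe()`, which is the point: the failure surfaces as a `LoginException` whose cause chain you can log without naming any internal type.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class KerberosWithoutInternals {

    // Placeholders (assumed, not from the thread): adjust to your realm, keytab and target service.
    static final String ENTRY_NAME = "ExampleClient";
    static final String PRINCIPAL = "svc-example@EXAMPLE.ORG";
    static final String KEYTAB = "/etc/security/keytabs/svc-example.keytab";
    static final String TARGET_SERVICE = "HTTP@web.example.org";
    static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";   // Kerberos V5 GSS-API mechanism

    /** Programmatic JAAS configuration, equivalent to one entry in a jaas.conf file.
     *  refreshKrb5Config=true makes Krb5LoginModule re-read krb5.conf before each login,
     *  which is the supported replacement for calling sun.security.krb5.Config.refresh(). */
    static Configuration jaasConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!ENTRY_NAME.equals(name)) {
                    return null;
                }
                Map<String, String> opts = new HashMap<>();
                opts.put("principal", PRINCIPAL);
                opts.put("useKeyTab", "true");
                opts.put("keyTab", KEYTAB);
                opts.put("storeKey", "true");
                opts.put("doNotPrompt", "true");
                opts.put("refreshKrb5Config", "true");
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Logs in via JAAS and returns the populated Subject. Any Kerberos problem arrives
     *  here as a LoginException; nothing from sun.security.krb5.* is referenced. */
    static Subject login() throws LoginException {
        LoginContext lc = new LoginContext(ENTRY_NAME, null, null, jaasConfig());
        lc.login();
        return lc.getSubject();
    }

    /** Renders a LoginException and its cause chain using only Throwable. Krb5LoginModule
     *  sets the internal KrbException as the cause; its class name and message are still
     *  readable this way without compiling against the encapsulated package. */
    static String describe(LoginException le) {
        StringBuilder sb = new StringBuilder("login failed: ").append(le.getMessage());
        for (Throwable t = le.getCause(); t != null; t = t.getCause()) {
            sb.append(" <- ").append(t.getClass().getName()).append(": ").append(t.getMessage());
        }
        return sb.toString();
    }

    /** Initiates a GSS-API context as the logged-in Subject and returns the first token.
     *  Mechanism-level failures surface as GSSException major/minor codes, not KrbException. */
    static byte[] firstToken(Subject subject) throws Exception {
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName peer = gm.createName(TARGET_SERVICE, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext ctx = gm.createContext(peer, new Oid(KRB5_MECH_OID), null,
                    GSSContext.DEFAULT_LIFETIME);
            try {
                ctx.requestMutualAuth(true);
                return ctx.initSecContext(new byte[0], 0, 0);
            } finally {
                ctx.dispose();
            }
        });
    }

    public static void main(String[] args) {
        try {
            Subject subject = login();
            byte[] token = firstToken(subject);
            System.out.println("initial GSS token: " + token.length + " bytes");
        } catch (LoginException le) {
            System.err.println(describe(le));
        } catch (Exception e) {
            // Subject.doAs wraps checked exceptions in PrivilegedActionException; unwrap once.
            Throwable t = e.getCause() != null ? e.getCause() : e;
            if (t instanceof GSSException) {
                GSSException ge = (GSSException) t;
                System.err.printf("GSS-API failure: major=%d (%s) minor=%d (%s)%n",
                        ge.getMajor(), ge.getMajorString(), ge.getMinor(), ge.getMinorString());
            } else {
                System.err.println("unexpected: " + t);
            }
        }
    }
}
```

The `describe()` loop is the practical answer to "extract the underlying Kerberos error from LoginException": log the chain as text. If you need the error as a value rather than a log line, the only portable handle is `GSSException.getMinor()` after switching the call site to GSS-API, and, as the thread notes, that is mechanism-defined and limited.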