Comparing name-type in KerberosPrincipal

Weijun Wang weijun.wang at oracle.com
Thu Jun 6 01:54:30 PDT 2013


Hi All

Recently we fixed a bug in OpenJDK:

    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7061379
    http://hg.openjdk.java.net/jdk8/tl/jdk/rev/e68db408d08c

Here name-type equality is not checked anymore in the 
PrincipalName::equals() method. Since RFC 4120 6.2 says

    ... The name-type SHOULD be
    treated only as a hint to interpreting the meaning of a name. It is
    not significant when checking for equivalence.

It turns out the same problem also exists in the 
javax.security.auth.kerberos.KerberosPrincipal::equals() method, where 
the spec has

    More formally two KerberosPrincipal instances are equal if the
    values returned by getName() are equal and the values returned by
    getNameType() are equal.

 
http://docs.oracle.com/javase/7/docs/api/javax/security/auth/kerberos/KerberosPrincipal.html#equals%28java.lang.Object%29

I'm thinking about fixing it also. However, the classes inside the 
javax.security.auth.kerberos package are mostly used internal by the 
JAAS Krb5LoginModule and I'm not sure how people are using it outside 
JDK. Do you create objects of these classes in your applications or 
libraries? Is there any compatibility issue if it also ignores the 
name-type check?

Thanks
Max


More information about the security-dev mailing list