Bug 1165675 - [QE] (6.4.z) test() operation for Kerberos in security-realm works incorrectly for JDK 1.8
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Testsuite
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: CR1
Target Release: EAP 6.4.2
Assignee: Chao Wang
QA Contact: Ondrej Lukas
URL:
Whiteboard:
Depends On:
Blocks: 1219165
 
Reported: 2014-11-19 13:28 UTC by Ondrej Lukas
Modified: 2017-01-17 10:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1164162 0 unspecified CLOSED KerberosHttpInterfaceTestCase fails with JDK1.8 2021-02-22 00:41:40 UTC
Red Hat Bugzilla java8 0 None None None Never
Red Hat Issue Tracker EAP6-253 0 Major Closed Kerberos auth for management over HTTP/HTTPS 2016-07-01 09:17:03 UTC

Internal Links: 1104190 1164162

Description Ondrej Lukas 2014-11-19 13:28:09 UTC
The result of the :test() operation for Kerberos in a security-realm for HTTP management does not contain the Kerberos Principal even if it is correctly configured. The result of the :test() operation for a correctly configured keytab is the same as the result for a wrong keytab. However, authentication with this correct keytab works fine; only the result of the test() operation does not contain the Kerberos Principal. This happens only for JDK 1.8.

How to reproduce:
1) Set up correctly working Kerberos authentication in a security-realm for HTTP management with a correct keytab.
2) Start the server with JDK 1.7 and then run the :test() operation
    => result contains the Kerberos Principal
3) Start the server with JDK 1.8 and then run the :test() operation
    => result contains only a reference to the keytab location

Comment 1 Darran Lofthouse 2014-11-19 14:41:19 UTC
I will have a look but TBH cosmetic differences in the output of this method on different JDKs are to be expected. This method's sole purpose is to verify the JAAS based login works without error and to display the contents of the resulting Subject - the different JVMs have different ways of handling this so the resulting output will be different.

Alternatively we could remove this method but that would mean administrators have no option to perform this call.

Comment 2 Ondrej Lukas 2014-11-19 15:54:34 UTC
The main point of this issue is that the :test() operation gives exactly the same results for a correctly and a wrongly configured keytab on JDK 1.8. It is not only a cosmetic difference, since the administrator has no way to evaluate the :test() operation result.

Comment 3 Darran Lofthouse 2014-11-19 17:02:42 UTC
Ok no need to be having this conversation in private - we are not revealing any sensitive information here.

I will try on JDK 8, but if we cannot determine the difference between a success and a failure the operation may just have to be removed. It is not really a part of the feature, just a utility method to help them initiate a login attempt without requiring the client to trigger authentication.

Comment 4 Ondrej Lukas 2014-11-19 17:35:50 UTC
You are right. This operation is not required for this feature.

On the other hand, adding this operation was a good idea because it gives administrators a simple way to determine whether the keytab configuration is correctly set. I will be happy if you succeed in solving this issue. However, if it does not work for JDK 8, it is probably better to remove it.
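
A keytab can also be checked independently of the :test() output discussed in the comments above. The following is an added example, not part of the bug thread and not EAP code: the class name `KeytabCheck`, its command-line arguments and the Krb5LoginModule options are assumptions, since the page does not show the options EAP uses. It reads the keys for the principal straight from the keytab, then runs an acceptor-style JAAS login and reports what the resulting Subject holds.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
// Added example (hypothetical class name). Args: <keytab file> <principal including realm>
public class KeytabCheck {
    public static void main(String[] args) {
        if (args.length != 2) { System.err.println("usage: KeytabCheck <keytab> <principal@REALM>"); System.exit(2); }
        KerberosPrincipal principal = new KerberosPrincipal(args[1]);
        // 1) Read the keytab directly: an empty result means it holds no usable key for this principal.
        KeyTab keyTab = KeyTab.getInstance(new File(args[0]));
        KerberosKey[] keys = keyTab.getKeys(principal);
        System.out.println("keytab exists=" + keyTab.exists() + " keys for principal=" + keys.length);
        for (KerberosKey k : keys) System.out.println("  kvno=" + k.getVersionNumber() + " etype=" + k.getKeyType());
        // 2) Acceptor-style JAAS login (assumed options, not EAP's own configuration).
        final Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", args[0]);
        opts.put("principal", args[1]);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        opts.put("isInitiator", "false");
        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts) };
            }
        };
        try {
            Subject subject = new Subject();
            new LoginContext("keytab-check", subject, null, conf).login();
            // Report credential types only; never print key material.
            System.out.println("login ok, principals=" + subject.getPrincipals()
                + " KeyTab creds=" + subject.getPrivateCredentials(KeyTab.class).size()
                + " KerberosKey creds=" + subject.getPrivateCredentials(KerberosKey.class).size());
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
        }
        System.exit(keys.length > 0 ? 0 : 1);
    }
}
```

The exit status depends only on the direct key lookup in step 1, so it can be scripted regardless of how a given JDK populates the Subject in step 2.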

Comment 7 Darran Lofthouse 2014-11-21 10:05:41 UTC
If this is not a blocker I am going to NACK from an engineering perspective as there is insufficient time to review this further.  The ACK previously granted was on the basis this was being proposed as a blocker.

Comment 9 Ondrej Lukas 2015-03-05 12:52:04 UTC
There is no documentation and nothing to be verified, hence this BZ is returned back to NEW state. Also documentation for this functionality does not exist.

In case this issue is not fixed, it needs to be documented in the release notes, hence requesting the requires_doc_text flag.

@Carlo, feel free to close this BZ as WONTFIX in case you think it would not affect the customer.

Comment 14 JBoss JIRA Server 2015-04-28 15:05:48 UTC
John Doyle <jdoyle> updated the status of jira EAP6-253 to Closed

Comment 16 Rostislav Svoboda 2015-05-28 10:10:54 UTC
qa_acking test fix/ignore on jdk8

Comment 19 Marek Kopecky 2015-06-23 08:15:21 UTC
Verified on EAP 6.4.2.CP.CR1.
Test is ignored on jdk8.

Comment 20 Petr Penicka 2017-01-17 10:18:54 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 21 Petr Penicka 2017-01-17 10:18:55 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 22 Petr Penicka 2017-01-17 10:19:00 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

