Removed illegal reflection access in kerberos authentication #839
lilgreenbird commented Oct 20, 2018
- Removed illegal reflection access, DNSKerberosLocator will handle validation
- removed unused test
…Test to be consistent with other tests
Codecov Report
@@ Coverage Diff @@
## dev #839 +/- ##
============================================
+ Coverage 48.29% 48.58% +0.29%
- Complexity 2781 2790 +9
============================================
Files 116 116
Lines 27877 27867 -10
Branches 4651 4649 -2
============================================
+ Hits 13462 13539 +77
+ Misses 12200 12127 -73
+ Partials 2215 2201 -14
@@ -350,8 +315,8 @@ private String findRealmFromHostname(RealmValidator realmValidator, String hostn | |||
int index = 0; | |||
while (index != -1 && index < hostname.length() - 2) { | |||
String realm = hostname.substring(index); | |||
if (authLogger.isLoggable(Level.FINEST)) { | |||
authLogger.finest(toString() + " looking up REALM candidate " + realm); | |||
if (authLogger.isLoggable(Level.FINER)) { |
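Review bot: The guard on the added line, `if (authLogger.isLoggable(Level.FINER))`, is all that is visible of the new logging, so check that the call it protects was changed to `authLogger.finer(...)` too. A FINER guard around a `finest(...)` call still emits nothing until the logger is set to FINEST. The level change is also unrelated to removing the reflective access and would be easier to review and revert as its own commit.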
Why was this necessary?
to make it consistent with the rest of the logging in this file
src/main/java/com/microsoft/sqlserver/jdbc/dns/DNSKerberosLocator.java
if (realmName.startsWith(".")) { | ||
realmName = realmName.substring(1); | ||
} | ||
try { | ||
Set<DNSRecordSRV> records = DNSUtilities.findSrvRecords("_kerberos._udp." + realmName); | ||
return !records.isEmpty(); | ||
} catch (NameNotFoundException wrongDomainException) { | ||
// config error - domain controller can not be located via DNS |
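Review bot: The only lookup in this block is `DNSUtilities.findSrvRecords("_kerberos._udp." + realmName)`, so a realm that publishes its KDCs only under `_kerberos._tcp` is reported as invalid, and the PR description makes DNSKerberosLocator the validator that remains. Consider querying the TCP record as well. A non-empty SRV answer shows only that the name resolves in DNS, not that the realm is trusted, and the comment in the catch block should state what is returned on `NameNotFoundException`, since the visible lines stop before that return.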
cannot
@@ -30,13 +32,15 @@ public static boolean isRealmValid(String realmName) throws NamingException { | |||
if (realmName == null || realmName.length() < 2) { | |||
return false; | |||
} | |||
|
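Review bot: The check `realmName.length() < 2` is applied to the raw argument. If the leading-dot strip (`realmName = realmName.substring(1)`) runs after it, a constructed input such as ".a" passes the check and is then looked up as a one-character realm. Strip the dot before the length check, and drop the added blank line, which is whitespace-only.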
Please remove this
fixed typo
removed change of logging level
cosmetics
removed stupid tab!!
This code removal will break Kerberos cross DC authentication on many JVMs, most notably on Windows
Hi @pierresouchay, starting from JDK 9, users get a massive warning in their applications complaining about illegal reflective access when doing Kerberos authentication. Unfortunately, it seemed like there was no alternative that would let us preserve the same functionality, and we removed the piece of code that contained the reflection. It is, however, in our backlog to revisit PR #40 in the future, and we would appreciate it if you could give us suggestions on how to achieve the same functionality without illegal reflective access. I should also mention that the removal of reflection did not break any tests in our test lab, and it would be really helpful if you guided us to reproduce the regression with the exact test scenario and environment details.
@ulvii Yes, I explained the reason a bit, but it is clear it will break the feature. I will blacklist the next versions of the driver in our company then. See my comments here: #918 (comment)