spring-projects / spring-security-kerberos

Spring Security Kerberos
https://spring.io/projects/spring-security-kerberos
185 stars 227 forks source link

the keytab file cannot be found if there are spaces in the path... #188

Open mau-gog opened 7 months ago

mau-gog commented 7 months ago

After switching to Spring-Boot 3, the Kerberos connection no longer worked. After lengthy analysis and debugging, it turned out that the problem was not the Kerberos API (with its encryption etc.), but much simpler: there is a problem if the absolute path of the keytab file has a space.

Here is my analysis:

  1. As in the textbook, the keytab location is passed to the validator as a resource... SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator(); validator.setKeyTabLocation(bssSecurityConfigurationProperties.getKeyTabLocationAsResource());

  2. After the settings, the method #afterPropertiesSet() is called in the SunJaasKerberosTicketValidator... BUT there the following sucrile is made: String keyTabLocationAsString = this.keyTabLocation.getURL().toExternalForm(); if (keyTabLocationAsString.startsWith("file:")) { keyTabLocationAsString = keyTabLocationAsString.substring(5); }

    getURL().toExternalForm() returns "%20" instead of " "...

  3. But in the depths of the Kerberos API, more precisely in the class: sun.security.krb5.internal.ktab.KeyTab the broken URL file path is used as a normal file path:

private KeyTab(String filename) { tabName = filename; try { lastModified = new File(tabName).lastModified(); try (KeyTabInputStream kis = new KeyTabInputStream(new FileInputStream(filename))) { load(kis); } ....

IMHO: I think the error is in the lines in the #afterPropertiesSet() method. The keytab file should always be in the local file system. That is why you should not work with the tinkered URL file path. As far as I know, a path such as "abc%20xyz/edf ghi/my.keytab" is also possible under Linux. This should also work properly in the end.

Currently I'm patching the problem by using the deprecated constructor of new URL(String), but that can't be the solution for a long time.

Many thanks for your help in advance... Greetings Clemens