On Mon, Oct 23, 2023 at 04:26:42PM +0100, Michael McMahon wrote:
> Thanks for bringing this to our attention. You are right that this is a
> misuse of the authentication cache in the case of Kerberos (Negotiate)
> authentication. Though that is not the case for other auth schemes, because
> normally what gets cached are credentials, rather than security tokens.

I see. I guess you could cache `GSSCredential` handles if the caller were
using non-default GSS credentials. With password-based HTTP schemes the
credentials aren't process-global like GSS credentials typically are, but
rather can vary per request.

> It makes no sense to cache GSS contexts either, outside the scope of any
> individual request (being authenticated through multiple request/responses).
> We don't need to cache it in this situation as it is already kept as a local
> variable in the HttpURLConnection impl class.
>
> So, my first impression is that the fix here needs to disable the cache
> permanently for the Negotiate scheme, which is basically what the system
> property workaround is doing. But, we need to just be sure about that before
> we publish a PR.

For what it's worth, disabling the cache for Negotiate does indeed work right
now as a workaround. You can reproduce both the crashes and the workaround
using the instructions I provided.

Nico