feat: introduce new exception handling model for Kerberos failures wi… #108
Open
bedrin wants to merge 1 commit into
…th diagnostics Signed-off-by: Dmitry Bedrin <dmitry.bedrin@gmail.com>
Pull request overview
This PR introduces a new Kerberos failure diagnostic model across Kerb4J, translating provider-specific exceptions (JAAS/JGSS/Kerby) into stable, support-friendly runtime exceptions with machine-readable codes/categories, and propagates those diagnostics through client and Spring server integrations.
Changes:
- Added `KerberosFailureAnalyzer`, `KerberosDiagnostic`, and a taxonomy of failure codes/categories plus typed `Kerb4JKerberosException` subclasses for consistent classification and troubleshooting output.
- Introduced “*OrThrow” convenience APIs in `SpnegoClient`/`SpnegoContext` and updated server-side Spring components to wrap failures with Kerb4J diagnostics.
- Added tests for diagnostic classification and documentation describing the new exception/diagnostic contract.
Reviewed changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| kerb4j-server/kerb4j-server-spring-security-core/.../SpnegoAuthenticationProvider.java | Wraps Kerberos/SPNEGO failures into diagnostic exceptions before rethrowing Spring auth exceptions. |
| kerb4j-server/kerb4j-server-spring-security-core/.../SunJaasKerberosTicketValidator.java | Uses new diagnostic model and new *OrThrow APIs to surface richer BadCredentials diagnostics. |
| kerb4j-server/kerb4j-server-common/.../Kerb4JException.java | Fixes checked exception cause handling by delegating to super(message, cause). |
| kerb4j-common/src/main/java/com/kerb4j/common/exception/* | Adds diagnostic types (codes/categories/diagnostic object/analyzer) and typed runtime exceptions. |
| kerb4j-common/src/main/java/com/kerb4j/common/jaas/sun/Krb5LoginContext.java | Replaces generic RuntimeException wrapping with diagnostic exceptions on login failures. |
| kerb4j-common/src/main/java/com/kerb4j/client/SpnegoClient.java | Adds *OrThrow + correctly-spelled createAuthorizationHeader* convenience APIs. |
| kerb4j-common/src/main/java/com/kerb4j/client/SpnegoContext.java | Adds *OrThrow convenience APIs for token creation/acceptance and correct header method spelling. |
| kerb4j-common/src/main/java/com/kerb4j/client/spi/* | Wraps login/refresh failures into diagnostic exceptions. |
| kerb4j-client-kerby/.../KerbySpnegoClientProvider.java | Replaces IllegalStateException cases with explicit Kerberos diagnostics. |
| kerb4j-client-jdk/.../JdkSpnegoClientProvider.java | Replaces UnsupportedOperationException with explicit provider diagnostics. |
| kerb4j-client-jdk/.../JdkSpnegoClientProviderTest.java | Updates tests to assert new provider diagnostic exception behavior. |
| kerb4j-common/src/test/.../KerberosFailureAnalyzerTest.java | Adds unit tests validating exception classification behavior. |
| docs/KERBEROS_FAILURE_DIAGNOSTICS.md | Documents the new diagnostic exception model and troubleshooting contract. |
Comment on lines +84 to 88
| } finally { | ||
| if (!holdOnToGSSContext) { | ||
| acceptContext.close(); | ||
| } | ||
| } |
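Review bot: when holdOnToGSSContext is true, this finally block never closes acceptContext, and that includes the path where the try body throws and the caller never receives the context. Consider skipping the close only on successful return, for example with a success flag set as the last statement of the try, so that a context created for a rejected token is not left open.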
Comment on lines +68 to +72
| throw diagnosticBadCredentials(KerberosFailureAnalyzer.explicit( | ||
| "spnego.resolve-service-credentials", | ||
| KerberosFailureCode.KEYTAB_MISSING_PRINCIPAL, | ||
| KerberosFailureCategory.CREDENTIALS, | ||
| "No Kerberos service credentials are configured for validating this token.", |
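Review bot: the failure code KEYTAB_MISSING_PRINCIPAL does not match the message on the last visible line, which says that no service credentials are configured at all. A consumer that branches on the machine-readable code would go looking for a principal missing from an existing keytab, so either use a code that means "service credentials not configured" or reword the message. Because this is wrapped by diagnosticBadCredentials, also confirm that the text stays in server-side logs and is not echoed in the response to an unauthenticated client.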
Comment on lines +251 to +258
| public String createAuthorizationHeader(URL url) throws Kerb4JKerberosException, IOException { | ||
| SpnegoContext context = createContextOrThrow(url); | ||
| try { | ||
| return context.createTokenAsAuthorizationHeader(); | ||
| } finally { | ||
| context.close(); | ||
| } | ||
| } |
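Review bot: createAuthorizationHeader mixes createContextOrThrow(url) with the plain context.createTokenAsAuthorizationHeader(), so only context creation is visibly routed through the new diagnostic path. If a token-creation failure can surface here as a provider exception, call the *OrThrow token variant (the file summary says SpnegoContext gains such APIs for token creation) or document why the plain call is sufficient, and keep the throws clause limited to what can actually escape.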
Comment on lines +269 to +276
| public String createAuthorizationHeaderForSPN(String spn) throws Kerb4JKerberosException, IOException { | ||
| SpnegoContext contextForSPN = createContextForSPNOrThrow(spn); | ||
| try { | ||
| return contextForSPN.createTokenAsAuthorizationHeader(); | ||
| } finally { | ||
| contextForSPN.close(); | ||
| } | ||
| } |
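Review bot: contextForSPN.close() in the finally block can replace an exception already propagating from createTokenAsAuthorizationHeader() if close() itself throws, which the IOException in the signature suggests it may. If SpnegoContext implements Closeable, try-with-resources keeps the primary failure and attaches the close failure as suppressed. The same applies to createAuthorizationHeader(URL).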