[rfc][icedtea7] Handle alternative Kerberos credential cache locations

Elliott Baron ebaron at redhat.com
Tue Aug 13 15:07:27 PDT 2013


Hi,

Kerberos 1.11 introduced a new configuration variable to override the 
default location of the credential cache at build time. Fedora 18 and up 
have used this new configuration variable to define an alternate default 
cache location (/run/user/$UID/krb5cc/tkt). This bug was initially 
reported against Fedora [1].

On Linux and Solaris systems, FileCredentialsCache.getDefaultCacheName() 
defaults to the previously hard-coded location (/tmp/krb5cc_$UID). This 
location will be incorrect if Kerberos was built with an alternative 
credential cache location set. Since this credential cache location can 
be arbitrary, we need to query the Kerberos API for the correct 
location. This patch implements this query using a new JNI call, which 
adds a dependency on libkrb5 for Linux and Solaris systems.

This patch was prepared against icedtea7-forest/jdk, changeset afaedb56b499.

2013-08-12  Elliott Baron <ebaron at redhat.com>
     * make/sun/security/Makefile: Build krb5/internal/ccache on Linux 
and Solaris.
     * 
src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java: 
Replace
     hard-coded cache location with native call to Kerberos API.
     * make/sun/security/krb5/internal/ccache/Makefile: New file; builds 
JNI wrapper for
     needed Kerberos API.
     * 
src/solaris/native/sun/security/krb5/internal/ccache/krb5ccache.c: New 
file; JNI function
     to query default cache location from Kerberos API.

Thanks,
Elliott

[1] https://bugzilla.redhat.com/show_bug.cgi?id=991170

-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdk-krb5-default-ccache-fix.patch
Type: text/x-patch
Size: 12437 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20130813/8d93dafa/jdk-krb5-default-ccache-fix.patch 


More information about the distro-pkg-dev mailing list