[rfc][icedtea7] Handle alternative Kerberos credential cache locations
Weijun Wang
weijun.wang at oracle.com
Wed Aug 14 16:06:15 PDT 2013
On 8/14/13 11:41 PM, Elliott Baron wrote:
> Hi Max,
>
> On 08/13/2013 08:54 PM, Weijun Wang wrote:
>> Hi Elliott
>>
>> This is a very good feature. Can you contribute it to OpenJDK directly?
>
> Absolutely! I assume security-dev would be the correct list?
Correct.
>
>>
>> One thing I don't understand is the _GNU_SOURCE macro defined.
>
> This is needed in order to use asprintf. If this is problematic, I could
> replace the asprintf usage with a helper function that manually
> allocates and concatenates the strings. At the very least, I will add a
> comment stating that the #define is for asprintf.
I'm not sure if it works on Solaris. Will give it a try.
Thanks
Max
>
>>
>> Thanks
>> Max
>>
>>
>> On 8/14/13 6:07 AM, Elliott Baron wrote:
>>> Hi,
>>>
>>> Kerberos 1.11 introduced a new configuration variable to override the
>>> default location of the credential cache at build time. Fedora 18 and up
>>> have used this new configuration variable to define an alternate default
>>> cache location (/run/user/$UID/krb5cc/tkt). This bug was initially
>>> reported against Fedora [1].
>>>
>>> On Linux and Solaris systems, FileCredentialsCache.getDefaultCacheName()
>>> defaults to the previously hard-coded location (/tmp/krb5cc_$UID). This
>>> location will be incorrect if Kerberos was built with an alternative
>>> credential cache location set. Since this credential cache location can
>>> be arbitrary, we need to query the Kerberos API for the correct
>>> location. This patch implements this query using a new JNI call, which
>>> adds a dependency on libkrb5 for Linux and Solaris systems.
>>>
>>> This patch was prepared against icedtea7-forest/jdk, changeset
>>> afaedb56b499.
>>>
>>> 2013-08-12 Elliott Baron <ebaron at redhat.com>
>>> * make/sun/security/Makefile: Build krb5/internal/ccache on Linux and Solaris.
>>> * src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java: Replace hard-coded cache location with native call to Kerberos API.
>>> * make/sun/security/krb5/internal/ccache/Makefile: New file; builds JNI wrapper for needed Kerberos API.
>>> * src/solaris/native/sun/security/krb5/internal/ccache/krb5ccache.c: New file; JNI function to query default cache location from Kerberos API.
>>>
>>> Thanks,
>>> Elliott
>>>
>>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=991170
>>>
>
> Thanks,
> Elliott
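
The fallback discussed above, a helper that allocates and concatenates the strings itself instead of calling asprintf, can be written with C99 calls only, so it needs no _GNU_SOURCE define. This is an added example, not code from the patch or from anyone in the thread; alloc_printf, build_ccache_name and the sample cache name are hypothetical.

```c
/* Added illustration: names and sample values are hypothetical, not from the patch. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format into a freshly malloc'd string using only C99 functions.
   Returns the string length, or -1 on error with *out left NULL. */
static int alloc_printf(char **out, const char *fmt, ...)
{
    va_list ap, ap2;
    int needed, written;
    char *buf;

    *out = NULL;
    va_start(ap, fmt);
    va_copy(ap2, ap);                       /* the list is consumed twice */
    needed = vsnprintf(NULL, 0, fmt, ap);   /* pass 1: measure only */
    va_end(ap);
    if (needed < 0) { va_end(ap2); return -1; }

    buf = malloc((size_t)needed + 1);
    if (buf == NULL) { va_end(ap2); return -1; }

    written = vsnprintf(buf, (size_t)needed + 1, fmt, ap2);  /* pass 2: write */
    va_end(ap2);
    if (written != needed) { free(buf); return -1; }
    *out = buf;
    return written;
}

/* Constructed use: join a cache type and a path as "TYPE:path". Caller frees. */
static char *build_ccache_name(const char *type, const char *path)
{
    char *name;

    if (type == NULL || path == NULL || strchr(type, ':') != NULL) return NULL;
    return alloc_printf(&name, "%s:%s", type, path) < 0 ? NULL : name;
}

int main(void)
{
    char *name = build_ccache_name("FILE", "/tmp/krb5cc_1000"); /* UID 1000 is made up */
    if (name == NULL) return 1;
    puts(name);
    free(name);
    return 0;
}
```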