code review request (Re: Some Mac JDK codes not open sourced (was Fwd: Re: Kerberos codes in Apple's Java))

Weijun Wang weijun.wang at oracle.com
Thu Dec 29 21:05:15 PST 2011


Hi Scott

Webrev updated:

    http://cr.openjdk.java.net/~weijun/7123107/webrev.01/

I've renamed MacOSXCredentials.c to nativeccache.c and put it into 
share. The native calls inside should apply to all memory based ccache. 
The lib is now only compiled for macosx, but it will be easy to extend it 
to another platform later.

Thanks
Max


On 12/22/2011 12:32 AM, Scott Kovatch wrote:
> Oh, sorry, I didn't realize you were waiting on me.
>
> I think you can just add a "FILES_c =" directive and use the file as a .c file.
>
> However, I think this needs its own library, as we are using a JNI_OnLoad to find a number of Kerberos-related classes. I suspect a lot of bundled apps will be using FileManager, which means they will end up loading Kerberos and keystore code as well. That's not necessary.
>
> I would change the comment in Credentials.java that talks about Windows not having a ticket file (line 288) since the logic has changed to include Mac OS X.
>
> Sent from my iPad
>
> On Dec 21, 2011, at 2:41 AM, Weijun Wang<weijun.wang at oracle.com>  wrote:
>
>> Hi Scott
>>
>> Ping again. I mainly want you to see if the Makefile is good. As for the c file, I renamed it to .m to have a similar look with the others; of course that means I need to s/#include/#import/. Also, I need your opinion on whether stuffing it inside the libosx.dylib is a good idea.
>>
>> Thanks
>> Max
>>
>> On 12/20/2011 04:54 PM, Weijun Wang wrote:
>>> None of you reviewed my code changes. :(
>>>
>>> Here is the final version:
>>>
>>> http://cr.openjdk.java.net/~weijun/7123107/webrev.00/
>>>
>>> I guess with the current bylaw, the jdk7u-osx belongs to the "jdk7u -
>>> JDK 7 Updates Project" and skovatch is not listed there. So I guess I
>>> will be the committer and you will be the author, and then I can add my
>>> name as reviewer if you review it for me. Hopefully I can get that
>>> correct. I've never committed something with another person's name as author.
>>>
>>> Thanks
>>> Max
>>>
>>>
>>> On 12/20/2011 02:50 PM, Scott Kovatch wrote:
>>>> Be sure to mark me as author/contributor/whatever so I can get my 8
>>>> checkmarks for commit rights. :-)
>>>>
>>>>
>>>> -- Scott
>>>>
>>>> On Dec 19, 2011, at 10:23 PM, Weijun Wang wrote:
>>>>
>>>>> Hi All
>>>>>
>>>>> I've created a webrev. Please anyone take a review:
>>>>>
>>>>> http://cr.openjdk.java.net/~weijun/9999999/webrev.12/
>>>>>
>>>>> *Jeannette*:
>>>>>
>>>>> Is a formal donate-to-openjdk process needed? The file in my webrev
>>>>> still has the Apple copyright line. IANAL and I do not want to make
>>>>> any change to it myself.
>>>>>
>>>>> Thanks
>>>>> Max
>>>>>
>>>>>
>>>>> On 12/20/2011 09:58 AM, Mike Swingler wrote:
>>>>>> This is just a .c file. No Objective-C here.
>>>>>>
>>>>>> ~Mike
>>>>>>
>>>>>> On Dec 19, 2011, at 5:56 PM, Weijun Wang wrote:
>>>>>>
>>>>>>> Hi Bino
>>>>>>>
>>>>>>> Thank you for locating it. I would be glad if you or Scott can do
>>>>>>> an integration. I guess this .m file is almost a pure .c file but
>>>>>>> I'm really unfamiliar with compiler settings on Mac.
>>>>>>>
>>>>>>> -Max
>>>>>>>
>>>>>>>
>>>>>>> On 12/20/2011 09:51 AM, Bino George wrote:
>>>>>>>> Hi Weijun,
>>>>>>>>
>>>>>>>> It looks like we did not port over some of the native code that
>>>>>>>> Scott Kovatch wrote for the Mac. Attached is the native file for
>>>>>>>> JDK6 that implements the missing JNI method. Can you or Scott try
>>>>>>>> to integrate it to JDK 7 ? If you have difficulty, let me know and
>>>>>>>> I will take care of it some time this week.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Bino.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Dec 19, 2011, at 5:19 PM, Weijun Wang wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 12/20/2011 09:10 AM, Bino George wrote:
>>>>>>>>>> Hi Weijun,
>>>>>>>>>>
>>>>>>>>>>> I'm testing on 10.6.
>>>>>>>>>>
>>>>>>>>>> Does JDK6 (Apple JVM) work for your test on 10.6 ???
>>>>>>>>>>
>>>>>>>>>> The SCDynamicStoreConfig implementation only works on Lion (10.7).
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> In fact, in
>>>>>>>>>>> src/share/classes/sun/security/krb5/Credentials.java, the
>>>>>>>>>>> native method declaration still exists:
>>>>>>>>>>>
>>>>>>>>>>> private static native Credentials acquireDefaultNativeCreds();
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> We don't do anything native on 10.6 and before we find the
>>>>>>>>>> config file
>>>>>>>>>> using this logic and simply parse it in Config.java :
>>>>>>>>>
>>>>>>>>> I'm not talking about the config part at all. That part has no
>>>>>>>>> problem.
>>>>>>>>>
>>>>>>>>> What I said is credential cache, i.e. the little piece of private
>>>>>>>>> info stored on local computer (either a file or a block in
>>>>>>>>> memory) after kinit is called. The info is generated by kinit and
>>>>>>>>> can be viewed either by the native klist tool or thru the Java call
>>>>>>>>>
>>>>>>>>> sun.security.krb5.Credentials.acquireTGTFromCache()
>>>>>>>>>
>>>>>>>>> What I observed is that in Apple JDK 6 both these 2 methods
>>>>>>>>> return the same info but in macosx-port the Java method does not
>>>>>>>>> return anything.
>>>>>>>>>
>>>>>>>>> That's what I mentioned in the "Thu, 01 Dec 2011 22:54:57 +0800"
>>>>>>>>> mail. (scroll down to 2/3 place).
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>> Max
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> private String findMacosConfigFile() {
>>>>>>>>>>     String userHome = getProperty("user.home");
>>>>>>>>>>     final String PREF_FILE = "/Library/Preferences/edu.mit.Kerberos";
>>>>>>>>>>     String userPrefs = userHome + PREF_FILE;
>>>>>>>>>>
>>>>>>>>>>     // 1. Per-user preferences file under the home directory
>>>>>>>>>>     if (fileExists(userPrefs)) {
>>>>>>>>>>         return userPrefs;
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     // 2. System-wide preferences file
>>>>>>>>>>     if (fileExists(PREF_FILE)) {
>>>>>>>>>>         return PREF_FILE;
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     // 3. Standard krb5.conf location
>>>>>>>>>>     if (fileExists("/etc/krb5.conf")) {
>>>>>>>>>>         return "/etc/krb5.conf";
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>>     // No configuration file found
>>>>>>>>>>     return "";
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>>
>>>>>>>>>> Bino.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Dec 19, 2011, at 4:49 PM, Weijun Wang wrote:
>>>>>>>>>>
>>>>>>>>>>> I took a brief look at
>>>>>>>>>>>
>>>>>>>>>>> src/macosx/native/java/util/SCDynamicStoreConfig.m
>>>>>>>>>>> src/share/classes/sun/security/krb5/SCDynamicStoreConfig.java
>>>>>>>>>>>
>>>>>>>>>>> and it is an alternative way of specifying krb5.conf, but there
>>>>>>>>>>> is no
>>>>>>>>>>> line on the credentials cache.
>>>>>>>>>>>
>>>>>>>>>>> In fact, in
>>>>>>>>>>> src/share/classes/sun/security/krb5/Credentials.java, the
>>>>>>>>>>> native method declaration still exists:
>>>>>>>>>>>
>>>>>>>>>>> private static native Credentials acquireDefaultNativeCreds();
>>>>>>>>>>>
>>>>>>>>>>> but I cannot find the implementation codes for it.
>>>>>>>>>>>
>>>>>>>>>>> I'm testing on 10.6.
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>> Max
>>>>>>>>>>>
>>>>>>>>>>> On 12/20/2011 05:30 AM, Bino George wrote:
>>>>>>>>>>>> Hi Mike,
>>>>>>>>>>>>
>>>>>>>>>>>>> Actually, Bino - on Lion we compile in the SCDynamicStore
>>>>>>>>>>>>> version, and
>>>>>>>>>>>>> on SnowLeopard we compile it out and just use the file version
>>>>>>>>>>>>> in Java.
>>>>>>>>>>>>> Do you know if the SCDynamicStore version is building on
>>>>>>>>>>>>> SnowLeopard,
>>>>>>>>>>>>> but just not enabled? Does it rely on new constants that are
>>>>>>>>>>>>> only on
>>>>>>>>>>>>> Lion?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> The difference between JDK6 and JDK7 is that in JDK6 we do not
>>>>>>>>>>>> compile
>>>>>>>>>>>> the SCDynamicStore code. But since SCDynamicStore does not use
>>>>>>>>>>>> any new
>>>>>>>>>>>> API, we compile it both on Lion and SnowLeopard on JDK7 and we
>>>>>>>>>>>> only load
>>>>>>>>>>>> the SCDynamicStore code on Lion (we check at runtime for os
>>>>>>>>>>>> version). We
>>>>>>>>>>>> don't rely on any OS provided constants, I don't think there
>>>>>>>>>>>> are any, we
>>>>>>>>>>>> just look for the following keys on Lion in SCDynamicStore :
>>>>>>>>>>>>
>>>>>>>>>>>> #define KERBEROS_DEFAULT_REALMS @"Kerberos-Default-Realms"
>>>>>>>>>>>> #define KERBEROS_DEFAULT_REALM_MAPPINGS
>>>>>>>>>>>> @"Kerberos-Domain-Realm-Mappings"
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Bino.
>>>>>>>>>>>>
>>>>>>>>>>>> On Dec 19, 2011, at 11:10 AM, Mike Swingler wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> On Dec 19, 2011, at 11:05 AM, Bino George wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Mike,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Bino, I thought we contributed all of the Kerberos
>>>>>>>>>>>>>>> implementation
>>>>>>>>>>>>>>> (including the new SCDynamicStore implementation for Lion).
>>>>>>>>>>>>>>> Do you
>>>>>>>>>>>>>>> think the system kinit and the SCDynamicStore versions aren't
>>>>>>>>>>>>>>> playing ball with each other?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes, we did contribute that code already and we tested it in
>>>>>>>>>>>>>> JDK7 on
>>>>>>>>>>>>>> Lion. Not sure if this is a SnowLeopard issue.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Weijun, do your tests work with JDK6 from Apple on the same
>>>>>>>>>>>>>> machine, the code should be identical.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Actually, Bino - on Lion we compile in the SCDynamicStore
>>>>>>>>>>>>> version, and
>>>>>>>>>>>>> on SnowLeopard we compile it out and just use the file version
>>>>>>>>>>>>> in Java.
>>>>>>>>>>>>> Do you know if the SCDynamicStore version is building on
>>>>>>>>>>>>> SnowLeopard,
>>>>>>>>>>>>> but just not enabled? Does it rely on new constants that are
>>>>>>>>>>>>> only on
>>>>>>>>>>>>> Lion?
>>>>>>>>>>>>>
>>>>>>>>>>>>> ~Mike
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Dec 19, 2011, at 10:50 AM, Mike Swingler wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Bino, I thought we contributed all of the Kerberos
>>>>>>>>>>>>>>> implementation
>>>>>>>>>>>>>>> (including the new SCDynamicStore implementation for Lion).
>>>>>>>>>>>>>>> Do you
>>>>>>>>>>>>>>> think the system kinit and the SCDynamicStore versions aren't
>>>>>>>>>>>>>>> playing ball with each other? Weijun, what version of Mac
>>>>>>>>>>>>>>> OS X are
>>>>>>>>>>>>>>> you testing on? 10.6 or 10.7?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ~Mike
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Dec 18, 2011, at 10:49 PM, Jeannette Hung wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hey Mike,
>>>>>>>>>>>>>>>> What's the scope with the Kerberos code in the macos port?
>>>>>>>>>>>>>>>> It looks
>>>>>>>>>>>>>>>> like something is missing.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>> jeannette
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Begin forwarded message:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> From: Weijun Wang <weijun.wang at oracle.com>
>>>>>>>>>>>>>>>>> Subject: Some Mac JDK codes not open sourced (was Fwd: Re:
>>>>>>>>>>>>>>>>> Kerberos codes in Apple's Java)
>>>>>>>>>>>>>>>>> Date: December 15, 2011 6:52:18 PM PST
>>>>>>>>>>>>>>>>> To: Frances Ho <Frances.Ho at oracle.com>
>>>>>>>>>>>>>>>>> Cc: Jeannette Hung <jeannette.hung at ORACLE.COM>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Frances
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I suspect some Kerberos native codes on Apple's JDK 6 are
>>>>>>>>>>>>>>>>> not
>>>>>>>>>>>>>>>>> included in their macosx-port OpenJDK 7 contribution. I've
>>>>>>>>>>>>>>>>> contacted some Apple guys but got no answer until
>>>>>>>>>>>>>>>>> now. (See
>>>>>>>>>>>>>>>>> forwarded mail thread.)
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do we have a project/product manager that can talk to
>>>>>>>>>>>>>>>>> someone
>>>>>>>>>>>>>>>>> inside Apple on this?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> In my opinion, these are not sensitive codes that they
>>>>>>>>>>>>>>>>> cannot open
>>>>>>>>>>>>>>>>> source.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> Max
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> -------- Original Message --------
>>>>>>>>>>>>>>>>> Subject: Re: Kerberos codes in Apple's Java
>>>>>>>>>>>>>>>>> Date: Thu, 01 Dec 2011 22:54:57 +0800
>>>>>>>>>>>>>>>>> From: Weijun Wang <weijun.wang at oracle.com>
>>>>>>>>>>>>>>>>> To: Bino George <bino at apple.com>
>>>>>>>>>>>>>>>>> CC: security-dev at openjdk.java.net
>>>>>>>>>>>>>>>>> <security-dev at openjdk.java.net>,
>>>>>>>>>>>>>>>>> macosx-port-dev at openjdk.java.net
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Bino
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 2. Reading native memory-based credentials cache into
>>>>>>>>>>>>>>>>>>> Credentials objects
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I don't think we do this in JDK6 either.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I just tried OS X's builtin kinit and klist command:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> $ kinit dummy
>>>>>>>>>>>>>>>>> Please enter the password for dummy at THREE.LOCAL:
>>>>>>>>>>>>>>>>> $ klist
>>>>>>>>>>>>>>>>> Kerberos 5 ticket cache: 'API:Initial default ccache'
>>>>>>>>>>>>>>>>> ...
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> So here the ccache name is "API:Initial default ccache",
>>>>>>>>>>>>>>>>> which looks
>>>>>>>>>>>>>>>>> like an in-memory ccache. At least I cannot find normal
>>>>>>>>>>>>>>>>> file-based
>>>>>>>>>>>>>>>>> ccache file named /tmp/krb5cc_**.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> There is also a difference between Apple's JDK 6u29 and
>>>>>>>>>>>>>>>>> the current
>>>>>>>>>>>>>>>>> macosx-port OpenJDK build when calling the following method:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> sun.security.krb5.Credentials.acquireTGTFromCache()
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It returns a valid credential (which is identical to the
>>>>>>>>>>>>>>>>> klist
>>>>>>>>>>>>>>>>> output)
>>>>>>>>>>>>>>>>> in Apple's 6u29, but the macosx-port one returns null. So it
>>>>>>>>>>>>>>>>> seems the
>>>>>>>>>>>>>>>>> Apple JDK can see the special ccache object but
>>>>>>>>>>>>>>>>> macosx-port cannot.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>> Max
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>>> Bino.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Oct 14, 2011, at 10:38 AM, Weijun Wang wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Mike
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I'm working in the Java SE Security Team in Oracle.
>>>>>>>>>>>>>>>>>>> Apple's
>>>>>>>>>>>>>>>>>>> JRE (at
>>>>>>>>>>>>>>>>>>> least in the JDK 6 releases) supports some extra Kerberos
>>>>>>>>>>>>>>>>>>> features for
>>>>>>>>>>>>>>>>>>> OS X. As I know, at least there are:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 1. Looking for krb5.conf at
>>>>>>>>>>>>>>>>>>> /Library/Preferences/edu.mit.Kerberos
>>>>>>>>>>>>>>>>>>> 2. Reading native memory-based credentials cache into
>>>>>>>>>>>>>>>>>>> Credentials objects
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I didn't see them on the Project Status page [1]. Is it
>>>>>>>>>>>>>>>>>>> because they
>>>>>>>>>>>>>>>>>>> are too trivial to be listed or you're not going to
>>>>>>>>>>>>>>>>>>> support them?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>>>>>> Max
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [1]
>>>>>>>>>>>>>>>>>>> http://wikis.sun.com/display/OpenJDK/Mac+OS+X+Port+Project+Status
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>

