[security-dev 00033]: Re: JGSS: Re-construct Credentials.acquireTGTFromCache
Andrew Fan
andrew.fan at sun.com
Wed Jan 2 12:39:40 UTC 2008
Just as the comment says, "// The default ticket cache on Windows is not a
file." So I don't think any credentials are missed or won't get
read.
For the second question, the current CredentialsCache is implemented as a
file-based cache. It's a good idea to adjust the CredentialsCache
to accept LSA on the Windows platform. I made a few updates to
MemoryCredentialsCache, and to CredentialsCache to accept
MemoryCredentialsCache, months ago, but I haven't tested it completely. I never
thought that it could be used to improve acquireTGTFromCache.
Andrew
Weijun Max Wang wrote:
> Hi All
>
> Current sun.security.krb5.Credentials's acquireTGTFromCache method looks
> like --
>
> Cred acquireTGTFromCache(princ, fcache) {
>     if (fcache not specified) {
>         if (Windows) {
>             cred = function {
>                 get default TGT from default file cache;
>                 if (found && etypeSupported) return it;
>                 else return one from LSA;
>             }
>             if (princ specified && princ is not princ in cred)
>                 return null;
>             else
>                 return cred;
>         }
>     }
>     read cred for princ in fcache
>     if (found && etypeSupported) return it;
>     else return null;
> }
>
> It seems there's a chance on Windows that the default TGT in default
> file cache (fcache == null) is not for princ, but maybe there's one for
> princ in LSA. It won't get read.
>
> Right? Shall we just move the whole fcache to the beginning and only use
> LSA as a fallback?
>
> Thanks
> Max
>
>
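The two lookup orders discussed in this thread, as an added example that is not part of either message and is not JDK code. It models the quoted pseudocode with in-memory stand-ins for the file cache and the LSA; every class, method and principal name is hypothetical, and it assumes a default file cache exists on the Windows host.

```java
import java.util.*;

// Hypothetical model of the lookup order discussed in this thread; not JDK code.
public class TgtLookupOrder {
    record Cred(String princ, boolean etypeSupported) {}

    // Constructed stand-ins: a file cache keyed by principal with a default entry,
    // and an LSA that holds a single TGT.
    static Map<String, Cred> fileCache = new HashMap<>();
    static String fileDefaultPrinc;
    static Cred lsaTgt;

    // princ == null means "the default TGT of the file cache".
    static Cred fromFile(String princ) {
        Cred c = fileCache.get(princ == null ? fileDefaultPrinc : princ);
        return (c != null && c.etypeSupported()) ? c : null;
    }

    // Order in the quoted pseudocode (Windows, fcache not specified).
    static Cred current(String princ) {
        Cred c = fromFile(null);          // default TGT from the default file cache
        if (c == null) c = lsaTgt;        // LSA is consulted only when that one is unusable
        if (princ != null && (c == null || !princ.equals(c.princ()))) return null;
        return c;
    }

    // Proposed order: look up princ in the file cache first, use the LSA as a fallback.
    static Cred proposed(String princ) {
        Cred c = fromFile(princ);
        if (c != null) return c;
        if (lsaTgt != null && (princ == null || princ.equals(lsaTgt.princ()))) return lsaTgt;
        return null;
    }

    public static void main(String[] args) {
        // Constructed scenario: the file cache default belongs to alice, the LSA TGT to bob.
        fileDefaultPrinc = "alice@EXAMPLE.COM";
        fileCache.put(fileDefaultPrinc, new Cred(fileDefaultPrinc, true));
        lsaTgt = new Cred("bob@EXAMPLE.COM", true);

        System.out.println("current : " + current("bob@EXAMPLE.COM"));
        System.out.println("proposed: " + proposed("bob@EXAMPLE.COM"));
    }
}
```

In this model the current order never reaches the LSA once the file cache yields a usable default TGT, so a request for bob gets no credential even though the LSA holds one; the proposed order returns it.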