[security-dev 00033]: Re: JGSS: Re-construct Credentials.acquireTGTFromCache

Andrew Fan andrew.fan at sun.com
Wed Jan 2 04:39:40 PST 2008


Just as the comments, "// The default ticket cache on Windows is not a 
file." So I don't think there are some credentials missed, or won't get 
read.

For the send question, the current CredentialsCache is implemented as a 
file based cache.  It's a good idea that we adjust the CredentialsCache 
to accept LSA on windows platform.  I made a few updates on 
MemoryCredentialsCache, and CredentialsCache  to accept  
MemoryCredentialsCache months ago, I haven't test it completely. I never 
thought about that it could be used to improve the acquireTGTFromCache.

Andrew

Weijun Max Wang wrote:
> Hi All
>
> Current sun.security.krb5.Credentials's acquireTGTFromCache method looks
> like --
>
> Cred acquireTGTFromCache(princ, fcache) {
>   if (fcache not specified) {
>     if (Windows) {
>       cred = function {
>         get default TGT from default file cache;
>         if (found && etypeSupported) return it;
>         else return one from LSA;
>       }
>       if (princ specified && princ is not princ in cred)
>         return null;
>       else
>         return cred;
>     }
>   }
>   read cred for princ in fcache
>   if (found && etypeSupported) return it;
>   else return null;
> }
>
> It seems there's a chance on Windows that the default TGT in default
> file cache (fcache == null) is not for princ, but maybe there's one for
> princ in LSA. It won't get read.
>
> Right? Shall we just move the whole fcache to the beginning and only use
> LSA as a fallback?
>
> Thanks
> Max
>
>   




More information about the security-dev mailing list