[security-dev 00034]: Re: JGSS: Re-construct Credentials.acquireTGTFromCache

Max (Weijun) Wang Weijun.Wang at Sun.COM
Wed Jan 2 06:13:11 PST 2008

Hi Andrew

The current CredentialsCache.getInstance() on Windows should always  
return the file cache, right? Inside the acquireDefaultCreds()  
method, if cache.getDefaultCreds() returns a non-null object which  
has the correct eType, then LSA is never read.

Take this for example:

1. User logs in to Active Directory as A
2. User's JAAS login config includes "principal=A"

Now, acquireTGTFromCache returns the TGT for A in LSA. However, if

3. User runs "kinit B" and generates a file cache for user B

acquireTGTFromCache returns NULL, since the TGT for B in fcache is  
first returned and then ignored.

On Jan 2, 2008, at 8:39 PM, Andrew Fan wrote:

> Just as the comment says, "// The default ticket cache on Windows is
> not a file." So I don't think any credentials are missed, or
> won't get read.
> For the second question, the current CredentialsCache is implemented
> as a file based cache. It's a good idea that we adjust the
> CredentialsCache to accept LSA on the Windows platform. I made a few
> updates on MemoryCredentialsCache, and CredentialsCache to accept
> MemoryCredentialsCache months ago; I haven't tested it completely. I
> never thought that it could be used to improve
> acquireTGTFromCache.

Oh, this is cool. The whole ccache picture for Windows may include a
file cache, an MIT-style in-memory cache, and the Windows LSA cache. Does
this mean three kinds of CredentialsCache objects should be returned? Is
something like CredentialsCache.getAllInstances() needed?


> Andrew
> Weijun Max Wang wrote:
>> Hi All
>> The current sun.security.krb5.Credentials's acquireTGTFromCache method
>> looks like --
>> Cred acquireTGTFromCache(princ, fcache) {
>>   if (fcache not specified) {
>>     if (Windows) {
>>       cred = function {
>>         get default TGT from default file cache;
>>         if (found && etypeSupported) return it;
>>         else return one from LSA;
>>       }
>>       if (princ specified && princ is not princ in cred)
>>         return null;
>>       else
>>         return cred;
>>     }
>>   }
>>   read cred for princ in fcache
>>   if (found && etypeSupported) return it;
>>   else return null;
>> }
>> It seems there's a chance on Windows that the default TGT in the
>> default file cache (fcache == null) is not for princ, but maybe
>> there's one for princ in LSA. It won't get read.
>> Right? Shall we just move the whole fcache to the beginning and
>> only use LSA as a fallback?
>> Thanks
>> Max
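The lookup order under discussion, as an added model written for this page (it is not JDK code and does not call sun.security.krb5): a file ccache and an LSA cache are constructed inline, acquire_tgt_current follows the pseudocode from the original mail (default file-cache ticket first, LSA only when that ticket is missing or has an unsupported etype, principal check last), and acquire_tgt_ordered is the proposed "fcache first, LSA as fallback" order, written over a list of caches so that it also covers the three-cache picture (file, in-memory, LSA) raised above. Principal names, etype numbers and the class names FileCache, LsaCache and Ticket are assumptions of the example. The scenario function replays steps 1-3 from the mail.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed model, not JDK code: only the lookup order from the thread is
# reproduced. The set of supported etypes is an assumption of this example.
SUPPORTED_ETYPES = {17, 18, 23}


@dataclass(frozen=True)
class Ticket:
    client: str  # client principal name, e.g. "A@EXAMPLE.COM"
    etype: int   # session key encryption type


def etype_supported(t: Ticket) -> bool:
    return t.etype in SUPPORTED_ETYPES


class FileCache:
    """MIT-style file ccache: a default principal plus its tickets."""

    def __init__(self, default_client: Optional[str] = None,
                 tickets: Iterable[Ticket] = ()):
        self.default_client = default_client
        self.tickets = {t.client: t for t in tickets}

    def get_default_creds(self) -> Optional[Ticket]:
        return self.tickets.get(self.default_client)

    def get_creds_for(self, princ: Optional[str]) -> Optional[Ticket]:
        if princ is None:
            return self.get_default_creds()
        return self.tickets.get(princ)


class LsaCache:
    """Windows LSA: holds the TGT of the interactive logon session only."""

    def __init__(self, logon_tgt: Optional[Ticket] = None):
        self.logon_tgt = logon_tgt

    def get_creds_for(self, princ: Optional[str]) -> Optional[Ticket]:
        t = self.logon_tgt
        if t is None or (princ is not None and t.client != princ):
            return None
        return t


def acquire_tgt_current(princ: Optional[str], fcache: FileCache,
                        lsa: LsaCache) -> Optional[Ticket]:
    """Order from the pseudocode in the original mail (Windows, fcache not
    specified): default ticket of the default file cache, LSA only when that
    ticket is missing or has an unsupported etype, principal check last."""
    cred = fcache.get_default_creds()
    if cred is None or not etype_supported(cred):
        cred = lsa.get_creds_for(None)
    if cred is None:
        return None
    if princ is not None and cred.client != princ:
        return None
    return cred


def acquire_tgt_ordered(princ: Optional[str], caches) -> Optional[Ticket]:
    """Proposed order: ask each cache for princ, first usable ticket wins.
    With caches = [file, lsa] this is 'fcache first, LSA as fallback'; a
    longer list models file, in-memory and LSA caches together."""
    for cache in caches:
        cred = cache.get_creds_for(princ)
        if cred is not None and etype_supported(cred):
            return cred
    return None


def thread_scenario() -> dict:
    """Steps 1-3 of the mail: logged on to AD as A, JAAS asks for A, then
    'kinit B' writes a file cache whose default principal is B. A fourth
    case puts a ticket for A with an unsupported etype in the file cache."""
    a = Ticket("A@EXAMPLE.COM", 18)
    b = Ticket("B@EXAMPLE.COM", 18)
    lsa = LsaCache(a)
    before_kinit = FileCache()                                  # steps 1-2
    after_kinit = FileCache("B@EXAMPLE.COM", [b])               # step 3
    weak_a = FileCache("A@EXAMPLE.COM", [Ticket("A@EXAMPLE.COM", 1)])
    return {
        "current_before": acquire_tgt_current("A@EXAMPLE.COM", before_kinit, lsa),
        "current_after": acquire_tgt_current("A@EXAMPLE.COM", after_kinit, lsa),
        "ordered_after": acquire_tgt_ordered("A@EXAMPLE.COM", [after_kinit, lsa]),
        "ordered_unknown": acquire_tgt_ordered("C@EXAMPLE.COM", [after_kinit, lsa]),
        "ordered_weak_etype": acquire_tgt_ordered("A@EXAMPLE.COM", [weak_a, lsa]),
    }


if __name__ == "__main__":
    for name, ticket in thread_scenario().items():
        print(f"{name}: {ticket}")
```

In the replayed scenario the current order returns the LSA ticket for A before "kinit B" and nothing afterwards, because the file cache's default ticket for B is returned first and then rejected by the principal check; the ordered lookup finds no A ticket in the file cache and falls through to LSA, and a ticket for the requested principal with an unsupported etype is skipped the same way.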
