[security-dev 00034]: Re: JGSS: Re-construct Credentials.acquireTGTFromCache
Max (Weijun) Wang
Weijun.Wang at Sun.COM
Wed Jan 2 14:13:11 UTC 2008
Hi Andrew
The current CredentialsCache.getInstance() on Windows should always
return the file cache, right? Inside the acquireDefaultCreds()
method, if cache.getDefaultCreds() returns a non-null object which
has the correct eType, then LSA is never read.
Take this for example:
1. User logs in to Active Directory as A
2. User's JAAS login config includes "principal=A"
Now, acquireTGTFromCache returns the TGT for A in LSA. However, if
3. User runs "kinit B" and generates a file cache for user B
acquireTGTFromCache returns NULL, since the TGT for B in fcache is
first returned and then ignored.
On Jan 2, 2008, at 8:39 PM, Andrew Fan wrote:
> Just as the comments, "// The default ticket cache on Windows is
> not a file." So I don't think there are some credentials missed, or
> won't get read.
>
> For the second question, the current CredentialsCache is implemented
> as a file based cache. It's a good idea that we adjust the
> CredentialsCache to accept LSA on windows platform. I made a few
> updates on MemoryCredentialsCache, and CredentialsCache to accept
> MemoryCredentialsCache months ago, I haven't tested it completely. I
> never thought that it could be used to improve the
> acquireTGTFromCache.
Oh, this is cool. The whole ccache picture for Windows may include
file cache, MIT-style in-memory cache, Windows LSA cache. Does this
mean it should return 3 kinds of CredentialsCache objects? Is
something like CredentialsCache.getAllInstances() needed?
Thanks
Max
>
> Andrew
>
> Weijun Max Wang wrote:
>> Hi All
>>
>> Current sun.security.krb5.Credentials's acquireTGTFromCache method
>> looks like --
>>
>> Cred acquireTGTFromCache(princ, fcache) {
>>     if (fcache not specified) {
>>         if (Windows) {
>>             cred = function {
>>                 get default TGT from default file cache;
>>                 if (found && etypeSupported) return it;
>>                 else return one from LSA;
>>             }
>>             if (princ specified && princ is not princ in cred)
>>                 return null;
>>             else
>>                 return cred;
>>         }
>>     }
>>     read cred for princ in fcache
>>     if (found && etypeSupported) return it;
>>     else return null;
>> }
>>
>> It seems there's a chance on Windows that the default TGT in default
>> file cache (fcache == null) is not for princ, but maybe there's
>> one for princ in LSA. It won't get read.
>>
>> Right? Shall we just move the whole fcache to the beginning and
>> only use LSA as a fallback?
>>
>> Thanks
>> Max
>>
>>
>
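The failure Max walks through above (LSA holds A's TGT, the default file cache holds B's after "kinit B", the JAAS config asks for A), modelled as an added example that is not JDK code: the two cache entries and both lookup orders are constructed stand-ins for the real CredentialsCache and LSA calls, so the difference between "default entry first" and "entry for princ first, LSA as fallback" can be seen directly.

```java
import java.util.Arrays;

// Added example: models the two lookup orders discussed in this thread.
public class TgtLookupDemo {
    // A TGT reduced to the two fields the pseudocode tests.
    record Tgt(String principal, boolean etypeSupported) {}

    // Constructed stand-ins for the caches (not real cache reads).
    static final Tgt FILE_CACHE_DEFAULT = new Tgt("B", true); // after "kinit B"
    static final Tgt LSA_TGT = new Tgt("A", true);            // AD login as A

    /** Current order: the default file-cache entry wins; LSA is consulted only
     *  when that entry is missing or has an unsupported etype. The principal
     *  check happens afterwards, so a usable entry for the wrong user hides LSA. */
    static Tgt acquireCurrent(String princ) {
        Tgt cred = FILE_CACHE_DEFAULT;
        if (cred == null || !cred.etypeSupported()) {
            cred = LSA_TGT;
        }
        if (princ != null && cred != null && !princ.equals(cred.principal())) {
            return null;
        }
        return cred;
    }

    /** Proposed order: look for princ in the file cache, then fall back to LSA.
     *  A usable entry is accepted only if it matches the requested principal. */
    static Tgt acquireProposed(String princ) {
        for (Tgt candidate : Arrays.asList(FILE_CACHE_DEFAULT, LSA_TGT)) {
            if (candidate == null || !candidate.etypeSupported()) continue;
            if (princ == null || princ.equals(candidate.principal())) return candidate;
        }
        return null;
    }

    public static void main(String[] args) {
        // Current logic returns null: B's TGT is picked from the file cache,
        // then rejected because the config asked for A, and LSA is never read.
        System.out.println("current : " + acquireCurrent("A"));
        // Proposed logic skips B's entry and returns A's TGT from LSA.
        System.out.println("proposed: " + acquireProposed("A"));
    }
}
```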