[security-dev 00035]: Re: JGSS: Re-construct Credentials.acquireTGTFromCache

Andrew Fan Andrew.Fan at Sun.COM
Wed Jan 2 08:05:16 PST 2008


Max (Weijun) Wang wrote:
> Hi Andrew
>
> The current CredentialsCache.getInstance() on Windows should always 
> return the file cache, right? Inside the acquireDefaultCreds() method, 
> if cache.getDefaultCreds() returns a non-null object which has the 
> correct eType, then LSA is never read.
>
OK, now I understand your question. I wonder, if there is a default file 
cache and at the same time a valid LSA cache, should both of them be 
searched for the credentials? Which one should be searched first? The 
current implementation only searches one cache, and the file cache has a 
higher priority.

Andrew
> Take this for example:
>
> 1. User logs in to Active Directory as A
> 2. User's JAAS login config includes "principal=A"
>
> Now, acquireTGTFromCache returns the TGT for A in LSA. However, if
>
> 3. User runs "kinit B" and generates a file cache for user B
>
> acquireTGTFromCache returns NULL, since the TGT for B in fcache is 
> first returned and then ignored.
>
> On Jan 2, 2008, at 8:39 PM, Andrew Fan wrote:
>
>> Just as the comments, "// The default ticket cache on Windows is not 
>> a file." So I don't think there are some credentials missed, or won't 
>> get read.
>>
>> For the second question, the current CredentialsCache is implemented as 
>> a file based cache. It's a good idea that we adjust the 
>> CredentialsCache to accept LSA on the Windows platform. I made a few 
>> updates on MemoryCredentialsCache and CredentialsCache to accept 
>> MemoryCredentialsCache months ago; I haven't tested it completely. I 
>> never thought that it could be used to improve 
>> acquireTGTFromCache.
>
> Oh, this is cool. The whole ccache picture for Windows may include 
> file cache, MIT-style in-memory cache, Windows LSA cache. Does this 
> mean that 3 kinds of CredentialsCache objects should be returned? Is 
> something like CredentialsCache.getAllInstances() needed?
>
> Thanks
> Max
>
>>
>> Andrew
>>
>> Weijun Max Wang wrote:
>>> Hi All
>>>
>>> Current sun.security.krb5.Credentials's acquireTGTFromCache method 
>>> looks like --
>>>
>>> Cred acquireTGTFromCache(princ, fcache) {
>>>   if (fcache not specified) {
>>>     if (Windows) {
>>>       cred = function {
>>>         get default TGT from default file cache;
>>>         if (found && etypeSupported) return it;
>>>         else return one from LSA;
>>>       }
>>>       if (princ specified && princ is not princ in cred)
>>>         return null;
>>>       else
>>>         return cred;
>>>     }
>>>   }
>>>   read cred for princ in fcache
>>>   if (found && etypeSupported) return it;
>>>   else return null;
>>> }
>>>
>>> It seems there's a chance on Windows that the default TGT in default
>>> file cache (fcache == null) is not for princ, but maybe there's one for
>>> princ in LSA. It won't get read.
>>>
>>> Right? Shall we just move the whole fcache to the beginning and only 
>>> use LSA as a fallback?
>>>
>>> Thanks
>>> Max
>>>
>>>
>>
>
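The lookup order discussed in this thread, as an added example that is not code from the JDK or from either poster: the `Cred`, `Cache` and `TgtLookupDemo` types are hypothetical, simplified stand-ins for sun.security.krb5.Credentials and CredentialsCache, the eType value is constructed, and `current` models the Windows path of the pseudocode above while `proposed` models the "check each cache, LSA as fallback" suggestion.

```java
import java.util.List;

// Hypothetical, simplified stand-ins for sun.security.krb5.Credentials and
// CredentialsCache; these are not the JDK's real classes.
record Cred(String principal, int eType) {}

interface Cache {
    Cred defaultTgt();   // the cache's default TGT, or null if it holds none
}

public class TgtLookupDemo {
    static final int SUPPORTED_ETYPE = 17;   // constructed: the one eType treated as supported

    // Behaviour the thread describes on Windows: the file cache answers first, LSA is
    // consulted only when the file cache has nothing usable, and the principal check
    // runs afterwards on whichever TGT came back.
    static Cred current(String princ, Cache fcache, Cache lsa) {
        Cred c = fcache.defaultTgt();
        if (c == null || c.eType() != SUPPORTED_ETYPE) {
            c = lsa.defaultTgt();
        }
        if (c == null) return null;
        return (princ == null || princ.equals(c.principal())) ? c : null;
    }

    // Behaviour proposed in the thread: every cache is checked, in priority order, for a
    // usable TGT that matches the requested principal, so LSA is a real fallback.
    static Cred proposed(String princ, List<Cache> cachesInPriorityOrder) {
        for (Cache cache : cachesInPriorityOrder) {
            Cred c = cache.defaultTgt();
            if (c != null && c.eType() == SUPPORTED_ETYPE
                    && (princ == null || princ.equals(c.principal()))) {
                return c;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed scenario from the thread: A is logged in to Active Directory (TGT in
        // LSA), "kinit B" has written a file cache for B, and JAAS asks for principal=A.
        Cache lsa = () -> new Cred("A@EXAMPLE.COM", SUPPORTED_ETYPE);
        Cache fcache = () -> new Cred("B@EXAMPLE.COM", SUPPORTED_ETYPE);
        System.out.println("current lookup for A : " + current("A@EXAMPLE.COM", fcache, lsa));
        System.out.println("proposed lookup for A: " + proposed("A@EXAMPLE.COM", List.of(fcache, lsa)));
        // A file-cache TGT with an unsupported eType also falls through to LSA when proposed.
        Cache staleFcache = () -> new Cred("A@EXAMPLE.COM", 3);
        System.out.println("proposed, stale etype : " + proposed("A@EXAMPLE.COM", List.of(staleFcache, lsa)));
    }
}
```

Run with `java TgtLookupDemo.java` (Java 16 or later for records); the first line shows the principal mismatch that drops A's TGT, the other two show the fallback finding it in LSA.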