[security-dev 00035]: Re: JGSS: Re-construct Credentials.acquireTGTFromCache
Andrew Fan
Andrew.Fan at Sun.COM
Wed Jan 2 16:05:16 UTC 2008
Max (Weijun) Wang wrote:
> Hi Andrew
>
> The current CredentialsCache.getInstance() on Windows should always
> return the file cache, right? Inside the acquireDefaultCreds() method,
> if cache.getDefaultCreds() returns a non-null object which has the
> correct eType, then LSA is never read.
>
OK, now I understand your question. I wonder if having a default file
cache, and at the same time the valid LSA cache, should both of them
should be searched for the credentials? which one should be searched
firstly? The currently implement only search one cache, and the file
cache has a higher priority.
Andrew
> Take this for example:
>
> 1. User login Active Directory as A
> 2. User's JAAS login config includes "principal=A"
>
> Now, acquireTGTFromCache returns the TGT for A in LSA. However, if
>
> 3. User run "kinit B" and generate a file cache for user B
>
> acquireTGTFromCache returns NULL, since the TGT for B in fcache is
> first returned and then ignored.
>
> On Jan 2, 2008, at 8:39 PM, Andrew Fan wrote:
>
>> Just as the comments, "// The default ticket cache on Windows is not
>> a file." So I don't think there are some credentials missed, or won't
>> get read.
>>
>> For the send question, the current CredentialsCache is implemented as
>> a file based cache. It's a good idea that we adjust the
>> CredentialsCache to accept LSA on windows platform. I made a few
>> updates on MemoryCredentialsCache, and CredentialsCache to accept
>> MemoryCredentialsCache months ago, I haven't test it completely. I
>> never thought about that it could be used to improve the
>> acquireTGTFromCache.
>
> Oh, this is cool. The whole ccache picture for Windows may include
> file cache, MIT-style in-memory cache, Windows LSA cache. Does this
> mean there should return 3 kinds of CredentialsCache objects? Is
> something like CredentialsCache.getAllInstances() needed?
>
> Thanks
> Max
>
>>
>> Andrew
>>
>> Weijun Max Wang wrote:
>>> Hi All
>>>
>>> Current sun.security.krb5.Credentials's acquireTGTFromCache method
>>> looks
>>> like --
>>>
>>> Cred acquireTGTFromCache(princ, fcache) {
>>> if (fcache not specified) {
>>> if (Windows) {
>>> cred = function {
>>> get default TGT from default file cache;
>>> if (found && etypeSupported) return it;
>>> else return one from LSA;
>>> }
>>> if (princ specified && princ is not princ in cred)
>>> return null;
>>> else
>>> return cred;
>>> }
>>> }
>>> read cred for princ in fcache
>>> if (found && etypeSupported) return it;
>>> else return null;
>>> }
>>>
>>> It seems there's a chance on Windows that the default TGT in default
>>> file cache (fcache == null) is not for princ, but maybe there's one for
>>> princ in LSA. It won't get read.
>>>
>>> Right? Shall we just move the whole fcache to the beginning and only
>>> use
>>> LSA as a fallback?
>>>
>>> Thanks
>>> Max
>>>
>>>
>>
>
More information about the security-dev
mailing list