Patching bug 6722928/serious limitations of JGSS under Windows 7
Weijun Wang
weijun.wang at oracle.com
Tue Aug 14 09:30:21 UTC 2012
Hi Michael

The feature was dropped mainly because of the delegation problem. If I
remember (and understand) correctly, using the underlying SSPI there
seems to be no good way to acquire a FORWARDED ticket and send it to the
middle server to perform delegation. I think maybe Microsoft restricts
this so that you are always under the UAC umbrella, otherwise, a
forwarded TGT might let you do much more than it wants.

This means if the client uses SSPI but the server uses pure Java, there
is a loss of function, and I was not happy with this (4 years ago).

This might change if pure Java Kerberos also supports constrained
delegation.

BTW, when you say "a very good patch", have you compiled it and really
found it useful? This patch was still in experimental status at the time
of posting.

Thanks
Weijun

On 08/14/2012 05:14 PM, 1983-01-06 at gmx.net wrote:
> Hi folks,
>
> like many many other developers I have switched to Windows 7 on my machine. After hours of search I have realized that JGSS is seriously crippled due to UAC, account permissions and LSA's limitations.
>
> I have found the ticket 6722928 which was filed more than 4 years ago. Surprisingly, Weijun Wang has already provided a very good patch [1] and nothing has happened since 2010.
>
> The current situation of Kerberos in Java on Windows 7 is very frustrating from an enterprise point of view. I am convinced that I speak for the vast majority of devs and users who want to have native SSPI support on Windows with tampering with the registry, cred caches, ini files. Most can't even do that because group policies don't allow it. Fortunately I can but since I am a local admin with a domain account, I am crippled too.
>
> Is there anything happening from the OpenJDK folks (Oracle JDK devs) to fix that issue anytime soon? This would bring the great Java platform on par with .NET's support of GSS-API/SSPI on Windows.
>
> Yours,
>
> Michael Osipov
>
> [1] http://cr.openjdk.java.net/~weijun/6722928/webrev.00/jdk.patch
>