Request for enhancement: Support KRB5_CONFIG
Weijun Wang
weijun.wang at oracle.com
Thu Jun 21 04:50:08 UTC 2012
Hi All
Oracle's Java currently looks for the krb5.conf file in this order:
1: If -Djava.security.krb5.conf defined, use it
2: If jre/lib/security/krb5.conf found, use it
3: Look for the system default krb5.conf
   . /etc/krb5/krb5.conf on Solaris
   . /etc/krb5.conf on Linux
   . $WINDOWS/krb5.ini on Windows
   . edu.mit.Kerberos or krb5.conf on Mac
We know native Kerberos supports a KRB5_CONFIG env variable for the same
purpose. Hereby I suggest adding a check:
1.5: If KRB5_CONFIG defined, use it
This will work better with a native Kerberos installation. But there is
one compatibility issue if you already have this variable set:
Current behavior: Java uses /etc/krb5.conf
Future behavior: Java uses KRB5_CONFIG
I wonder if that will be a problem in a real production environment.
Suppose you really have a different krb5.conf, you might have already
used -Djava.security.krb5.conf to override it.
I have more questions:
1. Is the value of this variable always a file path (either absolute or
relative)? Is it possible to be something like file:/etc/krb5.conf?
2. Should it always be honored? Is it possible that in a server
environment it should be ignored for security reasons? (If so, I wonder
how a server is defined).
Any suggestion?
Thanks
Max
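
Added example, not part of the original mail and not JDK source: a small Java program that applies the lookup order listed above with the proposed step 1.5 switched off and on, and reports whether the krb5.conf chosen for this JVM would change. The class name Krb5ConfLookup and the honorEnv switch are hypothetical; it assumes KRB5_CONFIG holds a single plain file path and that java.home is the "jre" directory, and it models step 3 only for Solaris and Linux.

```java
import java.io.File;
import java.util.Objects;

// Added illustration, not JDK source: the lookup order from the mail with the
// proposed KRB5_CONFIG check (step 1.5) switchable, to compare old and new behavior.
public class Krb5ConfLookup {

    /** Returns "step: path" for the file that would be chosen, or null if none. */
    static String resolve(String sysProp, String envVar, String javaHome,
                          String osName, boolean honorEnv) {
        // 1: -Djava.security.krb5.conf, used whenever it is defined
        if (sysProp != null) return "1: " + sysProp;
        // 1.5 (proposed): KRB5_CONFIG, used whenever it is defined.
        // Assumption: the value is a single plain file path.
        if (honorEnv && envVar != null) return "1.5: " + envVar;
        // 2: per-JRE file, used only if it exists.
        // Assumption: java.home is the "jre" directory named in the mail.
        File jreConf = new File(javaHome, "lib/security/krb5.conf");
        if (jreConf.isFile()) return "2: " + jreConf.getPath();
        // 3: system default; only the two platforms whose full path the mail gives
        if (osName.startsWith("SunOS")) return "3: /etc/krb5/krb5.conf";
        if (osName.startsWith("Linux")) return "3: /etc/krb5.conf";
        return null; // Windows and Mac locations are not modeled here
    }

    public static void main(String[] args) {
        String sysProp = System.getProperty("java.security.krb5.conf");
        String envVar = System.getenv("KRB5_CONFIG");
        String javaHome = System.getProperty("java.home");
        String osName = System.getProperty("os.name");

        String current = resolve(sysProp, envVar, javaHome, osName, false);
        String proposed = resolve(sysProp, envVar, javaHome, osName, true);
        System.out.println("current behavior:  " + current);
        System.out.println("proposed behavior: " + proposed);

        if (!Objects.equals(current, proposed)) {
            // The compatibility case from the mail: KRB5_CONFIG is already set
            // and no -D override exists, so the configuration source would change.
            System.out.println("CHANGE: KRB5_CONFIG would replace the file in use");
            File f = new File(envVar); // non-null here, only step 1.5 can differ
            if (!f.isAbsolute())
                System.out.println("note: relative path, resolved against "
                        + System.getProperty("user.dir"));
            if (!f.isFile()) System.out.println("note: file does not exist");
        }
    }
}
```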