bug fix for native kerberos libraries

Weijun Wang weijun.wang at oracle.com
Fri Oct 19 01:11:33 UTC 2012


Hi Christos

You mean the exception thrown in NativeGSSFactory.java lines 52-60?

         Vector<GSSCredElement> creds = GSSUtil.searchSubject
             (name, mech, initiate, GSSCredElement.class);

         // If Subject is present but no native creds available
         if (creds != null && creds.isEmpty()) {
             if (GSSUtil.useSubjectCredsOnly(caller)) {
                 throw new GSSException(GSSException.NO_CRED);
             }
         }

Why would you leave GSSUtil.useSubjectCredsOnly set to true? IMHO, there
is no need to call JGSS through JAAS when you are using a native provider.

Thanks
Max

On 10/19/2012 05:26 AM, Sean Mullan wrote:
>
> (Forwarding to security-dev as this should be discussed in that group, not
> core-libs).
>
> On 10/18/12 5:02 PM, christos at zoulas.com wrote:
>> Hello,
>>
>> This simple fix allows Kerberos authentication to work with:
>>
>> 	-Dsun.security.jgss.native=true
>>
>> and Microsoft's sqljdbc 4.0.2206.100 driver.
>>
>> Enjoy,
>>
>> christos
>>
>> --- a/java/src/sun/security/jgss/GSSUtil.java   Mon Oct 15 17:43:08 2012 -0400
>> +++ b/java/src/sun/security/jgss/GSSUtil.java   Mon Oct 15 17:44:28 2012 -0400
>> @@ -333,10 +333,19 @@
>>                           Subject accSubj = Subject.getSubject(acc);
>>                           Vector<GSSCredentialSpi> result = null;
>>                           if (accSubj != null) {
>> -                            result = new Vector<GSSCredentialSpi>();
>>                               Iterator<GSSCredentialImpl> iterator =
>>                                   accSubj.getPrivateCredentials
>>                                   (GSSCredentialImpl.class).iterator();
>> +                            // GSSCredentialImpl is only implemented in
>> +                            // the non-native kerberos implementation,
>> +                            // so if we don't get any elements here
>> +                            // assume native and return null so that
>> +                            // searchSubject does not fail. A better
>> +                            // fix is to implement the code that handles
>> +                            // this in native java.
>> +                            if (!iterator.hasNext())
>> +                                return null;
>> +                            result = new Vector<GSSCredentialSpi>();
>>                               while (iterator.hasNext()) {
>>                                   GSSCredentialImpl cred = iterator.next();
>>                                   debug("...Found cred" + cred);
>>
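
Review bot: the early `return null` under `if (!iterator.hasNext())` fires for every Subject that holds no GSSCredentialImpl, not only when the native provider is in use, so it erases the difference between "no Subject" (null) and "Subject present but no credentials" (empty Vector). The NativeGSSFactory.java check quoted in the reply at the top of this message, `creds != null && creds.isEmpty()`, relies on that difference to throw GSSException.NO_CRED when useSubjectCredsOnly is set; if this null reaches it as the result of searchSubject, the check can no longer trigger and the useSubjectCredsOnly restriction is skipped without any error. Suggest keeping the empty Vector here and handling the native case where the provider is known (or through the useSubjectCredsOnly setting, as raised in the reply), and adding braces to the new `if`.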


