bug fix for native kerberos libraries

Weijun Wang weijun.wang at oracle.com
Mon Oct 22 00:17:38 UTC 2012


You are still using JAAS? There is no need to call Krb5LoginModule or 
read credentials cache yourself if you are using native kerberos. Just 
call JGSS APIs directly.

Thanks
Weijun

On 10/19/2012 11:17 PM, christos at zoulas.com wrote:
> On Oct 19,  8:50am, christos at zoulas.com (Christos Zoulas) wrote:
> -- Subject: Re: bug fix for native kerberos libraries
>
> Hi Weijun,
>
> I verified that setting -Djavax.security.auth.useSubjectCredsOnly=false
> fixes this issue, but then unless I brought in my other patch from jdk6,
> I get:
>      javax.security.auth.login.LoginException: Unable to obtain Princpal Name for authentication
>
> Someone should fix the typo in the exception string, but also why do I need
> this?
>
> Thanks,
>
> christos
>
> --- bsd-port/jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	2011-07-17 20:36:08.000000000 -0400
> +++ ./Krb5LoginModule.java	2012-10-19 10:51:02.027729713 -0400
> @@ -624,6 +624,29 @@
>                   // ticketCacheName == null implies the default cache
>                   if (debug)
>                       System.out.println("Acquire TGT from Cache");
> +		if (ticketCacheName == null) {
> +		    /*
> +		     * http://docs.oracle.com/cd/E19082-01/819-2252/\
> +		     * 6n4i8rtr3/index.html
> +		     */
> +		    String krb5CCName = System.getenv("KRB5CCNAME");
> +		    if (krb5CCName != null) {
> +			final String filePrefix = "FILE:";
> +			final String memoryPrefix = "MEMORY:";
> +			if (krb5CCName.startsWith(filePrefix))
> +			    ticketCacheName = krb5CCName.substring(
> +				filePrefix.length());
> +			else if (krb5CCName.startsWith(memoryPrefix))
> +			    ticketCacheName = krb5CCName.substring(
> +				memoryPrefix.length());
> +			else
> +			    ticketCacheName = krb5CCName;
> +			if (debug)
> +			    System.out.println("Located ticket cache "
> +				+ ticketCacheName
> +				+ " through environment variable KRB5CCNAME.");
> +		    }
> +		}
>                   cred  = Credentials.acquireTGTFromCache
>                       (principal, ticketCacheName);
>
>
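Review bot: The `MEMORY:` branch strips the prefix and passes the remainder to `Credentials.acquireTGTFromCache(principal, ticketCacheName)` as if it were a cache file name. A `MEMORY:` cache has no backing file, so the lookup will either fail or pick up an unrelated file whose name happens to match the residual. I would treat only `FILE:` and the bare-path form as file caches here, and leave `ticketCacheName` null for any other `TYPE:` prefix, with a debug line saying the cache type is not supported. The final `else` has the same problem, since it passes any unrecognised `TYPE:residual` value through verbatim as a path. The value of `KRB5CCNAME` comes from the process environment, so the code comment should state that the path is taken from there without validation. Style: the added lines are tab-indented while the surrounding context lines use spaces.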


