[PATCH] Handle alternative Kerberos credential cache locations
Elliott Baron
ebaron at redhat.com
Fri Sep 20 00:02:17 UTC 2013
Hi,

Kerberos 1.11 introduced a new configuration variable to override the
default location of the credential cache at build time. Fedora 18 and up
have used this new configuration variable to define an alternate default
cache location (/run/user/$UID/krb5cc/tkt). This bug was initially
reported against Fedora [1].

On Linux and Solaris systems, FileCredentialsCache.getDefaultCacheName()
defaults to the previously hard-coded location (/tmp/krb5cc_$UID). This
location will be incorrect if Kerberos was built with an alternative
credential cache location set. Since this credential cache location can
be arbitrary, we need to query the Kerberos API for the correct
location. This patch implements this query using a new JNI call, which
adds a dependency on libkrb5 for Linux and Solaris systems. I have also
included a test case which uses a stub library in place of the real JNI
libkrb5 wrapper.

The patch krb5-default-ccache should be applied to jdk8. This includes
modifications to the build system in order to handle the dependency on
libkrb5. These changes include querying pkg-config for the location of
Kerberos includes and libraries, although there does not appear to be
support for a libkrb5 pkg-config file just yet. An alternative program,
krb5-config, operates similarly to pkg-config and prints the locations
of the required libraries and includes. This program is included as part
of Kerberos. This patch adds M4 macros to query krb5-config, and
integrates these macros into libraries.m4. I have omitted
generated-configure.sh for brevity.

The second patch jdk-krb5-default-ccache-fix should be applied to
jdk8/jdk. This includes the changes to FileCredentialsCache and the new
native component, krb5ccache.c. The library generated from it is named
libj2krb5. This patch includes krb5-config support in
jdk_generic_profile.sh. This will allow users of the old build system
(and JDK7) to automatically find the necessary includes and libraries
for Kerberos. For the test component, the patch includes a Makefile to
build the stub library. The test should be run using the provided
run_tests.sh shell script.

Thanks,
Elliott

[1] https://bugzilla.redhat.com/show_bug.cgi?id=991170
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-default-ccache-v3.patch
Type: text/x-patch
Size: 11520 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20130919/3cd03e87/krb5-default-ccache-v3.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jdk-krb5-default-ccache-fix-v9.patch
Type: text/x-patch
Size: 29868 bytes
Desc: not available
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20130919/3cd03e87/jdk-krb5-default-ccache-fix-v9.patch>
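
The lookup described in the message, sketched as an added example (it is not code from the attached patches, whose contents are not shown here): ask libkrb5 for the default cache name rather than assuming /tmp/krb5cc_$UID, then derive a path a file-based reader can open. The helper names, the HAVE_KRB5 build switch and the uid 1000 sample values are assumptions of this example; the libkrb5 calls are only compiled when HAVE_KRB5 is defined.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef HAVE_KRB5 /* cc -DHAVE_KRB5 $(krb5-config --cflags) file.c $(krb5-config --libs) */
#include <krb5.h>
#endif

/* The previously hard-coded default from the mail: /tmp/krb5cc_$UID. */
static int legacy_ccache_name(uid_t uid, char *out, size_t n) {
    int w = snprintf(out, n, "FILE:/tmp/krb5cc_%lu", (unsigned long)uid);
    return (w > 0 && (size_t)w < n) ? 0 : -1;
}

/* Ask libkrb5 for the default cache name, so KRB5CCNAME, krb5.conf and the
 * build-time default are honoured. Without libkrb5, or on any error, fall
 * back to the legacy name. */
static int default_ccache_name(char *out, size_t n) {
#ifdef HAVE_KRB5
    krb5_context ctx;
    if (krb5_init_context(&ctx) == 0) {
        const char *name = krb5_cc_default_name(ctx);
        int ok = name != NULL && strlen(name) < n;
        if (ok) strcpy(out, name);   /* copy before the context is freed */
        krb5_free_context(ctx);
        if (ok) return 0;
    }
#endif
    return legacy_ccache_name(getuid(), out, n);
}

/* Turn a cache name into a path for a file-based reader. Simplifying rule of
 * this example: accept "FILE:<abs path>" or a bare absolute path; report any
 * other type (DIR:, KEYRING:, ...) with -1 instead of guessing a file. */
static int ccache_file_path(const char *name, char *out, size_t n) {
    const char *path = strncmp(name, "FILE:", 5) == 0 ? name + 5 : name;
    if (path[0] != '/' || strlen(path) >= n) return -1;
    strcpy(out, path);
    return 0;
}

int main(void) {
    char name[4096], path[4096];
    if (default_ccache_name(name, sizeof name) != 0) return 1;
    printf("default ccache: %s\n", name);
    if (ccache_file_path(name, path, sizeof path) == 0) printf("file: %s\n", path);
    else printf("not a file-backed cache, a file reader cannot open it\n");
    return 0;
}
```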