GSSCredential inside Subject?

Valerie (Yu-Ching) Peng valerie.peng at
Wed May 28 23:25:27 UTC 2014

AFAIK, this searchSubject utility function is looking for the requested 
GSSCredentialSpi objects (not GSSCredentialImpl object which contains a 
Hashtable of GSSCredentialSpi objects and their keys).

When creating the Subject object ourselves, we only convert and stores 
Kerberos-specific creds and ignores non-Kerberos creds (including native 
GSS cred since all we have is native GSS cred handle which can't be 
converted into KerberosKey/Ticket).

However, the app can do whatever they want when constructing their own 
Subject objects. Although I am not sure if any such usage exists.


On 05/27/14 03:50, Wang Weijun wrote:
> Hi Valerie
> I am working on breaking JGSS into modules and is now looking at sun/security/jgss/ There is a method
>      public static<T extends GSSCredentialSpi>  Vector<T>
>              searchSubject(final GSSNameSpi name,
>                            final Oid mech,
>                            final boolean initiate,
>                            final Class<? extends T>  credCls) {
> which goes inside a Subject's priv cred sets looking for GSSCredentialImpl objects. I searched thru other JDK codes and cannot see who is putting those objects there. Do you remember anything? Or we are thinking about applications putting them there? I cannot think of any such convention.
> In fact, all I can see JAAS/JGSS/krb5 doing with a Subject is putting KerberosPrincipal into princ set and KerberosKey/KerberosTicket/KeyTab into priv cred set. Nothing else.
> Thanks
> Max

More information about the security-dev mailing list