JGSS-API supporting SSPI on Windows

Chan, Sunny Sunny.Chan at gs.com
Mon Apr 10 04:46:04 UTC 2017


Hello,

Windows has changed the default such that the session key is not included in the TGT, and for Windows SSO to work with the Java implementation out of the box it will require the AllowTGTSessionKey option to be added to the registry. However, this option has an associated security risk as it exposes the session key to all apps, and it also means that right now Kerberos SSO in Windows does not work out of the box.

Looking at the Java bug database, there has been a suggestion that Java could support SSPI as a JGSS-API provider, which would allow Java to work out of the box without the AllowTGTSessionKey option (http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6722928). However, in the evaluation it says:

Might support it, although I hope most of the functions of Windows SSPI can also be supported by pure Java. Interop is important between different platforms

I would like to understand what the "Interop" concern is here. Have we evaluated how much work needs to be done to support it (so that we can consider contributing the implementation)?

Sunny Chan
Executive Director
Technology

Goldman Sachs (Asia) L.L.C. | 39th Floor | The Center | 99 Queens Road Central | Hong Kong
Email:  sunny.chan at gs.com | Tel: +852 2978 6481 | Fax: +852 2978 0633
