was Re: RFR 6722928: Support SSPI as a native GSS-API provider
Nico Williams
Nico.Williams at twosigma.com
Fri Mar 22 19:29:06 UTC 2019
On Fri, Mar 22, 2019 at 05:23:27PM +0100, Michael Osipov wrote:
> On 2019-03-22 at 16:28, Nico Williams wrote:
> > - the JDK's JGSS stuff is very Kerberos-specific, especially w/ regards
> > to the ServicePermission stuff
>
> Granted.

:(

> > IMO JAAS (and with it, *Permission) should be removed with prejudice now
> > that applet support has been removed. Perhaps stubs should be left
> > behind for compatibility reasons, and all the doAs*() methods should
> > just act as though permission is granted.
> >
> > Removing JAAS would be a wonderful simplification, then the JGSS stuff
> > could stop being Kerberos-specific.
>
> Fully agree, it has been a pain in the last couple of years. This would
> also require an RFC update for the JGSS bindings to log on to the network
> with username/password or keytab w/o login modules.

Our contributions add acquireCredWithPassword() methods.

And we could add acquireCredFrom() to match gss_acquire_cred_from() /
gss_add_cred_from() (a Heimdal and MIT innovation that allows, among
other things, using a specific keytab).

But also, most JGSS users don't need the JDK to have this functionality
since using kinit externally and KRB5* env vars works perfectly fine for
the vast majority of cases.

Nico