RFR: 8311532: Option to disable Krb5LoginModule::login method [v2]
Alexey Bakhtin
abakhtin at openjdk.org
Thu Aug 24 21:24:51 UTC 2023
> JGSS is implemented in the JVM in 2 levels: the standard Java security provider for Kerberos in sun.security.jgss.krb5.Krb5MechFactory and the JAAS login module for Kerberos in com.sun.security.auth.module.Krb5LoginModule. The problem is that in this hierarchy, the login module doesn't go through the provider, but tries to read the credential cache (which is blocked by the credential guard on the Windows platform). This is not an issue if Kerberos is used via the JGSS API because it automatically does the JAAS login as needed, and won't do it at all if a native implementation is used. However, many libraries (even some built-in ones in the JVM) still needlessly call login() before using JGSS.
>
> This patch represents the configuration option (`doNotLogin`) to allow skipping the login, with a system property (`sun.security.auth.skipLogin`) to set the default value if this option is not provided. This way it would not break the regular Java Kerberos provider and allow users to both individually (via JAAS configs) and globally (via the property) set the expected behavior.
Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
Rename system property
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/15254/files
- new: https://git.openjdk.org/jdk/pull/15254/files/7bf8ec45..efc7d7f1
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=15254&range=01
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=15254&range=00-01
Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
Patch: https://git.openjdk.org/jdk/pull/15254.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/15254/head:pull/15254
PR: https://git.openjdk.org/jdk/pull/15254