RFR: 8349546: Linux support for Kerberos "nativeccache" functionality [v12]
Nick Hall
duke at openjdk.org
Tue Nov 18 12:21:10 UTC 2025
On Tue, 18 Nov 2025 04:49:35 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> I am thinking this should be a required dependency. Otherwise, the JDK build will vary depending on the machine used. I don’t believe we’ve ever done this before (unless user explicitly specifies configure options), right?
>
> @nrhall, a related question: what if the library is available at build time but not at runtime?
If libkrb5 available at build time, it will build the new JNI library/test etc as expected; if libkrb5 is then not available at runtime, the library will fail to load silently (once, and then will not be retried) - this was actually already part of the code, so I imagine this case has happened before somewhere already - see Credentials.java L446:
if (!alreadyTried) {
// See if there's any native code to load
try {
ensureLoaded();
} catch (Exception e) {
if (DEBUG != null) {
DEBUG.println("Can not load native ccache library");
e.printStackTrace();
}
alreadyTried = true;
}
}
I will say that libkrb5 is largely pretty stable (it's really old code with few features being added), though I'm not sure what range is required to be supported here in terms of operating system builds? Worst case though, any incompatibility will just result in this code not being used, although as it'd be a silent failure without debug flags, that's perhaps not ideal (but has always been the case, even before this change).
@wangweij I've attended to your code review feedback above (and cleaned up a few other bits of the jtreg directives that weren't required).
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28075#issuecomment-3547350870
PR Comment: https://git.openjdk.org/jdk/pull/28075#issuecomment-3547354335
More information about the security-dev
mailing list