JDK-6350061 : JGSS requires big-endian credential cache

Details
Type: Enhancement
Submit Date: 2005-11-14
Status: Resolved
Updated Date: 2010-11-04
Project Name: JDK
Resolved Date: 2005-12-03
Component: security-libs
OS: linux
Sub-Component: java.security
CPU: x86
Priority: P3
Resolution: Fixed
Affected Versions: 5.0
Fixed Versions:

Description
A DESCRIPTION OF THE REQUEST :
The JGSS Kerberos implementation expects the credential cache file specified in KRB5CCNAME to be stored in network (big-endian) byte order.

However, the file created by the kinit(1) distributed with other Kerberos vendors (e.g. MIT) is stored in host byte order. This means that on little-endian architectures used for Linux and win32 hosts the file cannot be read in Java without using the kinit distributed with Java.


JUSTIFICATION :
The purpose of Kerberos is single sign-on. With a very small change -- simply toggling the byte order of integers in the credential cache file depending on the host architecture -- JGSS could cleanly interoperate with existing Kerberos implementations.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
JGSS should create and read the Kerberos credential cache file in a byte order dependent on the host architecture.
ACTUAL -
JGSS creates and reads the Kerberos credential cache file in big endian byte order only.

CUSTOMER SUBMITTED WORKAROUND :
The temporary solution is to rewrite the credential cache into the correct byte order before JGSS attempts to use it.  This is a huge hack and requires parsing the non-trivial binary ticket file format.

                                    

Comments
EVALUATION

I don't think the problem here is with Java GSS. 
Java GSS can read credential cache created by MIT.
See comments for details.

Seema Malkani
                                     
2005-11-16
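
To check which byte order a given cache file actually uses before blaming either side, the sketch below reads the file header and default principal. It is an added example, not code from this report or from the JDK. It assumes the layout in MIT's published credential cache file format (second byte is the format version; versions 1 and 2 use the writer's host order, versions 3 and 4 are always big-endian); the function names and the sample cache are constructed for illustration.

```python
import struct
import sys

def read_principal(buf, off, version, order):
    """Parse the default principal; return (name, next_offset)."""
    def u32(o):
        return struct.unpack_from(order + "I", buf, o)[0], o + 4
    def data(o):
        n, o = u32(o)
        if n > len(buf) - o:
            raise ValueError("length overruns file: wrong byte order?")
        return buf[o:o + n].decode("utf-8"), o + n
    if version > 1:
        _name_type, off = u32(off)   # name type is absent in version 1
    count, off = u32(off)
    if version == 1:
        count -= 1                   # version 1 counts the realm as well
    realm, off = data(off)
    parts = []
    for _ in range(count):
        part, off = data(off)
        parts.append(part)
    return "/".join(parts) + "@" + realm, off

def inspect_ccache(buf, host_order=sys.byteorder):
    """Report format version, integer byte order and default principal."""
    if len(buf) < 2 or buf[0] != 5 or not 1 <= buf[1] <= 4:
        raise ValueError("not a file credential cache")
    version = buf[1]
    # Versions 3 and 4 are always big-endian; 1 and 2 use the writer's order,
    # which the file does not record, so the caller supplies it (assumption).
    order = ">" if version >= 3 or host_order == "big" else "<"
    off = 2
    if version == 4:                 # tagged header block, version 4 only
        (hdrlen,) = struct.unpack_from(">H", buf, off)
        off += 2 + hdrlen
    principal, _ = read_principal(buf, off, version, order)
    return {"version": version, "byte_order": "big" if order == ">" else "little",
            "principal": principal}

def build_sample(version, order):
    """Constructed sample (versions 2-4): header and principal, no tickets."""
    def data(s):
        return struct.pack(order + "I", len(s)) + s
    out = bytes([5, version])
    if version == 4:                 # one header field: tag 1, 8 bytes of zeros
        out += struct.pack(">HHHII", 12, 1, 8, 0, 0)
    out += struct.pack(order + "II", 1, 1)   # name type 1, one component
    return out + data(b"EXAMPLE.COM") + data(b"alice")
```

Running `inspect_ccache` on the bytes of the file named in KRB5CCNAME shows the version byte first; only a version 1 or 2 cache written on a little-endian host would carry little-endian integers.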


