JDK-8001104 : Unbound SASL service: the GSSAPI/krb5 mech
  • Type: Sub-task
  • Status: Closed
  • Resolution: Fixed
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Priority: P4
  • Submit Date: 2012-10-18
  • Updated Date: 2017-05-17
  • Resolved Date: 2013-02-09
JDK 8
8 b78 : Fixed
Related Reports
Duplicate :  
Duplicate :  
Relates :  
Relates :  
Description
Further enable unbound SASL for the GSSAPI/krb5 mech, so that the server can accept requests to any service for which it has keys in its keytab.

More precisely, in the main task we can already create a GSSAPI SASL server with serverName == null, but the service principal is still a concrete value that must be provided by the underlying mechanism, in this case the principal value in the JAAS login conf file. In this sub-task, there is no need to specify this principal field anymore. The client can request any service principal name; as long as the server can find keys for that service principal in its keytab file, authentication can proceed and the server acts as that principal.
Comments
The What's New section of the release notes links to the Enhancements page of the security guide (docs/technotes/guides/security/enhancements-8.html), which contains a summary of this change.
2014-01-03

release note:
scope: Java SE
text: The Krb5LoginModule principal value in a JAAS config file can be set to "*" on the acceptor side to denote an unbound acceptor. This means the initiator can access the server using any service principal name as long as the acceptor has the long-term secret keys to that service. The name can be retrieved by the acceptor through GSSContext.getTargName() after the context is established.
2013-12-11

Provided test cases passed from b79 - b95 in 1.8.
2013-06-17
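An acceptor-side sketch of the behaviour described in the Description and the release note, added here as an example and not taken from the JDK sources or tests: it logs in with `principal="*"`, creates the GSSAPI SASL server with `serverName == null`, and, because an unbound acceptor lets the client choose which keytab identity the server acts as, checks the bound name against an allowlist once the exchange completes. The keytab path, host names and JAAS entry name are assumptions; `Sasl.BOUND_SERVER_NAME` is the JDK 8 SASL property for the bound server name and is not mentioned on this page.

```java
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.*;
import javax.security.sasl.*;

public class UnboundGssapiAcceptor {
    // Assumptions: hypothetical keytab path and the host names this process may act as.
    static final String KEYTAB = "/etc/security/example.keytab";
    static final Set<String> ALLOWED = new HashSet<>(
            Arrays.asList("ldap1.example.com", "ldap2.example.com"));

    // Programmatic equivalent of a JAAS login conf entry with principal="*".
    static Configuration unboundAcceptorConfig() {
        Map<String, String> opts = new HashMap<>();
        opts.put("principal", "*");        // unbound acceptor: any key in the keytab
        opts.put("useKeyTab", "true");
        opts.put("keyTab", KEYTAB);
        opts.put("storeKey", "true");
        opts.put("isInitiator", "false");
        AppConfigurationEntry entry = new AppConfigurationEntry(
                "com.sun.security.auth.module.Krb5LoginModule",
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // serverName == null requests an unbound SASL server (JDK 8 era API: Subject.doAs).
    static SaslServer newServer(String protocol) throws Exception {
        LoginContext lc = new LoginContext("acceptor", null, null, unboundAcceptorConfig());
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<SaslServer>) () ->
                Sasl.createSaslServer("GSSAPI", protocol, null, null, cbs -> {
                    for (Callback c : cbs) if (c instanceof AuthorizeCallback) {
                        AuthorizeCallback ac = (AuthorizeCallback) c;
                        ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
                    }
                }));
    }

    // Call after the evaluateResponse() exchange: reject names outside the allowlist.
    static boolean boundNameAllowed(SaslServer ss) {
        if (!ss.isComplete()) return false;
        String bound = (String) ss.getNegotiatedProperty(Sasl.BOUND_SERVER_NAME);
        return bound != null && ALLOWED.contains(bound.toLowerCase(Locale.ROOT));
    }
}
```

If `boundNameAllowed` returns false, the application should dispose of the `SaslServer` and close the connection instead of serving the request under an identity it did not intend to expose.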