Bug ID: JDK-8001104 Unbound SASL service: the GSSAPI/krb5 mech

Details
Type: Sub-task
Submit Date: 2012-10-18
Status: Closed
Updated Date: 2014-01-03
Project Name: JDK
Resolved Date: 2013-02-09
Component: security-libs
Sub-Component: org.ietf.jgss:krb5
Priority: P4
Resolution: Fixed

Description
Further enable unbound SASL for the GSSAPI/krb5 mech, so that the server can accept requests to any service for which it has keys in its keytab.

Precisely, in the main task, we can already create a GSSAPI SASL server with serverName == null, but the service principal is still a concrete value that must be provided by the underlying mechanism, in this case the principal value in the JAAS login conf file. In this sub-task, there is no need to specify this principal field anymore. The client can request any service principal name; as long as the server can find keys for the service principal in its keytab file, the authentication can go on and the server acts as that principal.
                                    

Comments
URL:   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/d14cd2272b2d
User:  weijun
Date:  2013-02-09 08:47:03 +0000

                                     
2013-02-09
URL:   http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/d14cd2272b2d
User:  lana
Date:  2013-02-15 17:35:39 +0000

                                     
2013-02-15
provided test cases passed from b79 - b95 in 1.8
                                     
2013-06-17
release note:

scope: Java SE
text: The Krb5LoginModule principal value in a JAAS config file can be set to "*" on the acceptor side to denote an unbound acceptor. This means the initiator can access the server using any service principal name as long as the acceptor has the long term secret keys to that service. The name can be retrieved by the acceptor through GSSContext.getTargName() after the context is established.
                                     
2013-12-11
The What's New section of the release notes links to the Enhancements page of the security guide (docs/technotes/guides/security/enhancements-8.html), which contains a summary of this change.
                                     
2014-01-03
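The unbound acceptor described in the release note, as an added example written against the JDK 8 JGSS API (not code from this bug report or from the JDK sources): it logs in with principal="*", accepts one context, then checks GSSContext.getTargName() against an allow-list before acting as that service. The JAAS entry name `acceptor`, the keytab path, the principal names, port 9000, the length-prefixed token framing and the allow-list policy are all assumptions made for the example.

```java
import java.io.*;
import java.net.*;
import java.security.PrivilegedExceptionAction;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

// JAAS file given with -Djava.security.auth.login.config=acceptor.conf
// (constructed; entry name and keytab path are placeholders):
//   acceptor { com.sun.security.auth.module.Krb5LoginModule required principal="*"
//     useKeyTab=true storeKey=true isInitiator=false keyTab="/path/to/server.keytab"; };
public class UnboundAcceptor {
    // Assumed policy: services this process may act as, even if the keytab holds more keys.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "host/server.example.com@EXAMPLE.COM", "ldap/server.example.com@EXAMPLE.COM"));
    static final int MAX_TOKEN = 64 * 1024; // assumed cap on one length-prefixed token

    static String accept(Subject keys, DataInputStream in, DataOutputStream out) throws Exception {
        return Subject.doAs(keys, (PrivilegedExceptionAction<String>) () -> {
            // Null credential = default acceptor credential; with principal="*" it is unbound.
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                while (!ctx.isEstablished()) {
                    int len = in.readInt();
                    if (len <= 0 || len > MAX_TOKEN) throw new IOException("bad token length " + len);
                    byte[] token = new byte[len];
                    in.readFully(token);
                    byte[] reply = ctx.acceptSecContext(token, 0, len);
                    if (reply != null) { out.writeInt(reply.length); out.write(reply); out.flush(); }
                }
                // The service name the initiator chose is only known once the context is established.
                String target = ctx.getTargName().toString();
                if (!ALLOWED.contains(target))
                    throw new SecurityException("initiator targeted unexpected service " + target);
                return ctx.getSrcName() + " authenticated to " + target;
            } finally {
                ctx.dispose();
            }
        });
    }
    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext("acceptor");
        lc.login(); // no principal is fixed here; keys are looked up in the keytab per request
        try (ServerSocket ss = new ServerSocket(9000); Socket s = ss.accept()) { // constructed port
            System.out.println(accept(lc.getSubject(),
                    new DataInputStream(s.getInputStream()), new DataOutputStream(s.getOutputStream())));
        }
    }
}
```

Because an unbound acceptor will act as any principal with keys in the keytab, the check on the target name is what keeps a shared keytab from widening the set of services this process answers for.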