JDK-6722928 : Provide a default native GSS-API library on Windows
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 7,8,11
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows
  • CPU: generic
  • Submitted: 2008-07-07
  • Updated: 2023-08-11
  • Resolved: 2019-06-13
Fix versions:
  • JDK 11: 11.0.10 (Fixed)
  • JDK 13: 13 b25 (Fixed)
  • JDK 14: 14 (Fixed)
  • Other: openjdk8u392 (Fixed)
Sub Tasks
JDK-8214079 :  
SSPI is the MS dialect of GSSAPI. We should support it in JDK on the Windows platform for better interop and system integration with Windows AD. Possible benefits are:

1. No need for krb5.ini and JAAS config
2. No need to retrieve TGT, thus no need for the allowtgtsessionkey registry key
3. Override the restriction when client is a member of local admin group
4. Server side program has no need to run setspn/ktpass
5. Server side program may be run as a Windows service
6. In Windows Server 2008, user2user authentication must be performed through their new protocol (http://tools.ietf.org/html/draft-swift-win2k-krb-user2user-03). SSPI automatically does this.

In the first stage, we should support client side using default credentials.

This provider must be interoperable with Java GSS provider and other native providers.
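
A client-side sketch of the first stage described above (default credentials through the native library), added here as an illustration and not taken from the issue or the JDK sources. It assumes a JDK that contains this fix, a domain-joined Windows logon session, and a hypothetical service host; the two system properties are the JDK's general native GSS settings and are not named on this page.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NativeGssClient {
    // SPNEGO mechanism OID; the Kerberos 5 mechanism is 1.2.840.113554.1.2.2.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    public static void main(String[] args) throws GSSException {
        // Assumption: placeholder host name, pass the real service host as args[0].
        String host = args.length > 0 ? args[0] : "www.example.test";

        // Use the platform's native GSS-API library instead of the pure-Java
        // Kerberos mechanism. Set before the first GSSManager is created
        // (equivalent to -Dsun.security.jgss.native=true on the command line).
        System.setProperty("sun.security.jgss.native", "true");
        // Do not restrict credential lookup to a JAAS Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        GSSManager manager = GSSManager.getInstance();
        GSSName service = manager.createName("HTTP@" + host,
                                             GSSName.NT_HOSTBASED_SERVICE);

        // A null credential means "default credentials", i.e. the logged-on
        // user. No krb5.ini, JAAS login config or exported TGT is involved here.
        GSSContext ctx = manager.createContext(service, new Oid(SPNEGO_OID),
                                               null, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);   // ask the server to prove its identity
            ctx.requestCredDeleg(false);   // least privilege: no delegation

            // First token of the exchange. A complete client feeds each server
            // reply back into initSecContext until ctx.isEstablished() is true,
            // then checks ctx.getMutualAuthState() before trusting the peer.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("Authorization: Negotiate "
                    + Base64.getEncoder().encodeToString(token));
        } finally {
            ctx.dispose();
        }
    }
}
```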

Fix request (8u)
I want to backport this enhancement to 8u to have the default native GSS-API library on Windows so the user does not need to install a 3rd party library. As noted in the 8u CSR, the risk is minimal.
Backport from 11u is almost clean except for the build script. Jtreg tests passed successfully. CI test for Linux x64 fails but it is caused by a libpcsclite1 installation error.
CSR for 8u is approved: https://bugs.openjdk.org/browse/JDK-8312051
Once approved, I'll proceed with the 11u backport of a follow-up bug: JDK-8225687.

A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/340 Date: 2023-07-13 06:18:34 +0000

Fix request (11u)
I'd like to have this enhancement in 11u so Windows users can take advantage of better Active Directory integration and interoperability through a native implementation of GSS (i.e.: there shouldn't be a need to get the TGT session key from the Java implementation or use an external 3rd party library to avoid that). As noted in the 11u CSR, risk is minimal.
The JDK main line patch does not apply cleanly but a backport proposal has been review-accepted here: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-October/004016.html
CSR for 11u has been approved here: https://bugs.openjdk.java.net/browse/JDK-8256559?focusedCommentId=14381873&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14381873
Once approved, I'll proceed with the 11u backport of a followup bug: JDK-8225687.

11u RFR: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-October/004012.html

Michael Osipov <1983-01-06 at gmx dot net> provided a great deal of valuable feedback on this enhancement. Unfortunately I don't know how to include his name in the comment of the changeset.

URL: http://hg.openjdk.java.net/jdk/jdk/rev/74f0622db875 User: weijun Date: 2019-06-13 02:07:02 +0000

Is this ticket impacted by JDK-8199569? JDK-8199569 has been closed without comment.

No regression test included. A Windows AD server is needed. These tests are done manually:

1. Normal client/server context establishment and secure communication, including
   - Client side using Kerberos/SPNEGO
   - Client side requesting mutual auth or no
   - Client side requesting delegation or no
2. HTTP access the local or remote or cross-realm web server

Do we have any updates on this subject?

EVALUATION
Might support it, although I hope most of the functions of Windows SSPI can also be supported by pure Java. Interop is important between different platforms.