JDK-6979689 : principalname always needed in krb5 login
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2010-08-25
  • Updated: 2012-12-05
  • Resolved: 2012-12-05
Description
On the JGSS acceptor side, we usually write:

     import org.ietf.jgss.*;

     // Acceptor side: the service name is already handed to JGSS here,
     // yet the JAAS login this call triggers asks for the principal again.
     GSSManager manager = GSSManager.getInstance();
     GSSContext context = manager.createContext(manager.createCredential(
                        manager.createName(serverName, GSSName.NT_USER_NAME),
                        GSSCredential.INDEFINITE_LIFETIME,
                        new Oid("1.2.840.113554.1.2.2"),   // Kerberos v5 mechanism OID
                        GSSCredential.ACCEPT_ONLY));

Now if useSubjectCredsOnly=false, this call will automatically trigger a JAAS login. In the case of Kerberos, Krb5LoginModule.login() is called.

For krb5 login, the user must provide a principal name, either through a callback, or the initial (shared) state, or inside a JAAS login file, even though a non-null GSSName is already provided in the JGSS call.

This also means that although we've provided default JAAS login file in JDK 7, the acceptor side does not really work.

We should make use of the name in the GSSName passed to the JGSS call. For compatibility, that name is only used when none of the name retrieval methods in Krb5LoginModule is provided. In the case of no retrieval method and a null GSSName, we can also read the name from the keytab if only one service name is included in the keytab file.
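As an added example (not code from this report or from the JDK), the following acceptor shows the configuration the report describes as currently mandatory: the principal is supplied through a programmatic JAAS Configuration so that the login triggered by createCredential succeeds. The JAAS entry name com.sun.security.jgss.accept, the Krb5LoginModule options, the keytab path and the principal string are the example's own assumptions and placeholders; passing a null principal reproduces the situation the report complains about.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Kerberos acceptor that supplies the principal name through the JAAS
 * configuration, i.e. the piece this report wants to make optional.
 */
public class KeytabAcceptor {

    /** JAAS entry name JGSS looks up for the acceptor side when useSubjectCredsOnly=false (assumed). */
    static final String ACCEPT_ENTRY = "com.sun.security.jgss.accept";

    /**
     * Programmatic equivalent of this login configuration file entry
     * (keytab path and principal are placeholders):
     *
     *   com.sun.security.jgss.accept {
     *       com.sun.security.auth.module.Krb5LoginModule required
     *           useKeyTab=true storeKey=true isInitiator=false doNotPrompt=true
     *           keyTab="/path/to/service.keytab"
     *           principal="host/server.example.com@EXAMPLE.COM";
     *   };
     *
     * Without the "principal" option (and with no CallbackHandler or shared state),
     * Krb5LoginModule.login() fails even though the JGSS call already named the service.
     */
    static Configuration acceptorConfig(final String keyTab, final String principal) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!ACCEPT_ENTRY.equals(name)) {
                    return null;
                }
                Map<String, String> opts = new HashMap<String, String>();
                opts.put("useKeyTab", "true");     // take the long-term service key from the keytab
                opts.put("storeKey", "true");      // keep it in the Subject so the acceptor can decrypt AP-REQs
                opts.put("isInitiator", "false");  // acceptor only: do not fetch a TGT
                opts.put("doNotPrompt", "true");   // a server must never fall back to interactive prompts
                opts.put("keyTab", keyTab);
                if (principal != null) {
                    // The option the report says is currently required; leave it out to reproduce the failure.
                    opts.put("principal", principal);
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            LoginModuleControlFlag.REQUIRED, opts)
                };
            }

            @Override
            public void refresh() {
                // Static configuration: nothing to reload.
            }
        };
    }

    /** Builds the acceptor context as in the report, with the JAAS login driven by acceptorConfig. */
    static GSSContext createAcceptor(String serverName, String keyTab) throws GSSException {
        // Allow JGSS to run a JAAS login when the current Subject carries no Kerberos credentials.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
        Configuration.setConfiguration(acceptorConfig(keyTab, serverName));

        GSSManager manager = GSSManager.getInstance();
        GSSCredential serverCreds = manager.createCredential(
                manager.createName(serverName, GSSName.NT_USER_NAME),
                GSSCredential.INDEFINITE_LIFETIME,
                new Oid("1.2.840.113554.1.2.2"),   // Kerberos v5 mechanism OID
                GSSCredential.ACCEPT_ONLY);
        return manager.createContext(serverCreds);
    }

    public static void main(String[] args) throws Exception {
        // Requires a reachable KDC (krb5.conf) and a keytab holding the service key.
        String principal = args.length > 0 ? args[0] : "host/server.example.com@EXAMPLE.COM";
        String keyTab = args.length > 1 ? args[1] : "/path/to/service.keytab";
        GSSContext ctx = createAcceptor(principal, keyTab);
        System.out.println("Acceptor context created for " + principal
                + "; feed client tokens to ctx.acceptSecContext(). established=" + ctx.isEstablished());
    }
}
```

The same entry can live in a login configuration file selected with -Djava.security.auth.login.config; the programmatic form is used here only so the whole setup is visible in one place.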