JDK-8044085 : Access ExtendedGSSContext.inquireSecContext() result through SASL
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.security
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2014-05-28
  • Updated: 2017-05-17
  • Resolved: 2014-07-10
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
9 b23Fixed
Sub Tasks
JDK-8049711 :  
JDK-8173012 :  
Java supports application server to use Kerberos to authenticate clients in two APIs: GSSAPI and SASL. There're applications that need to access ticket info like authorization data and session key to further authorize clients after authentication. JGSS has already support for the query as providing ExtendedGSSContext which can inquiry SESSION_KEY, TKT_FLAGS, AUTHTIME and AUTHZ_DATA. SASL wraps GSSAPI mechanism but hasn't yet support the query.

The bug is reported by Zheng Kai <kai dot zheng at intel dot com>.
Release notes text: The output of ExtendedGSSContext.inquireSecContext() is now available as negotiated properties for the SASL GSSAPI mechanism using the name "com.sun.security.jgss.inquiretype.<type_name>", where "type_name" is the string form of the InquireType enum parameter in lower case, for example, "com.sun.security.jgss.inquiretype.krb5_get_session_key_ex".

We can define new negotiated properties in SASL to automatically support all InquireType values that JGSS supports, say, com.sun.security.jgss.inquiretype.KRB5_GET_SESSION_KEY. Maybe lowercase for consistency with other names.