JDK-6722928 : Provide a default native GSS-API library on Windows
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Affected Version: 7,8,11
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows
  • CPU: generic
  • Submitted: 2008-07-07
  • Updated: 2023-08-11
  • Resolved: 2019-06-13
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 13 JDK 14 Other
11.0.10Fixed 13 b25Fixed 14Fixed openjdk8u392Fixed
Related Reports
CSR :  
JDK-8210801 - Provide a default native GSS-API library on Windows
Duplicate :  
JDK-8054026 - Java requires AllowTGTSessionKey = 1 for Kerberos SSO to work
Duplicate :  
JDK-8161921 - Windows 10 Credential Guard does not allow sharing of TGT with Java
Relates :  
JDK-8225687 - Newly added sspi.cpp in JDK-6722928 still contains some small errors
Relates :  
JDK-8290920 - sspi_bridge.dll not built if BUILD_CRYPTO is false
Relates :  
JDK-8280401 - [sspi] gss_accept_sec_context leaves output_token uninitialized
Relates :  
JDK-8199569 - Client-side GSS-API Library for Windows SSPI
Relates :  
JDK-8200468 - Port the native GSS-API bridge to Windows
Relates :  
JDK-8230910 - libsspi_bridge does not build on Windows 32bit
Relates :  
JDK-8161921 - Windows 10 Credential Guard does not allow sharing of TGT with Java
Relates :  
JDK-8208299 - Provide a way to clear NegotiateAuthentication cache
Sub Tasks
JDK-8214079 :  
Release Note: Added a Default Native GSS-API Library on Windows - Closed
Description
SSPI is the MS dialect of GSSAPI. We should support it in JDK on the Windows platform for better interop and system integration with Windows AD. Possible benefits are:

1. No need for krb5.ini and JAAS config
2. No need to retrieve TGT, thus no need for the allowtgtsessionkey registry key
3. Override the restriction when client is a member of local admin group
4. Server side program has no need to run setspn/ktpass
5. Server side program may be run as a Windows service
6. In Windows Server 2008, user2user authentication must be performed through their new protocol (http://tools.ietf.org/html/draft-swift-win2k-krb-user2user-03). SSPI automatically does this.

In the first stage, we should support client side using default credentials.

This provider must be interoperable with Java GSS provider and other native providers.
Comments
Fix request (8u) I want to backport this enhancement to 8u to have the default native GSS-API library on Windows so the user does not need to install a 3rd party library. As noted in the 8u CSR, the risk is minimal. Backport from 11u is almost clean except of the build script Jtreg tests passed successfully. CI test for Linux x64 fails but it is caused by libpcsclite1 installation error. CSR for 8u is approved : https://bugs.openjdk.org/browse/JDK-8312051 Once approved, I'll proceed with the 11u backport of a follow-up bug: JDK-8225687.
18-07-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/340 Date: 2023-07-13 06:18:34 +0000
13-07-2023
Fix request (11u) I'd like to have this enhancement in 11u so Windows users can take advantage of better Active Directory integration and interoperability through a native implementation of GSS (i.e.: there shouldn't be a need to get the TGT session key from the Java implementation or use an external 3rd party library to avoid that). As noted in the 11u CSR, risk is minimal. The JDK main line patch does not apply cleanly but a backport proposal has been review-accepted here: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-October/004016.html CSR for 11u has been approved here: https://bugs.openjdk.java.net/browse/JDK-8256559?focusedCommentId=14381873&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14381873 Once approved, I'll proceed with the 11u backport of a followup bug: JDK-8225687.
24-11-2020
11u RFR: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2020-October/004012.html
21-10-2020
Michael Osipov <1983-01-06 at gmx dot net> provided numerous valuable feedback on this enhancement. Unfortunately I don't know how to include his name in the comment of the changeset.
13-06-2019
URL: http://hg.openjdk.java.net/jdk/jdk/rev/74f0622db875 User: weijun Date: 2019-06-13 02:07:02 +0000
13-06-2019
Is this ticket impacted by JDK-8199569 ? JDK-8199569 has been closed without comment
24-01-2019
No regression test included. A Windows AD server is needed. These tests are done manually: 1. Normal client/server context establishment and secure communication, including - Client side using Kerberos/SPNEGO - Client side requesting mutual auth or no - Client side requesting delegation or no 2. HTTP access the local or remote or cross-realm web server
20-11-2018
Do we have any updates on this subject?
18-07-2018
EVALUATION Might support it, althoguh I hope most of the functions of Windows SSPI can also be supported by pure Java. Interop is important between different platforms.
13-07-2010