JDK-8210801 : Provide a default native GSS-API library on Windows
  • Type: CSR
  • Component: security-libs
  • Sub-Component: org.ietf.jgss
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 12
  • Submitted: 2018-09-17
  • Updated: 2018-12-07
  • Resolved: 2018-12-07
Description
Summary
-------

Provide a default native GSS-API library on Windows so that users do not need to install a 3rd-party library. This library will be client-side only and will support the Kerberos 5 and SPNEGO mechanisms.

Problem
-------

In JDK 11 we [ported](https://bugs.openjdk.java.net/browse/JDK-8200468) the native GSS bridge to Windows, which allows the JDK to use an existing native GSS-API library. However, unlike other OSes, where a native GSS-API library is either available out of the box or can be easily installed from the system package manager, there is no default native GSS-API library on Windows and users have to install a 3rd-party one.

There are other benefits we can get from using our own native GSS-API library. See solution below.

Solution
--------

Create a native GSS-API library for Windows and include it in JDK as the default native GSS-API library. The library will expose its functions through the RFC 2743 GSS-API C bindings, and its implementation will be based on Windows SSPI APIs.

This native library is superior to the existing Java GSS-API library in that it can directly read the user credentials cached during Windows logon. The Java GSS-API library used to be able to read that cache when [a registry value is set](https://support.microsoft.com/en-us/help/308339/registry-key-to-allow-session-keys-to-be-sent-in-kerberos-ticket-grant), but Windows 10 Credential Guard now disables this. If the Java GSS-API library cannot read the cache, it has to log in itself by prompting the user for a username and password, which prevents Kerberos from being used as a Single Sign-on mechanism.

Specification
-------------

This library will be loaded automatically by the native GSS bridge when the system property "sun.security.jgss.native" is set to "true". Users who want a 3rd-party native GSS-API library instead can set the system property "sun.security.jgss.lib" to its path.
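The following is an added example, not code from this CSR or the JDK, showing how a client selects the native GSS bridge through the two system properties above and then initiates a SPNEGO context through the standard org.ietf.jgss API. Because the native library supplies the credentials of the Windows logon session, no JAAS LoginContext or password prompt is needed; passing a `null` credential to `createContext` is enough. The service name `HTTP@www.example.com` and the commented-out library path are assumptions for illustration.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import java.util.Base64;

public class NativeGssClientDemo {

    // Mechanism OIDs: Kerberos 5 (RFC 1964) and SPNEGO (RFC 4178).
    static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");
    static final Oid SPNEGO_MECH = oid("1.3.6.1.5.5.2");

    static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws GSSException {
        // Same effect as -Dsun.security.jgss.native=true on the command line.
        // It must be set before the first GSSManager call, which is what loads the bridge.
        System.setProperty("sun.security.jgss.native", "true");

        // Optional: use a 3rd-party native GSS-API library instead of the JDK default.
        // The path below is a placeholder, not a real location.
        // System.setProperty("sun.security.jgss.lib", "C:\\path\\to\\third-party-gssapi.dll");

        // Hypothetical target service; override with the first command-line argument.
        String service = args.length > 0 ? args[0] : "HTTP@www.example.com";

        GSSManager manager = GSSManager.getInstance();

        // Report which mechanisms the loaded native library actually offers.
        for (Oid mech : manager.getMechs()) {
            String label = mech.equals(KRB5_MECH) ? "Kerberos 5"
                         : mech.equals(SPNEGO_MECH) ? "SPNEGO" : "other";
            System.out.println("mechanism " + mech + " (" + label + ")");
        }

        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);

        // null credential: with the native bridge the initiator credential comes from
        // the Windows logon session, so no LoginContext or password prompt is involved.
        GSSContext ctx = manager.createContext(peer, SPNEGO_MECH, null,
                                               GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);  // have the server prove its identity too
        ctx.requestInteg(true);       // integrity protection for wrapped messages
        ctx.requestConf(true);        // confidentiality for wrapped messages

        // First leg of the exchange: the initial token the client sends to the server.
        byte[] token = ctx.initSecContext(new byte[0], 0, 0);
        System.out.println("initial SPNEGO token: " + token.length + " bytes");
        System.out.println(Base64.getEncoder().encodeToString(token));

        // In a real client the token is sent to the server and each reply is fed back
        // into initSecContext until ctx.isEstablished() returns true.
        ctx.dispose();
    }
}
```

Run it on a domain-joined Windows machine after logging on with a domain account; if the native library cannot be loaded or the session holds no Kerberos credentials, `initSecContext` throws a `GSSException` rather than prompting for a password, which is the behaviour that distinguishes the native bridge from the pure-Java provider.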

This change will be described on the [Accessing Native GSS-API](https://docs.oracle.com/en/java/javase/11/security/accessing-native-gss-api.html) page.
Comments
From context, I'm inferring sun.security.jgss.native is set to true by default. Moving to Approved.
07-12-2018

Please provide more detail on the end-user visible impact of this change before the request is finalized. Moving to Provisional.
10-10-2018