On Mon, 3 Nov 2025 18:50:37 GMT, Nick Hall <[email protected]> wrote:

>> _Purpose_
>> 
>> This PR allows Linux based applications using JAAS to acquire Kerberos TGTs 
>> natively using the local system's Kerberos libraries/configuration, building 
>> on existing support on Windows/MacOSX.
>> 
>> _Rationale_
>> 
>> Currently the (pure java) JAAS codebase only supports file-based credential 
>> caches (ccaches).  There are many other useful types of ccache accessible 
>> via the local system libraries; this change allows credentials to be 
>> acquired natively using those libraries, and thus adds support for all other 
>> ccache types supported by the local system (e.g. KCM, in-memory and kernel 
>> types). This support already exists on MacOSX and Windows.
>> 
>> The code change here largely uses the MacOSX code, edited for Linux with 
>> associated build system changes. It also adds an appropriate jtreg test 
>> which uses some native test helper code to manufacture an in-memory cache, 
>> and then uses the new code to acquire these credentials natively.  This has 
>> been tested on Linux/Mac and the jtreg test passes on each (I couldn't see 
>> any existing tests on MacOSX for this feature).
>> 
>> Additionally this PR fixes a bug that's existed for a while (see L585-588 in 
>> `nativeccache.c`) - without this code, this is a 100% reproducible segfault 
>> on Linux (it's unclear why this hasn't affected the Mac JVMs up to now, 
>> probably just no calling code that provides an empty list of addresses).  It 
>> also fixes a (non problem) typo in the variable name in a function prototype.
>> 
>> _Implementation Detail_
>> 
>> Note that there were multiple possible ways of doing this:
>> 
>> 1) Duplicate the MacOSX `nativeccache.c`, edit lightly for Linux and build a 
>> new library on Linux only (`liblinuxkrb5`), leaving MacOSX largely 
>> unchanged, but at the expense of this code duplication.
>> 
>> 2) Create a new shared library used on both platforms with conditional 
>> compilation to manage the differences.  This necessitates a library name 
>> change on MacOSX and potentially knock-on packaging changes on that 
>> platform, which seemed a potentially expensive side-effect.
>> 
>> 3) Create a shared `nativeccache.c` (using `EXTRA_SRC` in the build) and 
>> build separate MacOSX/Linux libraries.  This allows the MacOSX library name 
>> to remain unchanged, and only adds a new library in Linux.
>> 
>> I tried all three options; 3 seemed to be the best compromise all around, 
>> although it is one of the options that effectively introduces a "no-op" change 
>> on MacOSX as a result.  Hopefully the additional jtreg test is sufficient to 
>> compensat...
>
> Nick Hall has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Address second set of @erikj79's build comments

make/test/JtregNativeJdk.gmk line 126:

> 124:   # macOS: build with system krb5 and disable deprecation warnings
> 125:   BUILD_JDK_JTREG_LIBRARIES_LDFLAGS_libNativeCredentialCacheHelper := -lkrb5 -lcom_err
> 126:   BUILD_JDK_JTREG_LIBRARIES_CFLAGS_libNativeCredentialCacheHelper := -Wno-deprecated-declarations

Why doesn't the macosx target use the KRB5* variables as well?

src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java line 2:

> 1: /*
> 2:  * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.

nit: update copyright year

src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java line 335:

> 333:             if (OperatingSystem.isWindows() ||
> 334:                     OperatingSystem.isMacOS() ||
> 335:                         OperatingSystem.isLinux()) {

nit: extra tab?

src/java.security.jgss/share/native/libkrb5shared/nativeccache.c line 2:

> 1: /*
> 2:  * Copyright (c) 2011, 2024, Oracle and/or its affiliates. All rights reserved.

nit: update copyright year

test/jdk/sun/security/krb5/native/NativeCacheTest.java line 26:

> 24: /*
> 25:  * @test
> 26:  * @bug 8123456

`@bug` annotation not relevant here

test/jdk/sun/security/krb5/native/libNativeCredentialCacheHelper.c line 71:

> 69:     if (utf_chars == NULL) return NULL;
> 70: 
> 71:     char *result = strdup(utf_chars);

Should check for NULL here

test/jdk/sun/security/krb5/native/libNativeCredentialCacheHelper.c line 143:

> 141: }
> 142: 
> 143: 

nit: extra line

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516387392
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516256982
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516241205
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516233000
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2516271877
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2513002208
PR Review Comment: https://git.openjdk.org/jdk/pull/28075#discussion_r2513007140