On Thu, 13 Nov 2025 11:02:21 GMT, Nick Hall <[email protected]> wrote:
>> _Purpose_ >> >> This PR allows Linux based applications using JAAS to acquire Kerberos TGTs >> natively using the local system's Kerberos libraries/configuration, building >> on existing support on Windows/MacOSX. >> >> _Rationale_ >> >> Currently the (pure java) JAAS codebase only supports file-based credential >> caches (ccaches). There are many other useful types of ccache accessible >> via the local system libraries; this change allows credentials to be >> acquired natively using those libraries, and thus adds support for all other >> ccache types supported by the local system (e.g. KCM, in-memory and kernel >> types), This support already exists on MacOSX and Windows. >> >> The code change here largely uses the MacOSX code, edited for Linux with >> associated build system changes. It also adds an appropriate jtreg test >> which uses some native test helper code to manufacture an in-memory cache, >> and then uses the new code to acquire these credentials natively. This has >> been tested on Linux/Mac and the jtreg test passes on each (I couldn't see >> any existing tests on MacOSX for this feature). >> >> Additionally this PR fixes a bug that's existed for a while (see L585-588 in >> `nativeccache.c`) - without this code, this is a 100% reproducible segfault >> on Linux (it's unclear why this hasn't affected the Mac JVMs up to now, >> probably just no calling code that provides an empty list of addresses). It >> also fixes a (non problem) typo in the variable name in a function prototype. >> >> _Implementation Detail_ >> >> Note that there were multiple possible ways of doing this: >> >> 1) Duplicate the MacOSX `nativeccache.c`, edit lightly for Linux and build a >> new library on Linux only (`liblinuxkrb5`), leaving MacOSX largely >> unchanged, but at the expense of this code duplication. >> >> 2) Create a new shared library used on both platforms with conditional >> compilation to manage the differences. This necessitates a library name >> change on MacOSX and potentially knock-on packaging changes on that >> platform, which seemed a potentially expensive side-effect. >> >> 3) Create a shared `nativeccache.c` (using `EXTRA_SRC` in the build) and >> build separate MacOSX/Linux libraries. This allows the MacOSX library name >> to remain unchanged, and only adds a new library in Linux. >> >> I tried all three options; 3 seemed to be the best compromise all around, >> although is one of the options that effectively introduces a "no-op" change >> on MacOSX as a result. Hopefully the additional jtreg test is sufficient to >> compensat... > > Nick Hall has updated the pull request incrementally with three additional > commits since the last revision: > > - Small doc fix > - Attend to @wangweij's code review comments - in particular a large > clean-up of the test helper and the output it creates > - Attend to remaining comments from @smemery I'm not sure if there's precedent for it in other `java.security.Principal` types that JAAS can operate on, but it wouldn't be that hard to enhance the JAAS `Krb5LoginModule` to accept a new piece of JAAS configuration that would cause it to write the acquired credential back to an actual ccache as part of storing the keys during commit (within the limits of the local system arrangements - e.g. this wouldn't work on Windows because of the way LSASS protects the ccache, but likely works in Linux/MacOS cases using natively supported cache types). That said, it's not clear that's needed for client applications that use the various security frameworks / principals in the JVM (where the stored keys in the principal are used), but could be useful for helper applications written in Java that do some kind of credential exchange to create a TGT, or perhaps things written partly in JNI. ------------- PR Comment: https://git.openjdk.org/jdk/pull/28075#issuecomment-3527448204
