On Thu, 30 Oct 2025 22:55:34 GMT, Erik Joelsson <[email protected]> wrote:
>> _Purpose_ >> >> This PR allows Linux based applications using JAAS to acquire Kerberos TGTs >> natively using the local system's Kerberos libraries/configuration, building >> on existing support on Windows/MacOSX. >> >> _Rationale_ >> >> Currently the (pure java) JAAS codebase only supports file-based credential >> caches (ccaches). There are many other useful types of ccache accessible >> via the local system libraries; this change allows credentials to be >> acquired natively using those libraries, and thus adds support for all other >> ccache types supported by the local system (e.g. KCM, in-memory and kernel >> types), This support already exists on MacOSX and Windows. >> >> The code change here largely uses the MacOSX code, edited for Linux with >> associated build system changes. It also adds an appropriate jtreg test >> which uses some native test helper code to manufacture an in-memory cache, >> and then uses the new code to acquire these credentials natively. This has >> been tested on Linux/Mac and the jtreg test passes on each (I couldn't see >> any existing tests on MacOSX for this feature). >> >> Additionally this PR fixes a bug that's existed for a while (see L585-588 in >> `nativeccache.c`) - without this code, this is a 100% reproducible segfault >> on Linux (it's unclear why this hasn't affected the Mac JVMs up to now, >> probably just no calling code that provides an empty list of addresses). It >> also fixes a (non problem) typo in the variable name in a function prototype. >> >> _Implementation Detail_ >> >> Note that there were multiple possible ways of doing this: >> >> 1) Duplicate the MacOSX `nativeccache.c`, edit lightly for Linux and build a >> new library on Linux only (`liblinuxkrb5`), leaving MacOSX largely >> unchanged, but at the expense of this code duplication. >> >> 2) Create a new shared library used on both platforms with conditional >> compilation to manage the differences. This necessitates a library name >> change on MacOSX and potentially knock-on packaging changes on that >> platform, which seemed a potentially expensive side-effect. >> >> 3) Create a shared `nativeccache.c` (using `EXTRA_SRC` in the build) and >> build separate MacOSX/Linux libraries. This allows the MacOSX library name >> to remain unchanged, and only adds a new library in Linux. >> >> I tried all three options; 3 seemed to be the best compromise all around, >> although is one of the options that effectively introduces a "no-op" change >> on MacOSX as a result. Hopefully the additional jtreg test is sufficient to >> compensat... > > Is there a particular reason for build.sh in the tests or are you just not > familiar with how native test code gets automatically compiled by the > makefiles based on file naming conventions? In short, any file `lib*.c[pp]` > will get compiled into a native library (and exe*.c[pp] into an executable). > You can define any special flags or platform include/exclude in > `make/test/JtregNativeJdk.gmk`. Hi @erikj79, I noticed that in our CI build the library is not built and the log shows checking for krb5 (<omitted>)... no checking krb5.h usability... no checking krb5.h presence... no checking for krb5.h... no Should we require them to be present? ------------- PR Comment: https://git.openjdk.org/jdk/pull/28075#issuecomment-3535280140
