On Tue, 18 Nov 2025 12:21:09 GMT, Nick Hall <[email protected]> wrote:
>> _Purpose_
>>
>> This PR allows Linux based applications using JAAS to acquire Kerberos TGTs
>> natively using the local system's Kerberos libraries/configuration, building
>> on existing support on Windows/MacOSX.
>>
>> _Rationale_
>>
>> Currently the (pure java) JAAS codebase only supports file-based credential
>> caches (ccaches). There are many other useful types of ccache accessible
>> via the local system libraries; this change allows credentials to be
>> acquired natively using those libraries, and thus adds support for all other
>> ccache types supported by the local system (e.g. KCM, in-memory and kernel
>> types), This support already exists on MacOSX and Windows.
>>
>> The code change here largely uses the MacOSX code, edited for Linux with
>> associated build system changes. It also adds an appropriate jtreg test
>> which uses some native test helper code to manufacture an in-memory cache,
>> and then uses the new code to acquire these credentials natively. This has
>> been tested on Linux/Mac and the jtreg test passes on each (I couldn't see
>> any existing tests on MacOSX for this feature).
>>
>> Additionally this PR fixes a bug that's existed for a while (see L585-588 in
>> `nativeccache.c`) - without this code, this is a 100% reproducible segfault
>> on Linux (it's unclear why this hasn't affected the Mac JVMs up to now,
>> probably just no calling code that provides an empty list of addresses). It
>> also fixes a (non problem) typo in the variable name in a function prototype.
>>
>> _Implementation Detail_
>>
>> Note that there were multiple possible ways of doing this:
>>
>> 1) Duplicate the MacOSX `nativeccache.c`, edit lightly for Linux and build a
>> new library on Linux only (`liblinuxkrb5`), leaving MacOSX largely
>> unchanged, but at the expense of this code duplication.
>>
>> 2) Create a new shared library used on both platforms with conditional
>> compilation to manage the differences. This necessitates a library name
>> change on MacOSX and potentially knock-on packaging changes on that
>> platform, which seemed a potentially expensive side-effect.
>>
>> 3) Create a shared `nativeccache.c` (using `EXTRA_SRC` in the build) and
>> build separate MacOSX/Linux libraries. This allows the MacOSX library name
>> to remain unchanged, and only adds a new library in Linux.
>>
>> I tried all three options; 3 seemed to be the best compromise all around,
>> although is one of the options that effectively introduces a "no-op" change
>> on MacOSX as a result. Hopefully the additional jtreg test is sufficient to
>> compensat...
>
> Nick Hall has updated the pull request incrementally with one additional
> commit since the last revision:
>
> Clean up jtreg run/compile directives, attend to other review comments
There's prior art here for CUPS - this is a mandatory compile-time and run-time
dependency. I guess the difference with CUPS is that Java can't print without
it, whereas JAAS _can_ auth using Kerberos without my code, it's just limited
to a file ccache.
It turns out that this limitation actually works to our advantage. The
existing code will first try and use the pure Java code to acquire a file
ccache using a series of hard-coded defaults:
* 1. KRB5CCNAME (bare file name without FILE:)
* 2. /tmp/krb5cc_<uid> on unix systems
* 3. <user.home>/krb5cc_<user.name>
* 4. <user.home>/krb5cc (if can't get <user.name>)
(I'm not sure of the provenance of 3 and 4, but 1 and 2 are reasonable)
It then checks that the crypto is something it can handle.
If the code successfully finds a supported ccache, it will succeed _whether the
new native lib is loadable or not_. If it does not find a supported ccache
this way, it will then try and load the native lib (and potentially fail with
an `UnsatisfiedLinkError`) at this point.
(FWIW, I've tested this locally by temporarily making the system libkrb5
library inaccessible, then running a test with a regular FILE: ccache, and it
worked as above.)
Assuming we did build it in by default, I suspect most people using FILE:
ccaches will not even get to the native library load - and anyone trying to use
unsupported ccache types/crypto with an older Java version would have got an
error anyway, it's just that now this might be an `UnsatisfiedLinkError`
instead of a `LoginException`.
I imagine this code was written this way for similar reasons to the discussion
we're having here, on whichever of Windows/MacOS this was first introduced.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/28075#issuecomment-3554366847
