Hi Andrew
The current CredentialsCache.getInstance() on Windows should always
return the file cache, right? Inside the acquireDefaultCreds()
method, if cache.getDefaultCreds() returns a non-null object which
has the correct eType, then LSA is never read.
Take this for example:
1. User logs in to Active Directory as A
2. User's JAAS login config includes "principal=A"
Now, acquireTGTFromCache returns the TGT for A in LSA. However, if
3. User runs "kinit B" and generates a file cache for user B
acquireTGTFromCache returns NULL, since the TGT for B in fcache is
first returned and then ignored.
On Jan 2, 2008, at 8:39 PM, Andrew Fan wrote:
Just as the comment says, "// The default ticket cache on Windows is
not a file." So I don't think there are any credentials that are missed
or won't get read.
For the second question, the current CredentialsCache is implemented
as a file-based cache. It's a good idea that we adjust the
CredentialsCache to accept LSA on the Windows platform. I made a few
updates on MemoryCredentialsCache and CredentialsCache to accept
MemoryCredentialsCache months ago; I haven't tested it completely. I
never thought that it could be used to improve
acquireTGTFromCache.
Oh, this is cool. The whole ccache picture for Windows may include the
file cache, the MIT-style in-memory cache, and the Windows LSA cache. Does
this mean it should return 3 kinds of CredentialsCache objects? Is
something like CredentialsCache.getAllInstances() needed?
Thanks
Max
Andrew
Weijun Max Wang wrote:
Hi All
Currently, sun.security.krb5.Credentials' acquireTGTFromCache method
looks like --

    Cred acquireTGTFromCache(princ, fcache) {
        if (fcache not specified) {
            if (Windows) {
                cred = function {
                    get default TGT from default file cache;
                    if (found && etypeSupported) return it;
                    else return one from LSA;
                }
                if (princ specified && princ is not princ in cred)
                    return null;
                else
                    return cred;
            }
        }
        read cred for princ in fcache;
        if (found && etypeSupported) return it;
        else return null;
    }
It seems there's a chance on Windows that the default TGT in the default
file cache (fcache == null) is not for princ, but maybe there's one for
princ in LSA. It won't get read.
Right? Shall we just move the whole fcache lookup to the beginning and
only use LSA as a fallback?
Thanks
Max
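To make the failure mode in this thread concrete, here is a small model of the two lookup orders in Python. It is an added example, not the JDK's sun.security.krb5 code: the CredCache class, the function names current_lookup and proposed_lookup, and the sample principals A@EXAMPLE.COM and B@EXAMPLE.COM are assumptions constructed for illustration. current_lookup follows the Windows branch of the pseudocode above (default file-cache TGT if usable, else the LSA TGT, then the principal check); proposed_lookup walks an ordered list of caches, which also covers the three-cache (getAllInstances) picture.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed model of the TGT lookup order discussed in the thread.
# Not the JDK's sun.security.krb5 code; class and function names are
# assumptions made for this example.


@dataclass(frozen=True)
class TGT:
    client: str             # principal the ticket was issued to
    etype_supported: bool   # whether the ticket's etype is supported
    source: str             # which cache it came from (demo only)


class CredCache:
    """An ordered set of TGTs. The first entry is the cache's default TGT
    (the default principal of a MIT ccache, or the LSA logon TGT)."""

    def __init__(self, name: str, tgts: Sequence[TGT] = ()):
        self.name = name
        self.tgts = list(tgts)

    def default(self) -> Optional[TGT]:
        return self.tgts[0] if self.tgts else None

    def get(self, princ: Optional[str]) -> Optional[TGT]:
        if princ is None:
            return self.default()
        return next((t for t in self.tgts if t.client == princ), None)


def current_lookup(princ: Optional[str], fcache: CredCache,
                   lsa: CredCache) -> Optional[TGT]:
    """Windows branch of the pseudocode with fcache not specified: take the
    default file-cache TGT if present and usable, otherwise the LSA TGT,
    and only then compare it against the requested principal."""
    cred = fcache.default()
    if cred is None or not cred.etype_supported:
        cred = lsa.default()
    if cred is None:
        return None
    if princ is not None and cred.client != princ:
        return None
    return cred


def proposed_lookup(princ: Optional[str],
                    caches: Sequence[CredCache]) -> Optional[TGT]:
    """Look princ up in each cache in order (file cache first, LSA as the
    fallback). A third in-memory cache is just another list element."""
    for cache in caches:
        cred = cache.get(princ)
        if cred is not None and cred.etype_supported:
            return cred
    return None


# Max's scenario: logged in to AD as A (TGT in LSA), JAAS principal=A,
# then "kinit B" created a file cache whose default TGT is for B.
LSA = CredCache("lsa", [TGT("A@EXAMPLE.COM", True, "lsa")])
FCACHE_B = CredCache("fcache", [TGT("B@EXAMPLE.COM", True, "fcache")])
FCACHE_EMPTY = CredCache("fcache")


def demo() -> dict:
    """Run both lookups over the scenario and return what each yields."""
    return {
        "current, fcache has B": current_lookup("A@EXAMPLE.COM", FCACHE_B, LSA),
        "current, no fcache": current_lookup("A@EXAMPLE.COM", FCACHE_EMPTY, LSA),
        "proposed, fcache has B": proposed_lookup("A@EXAMPLE.COM", [FCACHE_B, LSA]),
    }


if __name__ == "__main__":
    for label, tgt in demo().items():
        print(f"{label}: {tgt}")
```

With the file cache holding only B's TGT, current_lookup returns None for principal A even though LSA has a usable TGT for A, while proposed_lookup finds it in LSA; with no file cache both orders agree.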