On Fri, Mar 22, 2019 at 05:23:27PM +0100, Michael Osipov wrote:
> On 2019-03-22 at 16:28, Nico Williams wrote:
> > - the JDK's JGSS stuff is very Kerberos-specific, especially w/ regards
> >   to the ServicePermission stuff
>
> Granted. :(
>
> > IMO JAAS (and with it, *Permission) should be removed with prejudice now
> > that applet support has been removed. Perhaps stubs should be left
> > behind for compatibility reasons, and all the doAs*() methods should
> > just act as though permission is granted.
> >
> > Removing JAAS would be a wonderful simplification, then the JGSS stuff
> > could stop being Kerberos-specific.
>
> Fully agree, it has been a pain in the last couple of years. This would
> also require an RFC update for the JGSS bindings to logon onto network
> with username/password or keytab w/o login modules.

Our contributions add acquireCredWithPassword() methods. And we could
add acquireCredFrom() to match gss_acquire_cred_from() /
gss_add_cred_from() (a Heimdal and MIT innovation that allows, among
other things, to use a specific keytab).

But also, most JGSS users don't need the JDK to have this functionality
since using kinit externally and KRB5* env vars works perfectly fine for
the vast majority of cases.

Nico
--