
Provide a default native GSS-API library on Windows

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P3
    • Resolution: Approved
    • Fix Version/s: 11.0.10
    • Component/s: security-libs
    • Labels:
      None
    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      There was no default native GSS-API library on Windows before, so a user would have to set "sun.security.jgss.lib" to a 3rd-party library. After this change, this setting still works, and users now have the option to use a built-in library (when "sun.security.jgss.native" is set to "true" and "sun.security.jgss.lib" is not set).
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Differences with JDK CSR JDK-8210801: none.

      Summary

      Provide a default native GSS-API library on Windows so that users do not need to install a 3rd-party library. This library will be client-side only and will support the Kerberos 5 and SPNEGO mechanisms.

      Problem

      In JDK 11 we ported the native GSS bridge to Windows, which allows the JDK to use an existing native GSS-API library. However, unlike other OSes, where a native GSS-API library is either available out of the box or can be easily installed from the system package manager, there is no default native GSS-API library on Windows, and users have to install a 3rd-party one.

      There are other benefits to using our own native GSS-API library. See the Solution section below.

      Solution

      Create a native GSS-API library for Windows and include it in the JDK as the default native GSS-API library. The library will expose its functions through the RFC 2743 GSS-API C bindings, and its implementation will be based on the Windows SSPI APIs.

      This native library is superior to the existing Java GSS-API library in that it can directly read user credentials cached during Windows logon. The Java GSS-API library used to be able to read the cache when a registry value was set, but this is now disabled by Windows 10 Credential Guard. If the Java GSS-API library cannot read the cache, it has to log in itself by asking the user for a username and password. This prevents Kerberos from being used as a Single Sign-On mechanism.

      Specification

      This library will be automatically loaded by the native GSS bridge if the system property "sun.security.jgss.native" is set to "true". Users who want to use a 3rd-party native GSS-API library can set the system property "sun.security.jgss.lib" to its path.

      This change will be described on the Accessing Native GSS-API page.
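
      An added example (not part of this CSR or the JDK sources): a client-side initiator that enables the native bridge as the Specification describes and obtains the first SPNEGO token from the Windows logon credentials. It assumes a Windows JDK that includes this change and a domain logon session; the class name, the placeholder service name HTTP@server.example.com, and the use of "javax.security.auth.useSubjectCredsOnly" set to "false" are assumptions of the example.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NativeGssClient {
    public static void main(String[] args) throws GSSException {
        // Both properties must be set before the first JGSS class is used
        // (same effect as -Dsun.security.jgss.native=true on the command line).
        System.setProperty("sun.security.jgss.native", "true");
        // Assumption: no JAAS Subject is in use, so credentials must come from
        // the native layer (the Windows logon session) instead of a Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // An explicit sun.security.jgss.lib overrides the bundled library.
        // Report it so an unexpected third-party DLL path is visible in logs.
        String override = System.getProperty("sun.security.jgss.lib");
        System.out.println(override == null
                ? "native GSS: JDK default library"
                : "native GSS: overridden by " + override);

        // Placeholder service name; pass the real one as the first argument.
        String service = args.length > 0 ? args[0] : "HTTP@server.example.com";

        Oid spnego = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID
        GSSManager manager = GSSManager.getInstance();
        GSSName target = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        // null credential = default initiator credential from the logon session.
        GSSContext ctx = manager.createContext(
                target, spnego, null, GSSContext.DEFAULT_LIFETIME);
        try {
            ctx.requestMutualAuth(true);   // authenticate the server as well
            ctx.requestCredDeleg(false);   // do not forward the user's ticket
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            // Do not log the token itself; report its size only.
            String header = "Negotiate " + Base64.getEncoder().encodeToString(token);
            System.out.println("first token: " + token.length
                    + " bytes, header length " + header.length());
            System.out.println("established after one leg: " + ctx.isEstablished());
        } finally {
            ctx.dispose(); // release the native context handle
        }
    }
}
```

      Because "sun.security.jgss.lib" takes precedence over the built-in library, deployments that rely on the default can check at startup that the property is unset, as the example does.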

              People

              Assignee:
              mbalao Martin Balao
              Reporter:
              weijun Weijun Wang
              Reviewed By:
              Joe Darcy