Details
- Sub-task
- Resolution: Fixed
- P4
- None
- b78
- Verified
Description
Further enable unbound SASL for the GSSAPI/krb5 mech, so that the server can accept requests to any service for which it has keys in its keytab.
Precisely, in the main task we can already create a GSSAPI SASL server with serverName == null, but the service principal is still a concrete value that must be provided by the underlying mechanism, in this case the principal value in the JAAS login conf file. In this sub-task, there is no need to specify this principal field anymore. The client can request any service principal name; as long as the server can find keys for that service principal in its keytab file, authentication can proceed and the server acts as that principal.
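Because an unbound acceptor acts as any principal whose keys are in its keytab, the keytab contents become the effective list of identities the server will accept. The following is an added example, not code from the JDK or from this issue: it parses the MIT keytab file format (version 0x0502) and reports principals that are not on an allow-list. The sample bytes, principal names, realm and allow-list are constructed for illustration.

```python
import struct

def _counted(buf, off):
    """Read a uint16-length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def list_keytab_principals(data):
    """Return sorted unique (principal, kvno, enctype) for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # deleted slot ("hole"): skip its bytes
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            comps.append(comp)
        _ntype, _ts, kvno = struct.unpack_from(">IIB", entry, off)
        enctype, keylen = struct.unpack_from(">HH", entry, off + 9)
        off += 13 + keylen            # key bytes are skipped, never returned
        if len(entry) - off >= 4:     # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        found.add(("/".join(comps) + "@" + realm, kvno, enctype))
    return sorted(found)

def unexpected_principals(data, allowed):
    """Principals with keys in the keytab that are not on the allow-list."""
    return sorted({p for p, _, _ in list_keytab_principals(data)} - set(allowed))

def _entry(name, realm, kvno, enctype):
    """Build one constructed entry with an all-zero 32-byte key."""
    parts = name.split("/")
    body = struct.pack(">H", len(parts))
    for s in [realm] + parts:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, 32) + bytes(32)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: two service principals and one deleted slot.
SAMPLE = (b"\x05\x02" + _entry("imap/mail.example.test", "EXAMPLE.TEST", 3, 18)
          + struct.pack(">i", -6) + bytes(6)
          + _entry("host/mail.example.test", "EXAMPLE.TEST", 2, 18))
```

Run against a real keytab by passing the file's bytes to `unexpected_principals` together with the service principals the server is meant to accept.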
Issue Links
- duplicates
  - JDK-6979689 principalname always needed in krb5 login (Closed)
  - JDK-7112336 Request is for enhancements to the GSS API implementation and code paths (Closed)
- relates to
  - JDK-7110803 SASL service for multiple hostnames (Closed)
  - JDK-8005523 Unbound krb5 for TLS (Closed)