- CSR
- Resolution: Approved
- P3
- None
- behavioral
- minimal
- System or security property
- JDK
Differences with JDK CSR JDK-8210801: none.
Summary
Provide a default native GSS-API library on Windows so that users do not need to install a third-party library. This library is client-side (initiator) only and supports the Kerberos 5 and SPNEGO mechanisms.
Problem
In JDK 11 the native GSS bridge was ported to Windows, which allows the JDK to use an existing native GSS-API library. However, unlike other operating systems, where a native GSS-API library either ships out of the box or can be installed easily from the system package manager, Windows has no default native GSS-API library, so the user has to install a third-party one.
Using our own native GSS-API library brings other benefits as well; see the solution below.
Solution
Create a native GSS-API library for Windows and include it in the JDK as the default native GSS-API library. The library exposes its functions through the RFC 2743 GSS-API C bindings, and its implementation is based on the Windows SSPI APIs.
This native library is superior to the existing pure-Java GSS-API provider in that it can use the credentials cached by the Windows logon session directly. The Java GSS-API provider used to be able to read that cache (the ticket session key) when a registry value was set, but access to it is blocked on Windows 10 when Credential Guard is enabled. If the Java GSS-API provider cannot read the cache, it has to perform its own login by prompting the user for a username and password, which prevents Kerberos from being used as a single sign-on mechanism.
Specification
This library is loaded automatically by the native GSS bridge when the system property "sun.security.jgss.native" is set to "true". Users who want a third-party native GSS-API library instead can set the system property "sun.security.jgss.lib" to the path of that library.
This change is described on the Accessing Native GSS-API page.
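The following is an added example, not code from the CSR or the JDK source: a minimal SPNEGO initiator that relies on the native bridge described above to pick up the Windows logon credentials instead of prompting for a password. The service principal "HTTP@web.example.com" is an assumed placeholder; the program must be run on a domain-joined Windows machine as a logged-on domain user, with the properties shown in the comment.

```java
import java.util.Base64;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/*
 * Added example (not part of the CSR or the JDK).
 *
 * Default library shipped with the JDK:
 *   java -Dsun.security.jgss.native=true NativeGssClient HTTP@web.example.com
 *
 * Third-party native GSS-API library instead (assumed path):
 *   java -Dsun.security.jgss.native=true ^
 *        -Dsun.security.jgss.lib=C:\path\to\gssapi.dll NativeGssClient HTTP@web.example.com
 *
 * With the native bridge the "default" initiator credential is the Windows logon
 * session's Kerberos TGT, so no JAAS login and no password prompt is involved.
 */
public class NativeGssClient {

    // SPNEGO mechanism OID (RFC 4178); the library also supports the
    // Kerberos 5 mechanism OID 1.2.840.113554.1.2.2.
    private static final Oid SPNEGO = oid("1.3.6.1.5.5.2");

    private static Oid oid(String s) {
        try {
            return new Oid(s);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws GSSException {
        // Host-based service name, e.g. "HTTP@web.example.com" (assumed placeholder);
        // the bridge maps it to the SPN HTTP/web.example.com for SSPI.
        String service = args.length > 0 ? args[0] : "HTTP@web.example.com";

        if (!Boolean.getBoolean("sun.security.jgss.native")) {
            System.err.println("Warning: sun.security.jgss.native is not \"true\"; "
                    + "the pure-Java provider will be used and may prompt for a password.");
        }

        GSSManager manager = GSSManager.getInstance();
        GSSName target = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);

        // Passing null as the credential asks for the default initiator credential.
        GSSContext ctx = manager.createContext(target, SPNEGO, null,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // ask the server to authenticate too
        ctx.requestCredDeleg(false);   // never forward the TGT by default

        try {
            // First leg of the handshake: this is what would go into an
            // "Authorization: Negotiate <base64>" HTTP header.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("Initiator: " + ctx.getSrcName());
            System.out.println("Mechanism: " + ctx.getMech());
            System.out.println("Initial token (" + token.length + " bytes): "
                    + Base64.getEncoder().encodeToString(token));
            if (!ctx.isEstablished()) {
                System.out.println("Context not yet established: the server's reply token "
                        + "must be fed back into initSecContext() to complete mutual auth.");
            }
        } finally {
            ctx.dispose();
        }
    }
}
```

If the run prompts for a username and password, the native bridge was not engaged (property not set, or the process is not running under a logon session that holds a Kerberos TGT); checking `ctx.getSrcName()` against the expected domain account is a quick way to confirm that the logon credentials, rather than an interactive login, were used.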
- csr of: JDK-8312050 Provide a default native GSS-API library on Windows (Resolved)