Details
-
Enhancement
-
Resolution: Delivered
-
P4
-
None
Description
The "Troubleshooting Security" (https://docs.oracle.com/en/java/javase/21/security/troubleshooting-security.html) has a Note linking to a page on JSSE debugging. We can add a similar link on JGSS and Kerberos to their own troubleshooting page.
We already have such a page at https://docs.oracle.com/en/java/javase/21/security/troubleshooting.html#GUID-2087ADBA-6C36-43D5-8841-C79FCB4F5FBE but it's only focused on the Java Kerberos mechanism. I suggest we add a new troubleshooting page right in the "7 Java Generic Security Services (Java GSS-API)" section. The initial content should at least introduce the debugging options. There are several ways to enable debugging:
- In the Krb5LoginModule JAAS configuration entry, one can add "debug = true" to enable debugging there.
- Setting the system property "sun.security.jgss.debug" to "true" turns on debugging in the JGSS framework.
- Setting the system property "sun.security.krb5.debug" to "true" turns on debugging in Java Kerberos 5 mechanism.
- Setting the system property "sun.security.spnego.debug" to "true" turns on debugging in Java SPNEGO mechanism.
- Setting the system property "sun.security.nativegss.debug" to "true" turns on debugging in native JGSS bridge.
- Setting the environment variable SSPI_BRIDGE_TRACE to "true" turns on debugging in the SSPI bridge on Windows
The page should warn that debugging info might contain sensitive information.
Update: withJDK-8051959, we can add "decorations" to all the value above to print out thread info or timestamp, i.e.
* "+timestamp" string can be appended to property value
* to print timestamp information. (e.g. "true+timestamp")
* "+thread" string can be appended to property value
* to print thread and caller information. (e.g. "true+thread")
We already have such a page at https://docs.oracle.com/en/java/javase/21/security/troubleshooting.html#GUID-2087ADBA-6C36-43D5-8841-C79FCB4F5FBE but it's only focused on the Java Kerberos mechanism. I suggest we add a new troubleshooting page right in the "7 Java Generic Security Services (Java GSS-API)" section. The initial content should at least introduce the debugging options. There are several ways to enable debugging:
- In the Krb5LoginModule JAAS configuration entry, one can add "debug = true" to enable debugging there.
- Setting the system property "sun.security.jgss.debug" to "true" turns on debugging in the JGSS framework.
- Setting the system property "sun.security.krb5.debug" to "true" turns on debugging in Java Kerberos 5 mechanism.
- Setting the system property "sun.security.spnego.debug" to "true" turns on debugging in Java SPNEGO mechanism.
- Setting the system property "sun.security.nativegss.debug" to "true" turns on debugging in native JGSS bridge.
- Setting the environment variable SSPI_BRIDGE_TRACE to "true" turns on debugging in the SSPI bridge on Windows
The page should warn that debugging info might contain sensitive information.
Update: with
* "+timestamp" string can be appended to property value
* to print timestamp information. (e.g. "true+timestamp")
* "+thread" string can be appended to property value
* to print thread and caller information. (e.g. "true+thread")