JDK-8331976

Enable case-sensitive check in ccache and keytab entry lookup


    • CSR
    • Resolution: Approved
    • P4
    • 23
    • security-libs
    • None
    • behavioral
    • minimal
    • New system/security property. No behavior change if not set.
    • System or security property
    • JDK

      Summary

      Introduce a new system/security property to control the name comparison mode in Kerberos keytab and credentials cache (ccache) entry lookup.

      Problem

      While RFC 4120 defines Kerberos principal names to be case-sensitive, many vendors treat them as case-insensitive (for example, Windows Active Directory). In the current Kerberos implementation inside the JDK, keytab and ccache entry lookup works in case-insensitive mode for maximum interoperability.

      However, in a case-sensitive Kerberos environment, if two principals have names that differ only in case, there is a chance that the JDK picks the wrong entry and authentication fails.

      Solution

      Introduce a new system/security property named jdk.security.krb5.name.case.sensitive. When set to true, name comparison in keytab and ccache entry lookup works in case-sensitive mode. For backward compatibility, the default value is false.

      Specification

      Add the definition in java.security:

      #
      # Policy for name comparison in keytab and ccache entry lookup
      #
      # When looking up a keytab or credentials cache (ccache) entry for a Kerberos
      # principal, the principal name is compared with the name in the entry.
      # The comparison is by default case-insensitive. However, many Kerberos
      # implementations consider principal names to be case-sensitive. Consequently,
      # if two principals have names that differ only in case, there is a risk that
      # an incorrect keytab or ccache entry might be selected.
      #
      # If this security property is set to "true", the comparison of principal
      # names at keytab and ccache entry lookup is case-sensitive.
      #
      # The default value is "false".
      #
      # If a system property of the same name is also specified, it supersedes the
      # security property value defined here.
      #
      #jdk.security.krb5.name.case.sensitive=false
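      As an added illustration (not the JDK's own Kerberos code), the following stand-alone model shows the two lookup modes the property selects and the precedence rule above: the system property, when set, supersedes the value from java.security, and an unset property means case-insensitive. The Entry record, the lookup method and the sample principal names are constructed for this example.

```java
import java.security.Security;
import java.util.List;
import java.util.Optional;

// Hypothetical stand-alone model (not the JDK's code) of how the property
// changes which keytab/ccache entry is selected for a principal name.
public class Krb5NameCaseDemo {
    // Property introduced by JDK-8331976.
    static final String PROP = "jdk.security.krb5.name.case.sensitive";

    // Minimal stand-in for a keytab or ccache entry: principal name plus a label.
    record Entry(String principal, String label) {}

    // Effective mode: a system property of the same name supersedes the
    // security property from java.security; unset means false.
    static boolean caseSensitive() {
        String v = System.getProperty(PROP);
        if (v == null) {
            v = Security.getProperty(PROP);
        }
        return v != null && v.trim().equalsIgnoreCase("true");
    }

    // First entry whose principal name matches under the given mode.
    static Optional<Entry> lookup(List<Entry> entries, String principal, boolean caseSensitive) {
        for (Entry e : entries) {
            boolean match = caseSensitive
                    ? e.principal().equals(principal)
                    : e.principal().equalsIgnoreCase(principal);
            if (match) return Optional.of(e);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample: two entries whose principals differ only in case.
        List<Entry> keytab = List.of(
                new Entry("Service@EXAMPLE.COM", "key of Service"),
                new Entry("service@EXAMPLE.COM", "key of service"));
        String wanted = "service@EXAMPLE.COM";
        // Default mode: case-insensitive, so the first (wrong) entry is selected.
        System.out.println("default:   " + lookup(keytab, wanted, caseSensitive()).map(Entry::label).orElse("none"));
        // Opting in via the system property selects the exact match.
        System.setProperty(PROP, "true");
        System.out.println("sensitive: " + lookup(keytab, wanted, caseSensitive()).map(Entry::label).orElse("none"));
    }
}
```

      Run it once with the property unset and once with -Djdk.security.krb5.name.case.sensitive=true to see the selected entry change from "key of Service" to "key of service".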

            Weijun Wang
            Valerie Peng