New Features in JavaTM GSS for Java TM 2 SDK, Standard Edition, v 1.4.2 include the following:
- Configurable Kerberos Settings
The Kerberos Key Distribution Center (KDC) name and realm settings are provided in the Kerberos configuration file or via the system properties
java.security.krb5.realm. In previous releases, changes to the Kerberos configuration values would only take effect when an application was restarted.
In the 1.4.2 release of the Java platform, a new boolean option
refreshKrb5Configcan be specified in the entry for
Krb5LoginModulein the JAAS configuration file. If this option is set to
true, the configuration values will be refreshed before the
loginmethod of the
- Support for Slave Kerberos Key Distribution Center
Kerberos allows the use of slave KDCs so that if the master KDC is unavailable, the slave KDCs will respond to user requests. In earlier releases of the J2SE, Sun's implementation of Kerberos tried only the master KDC and would give up if there was no response within the default KDC timeout specified in the Kerberos configuration file, or 30 seconds if no timeout had been specified.
With this 1.4.2 release, Sun's implementation of Kerberos will retry with the slave KDC(s), if they are specified. The slave KDCs can be specified in the Kerberos configuration file or via a list of KDCs separated by a colon (
:) in the system property
- Support TCP for Kerberos Key Distribution Center Transport
Sun's implementation of Kerberos implements Kerberos version 5 according to RFC 1510 and uses UDP transport for ticket requests. A new Internet draft updates this RFC. One of the added features is required support for TCP as a transport in addition to UDP. As a result, in cases where Kerberos tickets exceed the UDP packet size limit, the KDC would return an error code indicating that the request should be resent over TCP.
In the current 1.4.2 release, Sun's implementation of Kerberos now supports automatic fallback to TCP. Therefore, if the Kerberos ticket request using UDP fails and the KDC returns the error code
KRB_ERR_RESPONSE_TOO_BIG, TCP is automatically the default transport.
The current draft which updates RFC 1510, is available online: http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-kerberos-clarifications-04.txt.
- Kerberos Service Ticket in the Subject's Private Credentials
The Kerberos service ticket is now stored in the Subject's private credentials. This change allows application developers access to the service ticket so that it can be used outside the JGSS (for example, in native applications or for proprietary uses). In addition, the service ticket can now be reused if the application tries to establish a security context to the same service again. The service ticket should be valid for it to be reusable.
Previously, when using Java Generic Security Services (JGSS) over Kerberos V5, if the
useSubjectCredsOnlyproperty was set to true, the Ticket Granting Ticket (TGT) was retrieved from the Subject and used to establish a GSS Security context. The service ticket obtained was not stored in the Subject. Now the service ticket is also stored in the Subject if
If a client application searches through the Subject's private credentials, in previous releases it would find only the TGT. As of this release, it also will find any Service ticket(s) obtained.
The bug report associated with this change is 4688866.
|firstname.lastname@example.org. This is not a subscription list.|| |