New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ELY-85] GSSAPI+SPNEGO workaround for JDK-8194073 (native Kerberos) #1060
Conversation
Can one of the admins verify this patch? |
this is ok to test |
Generally Ok but wonder if we could use a slightly more meaningful name for the property and possibly also a little bit more of the background in the comments so we know what this workaround is doing without needing to cross reference the BZ. Also should we support the property in the properties actually passed into the mechanism? That way it can be added to a wildfly-config.xml |
Updated: mechanism properties used instead:
|
@@ -393,11 +393,11 @@ private Configuration createConfiguration() throws IOException { | |||
if (IS_IBM) { | |||
options.put("noAddress", "true"); | |||
options.put("credsType", (isServer && !obtainKerberosTicket) ? "acceptor" : "both"); | |||
options.put("useKeytab", keyTab.toURI().toURL().toString()); | |||
if (keyTab != null) options.put("useKeytab", keyTab.toURI().toURL().toString()); | |||
} else { | |||
options.put("storeKey", "true"); | |||
options.put("useKeyTab", "true"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this still be true even if keyTab == null?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To set useKeyTab=true without setting of keytab is valid:
If keytab is not set then the module will locate the keytab from the Kerberos configuration file. If it is not specified in the Kerberos configuration file then it will look for the file {user.home}{file.separator}krb5.keytab.
(even through we use undefined keyTab primary in combination with native kerberos, which ignores this properties at all)
Added workaround to make native Kerberos working with GSSAPI and SPNEGO mechanisms.
(GS2 mechanism is blocked by another not-workaroundable JDK issue too, so kept without this.)
Also allowed null keyTab in GSSCredentialFactory (when checkKeyTab = false) - set keyTab is ignored when native Kerberos is used.
https://issues.jboss.org/browse/ELY-85