New Features in Java(TM) GSS for Java(TM) 2 SDK, Standard Edition, v 1.4.2 include the
following:
Configurable Kerberos Settings

The Kerberos Key Distribution Center (KDC) name and realm settings are
provided in the Kerberos configuration file or via the system properties
java.security.krb5.kdc and java.security.krb5.realm (the two properties are
used as a pair and, when set, take precedence over the configuration file).
In previous releases, changes to the Kerberos configuration values would
only take effect when the application was restarted.

In the 1.4.2 release of the Java platform, a new boolean option
refreshKrb5Config can be specified in the entry for Krb5LoginModule in the
JAAS configuration file. If this option is set to true, the configuration
values are re-read from the configuration file and the system properties
before the login method of the Krb5LoginModule is called, so a changed KDC
or realm takes effect on the next login without restarting the application.
Support for Slave Kerberos Key Distribution Center

Kerberos allows the use of slave KDCs so that if the master KDC is
unavailable, the slave KDCs will respond to user requests. In earlier
releases of the J2SE, Sun's implementation of Kerberos tried only the master
KDC and gave up if there was no response within the KDC timeout
(kdc_timeout) specified in the Kerberos configuration file, or 30 seconds if
no timeout had been specified.

With this 1.4.2 release, Sun's implementation of Kerberos retries with the
slave KDC(s), in the order listed, if they are specified. The slave KDCs can
be specified in the Kerberos configuration file (as additional kdc entries
for the realm) or via a list of KDCs separated by a colon (:) in the system
property java.security.krb5.kdc, with the master KDC listed first.
Support TCP for Kerberos Key Distribution Center Transport

Sun's implementation of Kerberos implements Kerberos version 5 according to
RFC 1510 and uses UDP transport for ticket requests. A new Internet draft
updates this RFC (the draft was later published as RFC 4120). One of the
added features is required support for TCP as a transport in addition to
UDP. Under the updated protocol, when a reply would not fit in a UDP
datagram (for example, a response carrying a ticket that exceeds the UDP
packet size limit), the KDC returns an error code indicating that the
request should be resent over TCP.

In the current 1.4.2 release, Sun's implementation of Kerberos supports
automatic fallback to TCP. If a Kerberos ticket request over UDP fails and
the KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, the same request is
automatically resent over TCP. For the fallback to succeed, TCP (as well as
UDP) to the KDC port must be reachable through any firewall between the
client and the KDC.
Kerberos Service Ticket in the Subject's Private Credentials

The Kerberos service ticket is now stored in the Subject's private
credentials. This change gives application developers access to the service
ticket so that it can be used outside JGSS (for example, in native
applications or for proprietary uses). In addition, the service ticket can
now be reused if the application tries to establish a security context to
the same service again; a stored service ticket is reused only while it is
still valid.

Previously, when using Java Generic Security Services (JGSS) over Kerberos
V5, if the useSubjectCredsOnly property was set to true, the Ticket Granting
Ticket (TGT) was retrieved from the Subject and used to establish a GSS
security context, but the service ticket obtained was not stored in the
Subject. Now the service ticket is also stored in the Subject if
useSubjectCredsOnly is true.

If a client application searches through the Subject's private credentials,
in previous releases it would find only the TGT. As of this release, it will
also find any service ticket(s) obtained. Because each stored ticket carries
its session key, any code that can read the Subject's private credentials
(under a security manager, code granted the corresponding
PrivateCredentialPermission) can use those tickets; protect the Subject
accordingly.

The bug report associated with this change is 4688866.
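The following program is an added example, not code from these release notes or from the JDK, that exercises the features described above together: it sets a colon-separated master/slave KDC list via the system properties, builds the Krb5LoginModule entry with refreshKrb5Config=true in code rather than in a JAAS configuration file, obtains a service ticket through JGSS (letting the UDP-to-TCP fallback happen underneath), and then walks the Subject's private credentials to tell the TGT apart from the service ticket and check that each is still valid. The realm EXAMPLE.COM, the hosts kdc1.example.com, kdc2.example.com and server.example.com, the login entry name Krb5Client and the class name are assumptions; it also assumes a reachable KDC and an existing ticket cache for the user (for example from kinit). It avoids generics so that it also compiles on 1.4.2.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Example client; realm, KDC and service names are placeholders. */
public class Krb5ClientDemo {

    // Same entry a JAAS configuration file would carry, built in code:
    //   Krb5Client { com.sun.security.auth.module.Krb5LoginModule required
    //                refreshKrb5Config=true useTicketCache=true; };
    static final class Krb5Config extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map options = new HashMap();
            options.put("refreshKrb5Config", "true"); // re-read KDC/realm at each login
            options.put("useTicketCache", "true");    // take the TGT from the ticket cache
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options)
            };
        }
        public void refresh() { }
    }

    public static void main(String[] args) throws Exception {
        // Both properties are set together; they override krb5.conf.
        // Master KDC first, slave after it, separated by a colon: 1.4.2 tries
        // the next KDC when the previous one does not answer in time.
        System.setProperty("java.security.krb5.realm", "EXAMPLE.COM");
        System.setProperty("java.security.krb5.kdc",
                           "kdc1.example.com:kdc2.example.com");
        // Make JGSS use the credentials held in the Subject.
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
        Configuration.setConfiguration(new Krb5Config());

        LoginContext lc = new LoginContext("Krb5Client");
        lc.login();                       // the TGT lands in the Subject
        final Subject subject = lc.getSubject();

        // host@server.example.com maps to host/server.example.com@EXAMPLE.COM
        final String service = args.length > 0 ? args[0] : "host@server.example.com";

        Subject.doAs(subject, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                GSSManager mgr = GSSManager.getInstance();
                GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
                Oid krb5Mech = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5
                GSSContext ctx = mgr.createContext(peer, krb5Mech, null,
                                                   GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);
                // The first initSecContext call sends the TGS-REQ for the
                // service ticket (UDP, resent over TCP on
                // KRB_ERR_RESPONSE_TOO_BIG) and, as of 1.4.2, stores that
                // ticket in the Subject. The token would go to the server;
                // this example stops before that exchange.
                byte[] token = ctx.initSecContext(new byte[0], 0, 0);
                System.out.println("initial context token: " + token.length + " bytes");
                ctx.dispose();
                return null;
            }
        });

        listTickets(subject);
    }

    /** Classifies each ticket in the Subject as the TGT (server principal
     *  krbtgt/REALM@REALM) or a service ticket and shows whether it is
     *  still valid, which is the condition for it to be reused. */
    static void listTickets(Subject subject) {
        Set tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (Iterator it = tickets.iterator(); it.hasNext();) {
            KerberosTicket t = (KerberosTicket) it.next();
            KerberosPrincipal server = t.getServer();
            boolean tgt = server.getName().startsWith("krbtgt/");
            System.out.println((tgt ? "TGT" : "service ticket")
                + " client=" + t.getClient()
                + " server=" + server
                + " expires=" + t.getEndTime()
                + " valid=" + t.isCurrent());
        }
    }
}
```

Run it as `java Krb5ClientDemo host@server.example.com` after a kinit for the user; on a 1.4.2 or later JDK the listing shows the krbtgt entry and, after the doAs block, the host/server.example.com ticket as well. The same listTickets walk is what native or proprietary code would use to pull a ticket (and its session key) out of the Subject, which is why the Subject should not be handed to untrusted code.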