[jcifs] Will you review my patch to make jcifs-krb5-1.3.17 work on JDK 7, please?

Michael B Allen ioplex at gmail.com
Sun Feb 2 13:51:23 MST 2014 

Hi Kiju,

The jcifs-krb5 package is externally contributed and as such it is not
maintained by the JCIFS project. Also, I was not successful in testing
the last contributed package so I cannot endorse it either.

Now if you're wondering why we even have that package on the site, the
problem is that to properly integrate kerberos into JCIFS I would
first need to factor out all of the NtlmPasswordAuthentication code
and provide a different technique for retrieving credentials as either
properties (which means factoring out the global static Config class)
or by using Thread storage like JAAS. So we don't have proper Kerberos
support because it would require some significant refactoring that
would change the API in ways that would not be backward compatible. So
as a consolation, we host the contributed jcifs-krb5 package just to
give people something.

Mike

On Tue, Jan 28, 2014 at 3:41 AM, Kiju Kim <kiju98 at gmail.com> wrote:
> Hi,
>
> I've noticed KerbAuthExample in jcifs-krb5-1.3.17 doesn't work on JDK 7.
> It works fine on JDK 6 but produces "jcifs.smb.SmbAuthException:
> Access is denied." on JDK 7.
>
> I've learned that it is due to the change how JDK generates subKey
> (https://bugs.openjdk.java.net/browse/JDK-8031973).
>
> I prepared the following patch for Kerb5Context.java and saw
> KerbAuthExample worked fine on JDK 7.
> But I'm newt to jcifs and want my patch reviewed.
>
> <                 return ticket.getSessionKey();
> ---
>>                 com.sun.security.jgss.ExtendedGSSContext ec =
>>                         (com.sun.security.jgss.ExtendedGSSContext) gssContext;
>
>>                 return (Key) ec.inquireSecContext(
>>                         com.sun.security.jgss.InquireType.KRB5_GET_SESSION_KEY
> );
>>                 //return ticket.getSessionKey();
>
> Note that ExtendedGSSContext and InquireType are classes newly added in JDK 7.
> Also note that there is a small difference between the Key object
> returned by ticket.getSessionKey() and
> ec.inquireSecContext(KRB5_GET_SESSION_KEY) that their getAlgorithm()
> outputs are different. The former returns "DES" etc, but the later
> returns "1" etc. Looks like it doesn't affect the behavior of
> KerberosAuthExample but I'm not sure if getAlgorithm() is used
> elsewhere.
>
> Thanks and regards,
> Kiju



-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

More information about the jCIFS mailing list