Java Generic Security Services and Kerberos

Feature Enhancements Added to Java

Security Contents

This page describes and lists security features and enhancements added to the Java Generic Security Services API (Java GSS) and Kerberos, by major version number, from v1.4 through v1.8.

NOTE: The APIs and features described in this document are subject to change.


Java Generic Security Services API and Kerberos Enhancements for Java SE 8

The following enhancements were added to the Java GSS API and Kerberos implementation in Java SE 8.

MS-SFU Kerberos Extensions for JDK 8

MS-SFU refers to Microsoft Kerberos 5 extensions that allow a service to obtain a Kerberos service ticket on behalf of a client. This is useful when the authentication between the client and this service is not established through Kerberos (thus the standard Kerberos delegation cannot be used) but the service needs to access a Kerberos-secured back-end server in the name of the client.

Support for the MS-SFU extensions was added in JDK 8. This includes support for the S4U2self and S4U2proxy protocols, as defined in MS-SFU.

This feature is very useful in secure enterprise deployments. For example, in a typical network service, the front end (such as a web server) often needs to access the back end (such as a database server) on behalf of a client. Normal Kerberos 5 supports delegation, but demands that all layers in this chain explicitly use Kerberos authentication at each step, which is not always possible or desirable.

For example, if a client logs in to a web server using digest authentication, then there are no Kerberos credentials to be delegated, and normal step-by-step Kerberos 5 authentication cannot occur. However, because MS-SFU defines the Service for User (S4U2self) extension so that the front end can access the back end on behalf of the client without presenting the client's Kerberos credentials, MS-SFU could provide authentication in this situation.

In addition, there are potential security gaps in the standard Kerberos 5 delegation mechanism (which Microsoft calls open delegation). In this mechanism, once the service account has the client's delegated credentials, it has access to any service. Thus, great care is needed with open delegation.

In contrast, the MS-SFU delegation (implemented in S4U2proxy) is much more secure. Here the administrator can precisely control the services to which a particular service can delegate. (Microsoft calls this constrained delegation.)

MS-SFU Implementation Details

The original Kerberos 5 protocol was defined in RFC 4120. MS-SFU adds two extensions to that protocol: Service for User to Self (S4U2self), which allows a front-end service to obtain a Kerberos service ticket to itself on behalf of a user, and Service for User to Proxy (S4U2proxy), which enables it to obtain a service ticket on behalf of the user to a second, back-end service.

Together, these two extensions enable the front-end service to obtain a Kerberos service ticket on behalf of a user. The resulting service ticket can be used to access other services on the local or remote machines.

A new public method (GSSCredential::impersonate) has been added to the com.sun.security.jgss package to implement these extensions.

Java Generic Security Services API and Kerberos Enhancements for Java SE 6

The following enhancements were added to the Java Generic Security Services API (Java GSS) and Kerberos implementation in Java SE 6.


Java Generic Security Services API and Kerberos Enhancements for Java SE 5.0

The following enhancements were added to the Java Generic Security Services API (Java GSS) and Kerberos implementation in Java SE 5.0.


New Features in Java GSS for Java 2 SDK, Standard Edition, v 1.4.2


Copyright © 1993, 2014, Oracle and/or its affiliates. All rights reserved.