When to Use Java GSS-API Versus JSSE

Java GSS-API and JSSE provide you with the same basic set of security features:

  1. Client-server authentication
  2. Encryption and integrity protection of transmitted data

However, there are some key differences between the two. This document lists some of them to help you decide which might be more appropriate in your environment:

  1. Kerberos Single Sign-On Support

    GSS-API contains support for Kerberos as a mandatory security mechanism. This means that if your desktop has Kerberos support, you can write Java GSS-API based applications that never prompt the user for a password.

    RFC 2712, Addition of Kerberos Cipher Suites to Transport Layer Security (TLS), defined Kerberos cipher suites for TLS, but that document is out of date and does not cover modern encryption types such as AES.

  2. Communications API

    JSSE supports a socket-based API. JSSE sockets extend the socket classes found in java.net and JSSE socket factories extend the socket factories found in javax.net. Thus, if your application is written such that its security needs to be configured via a socket factory, then JSSE might be more appropriate for you. JSSE sockets need to use some reliable transport. Typically, implementations use TCP.

    Java GSS-API, on the other hand, is a token-based API that relies on the application to do the communication. This means that the application can use TCP sockets, UDP datagrams, or any other channel that will allow it to transport Java GSS-API generated tokens. If your application has varying communication protocol needs, then Java GSS-API might be more appropriate for you. Java GSS-API can read and write its tokens using input and output streams. However, you will need to set up the streams yourself.

  3. Credential Delegation

    Java GSS-API allows the client to delegate its credentials to the server when using Kerberos. If your application will be deployed in a multi-tier environment where intermediaries need to impersonate clients when talking to backend layers, Java GSS-API might be more appropriate for you.

  4. Selective Encryption

    Because Java GSS-API is token-based, you can choose to selectively encrypt certain messages but not all. If your application needs to intersperse plaintext and ciphertext messages, Java GSS-API might be more appropriate for you.

  5. Protocol Requirements

    JSSE provides implementations of the TLS protocol including TLS version 1.3 and TLS version 1.2. Java GSS-API provides an implementation of the GSS-API framework defined in Generic Security Service API Version 2: Java Bindings Update (RFC 5653), as well as an implementation of the Kerberos Version 5 mechanism defined in The Kerberos Version 5 GSS-API Mechanism (RFC 1964). (On Microsoft Windows platforms, this may be known as SSPI with Kerberos.) Some servers such as HTTPS servers will require you to use TLS, in which case JSSE will be appropriate for you. Other servers such as LDAP servers using SASL might need GSS-API with Kerberos, in which case Java GSS-API will be appropriate for you.
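The token-based model from items 2 and 4 above, as an added example that is not Oracle's or the JDK's own code: the application drives the context-establishment loop over streams it set up itself, and then decides per message whether to encrypt. The class name, the 4-byte length-prefix framing, and the service name format are this example's own assumptions.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

public final class GssClientExample {
    // Establishes a Kerberos V5 context with a host-based service (e.g. "ldap@dir.example.com", a
    // constructed name) over caller-supplied streams; the 4-byte length prefix is this example's framing.
    public static GSSContext establish(String service, DataInputStream in, DataOutputStream out)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID (RFC 1964)
        GSSContext ctx = manager.createContext(peer, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);  // authenticate the server to the client as well
        ctx.requestConf(true);        // allow wrap() to encrypt
        ctx.requestInteg(true);       // every wrapped message carries an integrity check
        ctx.requestCredDeleg(false);  // enable only when a multi-tier design needs impersonation
        byte[] token = new byte[0];
        while (!ctx.isEstablished()) {
            token = ctx.initSecContext(token, 0, token.length);
            if (token != null) { out.writeInt(token.length); out.write(token); out.flush(); }
            if (!ctx.isEstablished()) { token = new byte[in.readInt()]; in.readFully(token); }
        }
        // request*() only asks; verify what the mechanism actually granted before trusting the channel
        if (!ctx.getMutualAuthState() || !ctx.getIntegState() || !ctx.getConfState()) {
            ctx.dispose();
            throw new GSSException(GSSException.UNAVAILABLE);
        }
        return ctx;
    }

    // Sends one message: encrypt=false gives integrity-protected plaintext, encrypt=true gives ciphertext.
    public static void send(GSSContext ctx, DataOutputStream out, String msg, boolean encrypt)
            throws GSSException, IOException {
        byte[] data = msg.getBytes(StandardCharsets.UTF_8);
        MessageProp prop = new MessageProp(0, encrypt); // QOP 0 = mechanism default
        byte[] wrapped = ctx.wrap(data, 0, data.length, prop);
        // wrap() clears the privacy flag if confidentiality could not be applied; refuse to send in that case
        if (encrypt && !prop.getPrivacy()) throw new GSSException(GSSException.UNAVAILABLE);
        out.writeInt(wrapped.length); out.write(wrapped); out.flush();
    }
}
```

The peer reads each length-prefixed token, calls `unwrap` with a fresh `MessageProp`, and checks `getPrivacy()` on it to learn whether that particular message was encrypted or only integrity-protected.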