1

Windows XP sends the SPNEGO token in the Authorization header to our server, which understands the Kerberos protocol. The server application is implemented using the GSS-API provided by Java.

Our code extracts the UPN from the SPNEGO token and validates it against the LDAP store. If the UPN contains only ASCII chars (less than 127), then everything works fine.

But if the user name contains non-ASCII chars (e.g. Irish fada), then the Java GSS-API interprets them as junk chars for some reason.

I would like to know whether a Java 7 GSS name can contain non-ASCII chars?

Jorge_B

2 Answers

2

RFC 1510 mandates a GeneralString for principal names, which is a UTF-8 encoded string as per RFC 3641. So you should check the bytes in Wireshark first to see whether they are OK or not. If you think that JGSS does not follow that, you should file a ticket with Oracle.

Michael-O
  • This is part of Kerberos that has always been contentious, and many older Kerberos implementations do not follow the most recent RFCs. My experience with the Java Kerberos libraries is that they do not keep up with the advancing standards. – Fred the Magic Wonder Dog Feb 21 '14 at 03:29
0

Fortunately, Java 7 has a way to do it. Just add the system property -Dsun.security.krb5.msinterop.kstring=true to the command line that runs your server.

For more details see: http://bugs.java.com/view_bug.do?bug_id=2182089

ilalex
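The "junk chars" symptom from the question, and the byte-level check suggested in the first answer, as an added example that is not code from any of the posts or from the JDK. The class and method names are hypothetical, the DER bytes are a constructed sample, and the example assumes the client put UTF-8 bytes on the wire. It decodes the same name bytes leniently under three charsets, then strictly as UTF-8 so that a malformed name is rejected before it reaches the LDAP lookup.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class PrincipalNameDecoding {
    static final int TAG_GENERAL_STRING = 0x1B; // ASN.1 universal tag 27

    // Content octets of a short-form DER GeneralString (length below 128).
    static byte[] generalStringContent(byte[] der) {
        if (der.length < 2 || (der[0] & 0xFF) != TAG_GENERAL_STRING)
            throw new IllegalArgumentException("not a GeneralString");
        int len = der[1] & 0xFF;
        if (len >= 0x80 || der.length != 2 + len)
            throw new IllegalArgumentException("unsupported or inconsistent length");
        return Arrays.copyOfRange(der, 2, 2 + len);
    }

    // Strict decode: malformed UTF-8 raises instead of being silently replaced,
    // so a damaged name is never used as an LDAP search key.
    static String strictUtf8(byte[] raw) throws CharacterCodingException {
        return StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(raw)).toString();
    }

    public static void main(String[] args) throws CharacterCodingException {
        // Constructed sample: name component "seán" as UTF-8: 's' 'e' C3 A1 'n'.
        byte[] der = {0x1B, 0x05, 's', 'e', (byte) 0xC3, (byte) 0xA1, 'n'};
        byte[] raw = generalStringContent(der);

        // Lenient decoding never fails; a wrong charset just yields a different
        // string, which then does not match the directory entry.
        Charset[] candidates = {StandardCharsets.US_ASCII,
                StandardCharsets.ISO_8859_1, StandardCharsets.UTF_8};
        for (Charset cs : candidates) {
            String name = new String(raw, cs);
            System.out.printf("%-10s -> %s (length %d, replacement chars: %b)%n",
                    cs.name(), name, name.length(), name.indexOf('\uFFFD') >= 0);
        }
        System.out.println("strict UTF-8 -> " + strictUtf8(raw));
    }
}
```

ISO-8859-1 maps every byte to a character, so a wrong Latin-1 decode produces no replacement characters and only the strict UTF-8 pass or a comparison against the directory value reveals it.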