RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos
Michael McMahon
michaelm at openjdk.java.net
Fri Jan 14 11:09:46 UTC 2022
Hi,
This change adds Channel Binding Token (CBT) support to HTTPS (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos) authentication scheme. When enabled, the implementation preemptively includes a CBT with authentication requests over Kerberos. The feature is enabled as follows:
A system property "jdk.spnego.cbt" is defined which can have the values "never" (default), which means the feature is disabled, "always", which means the CBT is included for all https Negotiate authentications, or it can take the form "domain:a,b.c,*.d.com" which is a comma separated list of domains/hosts where the feature is enabled, and disabled everywhere else. In the given example, the CBT would be included in authentication requests for hosts "a", "b.c" and all hosts under the domain "d.com" and all of its sub-domains.
A test will be added separately to the implementation.
Bug report: https://bugs.openjdk.java.net/browse/JDK-8279842
Thanks,
Michael
-------------
Commit messages:
- cleanup but still no test. Will be added in closed repo
- First version of fix. No test and feature enabled always.
Changes: https://git.openjdk.java.net/jdk/pull/7065/files
Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=7065&range=00
Issue: https://bugs.openjdk.java.net/browse/JDK-8279842
Stats: 149 lines in 7 files changed: 143 ins; 0 del; 6 mod
Patch: https://git.openjdk.java.net/jdk/pull/7065.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/7065/head:pull/7065
PR: https://git.openjdk.java.net/jdk/pull/7065
More information about the core-libs-dev
mailing list