RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos
Weijun Wang
weijun at openjdk.java.net
Sat Jan 15 00:47:27 UTC 2022
On Fri, 14 Jan 2022 18:40:41 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> src/java.base/share/classes/sun/net/www/http/HttpClient.java line 152:
>>
>>> 150: * If enabled (for a particular destination) then SPNEGO authentication requests will include
>>> 151: * a channel binding token for the destination server. The default behavior and setting for the
>>> 152: * property is "never"
>>
>> Maybe this description should be added to `src/java.base/share/classes/java/net/doc-files/net-properties.html` too?
>
> It's actually purely a system property rather than a Net property at the moment (same as the other spnego ones). Maybe I should convert them all to net properties, so they can be documented/set in that file?
This system property should only be used for TLS, and the CBT can be used in both the SPNEGO mechanism and the Kerberos 5 mechanism. Therefore I suggest the name should probably contain "tls" (or maybe "https") and "negotiate".
BTW, will you reuse this system property if we decide to support CBT in NTLM as well?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7065