RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos [v4]

Daniel Fuchs dfuchs at openjdk.java.net
Fri Jan 21 15:43:47 UTC 2022


On Fri, 21 Jan 2022 15:26:33 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

>> Hi,
>> 
>> This change adds Channel Binding Token (CBT) support to HTTPS (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos) authentication scheme. When enabled, the implementation preemptively includes a CBT with authentication requests over Kerberos. The feature is enabled as follows:
>> 
>> A system property "jdk.spnego.cbt" is defined which can have the values "never" (default), which means the feature is disabled, "always", which means the CBT is included for all https Negotiate authentications, or it can take the form "domain:a,b.c,*.d.com" which is a comma separated list of domains/hosts where the feature is enabled, and disabled everywhere else. In the given example, the CBT would be included in authentication requests for hosts "a", "b.c" and all hosts under the domain "d.com" and all of its sub-domains.
>> 
>> A test will be added separately to the implementation.
>> 
>> Bug report: https://bugs.openjdk.java.net/browse/JDK-8279842
>> 
>> Thanks,
>> Michael
>
> Michael McMahon has updated the pull request incrementally with one additional commit since the last revision:
> 
>   more tidy-up

Marked as reviewed by dfuchs (Reviewer).

src/java.naming/share/classes/com/sun/jndi/ldap/sasl/LdapSasl.java line 144:

> 142:                         } catch (ChannelBindingException e) {
> 143:                             throw new NamingException(e.getMessage());
> 144:                         }

Should we call initCause here and above? I see that we do call initCause in NegotiatorImpl.java.
On the one hand it's better for diagnostics. On the other hand it exposes a module-internal exception class, which is not great. Or maybe we should set the cause of the CBE as the cause of the NamingException.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7065
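The matching rules for the "jdk.spnego.cbt" property value quoted in the description above, as an added Java illustration that is not the JDK's own code: the class CbtPolicy, the method sendCbtFor, and the decision to treat the bare apex "d.com" as covered by "*.d.com" are assumptions made here for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Added illustration of the "jdk.spnego.cbt" semantics described in the PR text.
 * This is NOT the JDK implementation; class and method names are made up.
 */
public final class CbtPolicy {
    private final boolean always;
    private final List<String> exact = new ArrayList<>();    // "a", "b.c"
    private final List<String> suffixes = new ArrayList<>(); // ".d.com" from "*.d.com"

    public CbtPolicy(String value) {
        String v = value == null ? "never" : value.trim().toLowerCase(Locale.ROOT);
        if (v.equals("always")) {
            always = true;
        } else if (v.startsWith("domain:")) {
            always = false;
            for (String entry : v.substring("domain:".length()).split(",")) {
                entry = entry.trim();
                if (entry.isEmpty()) continue;
                if (entry.startsWith("*.")) {
                    suffixes.add(entry.substring(1)); // keep the leading '.'
                } else {
                    exact.add(entry);
                }
            }
        } else {
            always = false; // "never" (the default) and anything unrecognised: feature off
        }
    }

    /** True if a CBT should be sent for an HTTPS Negotiate exchange with this host. */
    public boolean sendCbtFor(String host) {
        if (always) return true;
        String h = host.trim().toLowerCase(Locale.ROOT);
        if (exact.contains(h)) return true;
        for (String s : suffixes) {
            // "*.d.com" covers every host under d.com; the apex "d.com" itself is
            // accepted too (assumption), by matching the suffix without its leading dot.
            if (h.endsWith(s) || h.equals(s.substring(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: the value from the PR description unless the property is set.
        CbtPolicy p = new CbtPolicy(System.getProperty("jdk.spnego.cbt", "domain:a,b.c,*.d.com"));
        for (String host : new String[] {"a", "b.c", "x.y.d.com", "d.com", "notd.com", "e.org"}) {
            System.out.println(host + " -> " + p.sendCbtFor(host));
        }
    }
}
```

Note that "notd.com" is rejected because the wildcard suffix keeps its leading dot, so only true sub-domains (or the apex) of "d.com" match.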