RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos [v7]
Weijun Wang
weijun at openjdk.java.net
Tue Jan 25 00:44:44 UTC 2022
On Mon, 24 Jan 2022 22:11:51 GMT, Michael McMahon <michaelm at openjdk.org> wrote:
>> Hi,
>>
>> This change adds Channel Binding Token (CBT) support to HTTPS (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos) authentication scheme. When enabled, the implementation preemptively includes a CBT with authentication requests over Kerberos. The feature is enabled as follows:
>>
>> A system property "jdk.spnego.cbt" is defined which can have the values "never" (default), which means the feature is disabled, "always", which means the CBT is included for all https Negotiate authentications, or it can take the form "domain:a,b.c,*.d.com" which is a comma separated list of domains/hosts where the feature is enabled, and disabled everywhere else. In the given example, the CBT would be included in authentication requests for hosts "a", "b.c" and all hosts under the domain "d.com" and all of its sub-domains.
>>
>> A test will be added separately to the implementation.
>>
>> Bug report: https://bugs.openjdk.java.net/browse/JDK-8279842
>>
>> Thanks,
>> Michael
>
> Michael McMahon has updated the pull request incrementally with one additional commit since the last revision:
>
> more updates
Looks good to me. Only several wording and style suggestions.
I know you are asking SQE to create a security infra test, but I'll see if I can contribute a regression test. Don't wait for me.
src/java.base/share/classes/java/net/doc-files/net-properties.html line 223:
> 221: <OL>
> 222: <LI><P>"never". This is also the default value if the property is not set. In this case,
> 223: CBT's are never sent.</P>
Typo, "CBTs"?
src/java.base/share/classes/java/net/doc-files/net-properties.html line 224:
> 222: <LI><P>"never". This is also the default value if the property is not set. In this case,
> 223: CBT's are never sent.</P>
> 224: <LI><P>"always". CBTs are sent for all Kerberos authentication attempts over HTTPS.</P>
Shall we remove "Kerberos"? Or we can use "Kerberos or Negotiate".
src/java.base/share/classes/sun/net/www/protocol/https/AbstractDelegateHttpsURLConnection.java line 1:
> 1: /**
This is not a doc comment.
src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java line 124:
> 122: try {
> 123: init(hci);
> 124: } catch (GSSException | ChannelBindingException e) {
Two spaces before "e".
-------------
Marked as reviewed by weijun (Reviewer).
PR: https://git.openjdk.java.net/jdk/pull/7065
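As an added illustration (not code from the PR or the JDK), here is one way the "never" / "always" / "domain:a,b.c,*.d.com" values of jdk.spnego.cbt described in the PR summary could be turned into a per-host decision. The class name, the case-folding of host names, the fail-closed handling of unrecognised values and the treatment of the bare apex under a "*." entry are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Constructed illustration of the jdk.spnego.cbt value syntax from the PR
// summary; this is not the JDK's implementation.
public final class CbtPolicy {
    private final boolean always;
    private final List<String> exactHosts = new ArrayList<>(); // "a", "b.c"
    private final List<String> suffixes = new ArrayList<>();   // ".d.com" from "*.d.com"
    private CbtPolicy(boolean always) { this.always = always; }

    // Accepts "never", "always" or "domain:a,b.c,*.d.com". Unset or
    // unrecognised values fall back to "never" (assumed fail-closed default).
    public static CbtPolicy parse(String value) {
        if (value == null) return new CbtPolicy(false);
        String v = value.trim().toLowerCase(Locale.ROOT);
        if (v.equals("always")) return new CbtPolicy(true);
        if (!v.startsWith("domain:")) return new CbtPolicy(false);
        CbtPolicy p = new CbtPolicy(false);
        for (String entry : v.substring("domain:".length()).split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) continue;
            if (e.startsWith("*.")) {
                p.suffixes.add(e.substring(1));   // keep the dot: ".d.com"
            } else {
                p.exactHosts.add(e);
            }
        }
        return p;
    }
    // True when a CBT should accompany the Negotiate request to this host.
    // Exact entries match the whole host name only; "*.d.com" matches any host
    // ending in ".d.com" (assumption: the bare apex "d.com" is not included).
    public boolean sendCbt(String host) {
        if (always) return true;
        String h = host.toLowerCase(Locale.ROOT);
        if (exactHosts.contains(h)) return true;
        for (String s : suffixes) {
            if (h.endsWith(s)) return true;
        }
        return false;
    }
    public static void main(String[] args) {
        CbtPolicy p = CbtPolicy.parse("domain:a,b.c,*.d.com");
        for (String h : new String[] {"a", "b.c", "www.d.com", "x.y.d.com", "b.c.evil", "notd.com"}) {
            System.out.println(h + " -> " + p.sendCbt(h));
        }
    }
}
```

Note that the suffix check requires the leading dot, so a host such as "notd.com" or "b.c.evil" does not match the "*.d.com" or "b.c" entries.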