[security-dev 01452]: code reviewer request: 6844193: support max_retries in krb5.conf

Max Wang Weijun.Wang at Sun.COM
Wed Dec 9 08:00:06 UTC 2009


Hi Valerie

Another RFE, please take a review:

     http://cr.openjdk.java.net/~weijun/6844193/webrev.02/

Basically, this RFE allows max_retries, kdc_timeout, and
udp_preference_limit to be configurable in three layers:

   1. hard coded defaults in JRE
   2. global values in krb5.conf's [libdefaults]
   3. realm-specific in krb5.conf's [realms]

Currently, max_retries is simply not configurable,
udp_preference_limit can only be configured globally, and kdc_timeout
can be configured to be realm-specific. This RFE puts them on the same
level.

This RFE is for OpenJDK 7 only.

Thanks
Max


On Dec 9, 2009, at 11:54 AM, Max (Weijun) Wang wrote:

> Hi Valerie
>
>  Webrev updated:
>
>    http://cr.openjdk.java.net/~weijun/6843127/webrev.01
>
>  1. Add synchronized modifier to all methods
>  2. s/PreferredKDCList/KdcAccessbility/g
>  3. s/goodkdcs/list/g
>
> Hi All
>
>  I need another code reviewer, want to backport it to 6u20.
>
>  The bug is at --
>
>    http://bugs.sun.com/view_bug.do?bug_id=6843127
>
>  The description of the fix is at --
>
>    http://cr.openjdk.java.net/~weijun/6843127/webrev.01/src/share/lib/security/java.security.cdiff.html
>
> Thanks
> Max
>
> On Dec 9, 2009, at 8:59 AM, Valerie Peng wrote:
>
>> Hi, Max,
>>
>> Ok, it sounds like there isn't an easy way to centralize the KDC  
>> accessibility policy, timeout, and the number of retries. Let's  
>> just leave it as is then.
>> Your changes generally look fine and here are my only comments:
>> <KrbKdcReq.java>
>> 1. PreferredKDCList.bads is of type HashSet whose access needs to  
>> be explicitly synchronized?
>> 2. Some nitpicking on naming, it seems somewhat confusing to name  
>> the class "PreferredKDCList" when it includes all kdcs for that  
>> specific realm. Maybe something like "KdcAvailability",  
>> "KdcAccessibility", or "KdcByAvailability", etc. Same goes for the  
>> local variable "goodkdcs" in its list(String) method which actually  
>> contains all kdcs for the specific realm in the end.
>>
>> Thanks,
>> Valerie
>>
>> On 11/22/09 22:10, Max (Weijun) Wang wrote:
> ....
>
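
The three-layer lookup described in the first message above (realm-specific value, then [libdefaults], then a built-in default), as an added example that is not part of the original thread and is not the JDK's implementation. The class name, the minimal parser, the sample krb5.conf and the built-in default values are all constructed for illustration; it assumes Java 9 or later.

```java
import java.util.*;

public class LayeredKrb5Lookup {
    // Layer 1: placeholder built-in defaults (constructed, not taken from the JRE).
    static final Map<String, Integer> BUILT_IN = Map.of(
        "max_retries", 3, "kdc_timeout", 30000, "udp_preference_limit", 1465);

    // Constructed sample krb5.conf: one realm overrides max_retries, the other does not.
    static final String SAMPLE = String.join("\n",
        "[libdefaults]", "  kdc_timeout = 10000", "  max_retries = 2",
        "[realms]",
        "  EXAMPLE.COM = {", "    kdc = kdc1.example.com", "    max_retries = 5", "  }",
        "  OTHER.EXAMPLE = {", "    kdc = kdc.other.example", "  }");

    // Minimal parser (one nesting level only): returns the key/value pairs found
    // under "libdefaults" and under "realm:<NAME>" for each realm stanza.
    static Map<String, Map<String, String>> parse(String conf) {
        Map<String, Map<String, String>> out = new HashMap<>();
        String section = "", scope = "";
        for (String raw : conf.split("\n")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) continue;
            if (line.startsWith("[")) { section = line.substring(1, line.length() - 1); scope = section; continue; }
            if (line.equals("}")) { scope = section; continue; }
            String[] kv = line.split("=", 2);
            if (kv.length < 2) continue;
            String key = kv[0].trim(), val = kv[1].trim();
            if (section.equals("realms") && val.equals("{")) { scope = "realm:" + key; continue; }
            out.computeIfAbsent(scope, s -> new HashMap<>()).put(key, val);
        }
        return out;
    }

    // Most specific layer wins: [realms] entry, then [libdefaults], then built-in.
    // Only meant for the three integer settings listed in BUILT_IN.
    static int resolve(Map<String, Map<String, String>> conf, String realm, String key) {
        String v = conf.getOrDefault("realm:" + realm, Map.of()).get(key);       // layer 3
        if (v == null) v = conf.getOrDefault("libdefaults", Map.of()).get(key);  // layer 2
        return v != null ? Integer.parseInt(v) : BUILT_IN.get(key);              // layer 1
    }

    public static void main(String[] args) {
        Map<String, Map<String, String>> conf = parse(SAMPLE);
        for (String realm : List.of("EXAMPLE.COM", "OTHER.EXAMPLE"))
            for (String key : List.of("max_retries", "kdc_timeout", "udp_preference_limit"))
                System.out.println(realm + " " + key + " = " + resolve(conf, realm, key));
    }
}
```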



