[security-dev 00669]: Re: Review request: Infinite loop if SPNEGO specified as sun.security.jgss.mechanism
Valerie Peng
Yu-Ching.Peng at Sun.COM
Thu Mar 5 22:10:32 UTC 2009
I think when SPNEGO is specified to be the default mechanism for JGSS
(as the property name implies), it should be up to the SPNEGO
implementation to specify what its default concrete mechanism should be.

I think your new constant DEFAULT_MECH_OID2 should conceptually be at the
SPNEGO mech provider level instead of at the GSS level, i.e. inside
class sun.security.jgss.ProviderList.
Thus, it's better to move this constant to the SPNEGO mech provider
level since it's only used by SpNego.

In addition, since the default mech for JGSS does not change at runtime,
you should initialize this default mech for SPNEGO accordingly, so that
you don't have to do the if-default-JGSS-Mech-is-SPNEGO check for every
invocation of SpNegoMechFactory.getNameElement(...).

Valerie

On 03/05/09 00:41, Xuelei Fan wrote:
> "sun.security.jgss.mechanism", it is an undocumented property, right? I
> think it is hard to explain why SPNEGO is requested, but KRB5 is given; it
> is not the expected behavior. Why not throw a GSSException?
> Andrew
>
> Weijun Wang wrote:
>> Hi Andrew or Valerie
>>
>> Please review this bug fix:
>>
>> http://cr.openjdk.java.net/~weijun/6770883/webrev.01/
>> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6770883
>>
>> Basically, since SPNEGO is a pseudo-mech that's meant to negotiate a
>> real concrete mech, SPNEGO itself cannot be used as the underlying
>> default mech under.
>>
>> Thanks
>> Max
>>
>