[security-dev 01270]: Re: 6885204: JSSE should not require Kerberos to be present

Brad Wetmore Bradford.Wetmore at Sun.COM
Sat Oct 3 00:44:31 UTC 2009


Vincent Ryan wrote:
> I'm proposing a change that enables JSSE to work when Kerberos is not present
> at runtime:
> 
>   http://cr.openjdk.java.net/~vinnie/6885204/webrev.00/webrev/

DelegateHttpsURLConnection.java/HttpsClient.java
================================================

Can you put in a comment here that explains why you've added the 
ciphersuite check?  I had to think about it for a second, which means it 
won't be immediately clear to others.  ;)

CipherSuite.java/JsseJce.java
=================================

// It is true because we might not have an ECC or
// Kerberos implementation.

Here's a small can of worms.  The dynamic code was added when ECC was 
only available via the PKCS11 provider, and people could remove the ECC 
tokens at will and thus effectively disable ECC.  With the addition of 
your full-time ECC provider, this could have gone away.  But since some 
of the open source folks wanted to make your ECC provider optional, I 
guess we're have to continue this check.

That said, what you're trying to solve here is different.  Either the 
Kerberos implementation is there or it isn't.  It doesn't get 
dynamically installed into the JRE during the middle of a run, right? 
If it's not made available dynamically, a simple one-time check should 
be sufficient.

Is the doPrivileged necessary here?

Brad





More information about the security-dev mailing list