[security-dev 01270]: Re: 6885204: JSSE should not require Kerberos to be present
Brad Wetmore
Bradford.Wetmore at Sun.COM
Sat Oct 3 00:44:31 UTC 2009
Vincent Ryan wrote:
> I'm proposing a change that enables JSSE to work when Kerberos is not present
> at runtime:
>
> http://cr.openjdk.java.net/~vinnie/6885204/webrev.00/webrev/
DelegateHttpsURLConnection.java/HttpsClient.java
================================================
Can you put in a comment here that explains why you've added the
ciphersuite check? I had to think about it for a second, which means it
won't be immediately clear to others. ;)
CipherSuite.java/JsseJce.java
=================================
// It is true because we might not have an ECC or
// Kerberos implementation.
Here's a small can of worms. The dynamic code was added when ECC was
only available via the PKCS11 provider, and people could remove the ECC
tokens at will and thus effectively disable ECC. With the addition of
your full-time ECC provider, this could have gone away. But since some
of the open source folks wanted to make your ECC provider optional, I
guess we're have to continue this check.
That said, what you're trying to solve here is different. Either the
Kerberos implementation is there or it isn't. It doesn't get
dynamically installed into the JRE during the middle of a run, right?
If it's not made available dynamically, a simple one-time check should
be sufficient.
Is the doPrivileged necessary here?
Brad
More information about the security-dev
mailing list