[security-dev 01272]: Re: 6885204: JSSE should not require Kerberos to be present

Vincent Ryan Vincent.Ryan at Sun.COM
Mon Oct 5 18:07:42 UTC 2009


There's a new webrev available at:

http://cr.openjdk.java.net/~vinnie/6885204/webrev.01/webrev/



Brad Wetmore wrote:
> 
> Vincent Ryan wrote:
>> I'm proposing a change that enables JSSE to work when Kerberos is not
>> present
>> at runtime:
>>
>>   http://cr.openjdk.java.net/~vinnie/6885204/webrev.00/webrev/
> 
> DelegateHttpsURLConnection.java/HttpsClient.java
> ================================================
> 
> Can you put in a comment here that explains why you've added the
> ciphersuite check?  I had to think about it for a second, which means it
> won't be immediately clear to others.  ;)

Done.

> 
> CipherSuite.java/JsseJce.java
> =================================
> 
> // It is true because we might not have an ECC or
> // Kerberos implementation.
> 
> Here's a small can of worms.  The dynamic code was added when ECC was
> only available via the PKCS11 provider, and people could remove the ECC
> tokens at will and thus effectively disable ECC.  With the addition of
> your full-time ECC provider, this could have gone away.  But since some
> of the open source folks wanted to make your ECC provider optional, I
> guess we're have to continue this check.
> 
> That said, what you're trying to solve here is different.  Either the
> Kerberos implementation is there or it isn't.  It doesn't get
> dynamically installed into the JRE during the middle of a run, right? If
> it's not made available dynamically, a simple one-time check should be
> sufficient.

Right. I've changed the code to perform the Kerberos check just once
(in a static initializer).


> 
> Is the doPrivileged necessary here?

Yes, because the Class.forName references a class from a different package.


> 
> Brad
> 
> 



More information about the security-dev mailing list