code review request: 6894072: always refresh keytab
Valerie (Yu-Ching) Peng
valerie.peng at oracle.com
Sat Mar 26 00:20:13 UTC 2011
Max,
Well, I find it a bit awkward that the KeyTab class has to have the
KerberosPrincipal info which "intends" to use it.
Have you considered a different approach like:
Instead of adding the whole KeyTab object into the Subject's private
credential set, we add a "to-be-resolved" KerberosKey object. When we
need to use this kind of key, we'd check the associated KeyTab object to
refresh its value if needed. This approach is conceptually closer to
what we had, and the changes aren't as dramatic and seem to meet the
need required by 6894072.
I'll continue to review your webrev, but just want to kick this idea off
w/ you and see if it may work.
Valerie
On 03/23/11 02:00 AM, Weijun Wang wrote:
> Hi Valerie
>
> Updated webrev:
>
> http://cr.openjdk.java.net/~weijun/6894072/webrev.02
>
> Changes since last version:
>
> 1. A KerberosPrincipal inside javax..KeyTab class. New getInstance()
> arguments, new getPrincipal() method.
>
> It can only be non-null now, but I didn't say anything in the spec.
> I'm hoping it can be null in the future to support multiple service
> principals in a single service.
>
> 2. toString(), hashCode(), equals() for KeyTab, since it will be put
> inside private credentials set.
>
> 3. Enhancement to SubjectComber:
> a) Generics for find() and findMany()
> b) findAux() now supports Krb5AcceptCredential
>
> 4. Krb5Util.ServiceCreds: since principal is already inside both
> KeyTab and KerberosKey, no more KerberosPrincipal argument in
> getInstance(); there is still a field inside to save the value.
>
> 5. sun..KeyTab and javax..KeyTab: isMissing==true is now valid.
> Changes to the javadoc of javax..KeyTab.getKeys().
>
> 6. New TwoPrinces.java test, a subject with 2 KerberosPrincipals after
> JAAS commit.
>
> This time I'd like to first make sure implementation is correct, and
> then I'll update the CCC. Is this OK?
>
> Thanks
> Max