[kitten] Suggested update to RFC 5653 JGSS-API: Provide a way to return a token when context establishment fails
Nico Williams
nico at cryptonector.com
Fri Jul 19 06:37:52 UTC 2013
On Sun, Jul 14, 2013 at 10:58 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> Without the ability to send a token when there is a failure, a Java program
> has no chance to tell the other side what's happening. This is very
> user-unfriendly. Also, in the case of SPNEGO, a "reject" NegTokenResp token
> will never be able to be sent out.
I agree.
> My current proposal is to add a new method getOutputToken() to the
> GSSException class (which will be thrown when an error occurs) to return
> this last token. This means the method calls will be something like
>
> try {
>     send(initSecContext(inToken));
> } catch (GSSException e) {
>     if (e.getOutputToken() != null) {
>         send(e.getOutputToken());
>     }
>     throw e;
> }
>
> The getOutputToken() method can only return a non-null value when it's
> thrown by an initSecContext or acceptSecContext call. The method won't throw
> another GSSException even if the exception was thrown in other calls.
I support this.
> We can use the new JDK 8 default method feature [1] to add this new method
> to the existing GSSException interface.
Excellent,
Nico
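The following is an added illustration of the proposed pattern, not code from either poster or from the JDK. Because the proposed getOutputToken() is modelled here rather than assumed to exist on GSSException, a hypothetical subclass carries the token, and a small in-memory acceptor stands in for GSSContext.acceptSecContext; the reject token bytes are a constructed placeholder, not a real SPNEGO NegTokenResp encoding.

```java
import org.ietf.jgss.GSSException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class ErrorTokenDemo {

    /** Hypothetical: models the proposed getOutputToken() on GSSException. */
    static class GSSExceptionWithToken extends GSSException {
        private final byte[] outputToken;

        GSSExceptionWithToken(int major, String detail, byte[] outputToken) {
            super(major, 0, detail);
            this.outputToken = outputToken;
        }

        /** Non-null only when the failing call was a context-establishment step. */
        byte[] getOutputToken() {
            return outputToken == null ? null : outputToken.clone();
        }
    }

    /** Hypothetical stand-in for one initSecContext/acceptSecContext call. */
    interface ContextStep {
        byte[] step(byte[] inToken) throws GSSException;
    }

    /** Constructed placeholder for a SPNEGO "reject" NegTokenResp; not real DER. */
    static final byte[] REJECT_TOKEN = "NegTokenResp:reject".getBytes();

    /** Hypothetical acceptor: accepts tokens starting with "NEG", rejects anything else
     *  and, per the proposal, hands the reject token back inside the exception. */
    static final ContextStep REJECTING_ACCEPTOR = in -> {
        if (in != null && in.length >= 3 && in[0] == 'N' && in[1] == 'E' && in[2] == 'G') {
            return "accept".getBytes();
        }
        throw new GSSExceptionWithToken(GSSException.DEFECTIVE_TOKEN,
                                        "unsupported mechanism", REJECT_TOKEN);
    };

    /**
     * Runs one establishment step and records every token that goes on the wire.
     * Before the proposal the catch block has nothing to forward, so the peer is
     * left waiting with no explanation; with it, the reject goes out before rethrow.
     */
    static List<byte[]> runStep(ContextStep ctx, byte[] inToken, List<byte[]> wire)
            throws GSSException {
        try {
            byte[] out = ctx.step(inToken);
            if (out != null) {
                wire.add(out);
            }
        } catch (GSSException e) {
            // With the proposal this would simply be e.getOutputToken() on GSSException.
            if (e instanceof GSSExceptionWithToken) {
                byte[] last = ((GSSExceptionWithToken) e).getOutputToken();
                if (last != null) {
                    wire.add(last);
                }
            }
            throw e;   // the caller still sees the failure
        }
        return wire;
    }

    public static void main(String[] args) {
        List<byte[]> wire = new ArrayList<>();
        try {
            runStep(REJECTING_ACCEPTOR, "NTLMSSP-like token".getBytes(), wire);
        } catch (GSSException e) {
            System.out.println("establishment failed: " + e.getMessage());
        }
        boolean rejectSent = !wire.isEmpty()
                && Arrays.equals(wire.get(wire.size() - 1), REJECT_TOKEN);
        System.out.println("tokens on wire: " + wire.size() + ", reject delivered: " + rejectSent);
    }
}
```

The point of the wire list is to make the difference observable: remove the catch-block forwarding and the list stays empty after the failure, which is exactly the silent hang the thread describes.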