[kitten] Suggested update to RFC 5653 JGSS-API: Provide a way to return a token when context establishment fails

Nico Williams nico at cryptonector.com
Fri Jul 19 06:37:52 UTC 2013


On Sun, Jul 14, 2013 at 10:58 PM, Weijun Wang <weijun.wang at oracle.com> wrote:
> Without the ability to send a token when there is a failure, a Java program
> has no chance to tell the other side what's happening. This is very
> user-unfriendly. Also, in the case of SPNEGO, a "reject" NegTokenResp token
> will never be able to be sent out.

I agree.

> My current proposal is to add a new method getOutputToken() to the
> GSSException class (which will be thrown when an error occurs) to return
> this last token. This means the method calls will be something like
>
>         try {
>             send(initSecContext(inToken));
>         } catch (GSSException e) {
>             if (e.getOutputToken() != null) {
>                 send(e.getOutputToken());
>             }
>             throw e;
>         }
>
> The getOutputToken() method can only return a non-null value when it's
> thrown by an initSecContext or acceptSecContext call. The method won't throw
> another GSSException even if the exception was thrown in other calls.

I support this.

> We can use the new JDK 8 default method feature [1] to add this new method
> to the existing GSSException interface.

Excellent,

Nico
--
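An added example, not code from the thread, showing how an acceptor-side establishment loop would use the proposed GSSException.getOutputToken() to return the final error token (for SPNEGO, the "reject" NegTokenResp) before failing; the length-prefixed token framing and the AcceptorLoop class are assumptions of this example, and getOutputToken() is the method the proposal describes, not a shipped API.

```java
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

public class AcceptorLoop {
    // Reads one length-prefixed token from the peer (framing is an assumption of this example).
    static byte[] readToken(DataInputStream in) throws IOException {
        byte[] tok = new byte[in.readInt()];
        in.readFully(tok);
        return tok;
    }

    static void sendToken(DataOutputStream out, byte[] tok) throws IOException {
        out.writeInt(tok.length);
        out.write(tok);
        out.flush();
    }

    // Runs the acceptor side of context establishment. On failure, the proposed
    // GSSException.getOutputToken() (assumed here as described in the thread)
    // lets the acceptor send the final error token, so the initiator learns
    // why establishment stopped instead of seeing a silently closed connection.
    static GSSContext accept(DataInputStream in, DataOutputStream out)
            throws IOException, GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSContext ctx = manager.createContext((GSSCredential) null); // default acceptor cred
        try {
            while (!ctx.isEstablished()) {
                byte[] inTok = readToken(in);
                byte[] outTok = ctx.acceptSecContext(inTok, 0, inTok.length);
                if (outTok != null) {
                    sendToken(out, outTok);
                }
            }
            return ctx;
        } catch (GSSException e) {
            // Per the proposal: non-null only when thrown by init/acceptSecContext,
            // and never throws another GSSException itself.
            byte[] errTok = e.getOutputToken();
            if (errTok != null) {
                sendToken(out, errTok); // e.g. SPNEGO "reject" NegTokenResp
            }
            ctx.dispose(); // release the half-built context before propagating
            throw e;
        }
    }
}
```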