RFR 8042900: Allow com.sun.security.jgss to be in different module than org.ietf.jgss
Alan Bateman
Alan.Bateman at oracle.com
Thu Aug 28 08:54:04 UTC 2014
On 27/08/2014 08:17, Wang Weijun wrote:
> Hi All
>
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8042900/webrev.00/
>
> The purpose of this fix is to move com.sun.security.jgss (where the ExtendedGSSXXX classes reside) out of the java.security.jgss module, since it is openjdk-specific and not defined in Java SE. This is listed as the 1st open issue in http://openjdk.java.net/jeps/200.
>
> Because GSSManager::createContext() actually returns an ExtendedGSSContext object now, we will need to add a check there so that when the extended classes are available it still returns ExtendedGSSContext and otherwise a plain GSSContext. An internal OrgIetfJgssExtender class is defined and Extender in com.sun.security.jgss extends it. When GSSManagerImpl is creating a GSSContext (or GSSCredential) object, it detects whether an extension is available and if so returns a "wrapped" object that has extended functions.
>
> Please note that in this fix all extended functions are actually implemented in the basic (say, GSSContextImpl) class, but they are only exported through the extended interface (say, ExtendedGSSContext) to application developers.
>
> The detection of whether an extension is available is now performed by calling "Class.forName("com.sun.security.jgss.Extender")". This will be revisited later if we have other handy methods to detect whether a module is available or be converted to a service loader.
>
> A sub-task (JDK-8056141) will move com.sun.security.jgss and com.sun.security.sasl.gsskerb into a new jdk.security.jgss module.
>
>
I've looked through the changes, I don't claim to know this area very
well and so I think it needs a Reviewer from the security area to help
review too.
At a high-level then the approach seems reasonable and I see how this
will fits with the second part that will facilitate the refactoring of
com.sun.security.jgss to another module. The Class.forName to tickle the
Extender to register seems okay.
A minor comment on Extender is that I think I'd prefer the methods to
named "wrap" rather than "wrapped", also I assume you'll add a copyright
header to the file before you push.
A minor comment on OrgIetfJgssExtender is that perhaps JgssExtender
would be a simpler name. Can the setExtender method be protected rather
than public, I assume it will only ever be called by sub-types. Should
theOthe be volatile? I can't tell if there are any race conditions here.
As per Extender I would have a preference for wrap rather than wrapped.
I don't think I understand the update to test S4U2selfGSS.java, is this
related to this change?
Otherwise I don't see any issues and overall this seems good work.
-Alan.
More information about the security-dev
mailing list