RFR 6722928: Support SSPI as a native GSS-API provider
Nico Williams
Nico.Williams at twosigma.com
Fri Mar 22 15:28:24 UTC 2019
On Thu, Mar 21, 2019 at 10:17:36PM +0100, Michael Osipov wrote:
> * header comment: Why do you actually exclude NTLM from SPNEGO? Let SSPI work as
> it is intended to work. Means less code you have to maintain
There's a few reasons:

 - NTLM doesn't have an OID, at least as I remember
 - the JDK's JGSS stuff is very Kerberos-specific, especially w/ regards
   to the ServicePermission stuff

IMO JAAS (and with it, *Permission) should be removed with prejudice now
that applet support has been removed. Perhaps stubs should be left
behind for compatibility reasons, and all the doAs*() methods should
just act as though permission is granted.

Removing JAAS would be a wonderful simplification, then the JGSS stuff
could stop being Kerberos-specific.
Nico