RFR 6722928: Support SSPI as a native GSS-API provider

Michael Osipov 1983-01-06 at gmx.net
Fri Mar 22 23:50:34 UTC 2019


On 2019-03-23 at 00:21, Weijun Wang wrote:
>
>
>> On Mar 22, 2019, at 11:28 PM, Nico Williams <Nico.Williams at twosigma.com> wrote:
>>
>> On Thu, Mar 21, 2019 at 10:17:36PM +0100, Michael Osipov wrote:
>>> * header comment: Why do you actually exclude NTLM from SPNEGO? Let SSPI work as
>>> it is intended to work. Means less code you have to maintain
>>
>> There's a few reasons:
>>
>> - NTLM doesn't have an OID, at least as I remember
>>
>> - the JDK's JGSS stuff is very Kerberos-specific, especially w/ regards
>>    to the ServicePermission stuff
>
> Yes, it needs to check a permission if the token is SPNEGO and internally it's Kerberos. I also believe the HTTP Negotiate code there is probably not good at dealing with a Negotiate dialog with 2 rounds. The first problem should be easy to fix, I'll see if the 2nd is complicated.

Reminds me of https://issues.apache.org/jira/browse/HTTPCLIENT-1625...


