RFR 6722928: Support SSPI as a native GSS-API provider
Weijun Wang
weijun.wang at oracle.com
Mon Mar 25 23:12:21 UTC 2019
> On Mar 25, 2019, at 11:37 PM, Nico Williams <Nico.Williams at twosigma.com> wrote:
>
> On Mon, Mar 25, 2019 at 11:17:17AM +0800, Weijun Wang wrote:
>>> On Mar 23, 2019, at 7:50 AM, Michael Osipov <1983-01-06 at gmx.net> wrote:
>>>>> There's a few reasons:
>>>>>
>>>>> - NTLM doesn't have an OID, at least as I remember
>>>>>
>>>>> - the JDK's JGSS stuff is very Kerberos-specific, especially w/
>>>>> regards to the ServicePermission stuff
>>>>
>>>> Yes, it needs to check a permission if the token is SPNEGO and
>>>> internally it's Kerberos. I also believe the HTTP Negotiate code
>>>> there is probably not good at dealing with a Negotiate dialog with
>>>> 2 rounds. The first problem should be easy to fix, I'll see if the
>>>> 2nd is complicated.
>
> I expect lots of implementations of HTTP/Negotiate to not support more
> than one round trip. However, if a client and server lack credentials
> for a common mechanism, authentication will fail or not even start, and
> if they do have credentials for a common mechanism but one or both
> cannot handle more than one round trip, they'll fail. Either way they
> fail, so what's the problem? Ignoring for a moment NTLM's weakness,
> adding support for it adds ways to win, not ways to fail.
>
>> It works. Java's (old) HTTPConnection sends an NTLM token to IIS and
>> after 4 messages I see 200 OK.
>>
>> But 1) Java GSS acceptor does not accept it and I don't want to break
>> interop inside Java.
>
> That's not breaking interop. A Windows initiator and non-Windows
> acceptor (and vice-versa) will still interop provided both have Kerberos
> credentials.
But that needs another round of negotiation, and you know Java might not be good at it.
>
>> 2) No more permission check.
>
> I don't understand (2).
Now that the ServicePermission check is skipped, some sort of NTLMPermission check will be needed.
--Max
>
>> Not going to do it this time. Later I might ask networking how
>> transparent NTLM works and if they need any permission checking or
>> other settings I can probably follow.
>
> Of course it needs permission checking, except that in a world without
> applets that's a bit pointless.
>
> Nico
> --
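The "Negotiate dialog with 2 rounds" discussed above is the general case of the GSS-API context-establishment loop: the client keeps calling initSecContext with whatever token the server sent back until the context is established, however many round trips the mechanism needs. The following is an added example written for this thread, not code from the JDK or from any of the participants; it uses the standard JGSS API (GSSManager, GSSContext, Oid) and assumes a hypothetical HttpTransport interface that sends one request carrying an Authorization header and returns the status plus the WWW-Authenticate value, which stands in for whatever HTTP client is actually in use.

```java
import java.io.IOException;
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Multi-round HTTP Negotiate initiator loop built on JGSS (added example, not JDK code). */
public class NegotiateClient {

    /** Hypothetical transport abstraction: one request/response with an Authorization header. */
    interface HttpTransport {
        Response exchange(String authorization) throws IOException;
    }

    /** Status code and the raw WWW-Authenticate header value (null when absent). */
    record Response(int status, String wwwAuthenticate) {}

    /** SPNEGO mechanism OID, as registered in RFC 4178. */
    static Oid spnegoOid() throws GSSException {
        return new Oid("1.3.6.1.5.5.2");
    }

    /**
     * Drives the Negotiate exchange against the service named by
     * servicePrincipal (for example "HTTP@server.example.com", a constructed name).
     * Returns true only when the GSS context is established AND the server
     * answered the final request with 200; anything else is treated as failure.
     */
    static boolean authenticate(HttpTransport http, String servicePrincipal)
            throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        GSSName peer = manager.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(peer, spnegoOid(), null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // the server's final token must be processed too
        try {
            byte[] inToken = new byte[0];
            Response resp = null;
            // One iteration per round trip; exits when the context is established.
            while (!ctx.isEstablished()) {
                byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
                if (outToken == null || outToken.length == 0) {
                    // No token to send and still not established: the mechanism gave up.
                    if (!ctx.isEstablished()) return false;
                    break;
                }
                resp = http.exchange("Negotiate " + Base64.getEncoder().encodeToString(outToken));
                inToken = parseNegotiateToken(resp.wwwAuthenticate());
                if (inToken == null && !ctx.isEstablished()) {
                    // Server ended the dialog (no continuation token) before we were done.
                    return false;
                }
            }
            return resp != null && resp.status() == 200;
        } finally {
            ctx.dispose();
        }
    }

    /** Extracts the base64 token from "Negotiate <token>"; null if no token is present. */
    static byte[] parseNegotiateToken(String wwwAuthenticate) {
        if (wwwAuthenticate == null) return null;
        String v = wwwAuthenticate.trim();
        if (!v.regionMatches(true, 0, "Negotiate", 0, "Negotiate".length())) return null;
        String token = v.substring("Negotiate".length()).trim();
        return token.isEmpty() ? null : Base64.getDecoder().decode(token);
    }
}
```

Against an acceptor that finishes in one round the loop runs once and then consumes the server's final token from the 200 response; against one that needs an extra exchange (the 401-with-token case) it simply iterates again. A client that sends one token and then assumes the dialog is over is the failure mode the thread is worried about.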