RFR 6722928: Support SSPI as a native GSS-API provider
Weijun Wang
weijun.wang at oracle.com
Fri May 31 23:43:42 UTC 2019
> On May 31, 2019, at 11:42 PM, Nico Williams <Nico.Williams at twosigma.com> wrote:
>
> On Fri, May 31, 2019 at 10:48:19PM +0800, Weijun Wang wrote:
>>> On May 31, 2019, at 3:09 AM, Nico Williams <Nico.Williams at twosigma.com> wrote:
>>> Can you
>>> just use the empty realm like Heimdal and MIT do?
>>
>> This is for export(), where they use "WELLKNOWN:ORG.H5L.REFERALS-REALM" but I
>> hesitate to introduce it.
>
> Heimdal defines that, but doesn't use it. MIT doesn't even define it.
I thought I saw it with MIT but maybe I got the library setting wrong. Anyway, using macOS's builtin krb5 (is that a Heimdal fork?), export() returns
0000: 04 01 00 0B 06 09 2A 86 48 86 F7 12 01 02 02 00 ......*.H.......
0010: 00 00 31 73 65 72 76 69 63 65 2F 68 6F 73 74 2E ..1service/host.
0020: 6B 33 78 40 57 45 4C 4C 4B 4E 4F 57 4E 3A 4F 52 k3x at WELLKNOWN:OR
0030: 47 2E 48 35 4C 2E 52 45 46 45 52 41 4C 53 2D 52 G.H5L.REFERALS-R
0040: 45 41 4C 4D EALM
--Max
>
>>> Ah, but if it's not the "current" realm? (What do you mean by "current"
>>> anyways?)
>>
>> Current is default, or USERDNSDOMAIN.
>>
>> Then I won't remove it and InitiateSecurityContext will use it.
>
> Hmm, ok.
>
>>> I would think JDK_SSPI_TRACE would be a better name...
>>
>> Yes, I can.
>
> OK.
>
> Nico
> --
More information about the security-dev
mailing list