RFR: 8245527: LDAP Channel Binding support for Java GSS/Kerberos

Daniel Fuchs daniel.fuchs at oracle.com
Wed Jun 24 18:56:03 UTC 2020


Hi Alexey,

The JNDI/LDAP part looks mostly good. You will need someone
from the security libs to review the security lib part of the
changes.

In the test I would recommend using the test URIBuilder to avoid
strange intermittent errors if the test is run on a
machine where looking up "localhost" doesn't yield back
InetAddress.getLoopbackAddress():

------------------

  * @library /test/lib
...
import java.net.URI;
import jdk.test.lib.net.URIBuilder;
...
         URI uri = URIBuilder.newBuilder()
             .scheme("ldaps")
             .loopback()
             .port(serverPort)
             .build();
         env.put(Context.PROVIDER_URL, uri.toString());

------------------

So we have now two new properties:

jdk.internal.sasl.tlschannelbinding which is a private contract between
    java.naming and jdk.security.jgss;
com.sun.jndi.ldap.tls.cbtype which is a new JDK implementation specific
    environment property for the InitialLdapContext, and is depending
    on another JDK specific environment property:
    "com.sun.jndi.ldap.connect.timeout"

None of these properties are currently documented in the JDK itself.
Although jdk.internal.sasl.tlschannelbinding probably doesn't need
to be documented (but I'll defer to the security experts for that),
the other two probably should. Where is the question.
If we had a jdk.naming.ldap module then the documentation for
these jndi properties would probably need to go in its module-info.java
API documentation, but we don't. Obviously we will want to write
a release note for this fix that documents the new
com.sun.jndi.ldap.tls.cbtype property - but will that be
sufficient? The CSR committee might wish for more.

Does anyone have advice to share on this?

best regards,

-- daniel


On 17/06/2020 12:26, Alexey Bakhtin wrote:
> Hello Daniel,
> 
> Thank you for review.
> 
> As you suggested I’ve added static factory methods to create TlsChannelBinding class and changed connectionTimeout verification to "if (connectTimeout <= 0)"
> Also, I’ve added simple regression test to verify Channel Binding parameters.
> 
> Please find updated webrev at: http://cr.openjdk.java.net/~abakhtin/8245527/webrev.v8/
> 
> The link to CSR for this feature: https://bugs.openjdk.java.net/browse/JDK-8247311
> 
> Regards
> Alexey
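The loopback advice in Daniel's message, shown as an added, self-contained example (not code from the webrev or from the JDK test under review): the test-library URIBuilder.loopback() is replaced by the plain java.net.URI multi-argument constructor, which likewise brackets an IPv6 loopback literal, so the resulting provider URL never depends on how "localhost" resolves on the test machine. The environment also sets the two JDK-specific properties named in the thread; the channel-binding value string "tls-server-end-point" is assumed here from the feature's later documentation and is not stated in this thread, and the port number and timeout are constructed placeholders.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Hashtable;
import javax.naming.Context;

/**
 * Added example, not part of the reviewed change: build an LDAP environment
 * whose provider URL targets the real loopback address rather than the name
 * "localhost", which on some hosts does not resolve to
 * InetAddress.getLoopbackAddress().
 */
public class LoopbackLdapEnv {

    /** Builds scheme://<loopback-address>:port, bracketing an IPv6 literal. */
    static URI loopbackUri(String scheme, int port) throws URISyntaxException {
        InetAddress lo = InetAddress.getLoopbackAddress();
        // The 7-argument URI constructor adds [] around an IPv6 host literal,
        // which is the same thing jdk.test.lib.net.URIBuilder.loopback() does.
        return new URI(scheme, null, lo.getHostAddress(), port, null, null, null);
    }

    /** JNDI environment for a GSSAPI bind over LDAPS with TLS channel binding. */
    static Hashtable<String, Object> buildEnv(int serverPort) throws URISyntaxException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, loopbackUri("ldaps", serverPort).toString());
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Channel binding type discussed in the thread; the value string is an
        // assumption taken from the feature's eventual documentation.
        env.put("com.sun.jndi.ldap.tls.cbtype", "tls-server-end-point");
        // Channel binding depends on a positive connect timeout (see the
        // "connectTimeout <= 0" check mentioned in the reply). Placeholder value.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        return env;
    }

    public static void main(String[] args) throws Exception {
        int serverPort = 6636; // constructed placeholder for a test server port
        Hashtable<String, Object> env = buildEnv(serverPort);
        // Prints an ldaps:// URL whose host is 127.0.0.1 or a bracketed IPv6
        // loopback literal, never the name "localhost".
        System.out.println(env.get(Context.PROVIDER_URL));
    }
}
```

Inside a jtreg test the URIBuilder form from the message above is the idiomatic choice; this version only avoids the /test/lib dependency so the host-resolution point can be seen in isolation.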



