RFR: 8245527: LDAP Cnannel Binding support for Java GSS/Kerberos

Daniel Fuchs daniel.fuchs at oracle.com
Tue May 26 14:14:49 UTC 2020

Hi Alexey,

This is not a review. A few high level comments however:

For that kind of change that introduce a new environment
property you will need to file a CSR, and probably provide
some release notes as well.

Your changes seem to trigger new IllegalStateException and
UnsupportedOperationExceptions which are undocumented.
I believe they should be replaced by NamingException which
is documented at the public API level.

Also it would be good to have a test that validates that
the proposed changes works as expected.

I will not comment on the security libs changes - I'm clearly
out of my depth there. It's a bit distasteful that the
LdapCtxt/LdapClient have to have knowledge of channel binding
and extract the certificates from the SSLSocket to pass them to
the lower layer. Ideally this should rather be handled by the
SASL layers?

best regards,

-- daniel

On 25/05/2020 16:33, Alexey Bakhtin wrote:
> Updated webrev is available at:http://cr.openjdk.java.net/~abakhtin/8245527/webrev.v1/

More information about the security-dev mailing list