Integrated: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos

Michael McMahon michaelm at openjdk.java.net
Tue Feb 1 07:30:19 UTC 2022


On Thu, 13 Jan 2022 12:10:11 GMT, Michael McMahon <michaelm at openjdk.org> wrote:

> Hi,
> 
> This change adds Channel Binding Token (CBT) support to HTTPS (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, Kerberos) authentication scheme. When enabled, the implementation preemptively includes a CBT with authentication requests over Kerberos. The feature is enabled as follows:
> 
> A system property "jdk.spnego.cbt" is defined which can have the values "never" (default), which means the feature is disabled, "always", which means the CBT is included for all https Negotiate authentications, or it can take the form "domain:a,b.c,*.d.com" which is a comma separated list of domains/hosts where the feature is enabled, and disabled everywhere else. In the given example, the CBT would be included in authentication requests for hosts "a", "b.c" and all hosts under the domain "d.com" and all of its sub-domains.
> 
> A test will be added separately to the implementation.
> 
> Bug report: https://bugs.openjdk.java.net/browse/JDK-8279842
> 
> Thanks,
> Michael

This pull request has now been integrated.

Changeset: de3113b9
Author:    Michael McMahon <michaelm at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/de3113b998550021bb502cd6f766036fb8351e7d
Stats:     858 lines in 12 files changed: 696 ins; 146 del; 16 mod

8279842: HTTPS Channel Binding support for Java GSS/Kerberos

Co-authored-by: Weijun Wang <weijun.wang at oracle.com>
Reviewed-by: dfuchs, weijun, darcy

-------------

PR: https://git.openjdk.java.net/jdk/pull/7065
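
The three forms of the "jdk.spnego.cbt" value described in the quoted message, modelled as an added example; this is not code from the changeset or the JDK. The class name `SpnegoCbtPolicy`, the case-insensitive comparison, the suffix matching for "*." entries, the rejection of unrecognised values and the sample hosts are all assumptions made for illustration.

```java
import java.util.Locale;

// Added illustration of the property semantics described in the message.
// Not the JDK's implementation; matching rules below are assumptions.
public class SpnegoCbtPolicy {
    private final boolean always;
    private final String[] patterns;

    SpnegoCbtPolicy(String value) {
        // "never" is the documented default when the property is not set.
        String v = (value == null) ? "never" : value.trim().toLowerCase(Locale.ROOT);
        always = v.equals("always");
        if (v.startsWith("domain:")) {
            patterns = v.substring("domain:".length()).split(",");
        } else if (always || v.equals("never")) {
            patterns = new String[0];
        } else {
            // Assumption: this sketch fails closed on a malformed value.
            throw new IllegalArgumentException("unrecognised jdk.spnego.cbt value: " + value);
        }
    }

    // True when a CBT would be included for an HTTPS Negotiate request to host.
    boolean appliesTo(String host) {
        if (always) return true;
        String h = host.toLowerCase(Locale.ROOT);
        for (String raw : patterns) {
            String p = raw.trim();
            if (p.isEmpty()) continue;
            if (p.startsWith("*.")) {
                // Assumption: "*.d.com" covers hosts ending in ".d.com", not "d.com" itself.
                if (h.endsWith(p.substring(1))) return true;
            } else if (h.equals(p)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Property value taken from the example in the message; hosts are constructed.
        SpnegoCbtPolicy policy = new SpnegoCbtPolicy("domain:a,b.c,*.d.com");
        String[] hosts = {"a", "b.c", "www.d.com", "x.y.d.com", "d.com", "notd.com", "a.example"};
        for (String h : hosts) {
            System.out.printf("%-12s CBT %s%n", h, policy.appliesTo(h) ? "included" : "omitted");
        }
    }
}
```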
