On Mon, 24 Jan 2022 22:11:51 GMT, Michael McMahon <micha...@openjdk.org> wrote:
>> Hi, >> >> This change adds Channel Binding Token (CBT) support to HTTPS >> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, >> Kerberos) authentication scheme. When enabled, the implementation >> preemptively includes a CBT with authentication requests over Kerberos. The >> feature is enabled as follows: >> >> A system property "jdk.spnego.cbt" is defined which can have the values >> "never" (default), which means the feature is disabled, "always", which >> means the CBT is included for all https Negotiate authentications, or it can >> take the form "domain:a,b.c,*.d.com" which is a comma separated list of >> domains/hosts where the feature is enabled, and disabled everywhere else. In >> the given example, the CBT would be included in authentication requests for >> hosts "a", "b.c" and all hosts under the domain "d.com" and all of its >> sub-domains. >> >> A test will be added separately to the implementation. >> >> Bug report: https://bugs.openjdk.java.net/browse/JDK-8279842 >> >> Thanks, >> Michael > > Michael McMahon has updated the pull request incrementally with one > additional commit since the last revision: > > more updates Looks good to me. Only several wording and style suggestions. I know you are asking SQE to create a security infra test, but I'll see if I can contribute a regression test. Don't wait for me. src/java.base/share/classes/java/net/doc-files/net-properties.html line 223: > 221: <OL> > 222: <LI><P>"never". This is also the default value if the property > is not set. In this case, > 223: CBT's are never sent.</P> Typo, "CBTs"? src/java.base/share/classes/java/net/doc-files/net-properties.html line 224: > 222: <LI><P>"never". This is also the default value if the property > is not set. In this case, > 223: CBT's are never sent.</P> > 224: <LI><P>"always". CBTs are sent for all Kerberos authentication > attempts over HTTPS.</P> Shall we remove "Kerberos"? Or we can use "Kerberos or Negotiate". src/java.base/share/classes/sun/net/www/protocol/https/AbstractDelegateHttpsURLConnection.java line 1: > 1: /** This is not a doc comment. src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java line 124: > 122: try { > 123: init(hci); > 124: } catch (GSSException | ChannelBindingException e) { Two spaces before "e". ------------- Marked as reviewed by weijun (Reviewer). PR: https://git.openjdk.java.net/jdk/pull/7065
