Re: RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

2022-02-09 Thread Michael Osipov
On Wed, 9 Feb 2022 15:05:24 GMT, Martin Balao wrote: >>> > @martinuy, I am the reporter of JDK-8160768. Regarding this PR, isn't >>> > everything protocol related a fail-fast issue? E.g., if the socket is up >>> > and running, but the LDAP message is rejected can we assume that all >>> > subse

Re: RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

2022-02-09 Thread Michael Osipov
On Tue, 8 Feb 2022 13:51:57 GMT, Martin Balao wrote: > > @martinuy, I am the reporter of JDK-8160768. Regarding this PR, isn't > > everything protocol related a fail-fast issue? E.g., if the socket is up > > and running, but the LDAP message is rejected can we assume that all > > subsequent se

Re: RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos [v8]

2022-01-25 Thread Michael Osipov
On Tue, 25 Jan 2022 12:47:26 GMT, Michael McMahon wrote: >> src/java.base/share/classes/sun/net/www/http/HttpClient.java line 150: >> >>> 148: * "domain:a,c.d,*.e.f" (sent to host a, or c.d or to the domain >>> e.f and any of its subdomains). This is >>> 149: * a comma separated list

Re: RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos [v8]

2022-01-25 Thread Michael Osipov
On Tue, 25 Jan 2022 10:30:20 GMT, Michael McMahon wrote: >> Hi, >> >> This change adds Channel Binding Token (CBT) support to HTTPS >> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, >> Kerberos) authentication scheme. When enabled, the implementation >> preemptively inclu

Re: RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos [v3]

2022-01-21 Thread Michael Osipov
On Fri, 21 Jan 2022 15:51:10 GMT, Michael McMahon wrote: >> `NamingException` has `setRootCause()`. Why not use that? I use that one too >> and full stack is retained. > > Yes, I can do that. Though it will cause the existing LDAP channel binding > test to fail which is checking for an empty ro

Re: RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos [v3]

2022-01-21 Thread Michael Osipov
On Fri, 21 Jan 2022 13:35:53 GMT, Michael McMahon wrote: >> src/java.naming/share/classes/com/sun/jndi/ldap/sasl/LdapSasl.java line 133: >> >>> 131: >>> (String)env.get(TlsChannelBinding.CHANNEL_BINDING_TYPE)); >>> 132: } catch (ChannelBindingExce

Re: RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos [v3]

2022-01-20 Thread Michael Osipov
On Thu, 20 Jan 2022 10:58:27 GMT, Michael McMahon wrote: >> Hi, >> >> This change adds Channel Binding Token (CBT) support to HTTPS >> (java.net.HttpsURLConnection) when used with the Negotiate (SPNEGO, >> Kerberos) authentication scheme. When enabled, the implementation >> preemptively inclu

Re: RFR: 8279842: HTTPS Channel Binding support for Java GSS/Kerberos

2022-01-15 Thread Michael Osipov
On Sat, 15 Jan 2022 00:23:31 GMT, Weijun Wang wrote: >> Yes. I would like the security team to validate this. > > I suggest moving the `TlsChannelBinding` class into > `java.base/sun.security.util` since it's not only used by LDAP anymore. It's > even not restricted to GSS-API. According to >

Re: RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

2021-12-17 Thread Michael Osipov
On Thu, 16 Dec 2021 01:23:11 GMT, Martin Balao wrote: >> Hi @AlekseiEfimov >> >> Can you please review the CSR [1]? >> >> Thanks, >> Martin.- >> >> -- >> [1] - https://bugs.openjdk.java.net/browse/JDK-8276959 > >> @martinuy This pull request has been inactive for more than 4 weeks and will >

Re: RFR: 8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked

2021-12-17 Thread Michael Osipov
On Thu, 16 Dec 2021 01:23:11 GMT, Martin Balao wrote: >> Hi @AlekseiEfimov >> >> Can you please review the CSR [1]? >> >> Thanks, >> Martin.- >> >> -- >> [1] - https://bugs.openjdk.java.net/browse/JDK-8276959 > >> @martinuy This pull request has been inactive for more than 4 weeks and will >

Re: RFR: 8273402: Use derived NamingExceptions in com.sun.jndi.ldap.Connection#readReply

2021-09-14 Thread Michael Osipov
On Thu, 9 Sep 2021 22:02:55 GMT, Aleksei Efimov wrote: > Hi, > The following fix changes type of exception thrown when an LDAP operation > fails for reasons like read timeout or connection closure/cancellation: > instead of throwing a general `NamingException`, the internal LDAP connection > c

Re: RFR: 8273402: Use derived NamingExceptions in com.sun.jndi.ldap.Connection#readReply

2021-09-10 Thread Michael Osipov
On Thu, 9 Sep 2021 22:02:55 GMT, Aleksei Efimov wrote: > Hi, > The following fix changes type of exception thrown when an LDAP operation > fails for reasons like read timeout or connection closure/cancellation: > instead of throwing a general `NamingException`, the internal LDAP connection > c

Re: RFR: 8245527: LDAP Cnannel Binding support for Java GSS/Kerberos

2020-05-26 Thread Michael Osipov
On 2020-05-21 at 09:35, Alexey Bakhtin wrote: Hello, Could you please review the following patch: JBS: https://bugs.openjdk.java.net/browse/JDK-8245527 Webrev: http://cr.openjdk.java.net/~abakhtin/8245527/webrev.v0/ Let's go through your changes statically: * The JIRA issue title has a typo

Re: RFR: 8245527: LDAP Cnannel Binding support for Java GSS/Kerberos

2020-05-26 Thread Michael Osipov
On 2020-05-24 at 01:38, Michael Osipov wrote: On 2020-05-21 at 09:35, Alexey Bakhtin wrote: ... What about introducing a UnspecEmptyInetAddress() which gives the proper AF type, but #getAddress() would return null? This should satisfy the requirements, InitialToken as well as the RFC. this of

Re: RFR: 8218021: jarsigner strips the execute permission when signing a .zip file

2020-01-17 Thread Michael Osipov
On 2020-01-17 at 11:59, Seán Coffey wrote: Hi, Looking to introduce some JDK private functionality which will help preserve internal zip file attribute permissions when jarsigner is run on a zip file. Some of the logic is taken from the recent work carried out in this area for zipfs API. h