Re: RFR 6722928: Support SSPI as a native GSS-API provider

[Weijun Wang]

> On Mar 22, 2019, at 11:28 PM, Nico Williams <nico.willi...@twosigma.com> 
> wrote:
> 
> On Thu, Mar 21, 2019 at 10:17:36PM +0100, Michael Osipov wrote:
>> * header comment: Why do actually exclude NTLM from SPNEGO? Let SSPI work as
>> it is intended to work. Means less code you have to maintain
> 
> There's a few reasons:
> 
> - NTLM doesn't have an OID, at least as I remember
> 
> - the JDK's JGSS stuff is very Kerberos-specific, especially w/ regards
>   to the ServicePermission stuff

Yes, it needs to check a permission if the token is SPNEGO and internally it's 
Kerberos. I also believe the HTTP Negotiate code there is probably not good at 
dealing with a Negotiate dialog with 2 rounds. The first problem should be easy 
to fix, I'll see if the 2nd is complicated.

--Max

> 
> IMO JAAS (and with it, *Permission) should be removed with prejudice now
> that applet support has been removed.  Perhaps stubs should be left
> behind for compatibility reasons, and all the doAs*() methods should
> just act as though permission is granted.
> 
> Removing JAAS would be a wonderful simplification, then the JGSS stuff
> could stop being Kerberos-specific.
> 
> Nico
> --