Looks fine to me. A very minor suggestion to add one more comment here: ServerHandshaker.java --------------------- 1340 // Pre-check permission if bound
It would be nice to say more that the permission checking for unbound krb5 will be done in Kerberos ClientKeyExchange. Thanks, Xuelei On 4/17/2013 9:39 AM, Weijun Wang wrote: > Webrev updated: > > http://cr.openjdk.java.net/~weijun/8005523/webrev.02/ > > Changes since webrev.01: > > 1. Add a isRelated() Krb5Helper method to find out if a Subject can > provide creds for a service principal. > > 2. Server check permission at initialization if bound > > 3. Only check permission again at clientkeyexchange if unbound > > Thanks > Max > > On 4/16/13 8:48 PM, Weijun Wang wrote: >> >> >> On 4/16/13 8:18 PM, Xuelei Fan wrote: >>> On 4/16/2013 5:44 PM, Weijun Wang wrote: >>>>> >>>>> I am not sure how to do that. Can I just skip this check and whenever >>>>> subject != null always set resumingSession to true? This is not very >>>>> correct but is it possible to detect the mismatch later and "resume" >>>>> the >>>>> full negotiation? >>>>> >>> No, it is dangerous. The server has to make the right decision while >>> parsing ClientHello. >>> >>> Can you design a new Krb5Helper method to match the principals and >>> implement it in krb5/Krb5ProxyImpl.java. If it is a bound krb5, need to >>> match exactly; otherwise, the matching is performed per the request of >>> unbound krb5. >> >> I'll try. >> >>> >>> For unbound krb5, what's the return value of KerberosKey.getPrincipal()? >> >> Unbound krb5 has no KerberosKey, it only has KeyTab, and KeyTab.isBound >> is false. >> >> -Max >> >>> Is it a "*"? If it is always a "*", we also can check it in >>> ServerHandshake.java. I'm afraid it is not reliable so you won't >>> consider it. >>> >>>> >>>> It seems the purpose of this check is that, if it fails, you can be >>>> sure >>>> that kerberos is not loaded so the full negotiation will try to find a >>>> RSA ciphersuite. Is that right? >>>> >>> It depends. The check is also can be used to prevent abused session >>> resuming. The following full negotiation acts like a new handshaking, so >>> the Kerberos cipher suite may be used again. >>> >>>> I cannot call kerberos-specific codes in SSL because of module >>>> independence. >>>> >>> krb5/Krb5ProxyImpl.java? See above. >>> >>> Xuelei >>>
