[security-dev 01274]: Re: 6885204: JSSE should not require Kerberos to be present
Bradford.Wetmore at Sun.COM
Mon Oct 5 16:08:38 PDT 2009
Vincent Ryan wrote:
> There's a new webrev available at:
77 // It is true because we might not have an ECC or Kerberos
After your change, this comment should be reverted back. Kerberos isn't
Otherwise looks good.
> Brad Wetmore wrote:
>> Vincent Ryan wrote:
>>> I'm proposing a change that enables JSSE to work when Kerberos is not
>>> at runtime:
>> Can you put in a comment here that explains why you've added the
>> ciphersuite check? I had to think about it for a second, which means it
>> won't be immediately clear to others. ;)
>> // It is true because we might not have an ECC or
>> // Kerberos implementation.
>> Here's a small can of worms. The dynamic code was added when ECC was
>> only available via the PKCS11 provider, and people could remove the ECC
>> tokens at will and thus effectively disable ECC. With the addition of
>> your full-time ECC provider, this could have gone away. But since some
>> of the open source folks wanted to make your ECC provider optional, I
>> guess we're have to continue this check.
>> That said, what you're trying to solve here is different. Either the
>> Kerberos implementation is there or it isn't. It doesn't get
>> dynamically installed into the JRE during the middle of a run, right? If
>> it's not made available dynamically, a simple one-time check should be
> Right. I've changed the code to perform the Kerberos check just once
> (in a static initializer).
>> Is the doPrivileged necessary here?
> Yes, because the Class.forName references a class from a different package.
More information about the security-dev