Code review request: 8001326: Improve Kerberos replay caching

Weijun Wang weijun.wang at oracle.com
Wed Jun 5 18:32:29 PDT 2013


On 5/31/13 9:16 AM, Valerie (Yu-Ching) Peng wrote:
>
> One question:
> In DflCache.java, you mentioned that the old style block is always
> created even if a new style is available.
> When both are present, Is it always new style before old one? The impl
> in DflCache.java seems to assume this.

Yes. This is also what MIT krb5 does. I can add a comment on it.

Thanks
Max

> Thanks,
> Valerie
>
> On 05/28/13 01:45, Weijun Wang wrote:
>> Please review the code changes at
>>
>>    http://cr.openjdk.java.net/~weijun/8001326/webrev.00/
>>
>> Two new system properties are introduced. sun.security.krb5.rcache to
>> control what rcache type should be used. Besides the original one
>> (which does not need this system property to be set), we support dfl
>> and none now. Also, sun.security.krb5.acceptor.subkey can be set to
>> true to let acceptor generate a sub-key, so that even if a replayed
>> authenticator is not detected, a replayed message won't work.
>>
>> Thanks
>> Max
>


More information about the security-dev mailing list