Code review request: 8001326: Improve Kerberos replay caching
weijun.wang at oracle.com
Wed Jun 5 18:32:29 PDT 2013
On 5/31/13 9:16 AM, Valerie (Yu-Ching) Peng wrote:
> One question:
> In DflCache.java, you mentioned that the old style block is always
> created even if a new style is available.
> When both are present, is it always new style before old one? The impl
> in DflCache.java seems to assume this.
Yes. This is also what MIT krb5 does. I can add a comment on it.
> On 05/28/13 01:45, Weijun Wang wrote:
>> Please review the code changes at
>> Two new system properties are introduced. sun.security.krb5.rcache to
>> control what rcache type should be used. Besides the original one
>> (which does not need this system property to be set), we support dfl
>> and none now. Also, sun.security.krb5.acceptor.subkey can be set to
>> true to let acceptor generate a sub-key, so that even if a replayed
>> authenticator is not detected, a replayed message won't work.
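
The two defences described in the message above, as an added Java illustration that is not part of the e-mail or of the JDK change under review: a replay cache that remembers authenticators, and an acceptor-generated sub-key that makes captured messages useless when no cache is in use. Class and method names are hypothetical, the cache key fields and the use of HMAC-SHA256 as a stand-in for Kerberos message protection are assumptions, and the sample values are constructed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;

// Added illustration, not JDK code. All names here are hypothetical.
public class ReplayDemo {
    // Replay cache: remembers the identifying fields of each authenticator accepted.
    static final Set<String> seen = new HashSet<>();

    // Returns true if an identical authenticator was already recorded (a replay).
    static boolean isReplay(String client, String server, long ctime, int cusec) {
        return !seen.add(client + "|" + server + "|" + ctime + "|" + cusec);
    }

    // Stand-in for Kerberos message protection: HMAC-SHA256 under the given key.
    static byte[] protect(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // The acceptor picks a fresh random sub-key for every exchange it accepts.
    static byte[] newSubkey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return k;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample authenticator fields.
        String c = "alice@EXAMPLE.COM", s = "host/srv.example.com@EXAMPLE.COM";
        long ctime = 1370482349L;
        int cusec = 1234;

        // With a replay cache, the second presentation is flagged.
        System.out.println("first presentation is replay?  " + isReplay(c, s, ctime, cusec));
        System.out.println("second presentation is replay? " + isReplay(c, s, ctime, cusec));

        // Without a cache (rcache type "none") but with an acceptor sub-key:
        byte[] subkey1 = newSubkey();                       // original exchange
        byte[] captured = protect(subkey1, "transfer 100"); // message an observer recorded
        byte[] subkey2 = newSubkey();                       // exchange opened by the replayed authenticator
        boolean ok = MessageDigest.isEqual(captured, protect(subkey2, "transfer 100"));
        System.out.println("captured message verifies under new sub-key? " + ok);
    }
}
```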