RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Weijun Wang
Hi All

Please review the following release notes. For each one, I've listed the
JBS URL for the release-note task, the original bug (in parentheses),
the synopsis, and the intended release note text:

https://bugs.openjdk.java.net/browse/JDK-8173011
(https://bugs.openjdk.java.net/browse/JDK-8029995)
accept yes/no for boolean krb5.conf settings

    krb5.conf now accepts "yes" or "no" for boolean-valued settings.

https://bugs.openjdk.java.net/browse/JDK-8173012
(https://bugs.openjdk.java.net/browse/JDK-8044085)
Access ExtendedGSSContext.inquireSecContext() result through SASL

    The output of `ExtendedGSSContext.inquireSecContext()` is now
available as negotiated properties for the SASL GSSAPI mechanism using
the name "com.sun.security.jgss.inquiretype.<type_name>", where
"type_name" is the string form of the `InquireType` enum parameter in
lower case, for example,
"com.sun.security.jgss.inquiretype.krb5_get_session_key_ex" for the
session key of an established Kerberos 5 security context.

https://bugs.openjdk.java.net/browse/JDK-8173014
(https://bugs.openjdk.java.net/browse/JDK-8047789)
auth.login.LoginContext needs to be updated to work with modules

    After this change, besides including the necessary methods
(`initialize`, `login`, `logout`, `commit`, `abort`), any login module
must implement the `LoginModule` interface. Otherwise a `LoginException`
will be thrown when the login module is used.

https://bugs.openjdk.java.net/browse/JDK-8173015
(https://bugs.openjdk.java.net/browse/JDK-8056174)
New APIs for jar signing

    A new `jdk.security.jarsigner.JarSigner` API is added to the
`jdk.jartool` module which can be used to sign a jar file.

https://bugs.openjdk.java.net/browse/JDK-8173016
(https://bugs.openjdk.java.net/browse/JDK-8147400)
Deprecate policytool

    The policytool is moved to the `jdk.policytool` and deprecated.

https://bugs.openjdk.java.net/browse/JDK-8173017
(https://bugs.openjdk.java.net/browse/JDK-8157848)
Deprecate the javax.security.auth.Policy API with forRemoval=true

    The `javax.security.auth.Policy` class has been deprecated since JDK
1.4 and superseded/replaced by java.security.Policy. It is now marked
`forRemoval=true` and will be removed in a future release.

Thanks
Max
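
An added example (not part of the original message or of the JDK sources) illustrating the JDK-8173014 note above: two login modules with the same five methods, only one of which declares `implements LoginModule`. The class names, the "demo" entry name and the in-memory `Configuration` are assumptions made for this sketch; it targets JDK 9 or later.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LoginModuleCheck {
    // Conforming module: declares the interface (hypothetical, always succeeds).
    public static class GoodModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login()  { return true; }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    // Same method shapes, but no "implements LoginModule" (hypothetical).
    public static class DuckTypedModule {
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login()  { return true; }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    // In-memory JAAS configuration with a single REQUIRED entry for the given class.
    static Configuration configFor(Class<?> module) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
                module.getName(), LoginModuleControlFlag.REQUIRED, Map.of());
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { entry };
            }
        };
    }

    // Runs a login through LoginContext and reports whether a LoginException was raised.
    static String tryLogin(Class<?> module) {
        try {
            new LoginContext("demo", new Subject(), null, configFor(module)).login();
            return "login succeeded";
        } catch (LoginException e) {
            return "LoginException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("GoodModule      -> " + tryLogin(GoodModule.class));
        System.out.println("DuckTypedModule -> " + tryLogin(DuckTypedModule.class));
    }
}
```

Running the same check against third-party or in-house login modules before a JDK upgrade shows which ones rely on method shape alone and need the interface declared.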

Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Weijun Wang
One more:

https://bugs.openjdk.java.net/browse/JDK-8173018
(https://bugs.openjdk.java.net/browse/JDK-8076535)
Deprecate the com.sun.jarsigner package

     The `com.sun.jarsigner` package is being deprecated. This includes
the `ContentSigner` class, the `ContentSignerParameters` interface, and
the jarsigner command's "-altsigner" and "-altsignerpath" options.

Thanks
Max

On 01/19/2017 10:40 AM, Weijun Wang wrote:

> Hi All
>
> Please review the following release notes. For each one, I've listed the
> JBS URL for the release-note task, the original bug (in parentheses),
> the synopsis, and the intended release note text:
>
> https://bugs.openjdk.java.net/browse/JDK-8173011
> (https://bugs.openjdk.java.net/browse/JDK-8029995)
> accept yes/no for boolean krb5.conf settings
>
>    krb5.conf now accepts "yes" or "no" for boolean-valued settings.
>
> https://bugs.openjdk.java.net/browse/JDK-8173012
> (https://bugs.openjdk.java.net/browse/JDK-8044085)
> Access ExtendedGSSContext.inquireSecContext() result through SASL
>
>    The output of `ExtendedGSSContext.inquireSecContext()` is now
> available as negotiated properties for the SASL GSSAPI mechanism using
> the name "com.sun.security.jgss.inquiretype.<type_name>", where
> "type_name" is the string form of the `InquireType` enum parameter in
> lower case, for example,
> "com.sun.security.jgss.inquiretype.krb5_get_session_key_ex" for the
> session key of an established Kerberos 5 security context.
>
> https://bugs.openjdk.java.net/browse/JDK-8173014
> (https://bugs.openjdk.java.net/browse/JDK-8047789)
> auth.login.LoginContext needs to be updated to work with modules
>
>    After this change, besides including the necessary methods
> (`initialize`, `login`, `logout`, `commit`, `abort`), any login module
> must implement the `LoginModule` interface. Otherwise a `LoginException`
> will be thrown when the login module is used.
>
> https://bugs.openjdk.java.net/browse/JDK-8173015
> (https://bugs.openjdk.java.net/browse/JDK-8056174)
> New APIs for jar signing
>
>    A new `jdk.security.jarsigner.JarSigner` API is added to the
> `jdk.jartool` module which can be used to sign a jar file.
>
> https://bugs.openjdk.java.net/browse/JDK-8173016
> (https://bugs.openjdk.java.net/browse/JDK-8147400)
> Deprecate policytool
>
>    The policytool is moved to the `jdk.policytool` and deprecated.
>
> https://bugs.openjdk.java.net/browse/JDK-8173017
> (https://bugs.openjdk.java.net/browse/JDK-8157848)
> Deprecate the javax.security.auth.Policy API with forRemoval=true
>
>    The `javax.security.auth.Policy` class has been deprecated since JDK
> 1.4 and superseded/replaced by java.security.Policy. It is now marked
> `forRemoval=true` and will be removed in a future release.
>
> Thanks
> Max

Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Weijun Wang
Another one:

https://bugs.openjdk.java.net/browse/JDK-8173035
(https://bugs.openjdk.java.net/browse/JDK-8029904)
Remove com.sun.security.auth.callback.DialogCallbackHandler

     `com.sun.security.auth.callback.DialogCallbackHandler` has been
removed in JDK 9. This class, in the JDK-specific extensions to JAAS,
was deprecated in JDK 8 and previously flagged for removal.

Thanks
Max

On 01/19/2017 10:45 AM, Weijun Wang wrote:

> One more:
>
> https://bugs.openjdk.java.net/browse/JDK-8173018
> (https://bugs.openjdk.java.net/browse/JDK-8076535)
> Deprecate the com.sun.jarsigner package
>
>     The `com.sun.jarsigner` package is being deprecated. This includes
> the `ContentSigner` class, the `ContentSignerParameters` interface, and
> the jarsigner command's "-altsigner" and "-altsignerpath" options.
>
> Thanks
> Max
>
> On 01/19/2017 10:40 AM, Weijun Wang wrote:
>> Hi All
>>
>> Please review the following release notes. For each one, I've listed the
>> JBS URL for the release-note task, the original bug (in parentheses),
>> the synopsis, and the intended release note text:
>>
>> https://bugs.openjdk.java.net/browse/JDK-8173011
>> (https://bugs.openjdk.java.net/browse/JDK-8029995)
>> accept yes/no for boolean krb5.conf settings
>>
>>    krb5.conf now accepts "yes" or "no" for boolean-valued settings.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8173012
>> (https://bugs.openjdk.java.net/browse/JDK-8044085)
>> Access ExtendedGSSContext.inquireSecContext() result through SASL
>>
>>    The output of `ExtendedGSSContext.inquireSecContext()` is now
>> available as negotiated properties for the SASL GSSAPI mechanism using
>> the name "com.sun.security.jgss.inquiretype.<type_name>", where
>> "type_name" is the string form of the `InquireType` enum parameter in
>> lower case, for example,
>> "com.sun.security.jgss.inquiretype.krb5_get_session_key_ex" for the
>> session key of an established Kerberos 5 security context.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8173014
>> (https://bugs.openjdk.java.net/browse/JDK-8047789)
>> auth.login.LoginContext needs to be updated to work with modules
>>
>>    After this change, besides including the necessary methods
>> (`initialize`, `login`, `logout`, `commit`, `abort`), any login module
>> must implement the `LoginModule` interface. Otherwise a `LoginException`
>> will be thrown when the login module is used.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8173015
>> (https://bugs.openjdk.java.net/browse/JDK-8056174)
>> New APIs for jar signing
>>
>>    A new `jdk.security.jarsigner.JarSigner` API is added to the
>> `jdk.jartool` module which can be used to sign a jar file.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8173016
>> (https://bugs.openjdk.java.net/browse/JDK-8147400)
>> Deprecate policytool
>>
>>    The policytool is moved to the `jdk.policytool` and deprecated.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8173017
>> (https://bugs.openjdk.java.net/browse/JDK-8157848)
>> Deprecate the javax.security.auth.Policy API with forRemoval=true
>>
>>    The `javax.security.auth.Policy` class has been deprecated since JDK
>> 1.4 and superseded/replaced by java.security.Policy. It is now marked
>> `forRemoval=true` and will be removed in a future release.
>>
>> Thanks
>> Max

Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Xuelei Fan-2
In reply to this post by Weijun Wang
On 1/18/2017 6:40 PM, Weijun Wang wrote:
> https://bugs.openjdk.java.net/browse/JDK-8173011
> (https://bugs.openjdk.java.net/browse/JDK-8029995)
> accept yes/no for boolean krb5.conf settings
>
>    krb5.conf now accepts "yes" or "no" for boolean-valued settings.
Looks fine to me.  May be nice to state "yes" is equivalent to "true",
and "no" is equivalent to "false" (with an example?).

Xuelei

Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Jamil Nimeh
In reply to this post by Weijun Wang
Hi Max, just one nit for JDK-8044085:

The release note is one sentence, but it is a bit of a run-on. It might
be worth breaking it up into two sentences, the first for the
description and the second containing the example.

Aside from that they look good to me.

--Jamil


On 1/18/2017 6:40 PM, Weijun Wang wrote:

> Hi All
>
> Please review the following release notes. For each one, I've listed
> the JBS URL for the release-note task, the original bug (in
> parentheses), the synopsis, and the intended release note text:
>
> https://bugs.openjdk.java.net/browse/JDK-8173011
> (https://bugs.openjdk.java.net/browse/JDK-8029995)
> accept yes/no for boolean krb5.conf settings
>
>    krb5.conf now accepts "yes" or "no" for boolean-valued settings.
>
> https://bugs.openjdk.java.net/browse/JDK-8173012
> (https://bugs.openjdk.java.net/browse/JDK-8044085)
> Access ExtendedGSSContext.inquireSecContext() result through SASL
>
>    The output of `ExtendedGSSContext.inquireSecContext()` is now
> available as negotiated properties for the SASL GSSAPI mechanism using
> the name "com.sun.security.jgss.inquiretype.<type_name>", where
> "type_name" is the string form of the `InquireType` enum parameter in
> lower case, for example,
> "com.sun.security.jgss.inquiretype.krb5_get_session_key_ex" for the
> session key of an established Kerberos 5 security context.
>
> https://bugs.openjdk.java.net/browse/JDK-8173014
> (https://bugs.openjdk.java.net/browse/JDK-8047789)
> auth.login.LoginContext needs to be updated to work with modules
>
>    After this change, besides including the necessary methods
> (`initialize`, `login`, `logout`, `commit`, `abort`), any login module
> must implement the `LoginModule` interface. Otherwise a
> `LoginException` will be thrown when the login module is used.
>
> https://bugs.openjdk.java.net/browse/JDK-8173015
> (https://bugs.openjdk.java.net/browse/JDK-8056174)
> New APIs for jar signing
>
>    A new `jdk.security.jarsigner.JarSigner` API is added to the
> `jdk.jartool` module which can be used to sign a jar file.
>
> https://bugs.openjdk.java.net/browse/JDK-8173016
> (https://bugs.openjdk.java.net/browse/JDK-8147400)
> Deprecate policytool
>
>    The policytool is moved to the `jdk.policytool` and deprecated.
>
> https://bugs.openjdk.java.net/browse/JDK-8173017
> (https://bugs.openjdk.java.net/browse/JDK-8157848)
> Deprecate the javax.security.auth.Policy API with forRemoval=true
>
>    The `javax.security.auth.Policy` class has been deprecated since
> JDK 1.4 and superseded/replaced by java.security.Policy. It is now
> marked `forRemoval=true` and will be removed in a future release.
>
> Thanks
> Max


Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Weijun Wang
In reply to this post by Xuelei Fan-2


On 01/20/2017 01:57 AM, Xuelei Fan wrote:
> On 1/18/2017 6:40 PM, Weijun Wang wrote:
>> https://bugs.openjdk.java.net/browse/JDK-8173011
>> (https://bugs.openjdk.java.net/browse/JDK-8029995)
>> accept yes/no for boolean krb5.conf settings
>>
>>    krb5.conf now accepts "yes" or "no" for boolean-valued settings.
> Looks fine to me.  May be nice to state "yes" is equivalent to "true",
> and "no" is equivalent to "false" (with an example?).

Good idea, but maybe an example is too much. I assume people will
understand it easily. Furthermore, this is mainly for interop with MIT
krb5. If someone already has a "setting = yes" I don't want Java krb5 to
misunderstand it. This RFE is not intended to persuade people to use the
new values.

Thanks
Max

>
> Xuelei

Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Weijun Wang
In reply to this post by Jamil Nimeh
Hi Jamil

Many thanks for the review. What do you think of the other two in my
follow-up mails?

> https://bugs.openjdk.java.net/browse/JDK-8173035
> (https://bugs.openjdk.java.net/browse/JDK-8029904) Remove
> com.sun.security.auth.callback.DialogCallbackHandler
>
> `com.sun.security.auth.callback.DialogCallbackHandler` has been
> removed in JDK 9. This class, in the JDK-specific extensions to JAAS,
> was deprecated in JDK 8 and previously flagged for removal.
>
>> https://bugs.openjdk.java.net/browse/JDK-8173018
>> (https://bugs.openjdk.java.net/browse/JDK-8076535) Deprecate the
>> com.sun.jarsigner package
>>
>> The `com.sun.jarsigner` package is being deprecated. This includes
>> the `ContentSigner` class, the `ContentSignerParameters` interface,
>> and the jarsigner command's "-altsigner" and "-altsignerpath"
>> options.
>>

Thanks
Max


On 01/20/2017 06:26 AM, Jamil Nimeh wrote:
> Hi Max, just one nit for JDK-8044085:
>
> The release note is one sentence, but it is a bit of a run-on. It
> might be worth breaking it up into two sentences, the first for the
> description and the second containing the example.
>
> Aside from that they look good to me.

Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Sean Mullan
In reply to this post by Weijun Wang
On 1/19/17 9:20 AM, Weijun Wang wrote:

> On 01/19/2017 10:45 AM, Weijun Wang wrote:
>> One more:
>>
>> https://bugs.openjdk.java.net/browse/JDK-8173018
>> (https://bugs.openjdk.java.net/browse/JDK-8076535)
>> Deprecate the com.sun.jarsigner package
>>
>>     The `com.sun.jarsigner` package is being deprecated. This includes
>> the `ContentSigner` class, the `ContentSignerParameters` interface, and
>> the jarsigner command's "-altsigner" and "-altsignerpath" options.

Looks good.

--Sean

Re: RFR release notes for multiple enhancements: krb5, SASL, JAAS, policytool

Sean Mullan
In reply to this post by Weijun Wang
On 1/19/17 9:20 AM, Weijun Wang wrote:
> Another one:
>
> https://bugs.openjdk.java.net/browse/JDK-8173035
> (https://bugs.openjdk.java.net/browse/JDK-8029904)
> Remove com.sun.security.auth.callback.DialogCallbackHandler
>
>     `com.sun.security.auth.callback.DialogCallbackHandler` has been
> removed in JDK 9. This class, in the JDK-specific extensions to JAAS,
> was deprecated in JDK 8 and previously flagged for removal.

Looks good.

--Sean