Conversation
Signed-off-by: Irfan Sharif <IrfanSharif@ibm.com>
ThePrez left a comment
Overall functionality looks good.
Even though the naming was my suggestion, please name the new functions something else. Setting the token explicitly is actually bypassing GSS. So I'd propose something like setKerbTicket.
Can you comment why you permit the Kerberos ticket to be passed in the password field? Should a method be used to set the ticket, instead of passing it through the password?
jeber-ibm left a comment
We need to make sure that the ticket is not visible for a long time in memory. We do not want an attacker to do a memory dump and gain access to the ticket.
The stored ticket should be encrypted so that it is not visible in a memory dump. Just look at how the password is encrypted so that it is not visible in a memory dump.
If the ticket is stored temporarily in a byte[], the byte[] should be cleared after using the ticket.
Also, do not clear the Kerberos ticket if the JDBC connection is closed. The ticket should only be cleared when the AS400 object is closed. If the JDBC connection is closed, the AS400 object could attempt to connect to a different host server. If the ticket is encrypted anyway, it is not so vital to clear it out.
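The in-memory handling the review above asks for (ticket encrypted while stored, plaintext byte[] zeroed right after use, key and ciphertext wiped only when the owning object is closed), as an added Java example that is not JTOpen's own code. The `SealedTicket` class, its AES-GCM choice and the sample token bytes are assumptions for illustration; the project's actual password obfuscation scheme is not reproduced here.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Keeps a Kerberos ticket AES-GCM encrypted in memory; plaintext exists only inside use(). */
public final class SealedTicket {
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] key = new byte[32]; // per-instance key, generated in-process, never persisted
    private final byte[] iv = new byte[12];  // one encryption per key, so a single IV is safe
    private byte[] sealed;                   // ciphertext plus 128-bit GCM tag; null once cleared
    /** Seals the ticket and zeroes the caller's plaintext copy. */
    public SealedTicket(byte[] ticket) throws GeneralSecurityException {
        RNG.nextBytes(key);
        RNG.nextBytes(iv);
        sealed = cipher(Cipher.ENCRYPT_MODE).doFinal(ticket);
        Arrays.fill(ticket, (byte) 0);
    }
    private Cipher cipher(int mode) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }
    /** Decrypts for the callback only, then zeroes the plaintext even if the callback throws. */
    public void use(Consumer<byte[]> consumer) throws GeneralSecurityException {
        if (sealed == null) throw new IllegalStateException("ticket already cleared");
        byte[] plain = cipher(Cipher.DECRYPT_MODE).doFinal(sealed);
        try {
            consumer.accept(plain);
        } finally {
            Arrays.fill(plain, (byte) 0);
        }
    }
    /** Zeroes key and ciphertext; call when the owning AS400 object closes, not per JDBC connection. */
    public void clear() {
        if (sealed != null) Arrays.fill(sealed, (byte) 0);
        sealed = null;
        Arrays.fill(key, (byte) 0);
    }
    public static void main(String[] args) throws Exception {
        // constructed sample bytes; a real token would come from the JGSS API
        byte[] token = "CONSTRUCTED-SAMPLE-TOKEN".getBytes(java.nio.charset.StandardCharsets.US_ASCII);
        SealedTicket t = new SealedTicket(token); // token[] is zeroed by the constructor
        t.use(plain -> System.out.println("ticket bytes available only inside use(): " + plain.length));
        t.clear(); // after this, use() throws IllegalStateException
    }
}
```

Between the constructor and `use()`, a heap dump shows only the ciphertext and a key that is never written anywhere outside the process; the String-based sample token is itself immortal in the JVM, so real callers should start from a byte[] or char[], never a String.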
waiting on changes to be merged into @irfanshar branch: irfanshar#1
Allow authentication by passing in GSSToken in password field