[jdev] GSSAPI and service hostname
Simon Wilkinson
sxw at inf.ed.ac.uk
Thu Jan 15 15:31:52 CST 2009
On 15 Jan 2009, at 17:19, Peter Saint-Andre wrote:
>
> AFAIK, no servers implement that yet, and in any case it was designed
> for a slightly different use case (basically situations in which DNS
> SRV results don't tell you the hostname of the connection manager
> you're talking to because load balancers are in use).
GSSAPI domain-based names are specifically designed to deal with the
problem where the connection host is derived through an insecure SRV
lookup, so they're exactly the correct tool to use to resolve this
issue. The problem is with knowing what the other end is prepared to
accept. I suppose if you're using your own SASL implementation you
could do a gss_init_sec_context() for the domain-based name first, and
if that fails, fall back to using the hostname you got through the SRV
lookup.
Simon.
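
Added example, not part of the original message or of any SASL library: a sketch of the try-domain-based-then-fall-back order described above, which also validates the SRV target before it is embedded in a name string and records whether the fallback was used. The callable `init_ctx`, the `GSSFailure` class and the helper names are hypothetical stand-ins for a real gss_import_name() / gss_init_sec_context() binding.

```python
import re
from typing import Callable, Dict, List, Tuple

# Name-type OIDs: RFC 5178 domain-based service, RFC 2744 host-based service.
NT_DOMAINBASED = "1.3.6.1.5.6.5"
NT_HOSTBASED = "1.2.840.113554.1.2.1.4"
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


class GSSFailure(Exception):
    """Hypothetical error raised by init_ctx when context establishment fails."""


def clean_host(name: str) -> str:
    """Normalise a DNS name; reject anything ('@', '/', empty) that could reshape the GSS name."""
    host = name.rstrip(".").lower()
    if not host or len(host) > 253 or not all(_LABEL.fullmatch(p) for p in host.split(".")):
        raise ValueError(f"not a usable hostname: {name!r}")
    return host


def candidate_names(service: str, domain: str, srv_target: str) -> List[Tuple[str, str]]:
    """Names to try, in order: service@domain@hostname (RFC 5178), then service@hostname."""
    domain, host = clean_host(domain), clean_host(srv_target)
    return [(NT_DOMAINBASED, f"{service}@{domain}@{host}"),
            (NT_HOSTBASED, f"{service}@{host}")]


def first_token(service: str, domain: str, srv_target: str,
                init_ctx: Callable[[str, str], bytes]) -> Dict[str, object]:
    """init_ctx(name_type_oid, name) stands in for gss_import_name() followed by
    gss_init_sec_context(); it returns the first token or raises GSSFailure."""
    errors = []
    for oid, name in candidate_names(service, domain, srv_target):
        try:
            token = init_ctx(oid, name)
        except GSSFailure as exc:
            errors.append(f"{name}: {exc}")
            continue
        # bound_to_domain is False when only the SRV-derived hostname was authenticated.
        return {"name": name, "name_type": oid, "token": token,
                "bound_to_domain": oid == NT_DOMAINBASED}
    raise GSSFailure("; ".join(errors))
```

A caller can log or refuse results where `bound_to_domain` is false, since in that case the authenticated name came only from the SRV lookup.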