diff options
Diffstat (limited to 'src/share/lib/security/java.security-macosx')
| -rw-r--r-- | src/share/lib/security/java.security-macosx | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/src/share/lib/security/java.security-macosx b/src/share/lib/security/java.security-macosx index 8af804b714..6404a382ec 100644 --- a/src/share/lib/security/java.security-macosx +++ b/src/share/lib/security/java.security-macosx @@ -344,7 +344,7 @@ networkaddress.cache.negative.ttl=10 # By default, the location of the OCSP responder is determined implicitly # from the certificate being validated. This property explicitly specifies # the location of the OCSP responder. The property is used when the -# Authority Information Access extension (defined in RFC 3280) is absent +# Authority Information Access extension (defined in RFC 5280) is absent # from the certificate or when it requires overriding. # # Example, @@ -423,6 +423,32 @@ networkaddress.cache.negative.ttl=10 # krb5.kdc.bad.policy = tryLess:2,2000 krb5.kdc.bad.policy = tryLast +# +# Kerberos cross-realm referrals (RFC 6806) +# +# OpenJDK's Kerberos client supports cross-realm referrals as defined in +# RFC 6806. This allows to setup more dynamic environments in which clients +# do not need to know in advance how to reach the realm of a target principal +# (either a user or service). +# +# When a client issues an AS or a TGS request, the "canonicalize" option +# is set to announce support of this feature. A KDC server may fulfill the +# request or reply referring the client to a different one. If referred, +# the client will issue a new request and the cycle repeats. +# +# In addition to referrals, the "canonicalize" option allows the KDC server +# to change the client name in response to an AS request. For security reasons, +# RFC 6806 (section 11) FAST scheme is enforced. +# +# Disable Kerberos cross-realm referrals. Value may be overwritten with a +# System property (-Dsun.security.krb5.disableReferrals). +sun.security.krb5.disableReferrals=false + +# Maximum number of AS or TGS referrals to avoid infinite loops. Value may +# be overwritten with a System property (-Dsun.security.krb5.maxReferrals). +sun.security.krb5.maxReferrals=5 + +# # Algorithm restrictions for certification path (CertPath) processing # # In some environments, certain algorithms or key lengths may be undesirable @@ -864,8 +890,8 @@ jdk.xml.dsig.secureValidationPolicy=\ # Patterns are separated by ";" (semicolon). # Whitespace is significant and is considered part of the pattern. # -# If the system property jdk.serialFilter is also specified, it supersedes -# the security property value defined here. +# If the system property jdk.serialFilter is also specified on the command +# line, it supersedes the security property value defined here. # # If a pattern includes a "=", it sets a limit. # If a limit appears more than once the last value is used. |