JDK-8326381

com.sun.net.httpserver.HttpsParameters and SSLStreams incorrectly handle needClientAuth and wantClientAuth


    • Bug
    • Resolution: Fixed
    • P4
    • 23
    • None
    • core-libs
    • None
    • b14

      com.sun.net.httpserver.HttpsParameters has the setNeedClientAuth(boolean) method which says:

      > Sets whether client authentication should be required. Calling this method clears the {@code wantClientAuth} flag.

      However, the implementation of this method doesn't currently clear the wantClientAuth flag.

      This same class has another method setWantClientAuth(boolean) which says:

      > Sets whether client authentication should be requested. Calling this method clears the {@code needClientAuth} flag.

      The implementation of this method doesn't clear the needClientAuth flag.

      These methods are similar to the methods on javax.net.ssl.SSLParameters class and match the javadoc of the methods on SSLParameters. It's the implementation of these methods in HttpsParameters which needs to be fixed to match their API javadoc.

      Furthermore, related to the HttpsParameters class, there's the sun.net.httpserver.SSLStreams class which uses the configured values of needClientAuth and wantClientAuth from the HttpsParameters instance and sets it on the SSLEngine:

                      engine.setNeedClientAuth (params.getNeedClientAuth());
                      engine.setWantClientAuth (params.getWantClientAuth());

      This, however, is an incorrect way to do it, since the SSLEngine's setNeedClientAuth and setWantClientAuth reset the state of these mutually exclusive flags.

            jpai Jaikiran Pai
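
The SSLEngine behaviour described in the report can be reproduced with a plain server-side engine. The following is an added example, not code from the report or from the JDK sources; the class name, the helper methods and the "need takes precedence" ordering in copyConfiguredFlag are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ClientAuthPropagation {

    // The pattern quoted in the report: both setters are always called, so
    // the second call overrides whatever the first one established.
    static void copyBothFlags(SSLEngine engine, boolean need, boolean want) {
        engine.setNeedClientAuth(need);
        engine.setWantClientAuth(want);
    }

    // One way to avoid the override (illustrative): call only the setter for
    // the mode that is actually configured, "need" taking precedence.
    static void copyConfiguredFlag(SSLEngine engine, boolean need, boolean want) {
        if (need) {
            engine.setNeedClientAuth(true);
        } else if (want) {
            engine.setWantClientAuth(true);
        } else {
            engine.setNeedClientAuth(false); // leaves both flags cleared
        }
    }

    // Reads the effective client authentication mode back from the engine.
    static String mode(SSLEngine engine) {
        if (engine.getNeedClientAuth()) return "required";
        if (engine.getWantClientAuth()) return "requested";
        return "none";
    }

    static SSLEngine newServerEngine() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false); // client auth flags apply to server mode
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration: mandatory client certificates requested.
        boolean need = true, want = false;

        SSLEngine a = newServerEngine();
        copyBothFlags(a, need, want);
        System.out.println("both setters called:  " + mode(a));

        SSLEngine b = newServerEngine();
        copyConfiguredFlag(b, need, want);
        System.out.println("configured flag only: " + mode(b));
    }
}
```

Reading the mode back from the engine after configuration, as mode() does here, is a direct way to check that a server configured for mandatory client certificates actually enforces them.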