RFR 8044215: Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential)

Wang Weijun weijun.wang at oracle.com
Wed Oct 8 13:34:39 UTC 2014


Ping again.

--Max

On Sep 28, 2014, at 16:55, Wang Weijun <weijun.wang at oracle.com> wrote:

> Please review the fix at
> 
>   http://cr.openjdk.java.net/~weijun/8044215/webrev.00
> 
> If a service is using constrained delegation to act as a client, it should not be able to request for a traditional delegation to another service (on behalf of the client). Otherwise it automatically elevate itself into a higher privilege and thus break out the constrained state.
> 
> Java currently does not prevent the request from being sent out, and when the KDC denies the request, user would see a confusing error message "Client principal does not match". Actually here the KDC is sending back a ticket for the service itself (instead of for the client).
> 
> This fix simply ignores any traditional delegation request in this case so the request will never be sent out. Throwing an exception in this case is not a good solution because the application might not be able to know if it's using a constrained delegation or a traditional delegation. If it's a constrained delegation and the KDC has been configured to allow a further constrained delegation to the 2nd service, it would still work anyway (because a constrained delegation does not need a request).
> 
> Thanks
> Max
> 



More information about the security-dev mailing list