RFR 8044215: Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential)

Wang Weijun weijun.wang at oracle.com
Wed Oct 8 13:34:39 UTC 2014

Ping again.


On Sep 28, 2014, at 16:55, Wang Weijun <weijun.wang at oracle.com> wrote:

> Please review the fix at
>   http://cr.openjdk.java.net/~weijun/8044215/webrev.00
> If a service is using constrained delegation to act as a client, it should not be able to request a traditional delegation to another service (on behalf of the client). Otherwise it automatically elevates itself into a higher privilege and thus breaks out of the constrained state.
> Java currently does not prevent the request from being sent out, and when the KDC denies the request, the user would see a confusing error message "Client principal does not match". Actually, here the KDC is sending back a ticket for the service itself (instead of for the client).
> This fix simply ignores any traditional delegation request in this case so the request will never be sent out. Throwing an exception in this case is not a good solution because the application might not be able to know if it's using a constrained delegation or a traditional delegation. If it's a constrained delegation and the KDC has been configured to allow a further constrained delegation to the 2nd service, it would still work anyway (because a constrained delegation does not need a request).
> Thanks
> Max
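The practical consequence of the change described above is that a service holding an S4U2Proxy credential can no longer rely on `requestCredDeleg(true)` being honoured; it has to read `getCredDelegState()` after the context is established. The following is an added illustration of that check, not code from the mail or the webrev; the principal names, the mechanism Oids and the caller-supplied `exchange` transport are assumptions.

```java
import java.util.function.UnaryOperator;
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * Middle-tier service that impersonates a client via S4U2Proxy, initiates
 * SPNEGO to a back end, and reports whether traditional delegation was
 * actually granted (with the fix, the request is silently dropped for a
 * Krb5ProxyCredential, so this flag is the only reliable signal).
 * Assumes a Kerberos/JAAS login for the service is already in place and the
 * caller provides the token transport to the back end (placeholder).
 */
public class ProxyDelegCheck {
    static final Oid KRB5 = oid("1.2.840.113554.1.2.2");   // Kerberos V5
    static final Oid SPNEGO = oid("1.3.6.1.5.5.2");        // SPNEGO

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** Returns true only if the peer really accepted credential delegation. */
    public static boolean initiateAsClient(String client, String backendSpn,
                                           UnaryOperator<byte[]> exchange) throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        // The service's own credential, from the current Kerberos login (default principal).
        GSSCredential self = mgr.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                                                  KRB5, GSSCredential.INITIATE_ONLY);
        // S4U2Self: obtain a credential on behalf of the client (a Krb5ProxyCredential).
        GSSName clientName = mgr.createName(client, GSSName.NT_USER_NAME);
        GSSCredential proxy = ((ExtendedGSSCredential) self).impersonate(clientName);

        // S4U2Proxy happens when the context is initiated toward the back end.
        GSSName target = mgr.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(target, SPNEGO, proxy, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        ctx.requestCredDeleg(true);  // ignored for a proxy credential; do not trust this alone

        byte[] inToken = new byte[0];
        while (!ctx.isEstablished()) {
            byte[] outToken = ctx.initSecContext(inToken, 0, inToken.length);
            if (outToken != null) {
                inToken = exchange.apply(outToken);  // placeholder transport to the back end
            }
        }
        boolean delegated = ctx.getCredDelegState();
        ctx.dispose();
        return delegated;
    }
}
```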
