RFR 8044215: Unable to initiate SpNego using a S4U2Proxy GSSCredential (Krb5ProxyCredential)

Wang Weijun weijun.wang at oracle.com
Sun Sep 28 08:55:23 UTC 2014


Please review the fix at

   http://cr.openjdk.java.net/~weijun/8044215/webrev.00

If a service is using constrained delegation to act as a client, it should not be able to request a traditional delegation to another service (on behalf of the client). Otherwise it automatically elevates itself into a higher privilege and thus breaks out of the constrained state.

Java currently does not prevent the request from being sent out, and when the KDC denies the request, the user would see a confusing error message "Client principal does not match". Actually here the KDC is sending back a ticket for the service itself (instead of for the client).

This fix simply ignores any traditional delegation request in this case so the request will never be sent out. Throwing an exception in this case is not a good solution because the application might not be able to know if it's using a constrained delegation or a traditional delegation. If it's a constrained delegation and the KDC has been configured to allow a further constrained delegation to the 2nd service, it would still work anyway (because a constrained delegation does not need a request).

Thanks
Max



