RFR 8022582: Relax response flags checking in sun.security.krb5.KrbKdcRep.check.

Sean Mullan sean.mullan at oracle.com
Mon Jan 26 15:33:11 UTC 2015

Typo on line 941 of KDC.java: s/senstives/sensitives

Also the OS component of the bug is set to "solaris_10", which doesn't 
seem right.

Looks ok otherwise.


On 01/14/2015 11:10 PM, Wang Weijun wrote:
> Hi All
> Please review the code changes at
>    http://cr.openjdk.java.net/~weijun/8022582/webrev.00
> Sometimes a forwardable ticket request is sent but the KDC returns a non-forwardable one. For example, in Windows, an account can be set as "sensitive and cannot be delegated". While it's possible to remove the "forwardable=true" line in krb5.conf to avoid the check failure, the file is global and maybe another account wants to be delegated. Therefore we just relax the forwardable check.
> KrbTgsReq is also modified so that one can get a service ticket when TGT is not forwardable.
> One special case is S4U2self request, both the existing ticket and the expected ticket must be forwardable, and we fail early if one is not.
> A new test simulates the "sensitive account" concept in Windows.
> Thanks
> Max
