RFR 8131051: KDC might issue a renewable ticket even if not requested

Weijun Wang weijun.wang at oracle.com
Tue Jul 21 08:12:08 UTC 2015

Ping again.

Basically, Java currently requires the renewable flag of a ticket to be 
identical to the renewable flag in the request, and thus rejects the 
following legal case:

  - Client requests for a non-renewable ticket with a lifetime of 2 days

  - KDC thinks 2 days is too long, instead, it issues a ticket with a 
lifetime of 10 hours, but makes it renewable with 2 days


On 07/13/2015 05:12 PM, Weijun Wang wrote:
> Hi All
> Please take a look at the fix at
>    http://cr.openjdk.java.net/~weijun/8131051/webrev.00/
> When a ticket request has a ticket_lifetime that the KDC considers too
> long it will issue a renewable ticket with a shorter lifetime.
> Unfortunately, JDK does not accept this.
> Thanks
> Max

More information about the security-dev mailing list