RFR 8131051: KDC might issue a renewable ticket even if not requested
Weijun Wang
weijun.wang at oracle.com
Tue Jul 21 08:12:08 UTC 2015
Ping again.
Basically, Java currently requires the renewable flag of a ticket to be
identical to the renewable flag in the request, and thus rejects the
following legal case:
- Client requests a non-renewable ticket with a lifetime of 2 days
- KDC thinks 2 days is too long; instead, it issues a ticket with a
  lifetime of 10 hours, but makes it renewable for 2 days
Thanks
Max
On 07/13/2015 05:12 PM, Weijun Wang wrote:
> Hi All
>
> Please take a look at the fix at
>
> http://cr.openjdk.java.net/~weijun/8131051/webrev.00/
>
> When a ticket request has a ticket_lifetime that the KDC considers too
> long, it will issue a renewable ticket with a shorter lifetime.
> Unfortunately, JDK does not accept this.
>
> Thanks
> Max
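
The check discussed in this thread, as an added illustration that is not code from the webrev or the JDK: a strict flag comparison rejects the reply from the message, while a lenient check accepts it and still bounds the ticket times. The `Request` and `Ticket` records, both method names and the time bounds in `lenientCheck` are assumptions made for this example.

```java
import java.time.Duration;
import java.time.Instant;

public class RenewableReplyCheck {
    // Hypothetical, simplified views of a KDC request and the issued ticket.
    record Request(boolean renewable, Instant till) {}
    record Ticket(boolean renewable, Instant endTime, Instant renewTill) {}

    // Behaviour the message describes: the renewable flags must be identical.
    static boolean strictCheck(Request req, Ticket t) {
        return req.renewable() == t.renewable();
    }

    // Assumed lenient policy for this example: a renewable request must get a
    // renewable ticket, but an unrequested renewable flag is tolerated as long
    // as neither the lifetime nor the renew-till time exceeds the requested till.
    static boolean lenientCheck(Request req, Ticket t) {
        if (req.renewable() && !t.renewable()) {
            return false;
        }
        if (t.endTime().isAfter(req.till())) {
            return false;
        }
        if (!req.renewable() && t.renewable()) {
            return t.renewTill() != null && !t.renewTill().isAfter(req.till());
        }
        return true;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2015-07-21T08:00:00Z"); // constructed sample time
        // The case from the message: 2 days requested, non-renewable ...
        Request req = new Request(false, now.plus(Duration.ofDays(2)));
        // ... and the KDC answers with 10 hours, renewable up to 2 days.
        Ticket issued = new Ticket(true, now.plus(Duration.ofHours(10)),
                                   now.plus(Duration.ofDays(2)));
        System.out.println("strict accepts:  " + strictCheck(req, issued));
        System.out.println("lenient accepts: " + lenientCheck(req, issued));

        // Constructed counter-case: renewable requested, plain ticket returned.
        Request wantRenew = new Request(true, now.plus(Duration.ofDays(2)));
        Ticket plain = new Ticket(false, now.plus(Duration.ofHours(10)), null);
        System.out.println("lenient accepts downgrade: " + lenientCheck(wantRenew, plain));
    }
}
```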