RFR 8131051: KDC might issue a renewable ticket even if not requested

Xuelei Fan xuelei.fan at oracle.com
Tue Jul 21 08:36:14 UTC 2015


Looks fine to me.

Hm, it's an interesting behavior of KDC.

Xuelei

On 7/21/2015 4:12 PM, Weijun Wang wrote:
> Ping again.
> 
> Basically, Java currently requires the renewable flag of a ticket to be
> identical to the renewable flag in the request, and thus rejects the
> following legal case:
> 
>  - Client requests for a non-renewable ticket with a lifetime of 2 days
> 
>  - KDC thinks 2 days is too long, instead, it issues a ticket with a
> lifetime of 10 hours, but makes it renewable with 2 days
> 
> Thanks
> Max
> 
> 
> On 07/13/2015 05:12 PM, Weijun Wang wrote:
>> Hi All
>>
>> Please take a look at the fix at
>>
>>    http://cr.openjdk.java.net/~weijun/8131051/webrev.00/
>>
>> When a ticket request has a ticket_lifetime that the KDC considers too
>> long it will issue a renewable ticket with a shorter lifetime.
>> Unfortunately, JDK does not accept this.
>>
>> Thanks
>> Max



More information about the security-dev mailing list