RFR 8131051: KDC might issue a renewable ticket even if not requested
Xuelei Fan
xuelei.fan at oracle.com
Tue Jul 21 08:36:14 UTC 2015
Looks fine to me.
Hm, it's an interesting behavior of KDC.
Xuelei
On 7/21/2015 4:12 PM, Weijun Wang wrote:
> Ping again.
>
> Basically, Java currently requires the renewable flag of a ticket to be
> identical to the renewable flag in the request, and thus rejects the
> following legal case:
>
> - Client requests a non-renewable ticket with a lifetime of 2 days
>
> - KDC thinks 2 days is too long, instead, it issues a ticket with a
> lifetime of 10 hours, but makes it renewable with 2 days
>
> Thanks
> Max
>
>
> On 07/13/2015 05:12 PM, Weijun Wang wrote:
>> Hi All
>>
>> Please take a look at the fix at
>>
>> http://cr.openjdk.java.net/~weijun/8131051/webrev.00/
>>
>> When a ticket request has a ticket_lifetime that the KDC considers too
>> long it will issue a renewable ticket with a shorter lifetime.
>> Unfortunately, JDK does not accept this.
>>
>> Thanks
>> Max
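
The case from the thread, as an added example that is not code from the webrev or the JDK: the exact-match rule described above next to one possible relaxed rule. The `Request` and `Ticket` records, both method names, the sample times and the rule that an unrequested renewable ticket must stay within the requested end time are assumptions of this example.

```java
import java.time.Duration;
import java.time.Instant;

public class RenewableFlagCheck {
    // Hypothetical, simplified views of the request and of the issued ticket.
    record Request(boolean renewable, Instant till) {}
    record Ticket(boolean renewable, Instant endTime, Instant renewTill) {}

    // Rule described in the thread: the two renewable flags must be identical.
    static boolean strictCheck(Request req, Ticket t) {
        return req.renewable() == t.renewable();
    }

    // Assumed relaxed rule (not taken from the webrev): a renewable request
    // must get a renewable ticket; an unrequested RENEWABLE flag is accepted
    // only if the renew-till time stays within the requested end time.
    static boolean relaxedCheck(Request req, Ticket t) {
        if (t.endTime().isAfter(req.till())) {
            return false; // ticket outlives what the client asked for
        }
        if (req.renewable()) {
            return t.renewable();
        }
        return !t.renewable()
                || (t.renewTill() != null && !t.renewTill().isAfter(req.till()));
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2015-07-21T08:00:00Z"); // constructed sample time
        // Client asks for a non-renewable ticket with a lifetime of 2 days.
        Request req = new Request(false, now.plus(Duration.ofDays(2)));
        // KDC issues a 10-hour ticket that is renewable for 2 days.
        Ticket issued = new Ticket(true, now.plus(Duration.ofHours(10)),
                now.plus(Duration.ofDays(2)));
        // Constructed counter-case: renewable far beyond the requested 2 days.
        Ticket tooLong = new Ticket(true, now.plus(Duration.ofHours(10)),
                now.plus(Duration.ofDays(30)));

        System.out.println("strict,  issued : " + strictCheck(req, issued));
        System.out.println("relaxed, issued : " + relaxedCheck(req, issued));
        System.out.println("relaxed, tooLong: " + relaxedCheck(req, tooLong));
    }
}
```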