RFR 8186576: KerberosTicket does not properly handle renewable tickets at the end of their lifetime

Weijun Wang weijun.wang at oracle.com
Thu Aug 24 23:44:20 UTC 2017


> On Aug 25, 2017, at 6:27 AM, Xuelei Fan <xuelei.fan at oracle.com> wrote:
> 
> javax/security/auth/kerberos/KerberosTicket.java
> ------------------------------------------------
> if (getRenewTill() == null) {
>    // The current ticket's lifetime is greater than renew_until.
>    // No need to refresh.
>    return;
> }
> 
> The comment is confusing to me.  Per the getRenewTill() specification, does "getRenewTill() == null" means the ticket is non-renewable (destroyed)?

This is a bug of MIT krb5's kdc implementation, which wrongly issues a renewable ticket without the renew_till field. We will have to deal with it.

getRenewTill()'s spec says null is return if the ticket is non-renewable (destroyed), but has not said it does not return null if it's renewable. Of course, it's an error case but I mean the spec has not enforced it.

I can enhance the comment to something like "Renewable ticket without renew_until. This is illegal and let's ignore it".

--Max

> 
> Xuelei
> 
> On 8/24/2017 2:28 AM, Weijun Wang wrote:
>> Please review the fix at
>>    http://cr.openjdk.java.net/~weijun/8186576/webrev.00
>> This is a MIT/krb5 bug [1], but we will accept it anyway. Also, renew such a ticket is now a no-op because the lifetime will not be extended anyway.
>> New test included.
>> Thanks
>> Max
>> [1] http://mailman.mit.edu/pipermail/krbdev/2017-August/012809.html




More information about the security-dev mailing list