RFR 8215032: Support Kerberos cross-realm referrals (RFC 6806)
Martin Balao
mbalao at redhat.com
Tue Apr 30 20:28:21 UTC 2019
Hi Max,
Thanks for your feedback.
Here is Webrev.01:
* http://cr.openjdk.java.net/~mbalao/webrevs/8215032/8215032.webrev.01/
Webrev.01 includes:
* rep.encKDCRepPart.pAData may be null in KrbKdcRep.java (found by Max)
* When requesting a TGS, the sname principal name is of type
KRB_NT_SRV_HST instead of Unknown (found by Max)
* When a cross-realm TGT is received, it should be used as the TGT
in the next request (found by Max)
* Referrals Cache updated to send the previously received TGT
* TGTs are now cached
* It may not be necessary to do cross-realm authentication when
Referrals Cache is used
* Moved logic down to serviceCredsSingle method in
CredentialsUtil.java because this is the point where we really know that
the request will be made (requests at a higher layer may be filtered due
to the referrals cache)
* Cross-referrals test updated to work with the cross-realm TGT received
* Copyright date update
Testing: jdk/sun/security/krb5 pass - no regressions
Look forward to your comments. I'll start the CSR process meanwhile [1]
(work in progress).
Kind regards,
Martin.-
--
[1] - https://bugs.openjdk.java.net/browse/JDK-8223172