RFR 8215032: Support Kerberos cross-realm referrals (RFC 6806)

Martin Balao mbalao at redhat.com
Tue Apr 30 20:28:21 UTC 2019


Hi Max,

Thanks for your feedback.

Here is Webrev.01:

 * http://cr.openjdk.java.net/~mbalao/webrevs/8215032/8215032.webrev.01/

Webrev.01 includes:

 * rep.encKDCRepPart.pAData may be null in KrbKdcRep.java (found by Max)

 * When requesting a TGS, the sname principal name is of type
KRB_NT_SRV_HST instead of Unknown (found by Max)

 * When a cross-realm TGT is received, it should be used as the TGT
in the next request (found by Max)

 * Referrals Cache updated to send the previously received TGT
  * TGTs are now cached

 * It may not be necessary to do cross-realm authentication when
Referrals Cache is used
  * Moved logic down to serviceCredsSingle method in
CredentialsUtil.java because this is the point where we really know that
the request will be made (requests at a higher layer may be filtered due
to the referrals cache)

 * Cross-referrals test updated to work with the cross-realm TGT received

 * Copyright date update

Testing: jdk/sun/security/krb5 pass - no regressions

Look forward to your comments. I'll start the CSR process meanwhile [1]
(work in progress).

Kind regards,
Martin.-

--
[1] - https://bugs.openjdk.java.net/browse/JDK-8223172


