RFR 8005819: Support cross-realm MSSFU

Weijun Wang weijun.wang at oracle.com
Fri Dec 6 08:27:51 UTC 2019

Hi Martin,

Looks fine overall. Only two suggestions:

1. Can we change the signature of handleS4U2ProxyReferral so that there is only one credsInOut?

   String handleS4U2ProxyReferral(Credentials asCreds,
        Credentials[] credsInOut, PrincipalName sname)

and call it with "new Credentials[] {creds, null}"?

Then you can clearly specify

  input: first referral TGT for S4U2proxy, null
  output: service's final referral TGT, client's final referral TGT

2. Can we add a S4U2Type argument in serviceCreds(options,...)? Then its callers can specify it directly and there is no need for this method to guess it out.


p.s. Something related but not for this enhancement. The getTGTforRealm method should not call Realm.getRealmsList() (i.e. use [capaths] in krb5.conf) when using referral. It should just follow the referral.

> On Nov 1, 2019, at 5:37 AM, Martin Balao <mbalao at redhat.com> wrote:
> Hi,
> Webrev.02:
> * http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.02/
> Changes:
> * No need to create a new sname PrincipalName in
> CredentialsUtil::handleS4U2ProxyReferral as it's not mutable.
> Regards,
> Martin.-

More information about the security-dev mailing list