RFR: 8272162: S4U2Self ticket without forwardable flag
Valerie Peng
valeriep at openjdk.java.net
Mon Nov 22 19:06:45 UTC 2021
On Fri, 22 Oct 2021 16:31:02 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set, but some versions of Windows Server do not set the forwardable flag in a S4U2self response and accept it in a S4U2proxy request.
>
> There are 2 commits now. The 1st is a refactoring that sends more info into the methods (Ex: `KdcComm::send(byte[])` -> `KdcComm::send(KrbKdcReq)`, and `Ticket` -> `Credentials` in multiple places) so that inside `KdcComm::send` there is enough info to decide how to deal with various errors. The 2nd is the actual fix to this issue, i.e. ignore the flag and retry another KDC.
src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java line 64:
> 62: PrincipalName sname = middleTGT.getClient();
> 63: String uRealm = user.getRealmString();
> 64: String localRealm = middleTGT.getClient().getRealmString();
nit: can just use sname on line 64?
-------------
PR: https://git.openjdk.java.net/jdk/pull/6082
More information about the security-dev
mailing list