RFR: 8272162: S4U2Self ticket without forwardable flag [v2]
Weijun Wang
weijun at openjdk.java.net
Wed Nov 24 02:45:37 UTC 2021
> The S4U2proxy extension requires that the service ticket to the first service has the forwardable flag set, but some versions of Windows Server do not set the forwardable flag in an S4U2self response and accept it in an S4U2proxy request.
>
> There are 2 commits now. The 1st is a refactoring that sends more info into the methods (Ex: `KdcComm::send(byte[])` -> `KdcComm::send(KrbKdcReq)`, and `Ticket` -> `Credentials` in multiple places) so that inside `KdcComm::send` there is enough info to decide how to deal with various errors. The 2nd is the actual fix to this issue, i.e. ignore the flag and retry another KDC.
Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
some word changes
-------------
Changes:
- all: https://git.openjdk.java.net/jdk/pull/6082/files
- new: https://git.openjdk.java.net/jdk/pull/6082/files/c07e6f64..1f93a881
Webrevs:
- full: https://webrevs.openjdk.java.net/?repo=jdk&pr=6082&range=01
- incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=6082&range=00-01
Stats: 5 lines in 3 files changed: 0 ins; 0 del; 5 mod
Patch: https://git.openjdk.java.net/jdk/pull/6082.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/6082/head:pull/6082
PR: https://git.openjdk.java.net/jdk/pull/6082