Ping again. --Max
On Sep 28, 2014, at 16:55, Wang Weijun <weijun.w...@oracle.com> wrote:

> Please review the fix at
>
> http://cr.openjdk.java.net/~weijun/8044215/webrev.00
>
> If a service is using constrained delegation to act as a client, it should
> not be able to request a traditional delegation to another service (on
> behalf of the client). Otherwise it automatically elevates itself into a
> higher privilege and thus breaks out of the constrained state.
>
> Java currently does not prevent the request from being sent out, and when the
> KDC denies the request, the user would see a confusing error message "Client
> principal does not match". Actually here the KDC is sending back a ticket for
> the service itself (instead of for the client).
>
> This fix simply ignores any traditional delegation request in this case so
> the request will never be sent out. Throwing an exception in this case is not
> a good solution because the application might not be able to know if it's
> using a constrained delegation or a traditional delegation. If it's a
> constrained delegation and the KDC has been configured to allow a further
> constrained delegation to the 2nd service, it would still work anyway
> (because a constrained delegation does not need a request).
>
> Thanks
> Max
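As an added illustration (not part of the webrev or the JDK sources), the scenario the fix covers written as JGSS client code: a middle-tier service obtains a credential for the client through S4U2Self (`ExtendedGSSCredential.impersonate`), initiates a context to a backend with that credential while also asking for traditional delegation, and then reads `getCredDelegState()` to confirm that no forwarded TGT was handed on. It assumes a reachable KDC, that the service has already logged in (Subject or credential cache), and hypothetical principal names.

```java
import org.ietf.jgss.*;
import com.sun.security.jgss.ExtendedGSSCredential;

// Middle-tier service acting as a client via constrained delegation
// (S4U2Self through ExtendedGSSCredential.impersonate), then checking
// whether a traditional forwarded-TGT delegation request was honoured.
public class ConstrainedDelegationCheck {
    // Hypothetical principal names; substitute the ones from your realm.
    private static final String CLIENT_PRINCIPAL = "alice@EXAMPLE.COM";
    private static final String BACKEND_SERVICE = "HTTP@backend.example.com";

    // Returns true only if the backend was handed a forwarded TGT for the
    // client, i.e. the service escaped its constrained role.
    public static boolean delegationGrantedToBackend() throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");

        // The service's own credential, from the Subject or credential
        // cache this JVM was started with (assumes a prior Kerberos login).
        GSSCredential self = mgr.createCredential(null,
                GSSCredential.DEFAULT_LIFETIME, krb5, GSSCredential.INITIATE_ONLY);

        // Constrained delegation: S4U2Self yields a credential that lets
        // this service act as CLIENT_PRINCIPAL.
        GSSName client = mgr.createName(CLIENT_PRINCIPAL, GSSName.NT_USER_NAME);
        GSSCredential asClient = ((ExtendedGSSCredential) self).impersonate(client);

        GSSName backend = mgr.createName(BACKEND_SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(backend, krb5, asClient,
                GSSContext.DEFAULT_LIFETIME);

        // A traditional delegation request on top of a constrained one is
        // the case the fix ignores: no forwarded TGT is asked for, so the
        // KDC never replies with the confusing "Client principal does not match".
        ctx.requestCredDeleg(true);
        ctx.requestMutualAuth(false); // one-shot: established after a single call

        byte[] apReq = ctx.initSecContext(new byte[0], 0, 0); // token for the backend
        // With the fix this stays false for an impersonated credential; S4U2Proxy
        // to the backend still works on its own if the KDC permits it.
        boolean delegated = ctx.getCredDelegState();
        ctx.dispose();
        return delegated;
    }

    public static void main(String[] args) throws GSSException {
        System.out.println("Forwarded TGT delegated to backend: " + delegationGrantedToBackend());
    }
}
```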