This seems ok to me. I think we should also document this behavior if it
isn't already (maybe in one of the security guides), so could you file a
followon docs bug?
Thanks,
Sean
On 07/21/2015 11:22 PM, Weijun Wang wrote:
Hi All
Please review the code change at
http://cr.openjdk.java.net/~weijun/8132111/webrev.00/
Java Kerberos was designed to provide the addresses of a service when
requesting for a forwarded TGT. However, the field was never filled,
because of a bug that the service principal does not have the
KRB_NT_SRV_HST nameType. (It has always been KRB_NT_UNKNOWN).
In JDK-8031111, we "fixed" this and the addresses field is now always sent.
However, it is well known in the Kerberos community that it's difficult
to get the correct addresses. For example, the service and the client
might be inside a NAT but the KDC is not. If the addresses observed by
the client and the KDC are different, such a ticket will be rejected
when the service is trying to use it.
For this reason, other krb5 vendors do not use the addresses field in a
forwarded TGT request. We will remove it in this fix. This is also the
actual behavior of Java before JDK-8031111.
Thanks
Max
