Hi Max, Thanks for your feedback.
Here it's Webrev.01: * http://cr.openjdk.java.net/~mbalao/webrevs/8215032/8215032.webrev.01/ Webrev.01 includes: * rep.encKDCRepPart.pAData may be null in KrbKdcRep.java (found by Max) * When requesting a TGS, the sname principal name is of type KRB_NT_SRV_HST instead of Unknown (found by Max) * When a cross-realm TGT is received, it should be used as the TGT in the next request (found by Max) * Referrals Cache updated to send the previously received TGT * TGTs are now cached * It may not be necessary to do cross-realm authentication when Referrals Cache is used * Moved logic down to serviceCredsSingle method in CredentialsUtil.java because this is the point where we really know that the request will be made (requests at a higher layer may be filtered due to the referrals cache) * Cross-referrals test updated to work with the cross-realm TGT received * Copyright date update Testing: jdk/sun/security/krb5 pass - no regressions Look forward to your comments. I'll start the CSR process meanwhile [1] (work in progress). Kind regards, Martin.- -- [1] - https://bugs.openjdk.java.net/browse/JDK-8223172
