On Tue, 10 Aug 2021 13:45:22 GMT, Martin Balao <mba...@openjdk.org> wrote:
>> src/java.security.jgss/share/classes/sun/security/krb5/internal/ReferralsCache.java
>> line 59:
>>
>>> 57: private byte[] clientSvcTicketEnc; // S4U2Proxy only
>>> 58: ReferralCacheKey (PrincipalName cname, PrincipalName sname,
>>> 59: PrincipalName user, Ticket clientSvcTicket) {
>>
>> It's probably not necessary, but I somehow feel it will be clearer to add
>> S4U2Type into the key. In fact, with all these info it almost looks like the
>> key contains everything in a TGS-REQ (except for the timestamp maybe).
>
> Hmm.. in my view, adding the S4U2Type to the key will provide not much value
> other than minor consistency checks (in the form of debug-mode assertions)
> because the assumptions that a key with a non-null 'user' value is of
> S4U2Self type and that a key with a non-null 'clientSvcTicketEnc' value is of
> S4U2Proxy type (as suggested next to the field decl) are safe. The key type
> will not be necessary to make a key unique. One more comment to clarify just
> in case. The clientSvcTicketEnc value is somehow related to the other values
> in the key but it's not a 1 to 1 field mapping. This is because the TGS is
> the one that the user-to-be-impersonated sent to the middle service; whilst
> the cname and sname are related to a middle service ticket. If I'm correct,
> the cname in the key should match the client service ticket sname (both of
> them being the middle service name).
Not adding the type is OK, I said it's just to be a little clearer. I think
you're right about the cname. It's always the one that actually sends the
request.
What is "the TGS" (in "the TGS is the one")? `clientSvcTicketEnc`? BTW, is
"client service ticket" a well known name? or we can name it "user"-something?
-------------
PR: https://git.openjdk.java.net/jdk/pull/5036
