On Tue, 10 Aug 2021 13:45:22 GMT, Martin Balao <mba...@openjdk.org> wrote:

>> src/java.security.jgss/share/classes/sun/security/krb5/internal/ReferralsCache.java
>>  line 59:
>> 
>>> 57:         private byte[] clientSvcTicketEnc; // S4U2Proxy only
>>> 58:         ReferralCacheKey (PrincipalName cname, PrincipalName sname,
>>> 59:                 PrincipalName user, Ticket clientSvcTicket) {
>> 
>> It's probably not necessary, but I somehow feel it will be clearer to add 
>> S4U2Type into the key. In fact, with all these info it almost looks like the 
>> key contains everything in a TGS-REQ (except for the timestamp maybe).
>
> Hmm.. in my view, adding the S4U2Type to the key will provide not much value 
> other than minor consistency checks (in the form of debug-mode assertions) 
> because the assumptions that a key with a non-null 'user' value is of 
> S4U2Self type and that a key with a non-null 'clientSvcTicketEnc' value is of 
> S4U2Proxy type (as suggested next to the field decl) are safe. The key type 
> will not be necessary to make a key unique. One more comment to clarify just 
> in case. The clientSvcTicketEnc value is somehow related to the other values 
> in the key but it's not a 1 to 1 field mapping. This is because the TGS is 
> the one that the user-to-be-impersonated sent to the middle service; whilst 
> the cname and sname are related to a middle service ticket. If I'm correct, 
> the cname in the key should match the client service ticket sname (both of 
> them being the middle service name).

Not adding the type is OK, I said it's just to be a little clearer. I think 
you're right about the cname. It's always the one that actually sends the 
request.

What is "the TGS" (in "the TGS is the one")? `clientSvcTicketEnc`? BTW, is 
"client service ticket" a well-known name? Or can we name it "user"-something?

-------------

PR: https://git.openjdk.java.net/jdk/pull/5036
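As an added illustration of the two points argued above (that the S4U type can be recovered from which optional field is non-null, so it need not be stored in the key, and that a byte[] field such as clientSvcTicketEnc has to be compared by content for the cache to hit), here is a stand-alone stand-in for the key. This is example code written for this note, not the JDK's ReferralCacheKey nor code posted in the thread; PrincipalName and Ticket are replaced by String and byte[], and the class name, principal strings and ticket bytes are made up.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

/**
 * Illustrative stand-in for the referrals cache key discussed in the thread.
 * Not the JDK's sun.security.krb5.internal.ReferralsCache.ReferralCacheKey:
 * PrincipalName and Ticket are replaced by String and byte[] so it compiles alone.
 */
final class S4UReferralKey {

    /** Request kind, derived from which optional field is set (the thread's assumption). */
    enum Kind { PLAIN, S4U2SELF, S4U2PROXY }

    private final String cname;              // principal that actually sends the TGS-REQ
    private final String sname;              // service being asked for
    private final String user;               // S4U2Self only: user to impersonate
    private final byte[] clientSvcTicketEnc; // S4U2Proxy only: the ticket the user presented to the middle service

    S4UReferralKey(String cname, String sname, String user, byte[] clientSvcTicketEnc) {
        // At most one of the two optional fields may be set; otherwise the
        // null-based typing below would be ambiguous. This is the "consistency
        // check" mentioned in the thread, done as a hard check rather than an assert.
        if (user != null && clientSvcTicketEnc != null) {
            throw new IllegalArgumentException("key cannot be both S4U2Self and S4U2Proxy");
        }
        this.cname = Objects.requireNonNull(cname, "cname");
        this.sname = Objects.requireNonNull(sname, "sname");
        this.user = user;
        // Defensive copy: a caller mutating its array later must not change the key.
        this.clientSvcTicketEnc = (clientSvcTicketEnc == null) ? null : clientSvcTicketEnc.clone();
    }

    /** The type is recovered from the fields, so it is not stored in the key. */
    Kind kind() {
        if (user != null) return Kind.S4U2SELF;
        if (clientSvcTicketEnc != null) return Kind.S4U2PROXY;
        return Kind.PLAIN;
    }

    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (!(o instanceof S4UReferralKey)) return false;
        S4UReferralKey k = (S4UReferralKey) o;
        // byte[] must be compared by content; Objects.equals would compare references only.
        return cname.equals(k.cname)
                && sname.equals(k.sname)
                && Objects.equals(user, k.user)
                && Arrays.equals(clientSvcTicketEnc, k.clientSvcTicketEnc);
    }

    @Override
    public int hashCode() {
        return Objects.hash(cname, sname, user, Arrays.hashCode(clientSvcTicketEnc));
    }

    public static void main(String[] args) {
        Map<S4UReferralKey, String> cache = new HashMap<>();

        // Constructed sample: "middle" is the service making the S4U2Proxy request, so it
        // is the cname of the key; the bytes stand in for the user's ticket to that service.
        byte[] ticketEnc = {0x63, 0x2a, 0x11, 0x7f};
        cache.put(new S4UReferralKey("middle@REALM.A", "backend/host@REALM.B", null, ticketEnc),
                  "referral-to-REALM.B");

        // A lookup with a fresh array holding the same bytes hits the entry.
        S4UReferralKey probe = new S4UReferralKey("middle@REALM.A", "backend/host@REALM.B",
                                                  null, ticketEnc.clone());
        System.out.println("proxy lookup: " + cache.get(probe) + " kind=" + probe.kind());

        // The same cname/sname as an S4U2Self key is a distinct entry (miss here).
        S4UReferralKey self = new S4UReferralKey("middle@REALM.A", "backend/host@REALM.B",
                                                 "alice@REALM.A", null);
        System.out.println("self lookup: " + cache.get(self) + " kind=" + self.kind());

        // Mutating the caller's array after insertion does not corrupt the stored key.
        ticketEnc[0] = 0;
        System.out.println("after caller mutation: " + cache.get(probe));
    }
}
```

The defensive clone in the constructor is there because a key that aliases a caller-owned byte[] would silently change its hash after insertion and become unreachable in the map, which is the same class of bug as a reference-only equals.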
