  1. JDK
  2. JDK-8131051

KDC might issue a renewable ticket even if not requested

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9
    • Component/s: security-libs

        Description

        Java compares the renewable flag in the request and the reply and throws an exception if they are not the same, but this might not always be correct. If the client requests a ticket with a ticket_lifetime that the KDC considers too long, the KDC (for example, the one in MIT krb5) might issue a ticket with a shorter ticket_lifetime but make it renewable, with a renew_lifetime equal to the requested ticket_lifetime.

        Before JDK 9, Java did not allow setting ticket_lifetime, and the KDC would always issue a ticket with a default lifetime, so the above would not happen. After JDK 9, this is allowed and will trigger this error.
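
The flag mismatch described above, modelled in a short added example (not JDK source and not the fix applied for this issue). The record types, method names, the 24-hour KDC maximum and the relaxed one-directional check are assumptions made for illustration; records need Java 16 or later.

```java
import java.time.Duration;

// Added illustration: a simplified model of the reply check, not JDK source.
public class RenewableReplyCheck {
    // Hypothetical stand-ins for the request and reply fields that matter here.
    record Request(boolean renewable, Duration lifetime) {}
    record Reply(boolean renewable, Duration lifetime, Duration renewLifetime) {}

    // Constructed model of the KDC behaviour in the description: a lifetime above
    // the KDC's maximum is capped and the ticket is made renewable, with a
    // renew_lifetime equal to the lifetime the client asked for.
    static Reply kdcIssue(Request req, Duration maxLifetime) {
        if (req.lifetime().compareTo(maxLifetime) > 0) {
            return new Reply(true, maxLifetime, req.lifetime());
        }
        // Otherwise echo the request (simplification for this example).
        Duration renew = req.renewable() ? req.lifetime() : Duration.ZERO;
        return new Reply(req.renewable(), req.lifetime(), renew);
    }

    // Strict check as described: any mismatch of the renewable flag is an error.
    static boolean strictAccepts(Request req, Reply rep) {
        return req.renewable() == rep.renewable();
    }

    // Relaxed check (assumption): reject only a ticket that lacks a requested
    // renewable flag; an unrequested renewable flag from the KDC is tolerated.
    static boolean relaxedAccepts(Request req, Reply rep) {
        return !req.renewable() || rep.renewable();
    }

    public static void main(String[] args) {
        Duration max = Duration.ofHours(24);              // constructed KDC policy
        Request[] samples = {                             // constructed requests
            new Request(false, Duration.ofHours(10)),     // within policy
            new Request(false, Duration.ofDays(7)),       // too long: the bug case
            new Request(true, Duration.ofHours(10)),      // renewable requested
        };
        for (Request req : samples) {
            Reply rep = kdcIssue(req, max);
            System.out.printf("%s -> %s strict=%b relaxed=%b%n",
                    req, rep, strictAccepts(req, rep), relaxedAccepts(req, rep));
        }
        // A reply that drops a requested renewable flag fails both checks.
        Request want = new Request(true, Duration.ofHours(10));
        Reply dropped = new Reply(false, Duration.ofHours(10), Duration.ZERO);
        System.out.printf("dropped flag: strict=%b relaxed=%b%n",
                strictAccepts(want, dropped), relaxedAccepts(want, dropped));
    }
}
```

When a client tolerates an unrequested renewable flag, it should take the ticket's lifetime and renew_lifetime from the reply rather than from its own request.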

                People

                • Assignee:
                  weijun Weijun Wang
                  Reporter:
                  weijun Weijun Wang