-
Bug
-
Resolution: Fixed
-
P3
-
9
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8136054 | emb-9 | Weijun Wang | P3 | Resolved | Fixed | team |
| JDK-8239216 | openjdk8u252 | Andrew Hughes | P3 | Resolved | Fixed | b03 |
| JDK-8237242 | openjdk8u242 | Andrew Hughes | P3 | Resolved | Fixed | b08 |
| JDK-8240053 | openjdk7u | Andrew Hughes | P3 | Resolved | Fixed | master |
Java Kerberos was designed to provide the addresses of a service when requesting for a forwarded TGT. However, the field was never filled, because of a bug that the service principal does not have the KRB_NT_SRV_HST nameType.
InJDK-8031111, we "fixed" this bug and the addresses field is now always sent.
However, it is well known in the Kerberos community that it's difficult to get the correct addresses. For example, the service and the client might be inside a NAT but the KDC is not. If the addresses observed by the client and the KDC are different, such a ticket will be rejected when the service is trying to use it.
For this reason, the addresses field in a forwarded TGT request is not used in practice. We will backout the changes made inJDK-8031111.
In
However, it is well known in the Kerberos community that it's difficult to get the correct addresses. For example, the service and the client might be inside a NAT but the KDC is not. If the addresses observed by the client and the KDC are different, such a ticket will be rejected when the service is trying to use it.
For this reason, the addresses field in a forwarded TGT request is not used in practice. We will backout the changes made in
- backported by
-
JDK-8136054 Do not request for addresses for forwarded TGT
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
- duplicates
-
-
- Closed
-
- relates to
-
JDK-8031111 fix krb5 caddr
-
- Resolved
-
(1 relates to)