> I'd like to propose a fix for JDK-8270137 [1].
>
> This bug is triggered when using a previously stored referral ticket (in the
> Referrals Cache) at the moment of following an S4U2Proxy cross-realm referral.
> The mistakenly-used referral ticket matched the client and service names but
> it was obtained as a result of a non-S4U2Proxy request. In fact, it was the
> middle service that got it while trying to determine the backend service
> realm in a previous S4U2Proxy communication. The mistakenly-used referral
> ticket was not bound to the impersonated user (in other words, it was not
> obtained attaching the user's TGS as part of an S4U2Proxy request) and, thus,
> must not be used.
>
> Even when one possible approach to fix this issue could be to be more
> selective at the moment of getting referral tickets from the Cache (that is:
> do not get anything from the Cache if it's for an S4U2Proxy request), I
> decided to go one step further and enhance the Referrals Cache. With this
> enhancement, we add more information to the stored referral tickets such as a
> footprint of the TGS (in the case of S4U2Proxy requests) or the user
> principal (in the case of S4U2Self requests). We now allow storing S4U2Proxy
> and S4U2Self referral tickets but those will be re-used only if there is a
> perfect match of the TGS or user principal. As an example, if a middle
> service tries to replicate the exact S4U2Self communication for exactly the
> same user, cached referral tickets should be okay. With this enhancement, we
> increase the use of the Cache and the performance (time, network resources,
> etc.).
>
> The ReferralsTest is enhanced to reflect these new scenarios and now uses
> cached S4U2Proxy/S4U2Self referral tickets.
>
> No regressions observed in jdk/sun/security/krb5.
>
> --
> [1] - https://bugs.openjdk.java.net/browse/JDK-8270137
Martin Balao has updated the pull request incrementally with one additional
commit since the last revision:
clientSvcTicket* variables/parameters renamed to userSvcTicket* for clarity.
-
Changes:
- all: https://git.openjdk.java.net/jdk/pull/5036/files
- new: https://git.openjdk.java.net/jdk/pull/5036/files/4cb4b3e0..3e6f2db7
Webrevs:
- full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5036&range=02
- incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5036&range=01-02
Stats: 16 lines in 1 file changed: 0 ins; 0 del; 16 mod
Patch: https://git.openjdk.java.net/jdk/pull/5036.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/5036/head:pull/5036
PR: https://git.openjdk.java.net/jdk/pull/5036
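As an added illustration of the cache design described in the quoted PR text (this is not code from the PR or from the JDK's sun.security.krb5 package; the class, method and principal names are hypothetical, and the "footprint" of a TGS is assumed here to be a SHA-256 digest of its encoding), the following stand-alone Java program models a referrals cache keyed first on client and service names only, and then on an enhanced key that also carries the request kind and a binding (TGS footprint for S4U2Proxy, user principal for S4U2Self). It shows why the name-only key hands a plain-request referral ticket to an S4U2Proxy request, while the bound key forces a fresh KDC exchange and still lets an identical S4U2Proxy request for the same user hit the cache.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.HexFormat;
import java.util.Map;
import java.util.Objects;

// Hypothetical model of a Kerberos referrals cache (not the JDK's own class).
public class ReferralsCacheModel {

    // The kind of TGS-REQ that produced, or is now asking for, a referral ticket.
    enum RequestKind { PLAIN, S4U2SELF, S4U2PROXY }

    // Stand-in for a cached cross-realm referral ticket.
    record ReferralTicket(RequestKind obtainedBy, String fromRealm, String toRealm) {}

    // Legacy key: client and service names only, which is what lets a
    // non-S4U2Proxy ticket be reused for an S4U2Proxy request.
    record LegacyKey(String client, String service) {}

    // Enhanced key: the request kind plus a binding that must match exactly.
    // S4U2PROXY binds to a footprint of the user's TGS sent as evidence,
    // S4U2SELF binds to the impersonated user principal, PLAIN has no binding.
    record BoundKey(String client, String service, RequestKind kind, String binding) {}

    private final Map<LegacyKey, ReferralTicket> legacy = new HashMap<>();
    private final Map<BoundKey, ReferralTicket> bound = new HashMap<>();

    // Assumed footprint: SHA-256 over the TGS encoding, hex-encoded.
    static String tgsFootprint(byte[] tgsEncoding) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(tgsEncoding);
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static BoundKey keyFor(String client, String service, RequestKind kind, String binding) {
        String b = switch (kind) {
            case PLAIN -> "";
            case S4U2SELF, S4U2PROXY -> Objects.requireNonNull(binding, "binding required for " + kind);
        };
        return new BoundKey(client, service, kind, b);
    }

    void put(String client, String service, RequestKind kind, String binding, ReferralTicket t) {
        legacy.put(new LegacyKey(client, service), t);
        bound.put(keyFor(client, service, kind, binding), t);
    }

    // Buggy lookup: any ticket for the same names is reused, however it was obtained.
    ReferralTicket getLegacy(String client, String service) {
        return legacy.get(new LegacyKey(client, service));
    }

    // Fixed lookup: a ticket is reused only on an exact match of kind and binding.
    ReferralTicket getBound(String client, String service, RequestKind kind, String binding) {
        return bound.get(keyFor(client, service, kind, binding));
    }

    public static void main(String[] args) {
        ReferralsCacheModel cache = new ReferralsCacheModel();
        // Constructed principal names and TGS encodings for the demonstration.
        String middle = "middle/host.realm-a.example@REALM-A.EXAMPLE";
        String backend = "backend/host.realm-b.example@REALM-B.EXAMPLE";
        byte[] aliceTgs = "constructed-TGS-of-alice".getBytes(StandardCharsets.UTF_8);
        byte[] bobTgs = "constructed-TGS-of-bob".getBytes(StandardCharsets.UTF_8);

        // 1. The middle service resolves the backend realm with a plain request
        //    and caches the referral ticket it received.
        cache.put(middle, backend, RequestKind.PLAIN, null,
                new ReferralTicket(RequestKind.PLAIN, "REALM-A.EXAMPLE", "REALM-B.EXAMPLE"));

        // 2. An S4U2Proxy request on behalf of alice arrives for the same names.
        //    The legacy key cannot tell it apart from step 1; the bound key can.
        String aliceFp = tgsFootprint(aliceTgs);
        ReferralTicket viaLegacy = cache.getLegacy(middle, backend);
        ReferralTicket viaBound = cache.getBound(middle, backend, RequestKind.S4U2PROXY, aliceFp);
        System.out.println("legacy lookup returned a ticket obtained by: " + viaLegacy.obtainedBy());
        System.out.println("bound lookup found a usable ticket: " + (viaBound != null));

        // 3. After the S4U2Proxy referral for alice is cached, a repeat of the
        //    same S4U2Proxy exchange hits, while one carrying bob's TGS does not.
        cache.put(middle, backend, RequestKind.S4U2PROXY, aliceFp,
                new ReferralTicket(RequestKind.S4U2PROXY, "REALM-A.EXAMPLE", "REALM-B.EXAMPLE"));
        System.out.println("same user, same TGS hits: "
                + (cache.getBound(middle, backend, RequestKind.S4U2PROXY, aliceFp) != null));
        System.out.println("other user's TGS hits: "
                + (cache.getBound(middle, backend, RequestKind.S4U2PROXY, tgsFootprint(bobTgs)) != null));
    }
}
```

Compile and run with a JDK 17 or later (`javac ReferralsCacheModel.java && java ReferralsCacheModel`). The design point is that the binding is part of the map key rather than a filter applied after the lookup: an entry stored without a TGS footprint can never be returned for a request that has one, so the decision cannot be skipped by a later code path that forgets to filter.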