Please review the fix at http://cr.openjdk.java.net/~weijun/8044215/webrev.00
If a service is using constrained delegation to act as a client, it should not be able to request for a traditional delegation to another service (on behalf of the client). Otherwise it automatically elevate itself into a higher privilege and thus break out the constrained state. Java currently does not prevent the request from being sent out, and when the KDC denies the request, user would see a confusing error message "Client principal does not match". Actually here the KDC is sending back a ticket for the service itself (instead of for the client). This fix simply ignores any traditional delegation request in this case so the request will never be sent out. Throwing an exception in this case is not a good solution because the application might not be able to know if it's using a constrained delegation or a traditional delegation. If it's a constrained delegation and the KDC has been configured to allow a further constrained delegation to the 2nd service, it would still work anyway (because a constrained delegation does not need a request). Thanks Max
