Hi Martin,

Looks fine overall. Only two suggestions:

1. Can we change the signature of handleS4U2ProxyReferral so that there is only 
one credsInOut?

   String handleS4U2ProxyReferral(Credentials asCreds,
        Credentials[] credsInOut, PrincipalName sname)

and call it with "new Credentials[] {creds, null}"?

Then you can clearly specify

  input: first referral TGT for S4U2proxy, null
  output: service's final referral TGT, client's final referral TGT

2. Can we add an S4U2Type argument in serviceCreds(options,...)? Then its 
callers can specify it directly and there is no need for this method to guess 
it.

Thanks,
Max

p.s. Something related but not for this enhancement. The getTGTforRealm method 
should not call Realm.getRealmsList() (i.e. use [capaths] in krb5.conf) when 
using referral. It should just follow the referral.

> On Nov 1, 2019, at 5:37 AM, Martin Balao <mba...@redhat.com> wrote:
> 
> Hi,
> 
> Webrev.02:
> 
> * http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.02/
> 
> Changes:
> 
> * No need to create a new sname PrincipalName in
> CredentialsUtil::handleS4U2ProxyReferral as it's not mutable.
> 
> Regards,
> Martin.-
> 
