If a service account is trusted for delegation, it can request
service tickets on behalf of an authenticated user to any other
Constrained delegation is a way to restrict the service accounts
for which service tickets can be obtained. This seems a useful
feature to introduce.
See also: Comments section.
scope: Java SE
text: Protocol transition and constrained delegation support for Kerberos 5. Note it works on the same realm only in JDK 8.