JDK-8131051 : KDC might issue a renewable ticket even if not requested
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2015-07-13
  • Updated: 2020-02-26
  • Resolved: 2015-07-22
Fix Versions
  • JDK 7: 7u211 (Fixed)
  • JDK 8: 8u202 (Fixed)
  • JDK 9: 9 b75 (Fixed)
  • Other: openjdk7u (Fixed)
Description
Java compares the renewable flag in the request with the one in the reply and throws an exception if they differ, but this is not always correct. If the client requests a ticket with a ticket_lifetime that the KDC considers too long, the KDC (for example, the one in MIT krb5) might issue a ticket with a shorter ticket_lifetime but make it renewable, with a renew_lifetime equal to the ticket_lifetime that was requested.

Before JDK 9, Java did not allow setting ticket_lifetime, so the KDC always issued a ticket with its default lifetime and the situation above did not arise. Since JDK 9 this is allowed, so the mismatch can trigger this error.
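A constructed Python model of the situation described above (an added example, not JDK or MIT krb5 code): the KDC shortens a too-long non-renewable request and sets the RENEWABLE flag instead, the strict flag comparison rejects that reply, and an illustrative tolerant check (an assumption, not the JDK's actual fix) accepts it while still rejecting a dropped flag or an over-long lifetime. The KDC policy, the `max_life` cap and all times are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample clock; every time below is derived from it.
NOW = datetime(2015, 7, 13, tzinfo=timezone.utc)

@dataclass
class AsReq:                 # the KDC-REQ fields that matter here
    renewable: bool          # KDCOptions RENEWABLE bit set by the client
    till: datetime           # requested end time, i.e. NOW + ticket_lifetime

@dataclass
class AsRepPart:             # the EncKDCRepPart fields that matter here
    renewable: bool          # TicketFlags RENEWABLE bit set by the KDC
    endtime: datetime
    renew_till: Optional[datetime]

def kdc_issue(req: AsReq, now: datetime, max_life: timedelta) -> AsRepPart:
    """Model of the KDC policy the report describes: a request whose lifetime
    exceeds max_life gets a shorter ticket that is renewable until the
    originally requested end time (constructed, not MIT krb5 code)."""
    if req.till - now <= max_life:
        return AsRepPart(req.renewable, req.till,
                         req.till if req.renewable else None)
    return AsRepPart(True, now + max_life, req.till)

def strict_check(req: AsReq, rep: AsRepPart) -> bool:
    """Pre-fix client behaviour from the report: the renewable flag in the
    reply must equal the one in the request, otherwise an exception."""
    if req.renewable != rep.renewable:
        raise ValueError("renewable flag mismatch between request and reply")
    return True

def tolerant_check(req: AsReq, rep: AsRepPart) -> bool:
    """Illustrative relaxed check (an assumption, not the JDK's actual fix):
    a renewable flag the client did not ask for is tolerated; a requested
    flag the KDC dropped, or an endtime past the requested one, is not."""
    if req.renewable and not rep.renewable:
        raise ValueError("renewable ticket requested but not granted")
    if rep.endtime > req.till:
        raise ValueError("KDC granted a longer lifetime than requested")
    return True

if __name__ == "__main__":
    req = AsReq(renewable=False, till=NOW + timedelta(hours=24))
    rep = kdc_issue(req, NOW, timedelta(hours=10))  # KDC caps lifetime at 10h
    print("KDC reply:", rep)
    print("tolerant check:", tolerant_check(req, rep))  # strict_check would raise here
```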