JDK-8215032 : Support Kerberos cross-realm referrals (RFC 6806)
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 8,11,13
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2018-12-07
  • Updated: 2019-11-04
  • Resolved: 2019-06-06
Fix versions:
  • JDK 11: 11.0.6 (Fixed)
  • JDK 13: 13 b25 (Fixed)
  • JDK 14: 14 (Fixed)
  • Other: openjdk8u (Unresolved)
Sub Tasks
JDK-8225387 :  
The goal of this enhancement is to support Kerberos cross-realm referrals in OpenJDK's client, according to RFC 6806 [1].

This enhancement includes support of:

 * Canonicalize flag and NT-ENTERPRISE principals in AS requests
 * Client referrals (AS requests)
 * Server referrals (TGS requests)
 * FAST - RFC 6806 Section 11
 * Referrals cache

[1] - https://tools.ietf.org/html/rfc6806.html
Removing jdk11u-fix-yes label due to missing CSR for the backport. Will re-approve once CSR review was conducted successfully.

Fix Request (jdk11u)

I'd like to request a jdk11u backport of this enhancement. The reason is to enable JDK-11 users to use the OpenJDK Kerberos client in more complex and dynamic environments. This will also bring feature parity with other Kerberos clients, such as MIT's client in Linux. Patch applies cleanly to jdk11u except for a couple of copyright header dates.

Update: even though the patch applies cleanly, a review process will be needed because of a missing dependency.

Sure, when I said "(yes, I know about 8-pool and 11-pool, that is much more tedious)", I meant "hollow" backport issues with {8,11}-pool. That is too much work for the issue that might not end up backported at all. Simplicity, consistency with the "Bug" issues, much smaller red tape volume win here.

Hmm, in that case I would have created backport issues (see the More drop down menu).

Well, that is the easiest way to keep track of backports work (yes, I know about 8-pool and 11-pool, that is much more tedious). In some sense, "8" and "11" are affected by not having this enhancement, it would go better with synopsis like "OpenJDK does not support Kerberos cross-realm referrals (RFC 6806)", but it is what it is.

[~shade] It's a little odd to have an Enhancement affecting previous versions of the JDK (how can they be affected if they don't support it?), can you explain why you added that?

[~mbalao] This enhancement needs to be reviewed and pushed before Rampdown Phase 1 on 2019/06/13 to be included in JDK 13.