8215032: Support Kerberos cross-realm referrals (RFC 6806)

Reviewed-by: weijun
2025-09-20 11:04:34 +02:00 · 2019-06-05 01:42:11 -03:00 · 2019-06-05 01:42:11 -03:00 · 5aae9ef0db
commit 5aae9ef0db
parent 8ee8c48696
25 changed files with 933 additions and 204 deletions
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@ -474,6 +474,31 @@ networkaddress.cache.negative.ttl=10
 #
 krb5.kdc.bad.policy = tryLast

+#
+# Kerberos cross-realm referrals (RFC 6806)
+#
+# OpenJDK's Kerberos client supports cross-realm referrals as defined in
+# RFC 6806. This allows to setup more dynamic environments in which clients
+# do not need to know in advance how to reach the realm of a target principal
+# (either a user or service).
+#
+# When a client issues an AS or a TGS request, the "canonicalize" option
+# is set to announce support of this feature. A KDC server may fulfill the
+# request or reply referring the client to a different one. If referred,
+# the client will issue a new request and the cycle repeats.
+#
+# In addition to referrals, the "canonicalize" option allows the KDC server
+# to change the client name in response to an AS request. For security reasons,
+# RFC 6806 (section 11) FAST scheme is enforced.
+#
+# Disable Kerberos cross-realm referrals. Value may be overwritten with a
+# System property (-Dsun.security.krb5.disableReferrals).
+sun.security.krb5.disableReferrals=false
+
+# Maximum number of AS or TGS referrals to avoid infinite loops. Value may
+# be overwritten with a System property (-Dsun.security.krb5.maxReferrals).
+sun.security.krb5.maxReferrals=5
+
 #
 # Algorithm restrictions for certification path (CertPath) processing
 #