--- a/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java Tue Jul 21 14:18:07 2015 -0700
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/krb5/KrbKdcRep.java Tue Jul 21 18:02:36 2015 +0800
@@ -75,10 +75,11 @@
}
}
- // XXX Can renew a ticket but not ask for a renewable renewed ticket
- // See impl of Credentials.renew().
- if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) !=
- rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
+ // Reply to a renewable request should be renewable, but if request does
+ // not contain renewable, KDC is free to issue a renewable ticket (for
+ // example, if ticket_lifetime is too big).
+ if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) &&
+ !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE)) {
throw new KrbApErrException(Krb5.KRB_AP_ERR_MODIFIED);
}
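Review bot: The rewritten condition at `if (req.reqBody.kdcOptions.get(KDCOptions.RENEWABLE) && !rep.encKDCRepPart.flags.get(KDCOptions.RENEWABLE))` now accepts a renewable ticket for any request that did not ask for one, and the new comment does not say whether that breadth is intended. As far as I recall, RFC 4120 describes the KDC substituting a renewable ticket when the client sent RENEWABLE-OK, so accepting it unconditionally looks like an interoperability choice and should be recorded as one. I would extend the comment with something like `// Accepted even without RENEWABLE-OK because some KDCs set the flag anyway; only a missing RENEWABLE on a renewable request is treated as a modified reply.` The removed note pointed at `Credentials.renew()`, so a regression test covering both the renew path and the unrequested-renewable reply would help keep this check from being tightened or loosened by accident. The enclosing method starts and ends outside the hunk, so the neighbouring flag checks were not reviewed.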