Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- 4.5.2
- None
Description
In GGSSchemeBase.generateGSSToken, line 133 in version 4.5.2:
gssContext.requestCredDeleg(true);
For Kerberos, this means that the client will forward the TGT to the server. First, I don't see why you would want that, as that is an unnecessary security risk. Second, I have a problem with my SecurityManager (Oracle's in-database Aurora security manager), so I am unable to create a permission for this that works.
I suggest changing this to
gssContext.requestCredDeleg(false);
There might be situations where a client application would actually want to pass the TGT, but it should be possible to control this.