## Open Internet { #open-internet }

If your app is in the open internet, you wouldn't "trust the network" and let anyone send privileged requests without authentication.

Attackers could simply run a script to send requests to your API, no need for browser interaction, so you are probably already securing any privileged endpoints.

In that case **this attack / risk doesn't apply to you**.

import java.util.Map;

import javax.security.auth.kerberos.KerberosKey;

import jcifs.pac.PACDecodingException;
import jcifs.pac.Pac;

/**
 * Kerberos authorization data containing PAC (Privilege Attribute Certificate) information.
 */
public class KerberosPacAuthData extends KerberosAuthData {

    private Pac pac;

    /**
     * Constructs KerberosPacAuthData from token bytes.
     *

 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
package jcifs.pac;

/**
 * Constants for PAC (Privilege Attribute Certificate) data structures.
 * Defines buffer types and other constants used in PAC parsing and validation.
 */
public interface PacConstants {

    /**
     * PAC structure version number.
     */

 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
package jcifs.pac;

import jcifs.CIFSException;

/**
 * Exception thrown when PAC (Privilege Attribute Certificate) data cannot be decoded.
 * Indicates malformed or invalid PAC structures in Kerberos tickets.
 */
public class PACDecodingException extends CIFSException {

 * This class ensures that at most one thread is running at a time. This is initially the JUnit test
 * thread, which yields its execution privilege while calling [runTasks], [runNextTask], or
 * [advanceUntil]. These functions don't return until the task threads are all idle.
 *
 * Task threads release their execution privilege in these ways:
 *
 *  * By yielding in [TaskRunner.Backend.coordinatorWait].
 *  * By yielding in [BlockingQueue.poll].

async def needy_dependency(fresh_value: Annotated[str, Depends(get_value, use_cache=False)]):
    return {"fresh_value": fresh_value}
```

////

//// tab | Python 3.10+ non annoté

/// tip | Astuce

Privilégiez la version `Annotated` si possible.

///

```Python hl_lines="1"
async def needy_dependency(fresh_value: str = Depends(get_value, use_cache=False)):
    return {"fresh_value": fresh_value}
```

////

   * for an RPC may wait for a similar call that requests a long timeout, or a call by an
   * unprivileged user may return a resource accessible only to a privileged user making a similar
   * call. To prevent this problem, create a key object that includes all values that affect the
   * result of the query. Or use {@code LoadingCache.get(K)}, which lacks the ability to refer to

import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.kerberos.KerberosKey;

/**
 * Utility class for calculating and verifying PAC (Privilege Attribute Certificate) message authentication codes.
 * This class provides methods for computing MACs using various Kerberos encryption types including
 * ARCFOUR-HMAC-MD5 and AES-based HMAC algorithms.
 */

import java.security.MessageDigest;
import java.util.Map;

import javax.security.auth.kerberos.KerberosKey;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import jcifs.util.Hexdump;

/**
 * Privilege Attribute Certificate (PAC) decoder for Kerberos tickets.
 * Parses and validates PAC data structures containing user authorization information
 * from Active Directory Kerberos tickets.
 */
public class Pac {

{% endfor %}

</div>

Although the team members have the permissions to perform privileged tasks, all the [help from others maintaining FastAPI](./help-fastapi.md#help-maintain-fastapi) is very much appreciated! 🙇‍♂️

## FastAPI Experts