8303809: Dispose context in SPNEGO NegotiatorImpl

Reviewed-by: dfuchs, weijun

src/java.base/share/classes/sun/net/www/protocol/http/AuthenticationInfo.java

@@ -519,4 +519,13 @@ public abstract class AuthenticationInfo extends AuthCacheValue implements Clone
         s2 = new String (pw.getPassword());
         s.defaultWriteObject ();
     }
+
+    /**
+     * Releases any system or cryptographic resources.
+     * It is up to implementors to override disposeContext()
+     * to take necessary action.
+     */
+    public void disposeContext() {
+        // do nothing
+    }
 }

src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java

@@ -2009,6 +2009,12 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             if (serverAuthKey != null) {
                 AuthenticationInfo.endAuthRequest(serverAuthKey);
             }
+            if (proxyAuthentication != null) {
+                proxyAuthentication.disposeContext();
+            }
+            if (serverAuthentication != null) {
+                serverAuthentication.disposeContext();
+            }
         }
     }
 
@@ -2252,6 +2258,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             if (proxyAuthKey != null) {
                 AuthenticationInfo.endAuthRequest(proxyAuthKey);
             }
+            if (proxyAuthentication != null) {
+                proxyAuthentication.disposeContext();
+            }
         }
 
         // restore original request headers
@@ -2502,6 +2511,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             }
             if (ret != null) {
                 if (!ret.setHeaders(this, p, raw)) {
+                    ret.disposeContext();
                     ret = null;
                 }
             }
@@ -2674,6 +2684,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
 
             if (ret != null ) {
                 if (!ret.setHeaders(this, p, raw)) {
+                    ret.disposeContext();
                     ret = null;
                 }
             }
@@ -2700,6 +2711,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                     DigestAuthentication da = (DigestAuthentication)
                         currentProxyCredentials;
                     da.checkResponse (raw, method, getRequestURI());
+                    currentProxyCredentials.disposeContext();
                     currentProxyCredentials = null;
                 }
             }
@@ -2710,6 +2722,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                     DigestAuthentication da = (DigestAuthentication)
                         currentServerCredentials;
                     da.checkResponse (raw, method, url);
+                    currentServerCredentials.disposeContext();
                     currentServerCredentials = null;
                 }
             }

src/java.base/share/classes/sun/net/www/protocol/http/NegotiateAuthentication.java

@@ -242,6 +242,22 @@ class NegotiateAuthentication extends AuthenticationInfo {
         return negotiator.nextToken(token);
     }
 
+    /**
+     * Releases any system resources and cryptographic information stored in
+     * the context object and invalidates the context.
+     */
+    @Override
+    public void disposeContext() {
+        if (negotiator != null) {
+            try {
+                negotiator.disposeContext();
+            } catch (IOException ioEx) {
+                //do not rethrow IOException
+            }
+            negotiator = null;
+        }
+    }
+
     // MS will send a final WWW-Authenticate even if the status is already
     // 200 OK. The token can be fed into initSecContext() again to determine
     // if the server can be trusted. This is not the same concept as Digest's

src/java.base/share/classes/sun/net/www/protocol/http/Negotiator.java

@@ -82,5 +82,7 @@ public abstract class Negotiator {
             logger.finest("NegotiateAuthentication: " + e);
         }
     }
+
+    public void disposeContext() throws IOException { };
 }
 

src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java

@@ -127,6 +127,11 @@ public class NegotiatorImpl extends Negotiator {
                         "fallback to other scheme if allowed. Reason:");
                 e.printStackTrace();
             }
+            try {
+                disposeContext();
+            } catch (Exception ex) {
+                //dispose context silently
+            }
             throw new IOException("Negotiate support not initiated", e);
         }
     }
@@ -149,6 +154,9 @@ public class NegotiatorImpl extends Negotiator {
     @Override
     public byte[] nextToken(byte[] token) throws IOException {
         try {
+            if (context == null) {
+                throw new IOException("Negotiate support cannot continue. Context is invalidated");
+            }
             return context.initSecContext(token, 0, token.length);
         } catch (GSSException e) {
             if (DEBUG) {
@@ -158,4 +166,26 @@ public class NegotiatorImpl extends Negotiator {
             throw new IOException("Negotiate support cannot continue", e);
         }
     }
+
+    /**
+     * Releases any system resources and cryptographic information stored in
+     * the context object and invalidates the context.
+     *
+     * @throws IOException containing a reason of failure in the cause
+     */
+    @Override
+    public void disposeContext() throws IOException {
+        try {
+            if (context != null) {
+                context.dispose();
+            }
+        } catch (GSSException e) {
+            if (DEBUG) {
+                System.out.println("Cannot release resources. Reason:");
+                e.printStackTrace();
+            }
+            throw new IOException("Cannot release resources", e);
+        };
+        context = null;
+    }
 }