diff --git a/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java b/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
index dc7a3556d7d..1ac610d8880 100644
--- a/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
+++ b/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
@@ -99,4 +99,58 @@ public interface ExtendedGSSContext extends GSSContext {
*/
public Object inquireSecContext(InquireType type)
throws GSSException;
+
+ /**
+ * Requests that the delegation policy be respected. When a true value is
+ * requested, the underlying context would use the delegation policy
+ * defined by the environment as a hint to determine whether credentials
+ * delegation should be performed. This request can only be made on the
+ * context initiator's side and it has to be done prior to the first
+ * call to initSecContext
.
+ *
+ * When this flag is false, delegation will only be tried when the
+ * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+ * is true.
+ *
+ * When this flag is true but the
+ * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+ * is false, delegation will be only tried if the delegation policy permits
+ * delegation.
+ *
+ * When both this flag and the
+ * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+ * are true, delegation will be always tried. However, if the delegation
+ * policy does not permit delegation, the value of
+ * {@link #getDelegPolicyState} will be false, even
+ * if delegation is performed successfully.
+ *
+ * In any case, if the delegation is not successful, the value returned
+ * by {@link GSSContext#getCredDelegState()} is false, and the value
+ * returned by {@link #getDelegPolicyState()} is also false.
+ *
+ * Not all mechanisms support delegation policy. Therefore, the
+ * application should check to see if the request was honored with the
+ * {@link #getDelegPolicyState() getDelegPolicyState} method. When
+ * delegation policy is not supported, requestDelegPolicy
+ * should return silently without throwing an exception.
+ *
+ * Note: for the Kerberos 5 mechanism, the delegation policy is expressed
+ * through the OK-AS-DELEGATE flag in the service ticket. When it's true,
+ * the KDC permits delegation to the target server. In a cross-realm
+ * environment, in order for delegation be permitted, all cross-realm TGTs
+ * on the authentication path must also have the OK-AS-DELAGATE flags set.
+ * @param state true if the policy should be respected
+ * @throws GSSException containing the following
+ * major error codes:
+ * {@link GSSException#FAILURE GSSException.FAILURE}
+ */
+ public void requestDelegPolicy(boolean state) throws GSSException;
+
+ /**
+ * Returns the delegation policy response. Called after a security context
+ * is established. This method can be only called on the initiator's side.
+ * See {@link ExtendedGSSContext#requestDelegPolicy}.
+ * @return the delegation policy response
+ */
+ public boolean getDelegPolicyState();
}
diff --git a/jdk/src/share/classes/org/ietf/jgss/GSSContext.java b/jdk/src/share/classes/org/ietf/jgss/GSSContext.java
index 5fb769dc523..e8eb7027580 100644
--- a/jdk/src/share/classes/org/ietf/jgss/GSSContext.java
+++ b/jdk/src/share/classes/org/ietf/jgss/GSSContext.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2001 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -678,7 +678,7 @@ public interface GSSContext {
* are not definitive then the method will attempt to treat all
* available bytes as part of the token.
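Review bot: The new requestDelegPolicy javadoc misspells the ticket flag as `OK-AS-DELAGATE` in the cross-realm sentence while the preceding sentence spells it `OK-AS-DELEGATE`, and the same sentence reads `in order for delegation be permitted` where `in order for delegation to be permitted` is meant. The getDelegPolicyState javadoc says the method is called after context establishment but does not say what a call before establishment returns; GSSContextImpl in this same change returns the requested value until the mechanism context exists, so a sentence such as `Before the context is established this method returns the value last passed to requestDelegPolicy.` would make the contract explicit and stop a caller from reading an early true as a grant.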
*
- * Other than the possible blocking behaviour described above, this
+ * Other than the possible blocking behavior described above, this
* method is equivalent to the byte array based {@link #unwrap(byte[],
* int, int, MessageProp) unwrap} method.
*
@@ -826,7 +826,7 @@ public interface GSSContext {
* are not definitive then the method will attempt to treat all
* available bytes as part of the token.
*
- * Other than the possible blocking behaviour described above, this
+ * Other than the possible blocking behavior described above, this
* method is equivalent to the byte array based {@link #verifyMIC(byte[],
* int, int, byte[], int, int, MessageProp) verifyMIC} method.
*
@@ -917,7 +917,7 @@ public interface GSSContext {
* getMutualAuthState} method.
*
* @param state a boolean value indicating whether mutual
- * authentication shouls be used or not.
+ * authentication should be used or not.
* @see #getMutualAuthState()
*
* @throws GSSException containing the following
@@ -928,7 +928,7 @@ public interface GSSContext {
/**
* Requests that replay detection be enabled for the
- * per-message security services after context establishemnt. This
+ * per-message security services after context establishment. This
* request can only be made on the context initiator's side and it has
* to be done prior to the first call to
* initSecContext
. During context establishment replay
@@ -958,7 +958,7 @@ public interface GSSContext {
/**
* Requests that sequence checking be enabled for the
- * per-message security services after context establishemnt. This
+ * per-message security services after context establishment. This
* request can only be made on the context initiator's side and it has
* to be done prior to the first call to
* initSecContext
. During context establishment sequence
diff --git a/jdk/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java b/jdk/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java
index dd4a39bd875..af0c9726ad9 100644
--- a/jdk/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java
+++ b/jdk/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java
@@ -25,6 +25,7 @@
package sun.net.www.protocol.http.spnego;
+import com.sun.security.jgss.ExtendedGSSContext;
import java.io.IOException;
import org.ietf.jgss.GSSContext;
@@ -100,15 +101,10 @@ public class NegotiatorImpl extends Negotiator {
null,
GSSContext.DEFAULT_LIFETIME);
- // In order to support credential delegation in HTTP/SPNEGO,
- // we always request it before initSecContext. The current
- // implementation will check the OK-AS-DELEGATE flag inside
- // the service ticket of the web server, and only enable
- // delegation when this flag is set. This check is only
- // performed when the GSS caller is CALLER_HTTP_NEGOTIATE,
- // so all other normal GSS-API calls are not affected.
-
- context.requestCredDeleg(true);
+ // Always respect delegation policy in HTTP/SPNEGO.
+ if (context instanceof ExtendedGSSContext) {
+ ((ExtendedGSSContext)context).requestDelegPolicy(true);
+ }
oneToken = context.initSecContext(new byte[0], 0, 0);
}
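Review bot: The removed `context.requestCredDeleg(true)` asked every GSSContext for delegation, whereas the new code only requests the delegation policy when the context is an ExtendedGSSContext, so a provider that does not implement that interface now gets no delegation request at all and the fallback is silent. The native wrapper is effectively in that position: NativeGSSContext.requestDelegPolicy is a no-op and its getDelegPolicyState returns false in this same change (hunks at @@ -549 and @@ -590), so HTTP/SPNEGO through the native provider stops requesting credential forwarding where it previously requested it unconditionally; that is the safer direction, but the comment should say so. Suggested comment above the instanceof: `// Delegation is driven by the OK-AS-DELEGATE policy only; providers that cannot report a policy (non-ExtendedGSSContext, native wrapper) get no delegation request.` The enclosing method starts outside the hunk.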
diff --git a/jdk/src/share/classes/sun/security/jgss/GSSContextImpl.java b/jdk/src/share/classes/sun/security/jgss/GSSContextImpl.java
index de703ef4ded..210ba5b869a 100644
--- a/jdk/src/share/classes/sun/security/jgss/GSSContextImpl.java
+++ b/jdk/src/share/classes/sun/security/jgss/GSSContextImpl.java
@@ -89,7 +89,8 @@ import com.sun.security.jgss.*;
*/
class GSSContextImpl implements ExtendedGSSContext {
- private GSSManagerImpl gssManager = null;
+ private final GSSManagerImpl gssManager;
+ private final boolean initiator;
// private flags for the context state
private static final int PRE_INIT = 1;
@@ -99,14 +100,12 @@ class GSSContextImpl implements ExtendedGSSContext {
// instance variables
private int currentState = PRE_INIT;
- private boolean initiator;
private GSSContextSpi mechCtxt = null;
private Oid mechOid = null;
private ObjectIdentifier objId = null;
private GSSCredentialImpl myCred = null;
- private GSSCredentialImpl delegCred = null;
private GSSNameImpl srcName = null;
private GSSNameImpl targName = null;
@@ -121,6 +120,7 @@ class GSSContextImpl implements ExtendedGSSContext {
private boolean reqSequenceDetState = true;
private boolean reqCredDelegState = false;
private boolean reqAnonState = false;
+ private boolean reqDelegPolicyState = false;
/**
* Creates a GSSContextImp on the context initiator's side.
@@ -221,6 +221,7 @@ class GSSContextImpl implements ExtendedGSSContext {
mechCtxt.requestSequenceDet(reqSequenceDetState);
mechCtxt.requestAnonymity(reqAnonState);
mechCtxt.setChannelBinding(channelBindings);
+ mechCtxt.requestDelegPolicy(reqDelegPolicyState);
objId = new ObjectIdentifier(mechOid.toString());
@@ -465,42 +466,42 @@ class GSSContextImpl implements ExtendedGSSContext {
}
public void requestMutualAuth(boolean state) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqMutualAuthState = state;
}
public void requestReplayDet(boolean state) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqReplayDetState = state;
}
public void requestSequenceDet(boolean state) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqSequenceDetState = state;
}
public void requestCredDeleg(boolean state) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqCredDelegState = state;
}
public void requestAnonymity(boolean state) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqAnonState = state;
}
public void requestConf(boolean state) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqConfState = state;
}
public void requestInteg(boolean state) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqIntegState = state;
}
public void requestLifetime(int lifetime) throws GSSException {
- if (mechCtxt == null)
+ if (mechCtxt == null && initiator)
reqLifetime = lifetime;
}
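Review bot: The guard `mechCtxt == null && initiator` is now repeated in eight request methods and none of them documents that an acceptor-side call is silently dropped rather than stored; a private helper such as `private boolean canRequest() { return mechCtxt == null && initiator; }` with a one-line comment would keep the rule in one place. requestLifetime is included in the change although nothing in this hunk shows whether any acceptor-side caller relied on the stored value; if that is intended, a short comment on the helper would make it explicit.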
@@ -630,6 +631,8 @@ class GSSContextImpl implements ExtendedGSSContext {
targName = null;
}
+ // ExtendedGSSContext methods:
+
@Override
public Object inquireSecContext(InquireType type) throws GSSException {
SecurityManager security = System.getSecurityManager();
@@ -641,4 +644,18 @@ class GSSContextImpl implements ExtendedGSSContext {
}
return mechCtxt.inquireSecContext(type);
}
+
+ @Override
+ public void requestDelegPolicy(boolean state) throws GSSException {
+ if (mechCtxt == null && initiator)
+ reqDelegPolicyState = state;
+ }
+
+ @Override
+ public boolean getDelegPolicyState() {
+ if (mechCtxt != null)
+ return mechCtxt.getDelegPolicyState();
+ else
+ return reqDelegPolicyState;
+ }
}
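Review bot: getDelegPolicyState returns the requested flag `reqDelegPolicyState` until the mechanism context exists, which differs from the interface javadoc in this change that describes the value as the delegation policy response after establishment; a comment on the else branch such as `// before the mech context exists, report what was requested; the response is only known after establishment` would prevent callers from treating a pre-establishment true as a grant. Unlike inquireSecContext directly above, there is no initiator-side restriction here, so an acceptor simply gets the mechanism's value; if that is intentional a note would help.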
diff --git a/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java b/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java
index 2f0b834c1b9..ed7eb8c6e18 100644
--- a/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/InitialToken.java
@@ -85,32 +85,39 @@ abstract class InitialToken extends Krb5Token {
int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE +
CHECKSUM_FLAGS_SIZE;
- if (context.getCredDelegState()) {
- if (context.getCaller() instanceof HttpCaller &&
- !serviceTicket.getFlags()[Krb5.TKT_OPTS_DELEGATE]) {
- // When the caller is HTTP/SPNEGO and OK-AS-DELEGATE
- // is not present in the service ticket, delegation
- // is disabled.
- context.setCredDelegState(false);
- } else if (!tgt.isForwardable()) {
- // XXX log this resetting of delegation state
- context.setCredDelegState(false);
- } else {
- KrbCred krbCred = null;
- CipherHelper cipherHelper =
- context.getCipherHelper(serviceTicket.getSessionKey());
- if (useNullKey(cipherHelper)) {
- krbCred = new KrbCred(tgt, serviceTicket,
- EncryptionKey.NULL_KEY);
- } else {
- krbCred = new KrbCred(tgt, serviceTicket,
- serviceTicket.getSessionKey());
+ if (!tgt.isForwardable()) {
+ context.setCredDelegState(false);
+ context.setDelegPolicyState(false);
+ } else if (context.getCredDelegState()) {
+ if (context.getDelegPolicyState()) {
+ if (!serviceTicket.checkDelegate()) {
+ // delegation not permitted by server policy, mark it
+ context.setDelegPolicyState(false);
}
- krbCredMessage = krbCred.getMessage();
- size += CHECKSUM_DELEG_OPT_SIZE +
- CHECKSUM_DELEG_LGTH_SIZE +
- krbCredMessage.length;
}
+ } else if (context.getDelegPolicyState()) {
+ if (serviceTicket.checkDelegate()) {
+ context.setCredDelegState(true);
+ } else {
+ context.setDelegPolicyState(false);
+ }
+ }
+
+ if (context.getCredDelegState()) {
+ KrbCred krbCred = null;
+ CipherHelper cipherHelper =
+ context.getCipherHelper(serviceTicket.getSessionKey());
+ if (useNullKey(cipherHelper)) {
+ krbCred = new KrbCred(tgt, serviceTicket,
+ EncryptionKey.NULL_KEY);
+ } else {
+ krbCred = new KrbCred(tgt, serviceTicket,
+ serviceTicket.getSessionKey());
+ }
+ krbCredMessage = krbCred.getMessage();
+ size += CHECKSUM_DELEG_OPT_SIZE +
+ CHECKSUM_DELEG_LGTH_SIZE +
+ krbCredMessage.length;
}
checksumBytes = new byte[size];
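Review bot: The new three-way decision (forwardable TGT, credDeleg requested, delegPolicy requested) is commented in only one branch, and the non-forwardable case now clears both flags where the removed code carried an `XXX log this` reminder, so a summary comment before the first `if` would help, for example: `// A non-forwardable TGT is never delegated. Otherwise: credDeleg alone -> always send KrbCred; delegPolicy alone -> send only if the service ticket has OK-AS-DELEGATE; both -> always send, but report the policy outcome via delegPolicyState.` The fact that a caller who requested credDeleg without the policy flag forwards the TGT even when OK-AS-DELEGATE is absent matches the ExtendedGSSContext javadoc in this change, but it is worth stating here because the removed HttpCaller check no longer exists at this layer. The enclosing method starts outside the hunk.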
@@ -296,6 +303,7 @@ abstract class InitialToken extends Krb5Token {
return delegCreds;
}
+ // Only called by acceptor
public void setContextFlags(Krb5Context context) {
// default for cred delegation is false
if ((flags & CHECKSUM_DELEG_FLAG) > 0)
diff --git a/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java
index 4fe1e80f5f9..8810ed606f9 100644
--- a/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5Context.java
@@ -78,6 +78,7 @@ class Krb5Context implements GSSContextSpi {
private boolean sequenceDetState = true;
private boolean confState = true;
private boolean integState = true;
+ private boolean delegPolicyState = false;
private int mySeqNumber;
private int peerSeqNumber;
@@ -299,6 +300,21 @@ class Krb5Context implements GSSContextSpi {
return sequenceDetState || replayDetState;
}
+ /**
+ * Requests that the deleg policy be respected.
+ */
+ public final void requestDelegPolicy(boolean value) {
+ if (state == STATE_NEW && isInitiator())
+ delegPolicyState = value;
+ }
+
+ /**
+ * Is deleg policy respected?
+ */
+ public final boolean getDelegPolicyState() {
+ return delegPolicyState;
+ }
+
/*
* Anonymity is a little different in that after an application
* requests anonymity it will want to know whether the mechanism
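Review bot: The javadoc `Requests that the deleg policy be respected.` does not say that `delegPolicyState` doubles as the result: InitialToken in this change clears it through setDelegPolicyState when the TGT is not forwardable or the service ticket lacks OK-AS-DELEGATE, so after establishment getDelegPolicyState reports whether policy permitted delegation rather than what was requested. Suggest on the getter: `Before establishment this is the requested value; InitialToken clears it if the TGT is not forwardable or the service ticket lacks OK-AS-DELEGATE.`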
@@ -422,6 +438,10 @@ class Krb5Context implements GSSContextSpi {
integState = state;
}
+ final void setDelegPolicyState(boolean state) {
+ delegPolicyState = state;
+ }
+
/**
* Sets the channel bindings to be used during context
* establishment.
diff --git a/jdk/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java b/jdk/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java
index 5bf359a1f8c..aaf4eebc29f 100644
--- a/jdk/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java
+++ b/jdk/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java
@@ -124,6 +124,8 @@ public interface GSSContextSpi {
public void requestInteg(boolean state) throws GSSException;
+ public void requestDelegPolicy(boolean state) throws GSSException;
+
public void setChannelBinding(ChannelBinding cb) throws GSSException;
public boolean getCredDelegState();
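Review bot: Adding `requestDelegPolicy` here and `getDelegPolicyState` in the next hunk as abstract methods of the public GSSContextSpi interface breaks any GSSContextSpi implementation outside this tree at compile or link time, since the interface offers no default. If that is accepted, the interface javadoc should state what an implementation without policy support must do, matching NativeGSSContext in this change: `Implementations that do not support delegation policy must ignore the request and return false from getDelegPolicyState.`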
@@ -136,6 +138,8 @@ public interface GSSContextSpi {
public boolean getAnonymityState();
+ public boolean getDelegPolicyState();
+
public boolean isTransferable() throws GSSException;
public boolean isProtReady();
diff --git a/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
index a436092f1bb..7fbff5ef475 100644
--- a/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
+++ b/jdk/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java
@@ -63,6 +63,7 @@ public class SpNegoContext implements GSSContextSpi {
private boolean sequenceDetState = true;
private boolean confState = true;
private boolean integState = true;
+ private boolean delegPolicyState = false;
private GSSNameSpi peerName = null;
private GSSNameSpi myName = null;
@@ -153,6 +154,14 @@ public class SpNegoContext implements GSSContextSpi {
integState = value;
}
+ /**
+ * Requests that deleg policy be respected.
+ */
+ public final void requestDelegPolicy(boolean value) throws GSSException {
+ if (state == STATE_NEW && isInitiator())
+ delegPolicyState = value;
+ }
+
/**
* Is integrity available?
*/
@@ -160,6 +169,19 @@ public class SpNegoContext implements GSSContextSpi {
return integState;
}
+ /**
+ * Is deleg policy respected?
+ */
+ public final boolean getDelegPolicyState() {
+ if (isInitiator() && mechContext != null &&
+ mechContext instanceof ExtendedGSSContext &&
+ (state == STATE_IN_PROCESS || state == STATE_DONE)) {
+ return ((ExtendedGSSContext)mechContext).getDelegPolicyState();
+ } else {
+ return delegPolicyState;
+ }
+ }
+
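Review bot: When the negotiated mechContext is not an ExtendedGSSContext, getDelegPolicyState falls through to `delegPolicyState`, which on the initiator is the value that was requested, so after establishment the method reports true for a policy the mechanism never evaluated; the ExtendedGSSContext javadoc in this change tells applications to use exactly this method to learn whether the request was honored. Suggest a branch before the final else: `} else if (isInitiator() && mechContext != null && (state == STATE_IN_PROCESS || state == STATE_DONE)) { return false; // mech cannot report policy, so it was not honored`. Whether a non-Extended mechContext can actually occur depends on how the mechanism context is created, which is outside this hunk. The `mechContext != null &&` before `instanceof` is redundant, as instanceof is false for null.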
/**
* Requests that credential delegation be done during context
* establishment.
@@ -173,7 +195,7 @@ public class SpNegoContext implements GSSContextSpi {
* Is credential delegation enabled?
*/
public final boolean getCredDelegState() {
- if (mechContext != null &&
+ if (isInitiator() && mechContext != null &&
(state == STATE_IN_PROCESS || state == STATE_DONE)) {
return mechContext.getCredDelegState();
} else {
@@ -201,30 +223,6 @@ public class SpNegoContext implements GSSContextSpi {
return mutualAuthState;
}
- final void setCredDelegState(boolean state) {
- credDelegState = state;
- }
-
- final void setMutualAuthState(boolean state) {
- mutualAuthState = state;
- }
-
- final void setReplayDetState(boolean state) {
- replayDetState = state;
- }
-
- final void setSequenceDetState(boolean state) {
- sequenceDetState = state;
- }
-
- final void setConfState(boolean state) {
- confState = state;
- }
-
- final void setIntegState(boolean state) {
- integState = state;
- }
-
/**
* Returns the mechanism oid.
*
@@ -653,6 +651,10 @@ public class SpNegoContext implements GSSContextSpi {
throw gssException;
}
+ if (state == STATE_DONE) {
+ // now set the context flags for acceptor
+ setContextFlags();
+ }
return retVal;
}
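Review bot: The new `setContextFlags()` call is commented as being for the acceptor, but nothing in the hunk restricts it to the acceptor side; if the enclosing method is acceptSecContext the comment is accurate, otherwise the flags would be read back from mechContext on the initiator too, which the comment above setContextFlags says is not intended. The enclosing method starts outside the hunk, so this cannot be confirmed here.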
@@ -703,28 +705,31 @@ public class SpNegoContext implements GSSContextSpi {
return out;
}
+ // Only called on acceptor side. On the initiator side, most flags
+ // are already set at request. For those that might get chanegd,
+ // state from mech below is used.
private void setContextFlags() {
if (mechContext != null) {
// default for cred delegation is false
if (mechContext.getCredDelegState()) {
- setCredDelegState(true);
+ credDelegState = true;
}
// default for the following are true
if (!mechContext.getMutualAuthState()) {
- setMutualAuthState(false);
+ mutualAuthState = false;
}
if (!mechContext.getReplayDetState()) {
- setReplayDetState(false);
+ replayDetState = false;
}
if (!mechContext.getSequenceDetState()) {
- setSequenceDetState(false);
+ sequenceDetState = false;
}
if (!mechContext.getIntegState()) {
- setIntegState(false);
+ integState = false;
}
if (!mechContext.getConfState()) {
- setConfState(false);
+ confState = false;
}
}
}
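Review bot: The new comment above setContextFlags has a typo, `chanegd` for `changed`, and its second sentence is hard to parse; suggest `// Only called on the acceptor side. On the initiator side the flags are fixed at request time; those the mechanism may still change are read back from mechContext below.` The body now assigns the fields the deleted setters assigned, so behavior is unchanged apart from the removed methods.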
@@ -837,6 +842,10 @@ public class SpNegoContext implements GSSContextSpi {
mechContext.requestMutualAuth(mutualAuthState);
mechContext.requestReplayDet(replayDetState);
mechContext.requestSequenceDet(sequenceDetState);
+ if (mechContext instanceof ExtendedGSSContext) {
+ ((ExtendedGSSContext)mechContext).requestDelegPolicy(
+ delegPolicyState);
+ }
}
// pass token
@@ -1202,5 +1211,5 @@ public class SpNegoContext implements GSSContextSpi {
"inquireSecContext not supported by underlying mech.");
}
}
-
}
+
diff --git a/jdk/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java b/jdk/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java
index 5b2a670b054..dc8c2bfafa9 100644
--- a/jdk/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java
+++ b/jdk/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java
@@ -549,6 +549,9 @@ class NativeGSSContext implements GSSContextSpi {
public void requestInteg(boolean state) throws GSSException {
changeFlags(GSS_C_INTEG_FLAG, state);
}
+ public void requestDelegPolicy(boolean state) throws GSSException {
+ // Not supported, ignore
+ }
public void requestLifetime(int lifetime) throws GSSException {
if (isInitiator && pContext == 0) {
this.lifetime = lifetime;
@@ -590,6 +593,9 @@ class NativeGSSContext implements GSSContextSpi {
public boolean getIntegState() {
return checkFlags(GSS_C_INTEG_FLAG);
}
+ public boolean getDelegPolicyState() {
+ return false;
+ }
public int getLifetime() {
return cStub.getContextTime(pContext);
}
diff --git a/jdk/src/share/classes/sun/security/krb5/Credentials.java b/jdk/src/share/classes/sun/security/krb5/Credentials.java
index c003a29fa64..e2f2f901097 100644
--- a/jdk/src/share/classes/sun/security/krb5/Credentials.java
+++ b/jdk/src/share/classes/sun/security/krb5/Credentials.java
@@ -234,7 +234,19 @@ public class Credentials {
* @return true if OK-AS_DELEGATE flag is set, otherwise, return false.
*/
public boolean checkDelegate() {
- return (flags.get(Krb5.TKT_OPTS_DELEGATE));
+ return flags.get(Krb5.TKT_OPTS_DELEGATE);
+ }
+
+ /**
+ * Reset TKT_OPTS_DELEGATE to false, called at credentials acquirement
+ * when one of the cross-realm TGTs does not have the OK-AS-DELEGATE
+ * flag set. This info must be preservable and restorable through
+ * the Krb5Util.credsToTicket/ticketToCreds() methods so that even if
+ * the service ticket is cached it still remembers the cross-realm
+ * authentication result.
+ */
+ public void resetDelegate() {
+ flags.set(Krb5.TKT_OPTS_DELEGATE, false);
}
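Review bot: resetDelegate can only clear TKT_OPTS_DELEGATE and never set it, which is the right direction for a security-relevant flag but is not stated; suggest `// Deliberately one-way: the cross-realm check may clear the flag, nothing turns it back on.` The javadoc asserts that the cleared flag must survive Krb5Util.credsToTicket/ticketToCreds, which this hunk cannot show; if those methods rebuild the flags from the ticket body (which carries the KDC-issued flags), a cached cross-realm service ticket could come back with OK-AS-DELEGATE set again, so that round trip deserves a test.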
public Credentials renew() throws KrbException, IOException {
diff --git a/jdk/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java b/jdk/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
index fd2c925c046..7286aebcc84 100644
--- a/jdk/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
+++ b/jdk/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
@@ -1,5 +1,5 @@
/*
- * Portions Copyright 2001-2004 Sun Microsystems, Inc. All Rights Reserved.
+ * Portions Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -117,6 +117,7 @@ rs.
// Get a list of realms to traverse
String[] realms = Realm.getRealmsList(localRealm, serviceRealm);
+ boolean okAsDelegate = true;
if (realms == null || realms.length == 0)
{
@@ -194,6 +195,15 @@ rs.
*/
newTgtRealm = newTgt.getServer().getInstanceComponent();
+ if (okAsDelegate && !newTgt.checkDelegate()) {
+ if (DEBUG)
+ {
+ System.out.println(">>> Credentials acquireServiceCreds: " +
+ "global OK-AS-DELEGATE turned off at " +
+ newTgt.getServer());
+ }
+ okAsDelegate = false;
+ }
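Review bot: The check only runs while `okAsDelegate` is still true, so the first cross-realm TGT without OK-AS-DELEGATE turns the policy off for the whole path and later hops are not logged; a comment saying why would help, e.g. `// Delegation policy is not transitive: one cross-realm TGT without OK-AS-DELEGATE disables it for the final service ticket.` The enclosing method starts outside the hunk, and the reset itself is applied at the return in the hunk at @@ -283.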
if (DEBUG)
{
@@ -283,6 +293,9 @@ rs.
System.out.println(">>> Credentials acquireServiceCreds: returning creds:");
Credentials.printDebug(theCreds);
}
+ if (!okAsDelegate) {
+ theCreds.resetDelegate();
+ }
return theCreds;
}
throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED,
diff --git a/jdk/test/sun/security/krb5/auto/Context.java b/jdk/test/sun/security/krb5/auto/Context.java
index 140623f8310..3187e99d87e 100644
--- a/jdk/test/sun/security/krb5/auto/Context.java
+++ b/jdk/test/sun/security/krb5/auto/Context.java
@@ -72,7 +72,7 @@ import com.sun.security.jgss.AuthorizationDataEntry;
public class Context {
private Subject s;
- private GSSContext x;
+ private ExtendedGSSContext x;
private boolean f; // context established?
private String name;
private GSSCredential cred; // see static method delegated().
@@ -147,8 +147,8 @@ public class Context {
@Override
public byte[] run(Context me, byte[] dummy) throws Exception {
GSSManager m = GSSManager.getInstance();
- me.x = m.createContext(
- target.indexOf('@') < 0 ?
+ me.x = (ExtendedGSSContext)m.createContext(
+ target.indexOf('@') < 0 ?
m.createName(target, null) :
m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
mech,
@@ -170,7 +170,7 @@ public class Context {
@Override
public byte[] run(Context me, byte[] dummy) throws Exception {
GSSManager m = GSSManager.getInstance();
- me.x = m.createContext(m.createCredential(
+ me.x = (ExtendedGSSContext)m.createContext(m.createCredential(
null,
GSSCredential.INDEFINITE_LIFETIME,
mech,
@@ -193,7 +193,7 @@ public class Context {
*
* @return the GSSContext object
*/
- public GSSContext x() {
+ public ExtendedGSSContext x() {
return x;
}
@@ -255,6 +255,11 @@ public class Context {
if (x.getSequenceDetState()) {
sb.append("seq det, ");
}
+ if (x instanceof ExtendedGSSContext) {
+ if (((ExtendedGSSContext)x).getDelegPolicyState()) {
+ sb.append("deleg policy, ");
+ }
+ }
System.out.println("Context status of " + name + ": " + sb.toString());
System.out.println(x.getSrcName() + " -> " + x.getTargName());
} catch (Exception e) {
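Review bot: The `x instanceof ExtendedGSSContext` test and the cast are redundant now that the field `x` is declared as ExtendedGSSContext in the first hunk of this file, so `if (x.getDelegPolicyState()) {` is enough. The unconditional casts in the createContext calls of the earlier hunks mean the test now requires the provider to return an ExtendedGSSContext; that is fine for a JDK-internal test but worth a one-line comment at the field.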
diff --git a/jdk/test/sun/security/krb5/auto/KDC.java b/jdk/test/sun/security/krb5/auto/KDC.java
index 586d8b23e61..169094c779b 100644
--- a/jdk/test/sun/security/krb5/auto/KDC.java
+++ b/jdk/test/sun/security/krb5/auto/KDC.java
@@ -63,6 +63,14 @@ import sun.security.util.DerValue;
* settings after calling a KDC method, call Config.refresh()
to
* make sure your changes are reflected in the Config
object.
*
+ * System properties recognized:
+ *