diff --git a/jdk/src/share/classes/com/sun/security/jgss/AuthorizationDataEntry.java b/jdk/src/share/classes/com/sun/security/jgss/AuthorizationDataEntry.java
new file mode 100644
index 00000000000..0386792a7c2
--- /dev/null
+++ b/jdk/src/share/classes/com/sun/security/jgss/AuthorizationDataEntry.java
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package com.sun.security.jgss;
+
+/**
+ * Kerberos 5 AuthorizationData entry.
+ */
+final public class AuthorizationDataEntry {
+
+ private final int type;
+ private final byte[] data;
+
+ /**
+ * Create an AuthorizationDataEntry object.
+ * @param type the ad-type
+ * @param data the ad-data, a copy of the data will be saved
+ * inside the object.
+ */
+ public AuthorizationDataEntry(int type, byte[] data) {
+ this.type = type;
+ this.data = data.clone();
+ }
+
+ /**
+ * Get the ad-type field.
+ * @return ad-type
+ */
+ public int getType() {
+ return type;
+ }
+
+ /**
+ * Get a copy of the ad-data field.
+ * @return ad-data
+ */
+ public byte[] getData() {
+ return data.clone();
+ }
+
+ public String toString() {
+ return "AuthorizationDataEntry: type="+type+", data=" +
+ data.length + " bytes:\n" +
+ new sun.misc.HexDumpEncoder().encode(data);
+ }
+}
diff --git a/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java b/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
index ed1ab747136..dc7a3556d7d 100644
--- a/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
+++ b/jdk/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
@@ -39,6 +39,11 @@ public interface ExtendedGSSContext extends GSSContext {
* For each supported attribute type, the type for the output are
* defined below.
*
+ * - {@code KRB5_GET_TKT_FLAGS}:
+ * the returned object is a boolean array for the service ticket flags,
+ * which is long enough to contain all true bits. This means if
+ * the user wants to get the n'th bit but the length of the
+ * returned array is less than n, it is regarded as false.
*
- {@code KRB5_GET_SESSION_KEY}:
* the returned object is an instance of {@link java.security.Key},
* which has the following properties:
@@ -48,6 +53,13 @@ public interface ExtendedGSSContext extends GSSContext {
*
- Format: "RAW"
*
- Encoded form: the raw key bytes, not in any ASN.1 encoding
*
+ *
- {@code KRB5_GET_AUTHZ_DATA}:
+ * the returned object is an array of
+ * {@link com.sun.security.jgss.AuthorizationDataEntry}, or null if the
+ * optional field is missing in the service ticket.
+ *
- {@code KRB5_GET_AUTHTIME}:
+ * the returned object is a String object in the standard KerberosTime
+ * format defined in RFC 4120 5.2.3
*
*
* If there is a security manager, an {@link InquireSecContextPermission}
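Review bot: The new `KRB5_GET_AUTHZ_DATA` paragraph describes the null case for a missing field but not the side restriction that the `InquireType` Javadoc in this same change states ("Only supported on the acceptor side"), so a reader of this interface cannot tell what an initiator-side inquiry yields. I would extend the paragraph with `* Only supported on the acceptor side; see {@link InquireType#KRB5_GET_AUTHZ_DATA}.` and state there what an initiator receives (null or an exception — not visible in this change). The `KRB5_GET_TKT_FLAGS` paragraph in the previous hunk would similarly benefit from saying whether it is available on both sides.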
diff --git a/jdk/src/share/classes/com/sun/security/jgss/InquireType.java b/jdk/src/share/classes/com/sun/security/jgss/InquireType.java
index 2b1d8172e72..b9ea04098b5 100644
--- a/jdk/src/share/classes/com/sun/security/jgss/InquireType.java
+++ b/jdk/src/share/classes/com/sun/security/jgss/InquireType.java
@@ -32,7 +32,23 @@ package com.sun.security.jgss;
public enum InquireType {
/**
* Attribute type for retrieving the session key of an
- * established security context.
+ * established Kerberos 5 security context.
*/
- KRB5_GET_SESSION_KEY
+ KRB5_GET_SESSION_KEY,
+ /**
+ * Attribute type for retrieving the service ticket flags of an
+ * established Kerberos 5 security context.
+ */
+ KRB5_GET_TKT_FLAGS,
+ /**
+ * Attribute type for retrieving the authorization data in the
+ * service ticket of an established Kerberos 5 security context.
+ * Only supported on the acceptor side.
+ */
+ KRB5_GET_AUTHZ_DATA,
+ /**
+ * Attribute type for retrieving the authtime in the service ticket
+ * of an established Kerberos 5 security context.
+ */
+ KRB5_GET_AUTHTIME
}
diff --git a/jdk/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java b/jdk/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java
index 6706e8e4a4c..5f88068ccec 100644
--- a/jdk/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/InitSecContextToken.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,12 +25,14 @@
package sun.security.jgss.krb5;
+import com.sun.security.jgss.AuthorizationDataEntry;
import org.ietf.jgss.*;
import java.io.InputStream;
-import java.io.OutputStream;
import java.io.IOException;
import sun.security.krb5.*;
import java.net.InetAddress;
+import sun.security.krb5.internal.AuthorizationData;
+import sun.security.krb5.internal.KerberosTime;
class InitSecContextToken extends InitialToken {
@@ -59,6 +61,9 @@ class InitSecContextToken extends InitialToken {
Checksum checksum = gssChecksum.getChecksum();
+ context.setTktFlags(serviceTicket.getFlags());
+ context.setAuthTime(
+ new KerberosTime(serviceTicket.getAuthTime()).toString());
apReq = new KrbApReq(serviceTicket,
mutualRequired,
useSubkey,
@@ -143,6 +148,21 @@ class InitSecContextToken extends InitialToken {
// Use the same sequence number as the peer
// (Behaviour exhibited by the Windows SSPI server)
context.resetMySequenceNumber(peerSeqNumber);
+ context.setAuthTime(
+ new KerberosTime(apReq.getCreds().getAuthTime()).toString());
+ context.setTktFlags(apReq.getCreds().getFlags());
+ AuthorizationData ad = apReq.getCreds().getAuthzData();
+ if (ad == null) {
+ context.setAuthzData(null);
+ } else {
+ AuthorizationDataEntry[] authzData =
+ new AuthorizationDataEntry[ad.count()];
+ for (int i=0; i>> KrbApReq: authenticate succeed.");
}
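Review bot: `apReq.getCreds()` is invoked four times in a row across `context.setAuthTime(...)`, `context.setTktFlags(...)` and `AuthorizationData ad = apReq.getCreds().getAuthzData();`; hoisting it into a local, e.g. `Credentials creds = apReq.getCreds();` (assuming that is the return type — it is not visible here), keeps the three reads on one object and shortens the lines. The loop that fills `authzData` appears truncated on this page (`for (int i=0; i>> KrbApReq...`), so its body cannot be reviewed; given that `AuthorizationData.item(i)` returns a clone and the `AuthorizationDataEntry` constructor clones the bytes again, each entry's data is presumably copied twice, which is harmless but worth a short comment so nobody "optimizes" one copy away on the wrong side. The enclosing method starts and ends outside the hunk.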
diff --git a/jdk/src/share/classes/sun/security/krb5/internal/AuthorizationData.java b/jdk/src/share/classes/sun/security/krb5/internal/AuthorizationData.java
index 269edec71a1..13c89dec7d8 100644
--- a/jdk/src/share/classes/sun/security/krb5/internal/AuthorizationData.java
+++ b/jdk/src/share/classes/sun/security/krb5/internal/AuthorizationData.java
@@ -174,4 +174,12 @@ public class AuthorizationData implements Cloneable {
}
return retVal;
}
+
+ public int count() {
+ return entry.length;
+ }
+
+ public AuthorizationDataEntry item(int i) {
+ return (AuthorizationDataEntry)entry[i].clone();
+ }
}
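Review bot: `count()` and `item(int i)` are new public methods without Javadoc, and `item` has an undocumented failure mode for an out-of-range index (ArrayIndexOutOfBoundsException from `entry[i]`). I would add `/** Returns the number of entries. */` above `count()` and, above `item`, a comment stating that it returns a clone of the i-th entry and `@throws ArrayIndexOutOfBoundsException if {@code i} is out of range`. If `entry` can ever be null for an instance of this class (its initialization is outside the hunk), `count()` would throw rather than return 0; if that is possible, `return entry == null ? 0 : entry.length;` would be safer.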
diff --git a/jdk/src/share/classes/sun/security/tools/PolicyTool.java b/jdk/src/share/classes/sun/security/tools/PolicyTool.java
index afc3a9b8988..ce54ba61ca9 100644
--- a/jdk/src/share/classes/sun/security/tools/PolicyTool.java
+++ b/jdk/src/share/classes/sun/security/tools/PolicyTool.java
@@ -3962,7 +3962,10 @@ class InqSecContextPerm extends Perm {
super("InquireSecContextPermission",
"com.sun.security.jgss.InquireSecContextPermission",
new String[] {
- "KRB5_GET_SESSION_KEY"
+ "KRB5_GET_SESSION_KEY",
+ "KRB5_GET_TKT_FLAGS",
+ "KRB5_GET_AUTHZ_DATA",
+ "KRB5_GET_AUTHTIME"
},
null);
}
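Review bot: The four target names in the `new String[] {` block are a hand-copied list of `InquireType` constant names with nothing tying them together, so the next constant added to the enum will silently be missing from the tool's picker. A comment `// keep in sync with com.sun.security.jgss.InquireType` on that line would at least record the dependency; deriving the array from `InquireType.values()` would remove the duplication, if this class may reference that package. The constructor's signature is outside the hunk.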
diff --git a/jdk/test/sun/security/krb5/auto/Context.java b/jdk/test/sun/security/krb5/auto/Context.java
index b8ce532be19..140623f8310 100644
--- a/jdk/test/sun/security/krb5/auto/Context.java
+++ b/jdk/test/sun/security/krb5/auto/Context.java
@@ -41,6 +41,7 @@ import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
+import com.sun.security.jgss.AuthorizationDataEntry;
/**
* Context of a JGSS subject, encapsulating Subject and GSSContext.
@@ -288,6 +289,23 @@ public class Context {
throw new Exception("Session key cannot be null");
}
System.out.println("Session key is: " + k);
+ boolean[] flags = (boolean[])ex.inquireSecContext(
+ InquireType.KRB5_GET_TKT_FLAGS);
+ if (flags == null) {
+ throw new Exception("Ticket flags cannot be null");
+ }
+ System.out.println("Ticket flags is: " + Arrays.toString(flags));
+ String authTime = (String)ex.inquireSecContext(
+ InquireType.KRB5_GET_AUTHTIME);
+ if (authTime == null) {
+ throw new Exception("Auth time cannot be null");
+ }
+ System.out.println("AuthTime is: " + authTime);
+ if (!x.isInitiator()) {
+ AuthorizationDataEntry[] ad = (AuthorizationDataEntry[])ex.inquireSecContext(
+ InquireType.KRB5_GET_AUTHZ_DATA);
+ System.out.println("AuthzData is: " + Arrays.toString(ad));
+ }
}
}
}
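Review bot: The acceptor-side branch only prints `ad` and never checks it, unlike the session key, flags and authtime lookups above that throw on null, so a regression that stops returning authorization data would still pass; if the test KDC always populates the field (I cannot confirm that from here), add `if (ad == null) throw new Exception("AuthzData cannot be null");` after the inquiry, otherwise a comment saying the null case is expected here. `Arrays.toString` is used in two places but the import hunk above only adds `AuthorizationDataEntry`; if `java.util.Arrays` is not already imported elsewhere in the file this will not compile. The enclosing method begins outside the hunk.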