author | weijun <none@none> | 2013-02-09 16:43:49 +0800 |
---|---|---|
committer | weijun <none@none> | 2013-02-09 16:43:49 +0800 |
commit | a08779a74c1920ce5a4a7608860a4503f643ec57 (patch) | |
tree | 794fc8ae827f32b1dad37f4ce351023f60985333 /src/share/classes/sun/security/jgss/krb5/SubjectComber.java | |
parent | a654899248cf5e14219b6c81e670068db0ec9608 (diff) | |
download | jdk8u_jdk-a08779a74c1920ce5a4a7608860a4503f643ec57.tar.gz |
8001104: Unbound SASL service: the GSSAPI/krb5 mech
Reviewed-by: valeriep
Diffstat (limited to 'src/share/classes/sun/security/jgss/krb5/SubjectComber.java')
-rw-r--r-- | src/share/classes/sun/security/jgss/krb5/SubjectComber.java | 59 |
1 files changed, 31 insertions, 28 deletions
diff --git a/src/share/classes/sun/security/jgss/krb5/SubjectComber.java b/src/share/classes/sun/security/jgss/krb5/SubjectComber.java
index d267dbd4b2..ad1723fe09 100644
--- a/src/share/classes/sun/security/jgss/krb5/SubjectComber.java
+++ b/src/share/classes/sun/security/jgss/krb5/SubjectComber.java
@@ -86,37 +86,40 @@ class SubjectComber {
 List<T> answer = (oneOnly ? null : new ArrayList<T>());

 if (credClass == KeyTab.class) {
- // TODO: There is currently no good way to filter out keytabs
- // not for serverPrincipal. We can only check the principal
- // set. If the server is not there, we can be sure none of the
- // keytabs should be used, otherwise, use all for safety.
- boolean useAll = false;
- if (serverPrincipal != null) {
- for (KerberosPrincipal princ:
- subject.getPrincipals(KerberosPrincipal.class)) {
- if (princ.getName().equals(serverPrincipal)) {
- useAll = true;
- break;
- }
- }
- } else {
- useAll = true;
- }
- if (useAll) {
- Iterator<KeyTab> iterator =
- subject.getPrivateCredentials(KeyTab.class).iterator();
- while (iterator.hasNext()) {
- KeyTab t = iterator.next();
- if (DEBUG) {
- System.out.println("Found " + credClass.getSimpleName()
- + " " + t);
- }
- if (oneOnly) {
- return t;
+ Iterator<KeyTab> iterator =
+ subject.getPrivateCredentials(KeyTab.class).iterator();
+ while (iterator.hasNext()) {
+ KeyTab t = iterator.next();
+ if (serverPrincipal != null && t.isBound()) {
+ KerberosPrincipal name = t.getPrincipal();
+ if (name != null) {
+ if (!serverPrincipal.equals(name.getName())) {
+ continue;
+ }
 } else {
- answer.add(credClass.cast(t));
+ // legacy bound keytab. although we don't know who
+ // the bound principal is, it must be in allPrincs
+ boolean found = false;
+ for (KerberosPrincipal princ:
+ subject.getPrincipals(KerberosPrincipal.class)) {
+ if (princ.getName().equals(serverPrincipal)) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) continue;
 }
 }
+ // Check passed, we can add now
+ if (DEBUG) {
+ System.out.println("Found " + credClass.getSimpleName()
+ + " " + t);
+ }
+ if (oneOnly) {
+ return t;
+ } else {
+ answer.add(credClass.cast(t));
+ }
 }
 } else if (credClass == KerberosKey.class) {
 // We are looking for credentials for the serverPrincipal |
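Review bot: The guard `if (serverPrincipal != null && t.isBound())` means an unbound keytab is returned for any requested serverPrincipal with no comparison at all, and the legacy-bound branch only shows that the principal is in the subject's principal set, not that this keytab holds its keys; the removed TODO said as much, but the new comments do not. I would state the contract at the `// Check passed, we can add now` line, for example `// Unbound keytabs are not filtered by principal here; callers must still look up keys for serverPrincipal`, and confirm that the callers (not visible in this hunk) do that lookup. The legacy comment also refers to `allPrincs`, a name that does not appear in the hunk; `subject.getPrincipals(KerberosPrincipal.class)` is what the loop actually reads. The enclosing method starts and ends outside the hunk.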