authorweijun <none@none>2013-02-09 16:43:49 +0800
committerweijun <none@none>2013-02-09 16:43:49 +0800
commita08779a74c1920ce5a4a7608860a4503f643ec57 (patch)
tree794fc8ae827f32b1dad37f4ce351023f60985333 /src/share/classes/sun/security/jgss/krb5/SubjectComber.java
parenta654899248cf5e14219b6c81e670068db0ec9608 (diff)
8001104: Unbound SASL service: the GSSAPI/krb5 mech
Reviewed-by: valeriep
Diffstat (limited to 'src/share/classes/sun/security/jgss/krb5/SubjectComber.java')
-rw-r--r--src/share/classes/sun/security/jgss/krb5/SubjectComber.java59
1 files changed, 31 insertions, 28 deletions
diff --git a/src/share/classes/sun/security/jgss/krb5/SubjectComber.java b/src/share/classes/sun/security/jgss/krb5/SubjectComber.java
index d267dbd4b2..ad1723fe09 100644
--- a/src/share/classes/sun/security/jgss/krb5/SubjectComber.java
+++ b/src/share/classes/sun/security/jgss/krb5/SubjectComber.java
@@ -86,37 +86,40 @@ class SubjectComber {
List<T> answer = (oneOnly ? null : new ArrayList<T>());
if (credClass == KeyTab.class) {
- // TODO: There is currently no good way to filter out keytabs
- // not for serverPrincipal. We can only check the principal
- // set. If the server is not there, we can be sure none of the
- // keytabs should be used, otherwise, use all for safety.
- boolean useAll = false;
- if (serverPrincipal != null) {
- for (KerberosPrincipal princ:
- subject.getPrincipals(KerberosPrincipal.class)) {
- if (princ.getName().equals(serverPrincipal)) {
- useAll = true;
- break;
- }
- }
- } else {
- useAll = true;
- }
- if (useAll) {
- Iterator<KeyTab> iterator =
- subject.getPrivateCredentials(KeyTab.class).iterator();
- while (iterator.hasNext()) {
- KeyTab t = iterator.next();
- if (DEBUG) {
- System.out.println("Found " + credClass.getSimpleName()
- + " " + t);
- }
- if (oneOnly) {
- return t;
+ Iterator<KeyTab> iterator =
+ subject.getPrivateCredentials(KeyTab.class).iterator();
+ while (iterator.hasNext()) {
+ KeyTab t = iterator.next();
+ if (serverPrincipal != null && t.isBound()) {
+ KerberosPrincipal name = t.getPrincipal();
+ if (name != null) {
+ if (!serverPrincipal.equals(name.getName())) {
+ continue;
+ }
} else {
- answer.add(credClass.cast(t));
+ // legacy bound keytab. although we don't know who
+ // the bound principal is, it must be in allPrincs
+ boolean found = false;
+ for (KerberosPrincipal princ:
+ subject.getPrincipals(KerberosPrincipal.class)) {
+ if (princ.getName().equals(serverPrincipal)) {
+ found = true;
+ break;
+ }
+ }
+ if (!found) continue;
}
}
+ // Check passed, we can add now
+ if (DEBUG) {
+ System.out.println("Found " + credClass.getSimpleName()
+ + " " + t);
+ }
+ if (oneOnly) {
+ return t;
+ } else {
+ answer.add(credClass.cast(t));
+ }
}
} else if (credClass == KerberosKey.class) {
// We are looking for credentials for the serverPrincipal
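Review bot: In the new KeyTab loop, a keytab for which `t.isBound()` is false skips the whole principal filter even when `serverPrincipal` is non-null, and with `oneOnly` the first keytab that gets through is returned, so an unbound one can be picked ahead of a bound keytab that matches; the `// Check passed, we can add now` comment does not say this. I would document it at the guard, e.g. `// unbound keytabs are accepted for any serverPrincipal; selecting keys by principal is left to the caller`, where the second half is my assumption about callers that are outside this hunk. The legacy-bound comment also refers to `allPrincs`, a name that does not appear in the visible code; what is actually scanned is `subject.getPrincipals(KerberosPrincipal.class)`, and that scan is repeated for every keytab although its result does not depend on `t`, so it could be computed once before the `while`. The enclosing method starts and ends outside the hunk.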