jdk-sandbox: comparison jdk/src/java.security.jgss/share/classes/sun/security/jgss/wrapper/GSSNameElement.java

equal deleted inserted replaced

-:0291fb74c7b6
+:00f3c40fd3af
 import org.ietf.jgss.*;
 import java.security.Provider;
 import java.security.Security;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import sun.security.krb5.Realm;
 import sun.security.jgss.GSSUtil;
 import sun.security.util.ObjectIdentifier;
 import sun.security.util.DerInputStream;
 import sun.security.util.DerOutputStream;
 import sun.security.jgss.GSSUtil;
 import sun.security.jgss.GSSExceptionImpl;
 import sun.security.jgss.spi.GSSNameSpi;
+import javax.security.auth.kerberos.ServicePermission;
 /**
 * This class is essentially a wrapper class for the gss_name_t
 * structure of the native GSS library.
 * @author Valerie Peng
 }
 }
 pName = cStub.importName(name, nameType);
 setPrintables();
+SecurityManager sm = System.getSecurityManager();
+if (sm != null && !Realm.AUTODEDUCEREALM) {
+String krbName = getKrbName();
+int atPos = krbName.lastIndexOf('@');
+if (atPos != -1) {
+String atRealm = krbName.substring(atPos);
+if (nameType.equals(GSSUtil.NT_GSS_KRB5_PRINCIPAL)
+&& new String(nameBytes).endsWith(atRealm)) {
+// Created from Kerberos name with realm, no need to check
+} else {
+try {
+sm.checkPermission(new ServicePermission(atRealm, "-"));
+} catch (SecurityException se) {
+// Do not chain the actual exception to hide info
+throw new GSSException(GSSException.FAILURE);
+}
+}
+}
+}
 SunNativeProvider.debug("Imported " + printableName + " w/ type " +
 printableType);
 }
 private void setPrintables() throws GSSException {

changeset 33282	00f3c40fd3af
parent 28553	6c0b398bd744
child 37577	8ba03c9fa5ee