jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/ServicePermission.java
changeset 33282 00f3c40fd3af
parent 32424 2d9d66d0519f
--- a/jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/ServicePermission.java	Sat May 23 02:49:50 2015 +0300
+++ b/jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/ServicePermission.java	Sun May 24 16:35:12 2015 +0800
@@ -51,7 +51,7 @@
  * used within.
  * <p>
  * The service principal name is the canonical name of the
- * {@code KereberosPrincipal} supplying the service, that is
+ * {@code KerberosPrincipal} supplying the service, that is
  * the KerberosPrincipal represents a Kerberos service
  * principal. This name is treated in a case sensitive manner.
  * An asterisk may appear by itself, to signify any service principal.
@@ -62,6 +62,10 @@
  * permission also implies that the TGT can be obtained by an
  * Authentication Service exchange.
  * <p>
+ * Granting this permission also implies creating {@link KerberosPrincipal}
+ * or {@link org.ietf.jgss.GSSName GSSName} without providing a Kerberos
+ * realm, as long as the permission's service principal is in this realm.
+ * <p>
  * The possible actions are:
  *
  * <pre>
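Review bot: The new Javadoc paragraph does not say which actions the granted permission must carry for this implication to hold. Judging from the constructor comment and the `getMask` change later in this changeset, the check is presumably made with the action `"-"`, which any action implies, so a grant with any action for a principal in the realm would be enough. Consider saying so explicitly, for example by appending `, regardless of the actions granted` to the sentence. Policy authors can then see that every ServicePermission grant for a realm also allows creating principals without naming that realm.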
@@ -146,6 +150,9 @@
      * @param action the action string
      */
     public ServicePermission(String servicePrincipal, String action) {
+        // Note: servicePrincipal can be "@REALM" which means any principal in
+        // this realm implies it. action can be "-" which means any
+        // action implies it.
         super(servicePrincipal);
         init(servicePrincipal, getMask(action));
     }
@@ -208,7 +215,9 @@
 
     boolean impliesIgnoreMask(ServicePermission p) {
         return ((this.getName().equals("*")) ||
-                this.getName().equals(p.getName()));
+                this.getName().equals(p.getName()) ||
+                (p.getName().startsWith("@") &&
+                        this.getName().endsWith(p.getName())));
     }
 
     /**
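Review bot: The realm match added to `impliesIgnoreMask` is a raw suffix test, `this.getName().endsWith(p.getName())`, not a comparison against the parsed realm of this permission's principal. If a principal name may contain an escaped `@` in its name part (whether `init` rejects that is not visible here), a name with no explicit realm could end in `@REALM` and match a realm it does not belong to. Consider comparing `p`'s realm with the text after the last unescaped `@`, or add a comment explaining why the suffix test is sufficient. A `p` whose name is just `"@"` also passes `startsWith("@")`, so a length check and a comment such as `// p is "@REALM": implied by any permission whose principal is in REALM` would make the intent explicit.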
@@ -318,7 +327,10 @@
     /**
      * Convert an action string to an integer actions mask.
      *
-     * @param action the action string
+     * Note: if action is "-", action will be NONE, which means any
+     * action implies it.
+     *
+     * @param action the action string.
      * @return the action mask
      */
     private static int getMask(String action) {
@@ -335,9 +347,11 @@
 
         char[] a = action.toCharArray();
 
+        if (a.length == 1 && a[0] == '-') {
+            return mask;
+        }
+
         int i = a.length - 1;
-        if (i < 0)
-            return mask;
 
         while (i != -1) {
             char c;
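Review bot: `getMask` now returns the empty mask for the action `"-"`, and the public constructor calls it directly (`init(servicePrincipal, getMask(action))`), so any caller can build a ServicePermission that carries no actions. The only documentation of this is the non-Javadoc comment in the constructor and the note on the private `getMask`. Whether `getActions()` and the deserialization path turn a zero mask back into `"-"` is not visible in this hunk; if they do not, such a permission would not survive a round trip unchanged. Consider documenting `"-"` and `"@REALM"` in the constructor's Javadoc if they are supported inputs, or moving them to a non-public factory if they are internal. The body of `getMask` starts before this hunk and continues past it.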
@@ -501,6 +515,17 @@
         ServicePermission np = (ServicePermission) permission;
         int desired = np.getMask();
 
+        if (desired == 0) {
+            for (Permission p: perms.values()) {
+                ServicePermission sp = (ServicePermission)p;
+                if (sp.impliesIgnoreMask(np)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+
         // first, check for wildcard principal
         ServicePermission x = (ServicePermission)perms.get("*");
         if (x != null) {
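Review bot: The `desired == 0` branch tests a bare literal and has no comment saying that a zero mask comes from the `"-"` action and means "match on name only". A line such as `// mask 0 (action "-"): name-only check, any granted action is enough` above the `if` would document that. The branch returns true for any stored permission whose name matches, whatever its actions, so it is worth confirming that only the realm check ever builds a zero-mask permission. It also walks `perms.values()`; whether that iteration is guarded the same way as the `perms.get("*")` lookup below is not visible here. The enclosing method starts before this hunk and continues after it.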