jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/ServicePermission.java
--- a/jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/ServicePermission.java Sat May 23 02:49:50 2015 +0300
+++ b/jdk/src/java.security.jgss/share/classes/javax/security/auth/kerberos/ServicePermission.java Sun May 24 16:35:12 2015 +0800
@@ -51,7 +51,7 @@
* used within.
* <p>
* The service principal name is the canonical name of the
- * {@code KereberosPrincipal} supplying the service, that is
+ * {@code KerberosPrincipal} supplying the service, that is
* the KerberosPrincipal represents a Kerberos service
* principal. This name is treated in a case sensitive manner.
* An asterisk may appear by itself, to signify any service principal.
@@ -62,6 +62,10 @@
* permission also implies that the TGT can be obtained by an
* Authentication Service exchange.
* <p>
+ * Granting this permission also implies creating {@link KerberosPrincipal}
+ * or {@link org.ietf.jgss.GSSName GSSName} without providing a Kerberos
+ * realm, as long as the permission's service principal is in this realm.
+ * <p>
* The possible actions are:
*
* <pre>
@@ -146,6 +150,9 @@
* @param action the action string
*/
public ServicePermission(String servicePrincipal, String action) {
+ // Note: servicePrincipal can be "@REALM" which means any principal in
+ // this realm implies it. action can be "-" which means any
+ // action implies it.
super(servicePrincipal);
init(servicePrincipal, getMask(action));
}
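Review bot: The `"@REALM"` principal form and the `"-"` action are described only in this implementation comment, yet the constructor is public and its Javadoc (`@param action the action string`) does not mention either value. If they are meant only as internal query forms for permission checks, the comment should say so, for example `// Internal query forms only: "@REALM" and "-" are not intended for policy grants.`; if they are supported input, they belong in the Javadoc next to the list of possible actions. Whether `init` rejects a zero mask for ordinary callers cannot be seen from this hunk. The same gap applies to the two `getMask` hunks at -318 and -335, where `"-"` is turned into the NONE mask.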
@@ -208,7 +215,9 @@
boolean impliesIgnoreMask(ServicePermission p) {
return ((this.getName().equals("*")) ||
- this.getName().equals(p.getName()));
+ this.getName().equals(p.getName()) ||
+ (p.getName().startsWith("@") &&
+ this.getName().endsWith(p.getName())));
}
/**
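Review bot: The new realm clause in `impliesIgnoreMask` compares raw strings with `endsWith`, so it matches any granted name whose text happens to end in the query string, not only names whose realm part equals it. If the name syntax allows an escaped `@` inside a component, such a name could satisfy the check for a realm it does not belong to, and a bare `"@"` query matches every name ending in `@`. Consider comparing against the realm parsed from the granted name, or at least adding `p.getName().length() > 1 &&` to the clause. The asymmetry also deserves a comment such as `// p named "@REALM" is a realm-only query, implied by any granted principal in that realm`.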
@@ -318,7 +327,10 @@
/**
* Convert an action string to an integer actions mask.
*
- * @param action the action string
+ * Note: if action is "-", action will be NONE, which means any
+ * action implies it.
+ *
+ * @param action the action string.
* @return the action mask
*/
private static int getMask(String action) {
@@ -335,9 +347,11 @@
char[] a = action.toCharArray();
+ if (a.length == 1 && a[0] == '-') {
+ return mask;
+ }
+
int i = a.length - 1;
- if (i < 0)
- return mask;
while (i != -1) {
char c;
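Review bot: `return mask;` in the new `"-"` check depends on `mask` still holding its initial value, which is assigned outside this hunk, so the intent is not visible where the decision is made. Testing the string directly and returning the constant reads more clearly: `if ("-".equals(action)) { return NONE; }`, placed before `toCharArray()`. Dropping the old `if (i < 0) return mask;` looks harmless because `while (i != -1)` already skips an empty array, but that depends on how empty strings are handled earlier in `getMask`, which is outside the hunk.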
@@ -501,6 +515,17 @@
ServicePermission np = (ServicePermission) permission;
int desired = np.getMask();
+ if (desired == 0) {
+ for (Permission p: perms.values()) {
+ ServicePermission sp = (ServicePermission)p;
+ if (sp.impliesIgnoreMask(np)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+
// first, check for wildcard principal
ServicePermission x = (ServicePermission)perms.get("*");
if (x != null) {
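Review bot: The `desired == 0` branch has no comment saying why a zero mask needs its own path, so a reader has to trace back to `getMask` to learn that it comes from the `"-"` action. I would add `// A zero mask comes from the "-" action: only the name has to match, so any entry that implies it by name is enough.` above the `if`. The branch also leaves two consecutive blank lines before `// first, check for wildcard principal`; one is enough. The enclosing method starts and continues outside this hunk.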