--- a/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java Thu Oct 17 20:27:44 2019 +0100
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/KrbTgsRep.java Thu Oct 17 20:53:35 2019 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -84,11 +84,22 @@
EncTGSRepPart enc_part = new EncTGSRepPart(ref);
rep.encKDCRepPart = enc_part;
- check(false, req, rep);
+ check(false, req, rep, tgsReq.tgsReqKey);
+
+ PrincipalName serverAlias = tgsReq.getServerAlias();
+ if (serverAlias != null) {
+ PrincipalName repSname = enc_part.sname;
+ if (serverAlias.equals(repSname) ||
+ isReferralSname(repSname)) {
+ serverAlias = null;
+ }
+ }
this.creds = new Credentials(rep.ticket,
rep.cname,
+ tgsReq.getClientAlias(),
enc_part.sname,
+ serverAlias,
enc_part.key,
enc_part.flags,
enc_part.authtime,
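Review bot: The new `serverAlias` block has no comment explaining when the alias is kept, and the rule is security-relevant: the alias survives whenever `enc_part.sname` differs from it and is not a referral TGT name, so the resulting `Credentials` ties the caller's requested name to whatever service name the KDC returned. Whether that is safe presumably depends on `check(false, req, rep, tgsReq.tgsReqKey)` having already rejected an unexpected sname change, but that logic is outside this hunk. I would record the dependency above the `if`, for example `// Keep the alias only if the KDC returned a different (canonicalized) service name; check() above is expected to have validated that change.` The enclosing constructor starts and ends outside the hunk, so confirm that no path reaches this code without going through `check`.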
@@ -111,4 +122,16 @@
sun.security.krb5.internal.ccache.Credentials setCredentials() {
return new sun.security.krb5.internal.ccache.Credentials(rep, secondTicket);
}
+
+ private static boolean isReferralSname(PrincipalName sname) {
+ if (sname != null) {
+ String[] snameStrings = sname.getNameStrings();
+ if (snameStrings.length == 2 &&
+ snameStrings[0].equals(
+ PrincipalName.TGS_DEFAULT_SRV_NAME)) {
+ return true;
+ }
+ }
+ return false;
+ }
}
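Review bot: `isReferralSname` has no doc comment, and its test is broader than the name suggests: it returns true for any two-component name whose first component equals `PrincipalName.TGS_DEFAULT_SRV_NAME`, without inspecting the second (realm) component. A TGT name for the local realm would therefore match too. That looks harmless for the one caller in this patch, which only clears the alias, but a later caller could read the name as "cross-realm referral" and rely on it. I would add `/** Returns true if sname has the two-component TGS form (TGS_DEFAULT_SRV_NAME/realm); the realm component is not checked. */` so the contract is explicit.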