--- a/jdk/src/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java Tue Nov 06 18:41:01 2012 -0800
+++ b/jdk/src/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java Wed Nov 07 14:13:01 2012 +0800
@@ -309,8 +309,7 @@
int initLifetime)
throws GSSException {
- String realm = null;
- final String clientPrincipal, tgsPrincipal = null;
+ final String clientPrincipal;
/*
* Find the TGT for the realm that the client is in. If the client
@@ -318,20 +317,8 @@
*/
if (name != null) {
clientPrincipal = (name.getKrb5PrincipalName()).getName();
- realm = (name.getKrb5PrincipalName()).getRealmAsString();
} else {
clientPrincipal = null;
- try {
- Config config = Config.getInstance();
- realm = config.getDefaultRealm();
- } catch (KrbException e) {
- GSSException ge =
- new GSSException(GSSException.NO_CRED, -1,
- "Attempt to obtain INITIATE credentials failed!" +
- " (" + e.getMessage() + ")");
- ge.initCause(e);
- throw ge;
- }
}
final AccessControlContext acc = AccessController.getContext();
@@ -343,9 +330,11 @@
return AccessController.doPrivileged(
new PrivilegedExceptionAction<KerberosTicket>() {
public KerberosTicket run() throws Exception {
+ // It's OK to use null as serverPrincipal. TGT is almost
+ // the first ticket for a principal and we use list.
return Krb5Util.getTicket(
realCaller,
- clientPrincipal, tgsPrincipal, acc);
+ clientPrincipal, null, acc);
}});
} catch (PrivilegedActionException e) {
GSSException ge =
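Review bot: The new comment above `Krb5Util.getTicket(...)` justifies the `null` serverPrincipal with "TGT is almost the first ticket", which admits the lookup can return something other than a TGT but does not say what happens then. Krb5Util.getTicket is not visible here, so this is inferred: if a Subject holds a service ticket ahead of its TGT, or TGTs for several realms, that ticket may be used as the initiator credential. Either state the assumption precisely, e.g. `// serverPrincipal is null: take the first ticket stored for clientPrincipal, which is expected to be its TGT`, or check the result before returning it, for example that `getServer().getName()` starts with `krbtgt/`. The enclosing method begins and ends outside this hunk.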
@@ -356,4 +345,20 @@
throw ge;
}
}
+
+ @Override
+ public GSSCredentialSpi impersonate(GSSNameSpi name) throws GSSException {
+ try {
+ Krb5NameElement kname = (Krb5NameElement)name;
+ Credentials newCred = Credentials.acquireS4U2selfCreds(
+ kname.getKrb5PrincipalName(), krb5Credentials);
+ return new Krb5ProxyCredential(this, kname, newCred.getTicket());
+ } catch (IOException | KrbException ke) {
+ GSSException ge =
+ new GSSException(GSSException.FAILURE, -1,
+ "Attempt to obtain S4U2self credentials failed!");
+ ge.initCause(ke);
+ throw ge;
+ }
+ }
}
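Review bot: In `impersonate`, the cast `(Krb5NameElement)name` is unchecked, so a null name or one from another mechanism escapes as NullPointerException or ClassCastException rather than the declared GSSException. A guard before the `try` would keep the failure inside the GSS error model: `if (!(name instanceof Krb5NameElement)) throw new GSSException(GSSException.BAD_NAME, -1, "Krb5 name expected");`. The method also has no Javadoc and no visible authorization check, although S4U2self returns a ticket issued on behalf of a principal the caller names. If the check is enforced in `Credentials.acquireS4U2selfCreds` or by the caller, a comment saying so would help. Unlike the NO_CRED message elsewhere in this file, the failure message drops `ke.getMessage()`, which makes KDC refusals harder to diagnose from logs.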