--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/DynamicKeytab.java	Wed Apr 20 18:41:32 2011 +0800
@@ -0,0 +1,140 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 6894072
+ * @run main/othervm DynamicKeytab
+ * @summary always refresh keytab
+ */
+
+import java.io.File;
+import java.io.FileOutputStream;
+import org.ietf.jgss.GSSException;
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.KrbException;
+import sun.security.krb5.internal.Krb5;
+
+public class DynamicKeytab {
+
+    Context c, s;
+    public static void main(String[] args)
+            throws Exception {
+        new DynamicKeytab().go();
+    }
+
+    void go() throws Exception {
+        OneKDC k = new OneKDC(null);
+        k.writeJAASConf();
+
+        new File(OneKDC.KTAB).delete();
+
+
+        // Starts with no keytab
+        c = Context.fromJAAS("client");
+        s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
+
+        // Test 1: read new key 1 from keytab
+        k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
+        k.writeKtab(OneKDC.KTAB);
+        connect();
+
+        // Test 2: service key cached, find 1 in keytab (now contains 1 and 2)
+        k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
+        k.appendKtab(OneKDC.KTAB);
+        connect();
+
+        // Test 3: re-login. Now find 2 in keytab
+        c = Context.fromJAAS("client");
+        connect();
+
+        // Test 4: re-login, KDC use 3 this time.
+        c = Context.fromJAAS("client");
+        // Put 3 and 4 into keytab but keep the real key back to 3.
+        k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
+        k.appendKtab(OneKDC.KTAB);
+        k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray());
+        k.appendKtab(OneKDC.KTAB);
+        k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
+        connect();
+
+        // Test 5: invalid keytab file, should ignore
+        new FileOutputStream(OneKDC.KTAB).write("BADBADBAD".getBytes());
+        connect();
+
+        // Test 6: delete keytab file, identical to revoke all
+        new File(OneKDC.KTAB).delete();
+        try {
+            connect();
+            throw new Exception("Should not success");
+        } catch (GSSException gsse) {
+            System.out.println(gsse);
+            KrbException ke = (KrbException)gsse.getCause();
+            // KrbApReq.authenticate(*) if (dkey == null)...
+            // This should have been Krb5.KRB_AP_ERR_NOKEY
+            if (ke.returnCode() != Krb5.API_INVALID_ARG) {
+                throw new Exception("Not expected failure code: " +
+                        ke.returnCode());
+            }
+        }
+
+        // Test 7: 3 revoked, should fail (now contains only 5)
+        k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray());
+        k.writeKtab(OneKDC.KTAB);   // overwrite keytab, which means
+                                    // old key is revoked
+        try {
+            connect();
+            throw new Exception("Should not success");
+        } catch (GSSException gsse) {
+            System.out.println(gsse);
+            KrbException ke = (KrbException)gsse.getCause();
+            if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) {
+                throw new Exception("Not expected failure code: " +
+                        ke.returnCode());
+            }
+        }
+
+        // Test 8: an empty KDC means revoke all
+        KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB);
+        try {
+            connect();
+            throw new Exception("Should not success");
+        } catch (GSSException gsse) {
+            System.out.println(gsse);
+            KrbException ke = (KrbException)gsse.getCause();
+            // KrbApReq.authenticate(*) if (dkey == null)...
+            // This should have been Krb5.KRB_AP_ERR_NOKEY
+            if (ke.returnCode() != Krb5.API_INVALID_ARG) {
+                throw new Exception("Not expected failure code: " +
+                        ke.returnCode());
+            }
+        }
+    }
+
+    void connect() throws Exception {
+        Thread.sleep(2000);     // make sure ktab timestamp is different
+        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+        Context.handshake(c, s);
+    }
+}