# HG changeset patch
# User weijun
# Date 1562371879 -28800
# Node ID a55b46a208d12e7a65c8b8d1ee3464998830c5bd
# Parent a30c86af2eb7dbc03bd933bb0b43f4f25bb44cf1
8227305: Krb5Util::getTicketFromSubjectAndTgs is useless
Reviewed-by: xuelei
diff -r a30c86af2eb7 -r a55b46a208d1 src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java
--- a/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java Fri Jul 05 00:24:54 2019 -0700
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java Sat Jul 06 08:11:19 2019 +0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -58,82 +58,6 @@
 }
 /**
- * Retrieve the service ticket for serverPrincipal from caller's Subject
- * or from Subject obtained by logging in, or if not found, via the
- * Ticket Granting Service using the TGT obtained from the Subject.
- *
- * Caller must have permission to:
- * - access and update Subject's private credentials
- * - create LoginContext
- * - read the auth.login.defaultCallbackHandler security property
- *
- * NOTE: This method is used by JSSE Kerberos Cipher Suites
- */
- public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller,
- String clientPrincipal, String serverPrincipal, String tgsPrincipal,
- AccessControlContext acc)
- throws LoginException, KrbException, IOException {
-
- // 1. Try to find service ticket in acc subject
- Subject accSubj = Subject.getSubject(acc);
- KerberosTicket ticket = SubjectComber.find(accSubj,
- serverPrincipal, clientPrincipal, KerberosTicket.class);
-
- if (ticket != null) {
- return ticket; // found it
- }
-
- Subject loginSubj = null;
- if (!GSSUtil.useSubjectCredsOnly(caller)) {
- // 2. Try to get ticket from login
- try {
- loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
- ticket = SubjectComber.find(loginSubj,
- serverPrincipal, clientPrincipal, KerberosTicket.class);
- if (ticket != null) {
- return ticket; // found it
- }
- } catch (LoginException e) {
- // No login entry to use
- // ignore and continue
- }
- }
-
- // Service ticket not found in subject or login
- // Try to get TGT to acquire service ticket
-
- // 3. Try to get TGT from acc subject
- KerberosTicket tgt = SubjectComber.find(accSubj,
- tgsPrincipal, clientPrincipal, KerberosTicket.class);
-
- boolean fromAcc;
- if (tgt == null && loginSubj != null) {
- // 4. Try to get TGT from login subject
- tgt = SubjectComber.find(loginSubj,
- tgsPrincipal, clientPrincipal, KerberosTicket.class);
- fromAcc = false;
- } else {
- fromAcc = true;
- }
-
- // 5. Try to get service ticket using TGT
- if (tgt != null) {
- Credentials tgtCreds = ticketToCreds(tgt);
- Credentials serviceCreds = Credentials.acquireServiceCreds(
- serverPrincipal, tgtCreds);
- if (serviceCreds != null) {
- ticket = credsToTicket(serviceCreds);
-
- // Store service ticket in acc's Subject
- if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
- accSubj.getPrivateCredentials().add(ticket);
- }
- }
- }
- return ticket;
- }
-
- /**
 * Retrieves the ticket corresponding to the client/server principal
 * pair from the Subject in the specified AccessControlContext.
 * If the ticket can not be found in the Subject, and if