8012615: Realm.getRealmsList returns realms list in wrong

Reviewed-by: valeriep, xuelei

8012615: Realm.getRealmsList returns realms list in wrong
Reviewed-by: valeriep, xuelei
3781604c · weijun · 433e57be · 3781604c · 3781604c · 3781604c
5 changed file
--- a/src/share/classes/sun/security/krb5/Config.java
+++ b/src/share/classes/sun/security/krb5/Config.java
@@ -225,19 +225,19 @@ public class Config {
     * and has no sub-key at all (given "forwardable" is defined, otherwise,
     * this method has no knowledge if it's a value name or a section name),
     */
-    @SuppressWarnings("unchecked")
    public String get(String... keys) {
-        Vector<String> v = get0(keys);
+        Vector<String> v = getString0(keys);
        if (v == null) return null;
        return v.lastElement();
    }

    /**
     * Gets all values for the specified keys.
-     * @see #get(java.lang.String[])
+     * @throws IllegalArgumentException if any of the keys is illegal
+     *         (See {@link #get})
     */
    public String getAll(String... keys) {
-        Vector<String> v = get0(keys);
+        Vector<String> v = getString0(keys);
        if (v == null) return null;
        StringBuilder sb = new StringBuilder();
        boolean first = true;
@@ -252,17 +252,37 @@ public class Config {
        return sb.toString();
    }

-    // Internal method. Returns the vector of strings for keys.
+    /**
+     * Returns true if keys exists, can be either final string(s) or sub-stanza
+     * @throws IllegalArgumentException if any of the keys is illegal
+     *         (See {@link #get})
+     */
+    public boolean exists(String... keys) {
+        return get0(keys) != null;
+    }
+
+    // Returns final string value(s) for given keys.
+    @SuppressWarnings("unchecked")
+    private Vector<String> getString0(String... keys) {
+        try {
+            return (Vector<String>)get0(keys);
+        } catch (ClassCastException cce) {
+            throw new IllegalArgumentException(cce);
+        }
+    }
+
+    // Internal method. Returns the value for keys, which can be a sub-stanza
+    // or final string value(s).
    // The only method (except for toString) that reads stanzaTable directly.
    @SuppressWarnings("unchecked")
-    private Vector<String> get0(String... keys) {
+    private Object get0(String... keys) {
        Object current = stanzaTable;
        try {
            for (String key: keys) {
                current = ((Hashtable<String,Object>)current).get(key);
                if (current == null) return null;
            }
-            return (Vector<String>)current;
+            return current;
        } catch (ClassCastException cce) {
            throw new IllegalArgumentException(cce);
        }

--- a/src/share/classes/sun/security/krb5/Realm.java
+++ b/src/share/classes/sun/security/krb5/Realm.java
--- a/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
+++ b/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
@@ -160,7 +160,7 @@ public class CredentialsUtil {
    /**
     * Gets a TGT to another realm
     * @param localRealm this realm
-     * @param serviceRealm the other realm
+     * @param serviceRealm the other realm, cannot equals to localRealm
     * @param ccreds TGT in this realm
     * @param okAsDelegate an [out] argument to receive the okAsDelegate
     * property. True only if all realms allow delegation.
@@ -174,14 +174,6 @@ public class CredentialsUtil {
        // Get a list of realms to traverse
        String[] realms = Realm.getRealmsList(localRealm, serviceRealm);

-        if (realms == null || realms.length == 0) {
-            if (DEBUG) {
-                System.out.println(
-                        ">>> Credentials acquireServiceCreds: no realms list");
-            }
-            return null;
-        }
-
        int i = 0, k = 0;
        Credentials cTgt = null, newTgt = null, theTgt = null;
        PrincipalName tempService = null;
@@ -206,16 +198,14 @@ public class CredentialsUtil {
            if (newTgt == null) {
                if (DEBUG) {
                    System.out.println(">>> Credentials acquireServiceCreds: "
-                            + "no tgt; searching backwards");
+                            + "no tgt; searching thru capath");
                }

                /*
-                 * No tgt found. Try to get one for a
-                 * realm as close to the target as possible.
-                 * That means traversing the realms list backwards.
+                 * No tgt found. Let's go thru the realms list one by one.
                 */
-                for (newTgt = null, k = realms.length - 1;
-                        newTgt == null && k > i; k--) {
+                for (newTgt = null, k = i+1;
+                        newTgt == null && k < realms.length; k++) {
                    tempService = PrincipalName.tgsService(realms[k], realms[i]);
                    if (DEBUG) {
                        System.out.println(

--- a/test/sun/security/krb5/ParseCAPaths.java
+++ b/test/sun/security/krb5/ParseCAPaths.java
@@ -22,7 +22,7 @@
 */
 /*
 * @test
- * @bug 6789935
+ * @bug 6789935 8012615
 * @run main/othervm ParseCAPaths
 * @summary cross-realm capath search error
 */
@@ -35,37 +35,75 @@ public class ParseCAPaths {
    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf",
                System.getProperty("test.src", ".") +"/krb5-capaths.conf");
-        //System.setProperty("sun.security.krb5.debug", "true");

-        // Standard example
+        // MIT
        check("ANL.GOV", "TEST.ANL.GOV", "ANL.GOV");
        check("ANL.GOV", "ES.NET", "ANL.GOV");
        check("ANL.GOV", "PNL.GOV", "ANL.GOV", "ES.NET");
        check("ANL.GOV", "NERSC.GOV", "ANL.GOV", "ES.NET");
+        check("NERSC.GOV", "TEST.ANL.GOV", "NERSC.GOV", "ES.NET", "ANL.GOV");
+
+        // RedHat
+        // 3.6.2.1. Configuring a Shared Hierarchy of Names
+        check("AA.EXAMPLE.COM", "BB.EXAMPLE.COM",
+                "AA.EXAMPLE.COM", "EXAMPLE.COM");
+        check("SITE1.SALES.EXAMPLE.COM", "EVERYWHERE.EXAMPLE.COM",
+                "SITE1.SALES.EXAMPLE.COM", "SALES.EXAMPLE.COM",
+                "EXAMPLE.COM");
+        check("DEVEL.EXAMPLE.COM", "PROD.EXAMPLE.ORG",
+                "DEVEL.EXAMPLE.COM", "EXAMPLE.COM", "COM",
+                "ORG", "EXAMPLE.ORG");
+        // 3.6.2.2. Configuring Paths in krb5.conf
+        check("A.EXAMPLE.COM", "B.EXAMPLE.COM", "A.EXAMPLE.COM");
+        check("A.EXAMPLE.COM", "C.EXAMPLE.COM",
+                "A.EXAMPLE.COM", "B.EXAMPLE.COM");
+        check("A.EXAMPLE.COM", "D.EXAMPLE.COM",
+                "A.EXAMPLE.COM", "B.EXAMPLE.COM", "C.EXAMPLE.COM");
+
+        // The original JDK example
+        check("TIVOLI.COM", "IBM.COM", "TIVOLI.COM", "LDAPCENTRAL.NET",
+            "IBM_LDAPCENTRAL.COM", "MOONLITE.ORG");
+
        // Hierachical
-        check("N1.N.COM", "N2.N.COM", "N1.N.COM", "N.COM");     // 2 common
-        check("N1.N.COM", "N2.N3.COM", "N1.N.COM", "N.COM",     // 1 common
+        check("N1.N.COM", "N2.N.COM", "N1.N.COM", "N.COM");
+        check("N1.N.COM", "N2.N3.COM", "N1.N.COM", "N.COM",
                "COM", "N3.COM");
-        check("N1.COM", "N2.COM", "N1.COM", "COM");             // 1 common
-        check("N1", "N2", "N1");                                // 0 common
-        // Extra garbages
-        check("A1.COM", "A4.COM", "A1.COM", "A2.COM");
+        check("N1.COM", "N2.COM", "N1.COM", "COM");
+        check("N1", "N2", "N1");
+        check("N1.COM", "N2.ORG", "N1.COM", "COM", "ORG");
+        check("N1.N.COM", "N.COM", "N1.N.COM");
+        check("X.N1.N.COM", "N.COM", "X.N1.N.COM", "N1.N.COM");
+        check("N.COM", "N1.N.COM", "N.COM");
+        check("N.COM", "X.N1.N.COM", "N.COM", "N1.N.COM");
+        check("A.B.C", "D.E.F", "A.B.C", "B.C", "C", "F", "E.F");
+
+        // Full path
+        check("A1.COM", "A2.COM", "A1.COM");
+        check("A1.COM", "A3.COM", "A1.COM", "A2.COM");
+        check("A1.COM", "A4.COM", "A1.COM", "A2.COM", "A3.COM");
+
+        // Shortest path
+        check("B1.COM", "B2.COM", "B1.COM");
        check("B1.COM", "B3.COM", "B1.COM", "B2.COM");
+        check("B1.COM", "B4.COM", "B1.COM", "B2.COM", "B3.COM");
+
        // Missing is "."
+        check("C1.COM", "C2.COM", "C1.COM", "COM");
        check("C1.COM", "C3.COM", "C1.COM", "C2.COM");
-        // Multiple path
-        check("D1.COM", "D4.COM", "D1.COM", "D2.COM");
-        check("E1.COM", "E4.COM", "E1.COM", "E2.COM");
-        check("F1.COM", "F4.COM", "F1.COM", "F9.COM");
-        // Infinite loop
-        check("G1.COM", "G3.COM", "G1.COM", "COM");
-        check("H1.COM", "H3.COM", "H1.COM");
+
+        // cRealm = .
+        check("D1.COM", "D2.COM", "D1.COM");
+
+        // Bad cases
+        check("E1.COM", "E2.COM", "E1.COM");
+        check("E1.COM", "E3.COM", "E1.COM", "E4.COM");
+        check("G1.COM", "G3.COM", "G1.COM", "G2.COM");
        check("I1.COM", "I4.COM", "I1.COM", "I5.COM");
-        // J2=J1 is the same as J2=.
-        check("J1.COM", "J2.COM", "J1.COM");
+
        // 7019384
        check("A9.PRAGUE.XXX.CZ", "SERVIS.XXX.CZ",
                "A9.PRAGUE.XXX.CZ", "PRAGUE.XXX.CZ", "ROOT.XXX.CZ");
+
        if (failed != null) {
            throw failed;
        }
@@ -75,6 +113,7 @@ public class ParseCAPaths {
        try {
            check2(from, to, paths);
        } catch (Exception e) {
+            System.out.println("         " + e.getMessage());
            failed = e;
        }
    }
@@ -84,18 +123,14 @@ public class ParseCAPaths {
        System.out.println(from + " -> " + to);
        System.out.println("    expected: " + Arrays.toString(paths));
        String[] result = Realm.getRealmsList(from, to);
-        System.out.println("    result:   " + Arrays.toString(result));
-        if (result == null) {
-            if (paths.length == 0) {
-                // OK
-            } else {
-                throw new Exception("Shouldn't have a valid path.");
-            }
+        if (result == null || result.length == 0) {
+            throw new Exception("There is always a valid path.");
        } else if(result.length != paths.length) {
            throw new Exception("Length of path not correct");
        } else {
            for (int i=0; i<result.length; i++) {
                if (!result[i].equals(paths[i])) {
+                    System.out.println("    result:   " + Arrays.toString(result));
                    throw new Exception("Path not same");
                }
            }

--- a/test/sun/security/krb5/krb5-capaths.conf
+++ b/test/sun/security/krb5/krb5-capaths.conf
 [capaths]

-# Standard
+# http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/capaths.html

 ANL.GOV = {
    TEST.ANL.GOV = .
@@ -14,81 +14,86 @@ TEST.ANL.GOV = {
 PNL.GOV = {
    ANL.GOV = ES.NET
 }
+#NERSC.GOV = {
+#    ANL.GOV = ES.NET
+#}
+ES.NET = {
+    ANL.GOV = .
+}
 NERSC.GOV = {
    ANL.GOV = ES.NET
+    TEST.ANL.GOV = ES.NET
+    TEST.ANL.GOV = ANL.GOV
+    PNL.GOV = ES.NET
+    ES.NET = .
 }
-ES.NET = {
-    ANL.GOV = .
+
+# The original JDK example
+
+TIVOLI.COM = {
+    IBM.COM = IBM_LDAPCENTRAL.COM MOONLITE.ORG
+    IBM_LDAPCENTRAL.COM = LDAPCENTRAL.NET
+    LDAPCENTRAL.NET = .
+}
+
+# https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html
+
+A.EXAMPLE.COM = {
+    B.EXAMPLE.COM = .
+    C.EXAMPLE.COM = B.EXAMPLE.COM
+    D.EXAMPLE.COM = B.EXAMPLE.COM
+    D.EXAMPLE.COM = C.EXAMPLE.COM
 }

-# Extra garbages
+# Full path

 A1.COM = {
    A2.COM = .
-    A4.COM = A2.COM
-    A3.COM = A4.COM
    A3.COM = A2.COM
+    A4.COM = A2.COM
+    A4.COM = A3.COM
 }

+# Shortest path
+
 B1.COM = {
    B2.COM = .
    B3.COM = B2.COM
-    B3.COM = B4.COM
+    B4.COM = B3.COM
 }

-# Missing is "."
+# If no sRealm key, fallback to hierarchy

 C1.COM = {
    C3.COM = C2.COM
 }

-# Multiple paths
+# cRealm is "."

 D1.COM = {
-    D2.COM = .
-    D3.COM = .
-    D4.COM = D2.COM
-    D4.COM = D3.COM
+    D2.COM=D1.COM
 }

+# Bad cases
+
 E1.COM = {
-    E2.COM = .
+    E2.COM = E2.COM
+    E3.COM = E4.COM
    E3.COM = .
-    E4.COM = E2.COM   E3.COM   E2.COM
 }

-# Shortest or First?
-
-F1.COM = {
-    F2.COM = .
-    F3.COM = F2.COM
-    F4.COM = F9.COM
-    F4.COM = F3.COM
-    F4.COM = F2.COM
-}
-
-# Infinite loop
-
 G1.COM = {
    G2.COM = G3.COM
    G3.COM = G2.COM
 }

-H1.COM = {
-    H2.COM = H3.COM
-    H3.COM = H2.COM
-    H3.COM = .
-}
-
 I1.COM = {
    I2.COM = I3.COM
    I3.COM = I2.COM
-    I4.COM = I2.COM I5.COM
+    I4.COM = I5.COM
 }

-J1.COM = {
-    J2.COM=J1.COM
-}
+# 7019384

 A9.PRAGUE.XXX.CZ = {
    PRAGUE.XXX.CZ = .