# HG changeset patch
# User rpatil
# Date 1511299276 0
# Node ID 25909c2cebbd12beb852dd7504b04ec664f19833
# Parent 998e4d7a514a16dd39696759a7535b30560fada2
8178794: Correct Kerberos ticket grants
Reviewed-by: coffeys, valeriep
Contributed-by: prasadarao.koppula@oracle.com
diff -r 998e4d7a514a -r 25909c2cebbd src/share/classes/sun/security/krb5/KrbAsRep.java
--- a/src/share/classes/sun/security/krb5/KrbAsRep.java Tue Nov 21 09:22:13 2017 +0000
+++ b/src/share/classes/sun/security/krb5/KrbAsRep.java Tue Nov 21 21:21:16 2017 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -160,7 +160,7 @@
 creds = new Credentials(
 rep.ticket,
 req.reqBody.cname,
- rep.ticket.sname,
+ enc_part.sname,
 enc_part.key,
 enc_part.flags,
 enc_part.authtime,
diff -r 998e4d7a514a -r 25909c2cebbd src/share/classes/sun/security/krb5/KrbTgsRep.java
--- a/src/share/classes/sun/security/krb5/KrbTgsRep.java Tue Nov 21 09:22:13 2017 +0000
+++ b/src/share/classes/sun/security/krb5/KrbTgsRep.java Tue Nov 21 21:21:16 2017 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -88,7 +88,7 @@
 this.creds = new Credentials(rep.ticket,
 req.reqBody.cname,
- rep.ticket.sname,
+ enc_part.sname,
 enc_part.key,
 enc_part.flags,
 enc_part.authtime,
diff -r 998e4d7a514a -r 25909c2cebbd test/sun/security/krb5/auto/KDC.java
--- a/test/sun/security/krb5/auto/KDC.java Tue Nov 21 09:22:13 2017 +0000
+++ b/test/sun/security/krb5/auto/KDC.java Tue Nov 21 21:21:16 2017 +0000
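Review bot: Nothing in KrbAsRep.java's `@@ -160,7 +160,7 @@` hunk records why the `Credentials` server name now comes from `enc_part.sname`, so a later cleanup could switch it back to `rep.ticket.sname` without noticing the security impact. The ticket's outer `sname` sits outside the part of the reply the client decrypts with the reply key, while `enc_part.sname` is covered by it; a comment such as `// sname from the encrypted reply part; the ticket's outer sname is not authenticated to the client` above the argument would say so. The identical change in KrbTgsRep.java's `@@ -88,7 +88,7 @@` hunk wants the same comment. Neither hunk shows whether `enc_part.sname` is compared with the name the client asked for in `req.reqBody`, so that check should be confirmed to exist elsewhere. Both constructor calls continue past the end of their hunks.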
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -744,7 +744,9 @@
 throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
 }
 Ticket t = new Ticket(
- service,
+ System.getProperty("test.kdc.diff.sname") != null ?
+ new PrincipalName("xx" + service.toString()) :
+ service,
 new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
 );
 EncTGSRepPart enc_part = new EncTGSRepPart(
diff -r 998e4d7a514a -r 25909c2cebbd test/sun/security/krb5/auto/TicketSName.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/TicketSName.java Tue Nov 21 21:21:16 2017 +0000
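Review bot: The altered ticket name in KDC.java's `@@ -744,7 +744,9 @@` hunk is applied where an `EncTGSRepPart` is built, so only the TGS reply appears to carry a mismatching `sname`; the commit also changes KrbAsRep.java, and nothing visible here makes the test KDC exercise that path. If the AS-reply ticket is constructed elsewhere in this class, the same `System.getProperty("test.kdc.diff.sname") != null ? new PrincipalName("xx" + service.toString()) : service` substitution there would cover it. A short comment above the ternary saying that the property makes the outer ticket name differ from the encrypted-part name on purpose would also help readers of the test KDC. The enclosing method starts and ends outside the hunk.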
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8178794
+ * @summary krb5 client should ignore sname in incoming tickets
+ * @compile -XDignore.symbol.file TicketSName.java
+ * @run main/othervm -Dtest.kdc.diff.sname TicketSName
+ */
+
+import java.util.Set;
+
+import javax.security.auth.kerberos.KerberosTicket;
+
+import sun.security.jgss.GSSUtil;
+
+public class TicketSName {
+
+ public static void main(String[] args) throws Exception {
+
+ new OneKDC(null).writeJAASConf();
+
+ Context c, s;
+ c = Context.fromJAAS("client");
+ s = Context.fromJAAS("server");
+
+ c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+ s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+ Context.handshake(c, s);
+
+ String expected = OneKDC.SERVER + "@" + OneKDC.REALM;
+ Set creds =
+ c.s().getPrivateCredentials(KerberosTicket.class);
+ for (KerberosTicket t : creds) {
+ if (t.getServer().toString().equals(expected)) {
+ return;
+ }
+ }
+ c.status();
+ throw new Exception("no " + expected);
+ }
+}
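Review bot: The loop in `main` returns as soon as one cached ticket has the expected server name, so the test never asserts that no credential was stored under the altered name the test KDC hands out. Checking inside the loop, for example `if (t.getServer().toString().startsWith("xx")) throw new Exception("altered sname cached");`, would pin the behaviour the `@summary` describes. A one-line comment before `new OneKDC(null)` noting that `-Dtest.kdc.diff.sname` makes the KDC issue tickets whose outer name differs from the requested service would make the test self-explanatory.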