Fixed JAAS ticket validator.

sankar-hub · Mar 23, 2017 · 005320c · 005320c
1 parent e7113fd
commit 005320c
Showing 1 changed file with 19 additions and 38 deletions.
diff --git a/.../springframework/security/kerberos/authentication/sun/SunJaasKerberosTicketValidator.java b/.../springframework/security/kerberos/authentication/sun/SunJaasKerberosTicketValidator.java
@@ -15,19 +15,6 @@
  */
 package org.springframework.security.kerberos.authentication.sun;
 
-import java.security.Principal;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
-
 import com.sun.security.jgss.GSSUtil;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -41,11 +28,22 @@
 import org.springframework.core.io.Resource;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.kerberos.authentication.JaasSubjectHolder;
-import org.springframework.security.kerberos.authentication.KerberosMultiTier;
 import org.springframework.security.kerberos.authentication.KerberosTicketValidation;
 import org.springframework.security.kerberos.authentication.KerberosTicketValidator;
 import org.springframework.util.Assert;
 
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import java.security.Principal;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Set;
+
 /**
  * Implementation of {@link KerberosTicketValidator} which uses the SUN JAAS
  * login module, which is included in the SUN JRE, it will not work with an IBM JRE.
@@ -200,30 +198,13 @@ public KerberosTicketValidation run() throws Exception {
 			byte[] responseToken = new byte[0];
             GSSManager manager = GSSManager.getInstance();
 
-            GSSName serverName =
-                    manager.createName(servicePrincipal,
-                            GSSName.NT_USER_NAME);
-
-            GSSCredential serverCreds =
-                    manager.createCredential(serverName,
-                            GSSCredential.INDEFINITE_LIFETIME,
-                            KerberosMultiTier.KERBEROS_OID,
-                            GSSCredential.INITIATE_AND_ACCEPT);
-
-            GSSContext context = manager.createContext(serverCreds);
-
-			boolean first = true;
-			while (!context.isEstablished()) {
-				if (first) {
-					kerberosTicket = tweakJdkRegression(kerberosTicket);
-				}
-				responseToken = context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
-                serverName = context.getSrcName();
-				if (serverName == null) {
-					throw new BadCredentialsException("GSSContext name of the context initiator is null");
-				}
-				first = false;
-			}
+            GSSContext context = manager.createContext((GSSCredential) null);
+
+            byte[] patchedToken = tweakJdkRegression(kerberosTicket);
+
+            while (!context.isEstablished()) {
+                context.acceptSecContext(patchedToken, 0, patchedToken.length);
+            }
 
             Subject subject = GSSUtil.createSubject(
                     context.getSrcName(),