8227437: S4U2proxy cannot continue because server's TGT cannot be found

Reviewed-by: weijun
2025-08-28 07:14:30 +02:00 · 2019-07-17 12:26:56 -03:00 · 2019-07-17 12:26:56 -03:00 · 3cd50f2666
commit 3cd50f2666
parent 5fd772a6f1
23 changed files with 466 additions and 149 deletions
--- a/src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java
+++ b/src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -49,7 +49,9 @@ public class Credentials {

    Ticket ticket;
    PrincipalName client;
+    PrincipalName clientAlias;
    PrincipalName server;
+    PrincipalName serverAlias;
    EncryptionKey key;
    TicketFlags flags;
    KerberosTime authTime;
@ -69,7 +71,9 @@ public class Credentials {

    public Credentials(Ticket new_ticket,
                       PrincipalName new_client,
+                       PrincipalName new_client_alias,
                       PrincipalName new_server,
+                       PrincipalName new_server_alias,
                       EncryptionKey new_key,
                       TicketFlags new_flags,
                       KerberosTime authTime,
@ -78,14 +82,17 @@ public class Credentials {
                       KerberosTime renewTill,
                       HostAddresses cAddr,
                       AuthorizationData authzData) {
-        this(new_ticket, new_client, new_server, new_key, new_flags,
-                authTime, new_startTime, new_endTime, renewTill, cAddr);
+        this(new_ticket, new_client, new_client_alias, new_server,
+                new_server_alias, new_key, new_flags, authTime,
+                new_startTime, new_endTime, renewTill, cAddr);
        this.authzData = authzData;
    }

    public Credentials(Ticket new_ticket,
                       PrincipalName new_client,
+                       PrincipalName new_client_alias,
                       PrincipalName new_server,
+                       PrincipalName new_server_alias,
                       EncryptionKey new_key,
                       TicketFlags new_flags,
                       KerberosTime authTime,
@ -95,7 +102,9 @@ public class Credentials {
                       HostAddresses cAddr) {
        ticket = new_ticket;
        client = new_client;
+        clientAlias = new_client_alias;
        server = new_server;
+        serverAlias = new_server_alias;
        key = new_key;
        flags = new_flags;
        this.authTime = authTime;
@ -107,7 +116,9 @@ public class Credentials {

    public Credentials(byte[] encoding,
                       String client,
+                       String clientAlias,
                       String server,
+                       String serverAlias,
                       byte[] keyBytes,
                       int keyType,
                       boolean[] flags,
@ -118,7 +129,11 @@ public class Credentials {
                       InetAddress[] cAddrs) throws KrbException, IOException {
        this(new Ticket(encoding),
             new PrincipalName(client, PrincipalName.KRB_NT_PRINCIPAL),
+             (clientAlias == null? null : new PrincipalName(clientAlias,
+                     PrincipalName.KRB_NT_PRINCIPAL)),
             new PrincipalName(server, PrincipalName.KRB_NT_SRV_INST),
+             (serverAlias == null? null : new PrincipalName(serverAlias,
+                     PrincipalName.KRB_NT_SRV_INST)),
             new EncryptionKey(keyType, keyBytes),
             (flags == null? null: new TicketFlags(flags)),
             (authTime == null? null: new KerberosTime(authTime)),
@ -143,10 +158,18 @@ public class Credentials {
        return client;
    }

+    public final PrincipalName getClientAlias() {
+        return clientAlias;
+    }
+
    public final PrincipalName getServer() {
        return server;
    }

+    public final PrincipalName getServerAlias() {
+        return serverAlias;
+    }
+
    public final EncryptionKey getSessionKey() {
        return key;
    }
@ -262,6 +285,7 @@ public class Credentials {
        return new KrbTgsReq(options,
                             this,
                             server,
+                             serverAlias,
                             null, // from
                             null, // till
                             null, // rtime
@ -484,7 +508,11 @@ public class Credentials {
    public static void printDebug(Credentials c) {
        System.out.println(">>> DEBUG: ----Credentials----");
        System.out.println("\tclient: " + c.client.toString());
+        if (c.clientAlias != null)
+            System.out.println("\tclient alias: " + c.clientAlias.toString());
        System.out.println("\tserver: " + c.server.toString());
+        if (c.serverAlias != null)
+            System.out.println("\tserver alias: " + c.serverAlias.toString());
        System.out.println("\tticket: sname: " + c.ticket.sname.toString());
        if (c.startTime != null) {
            System.out.println("\tstartTime: " + c.startTime.getTime());
@ -512,7 +540,11 @@ public class Credentials {
    public String toString() {
        StringBuilder sb = new StringBuilder("Credentials:");
        sb.append(    "\n      client=").append(client);
+        if (clientAlias != null)
+            sb.append(    "\n      clientAlias=").append(clientAlias);
        sb.append(    "\n      server=").append(server);
+        if (serverAlias != null)
+            sb.append(    "\n      serverAlias=").append(serverAlias);
        if (authTime != null) {
            sb.append("\n    authTime=").append(authTime);
        }