8212217: JGSS: Don't dispose() of creds too eagerly

Reviewed-by: mullan, weijun
2025-09-16 09:04:41 +02:00 · 2018-11-01 22:41:32 +08:00 · 2018-11-01 22:41:32 +08:00 · 58a340bcb1
commit 58a340bcb1
parent 2fe0a0f20b
1 changed files with 26 additions and 10 deletions
--- a/src/java.security.jgss/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -63,12 +63,14 @@ class NativeGSSContext implements GSSContextSpi {
    private GSSNameElement srcName;
    private GSSNameElement targetName;
    private GSSCredElement cred;
+    private GSSCredElement disposeCred;
    private boolean isInitiator;
    private boolean isEstablished;
    private Oid actualMech; // Assigned during context establishment

    private ChannelBinding cb;
    private GSSCredElement delegatedCred;
+    private GSSCredElement disposeDelegatedCred;
    private int flags;
    private int lifetime = GSSCredential.DEFAULT_LIFETIME;
    private final GSSLibStub cStub;
@ -192,6 +194,7 @@ class NativeGSSContext implements GSSContextSpi {
        }
        cStub = stub;
        cred = myCred;
+        disposeCred = null;
        targetName = peer;
        isInitiator = true;
        lifetime = time;
@ -199,8 +202,9 @@ class NativeGSSContext implements GSSContextSpi {
        if (GSSUtil.isKerberosMech(cStub.getMech())) {
            doServicePermCheck();
            if (cred == null) {
-                cred = new GSSCredElement(null, lifetime,
-                                          GSSCredential.INITIATE_ONLY, cStub);
+                disposeCred = cred =
+                    new GSSCredElement(null, lifetime,
+                            GSSCredential.INITIATE_ONLY, cStub);
            }
            srcName = cred.getName();
        }
@ -211,6 +215,7 @@ class NativeGSSContext implements GSSContextSpi {
        throws GSSException {
        cStub = stub;
        cred = myCred;
+        disposeCred = null;

        if (cred != null) targetName = cred.getName();

@ -297,9 +302,9 @@ class NativeGSSContext implements GSSContextSpi {
                        (cStub.getContextName(pContext, true), cStub);
                }
                if (cred == null) {
-                    cred = new GSSCredElement(srcName, lifetime,
-                                              GSSCredential.INITIATE_ONLY,
-                                              cStub);
+                    disposeCred = cred =
+                        new GSSCredElement(srcName, lifetime,
+                                GSSCredential.INITIATE_ONLY, cStub);
                }
            }
        }
@ -315,6 +320,7 @@ class NativeGSSContext implements GSSContextSpi {
                                    inToken.length);
            long pCred = (cred == null? 0 : cred.pCred);
            outToken = cStub.acceptContext(pCred, cb, inToken, this);
+            disposeDelegatedCred = delegatedCred;
            SunNativeProvider.debug("acceptSecContext=> outToken len=" +
                                    (outToken == null? 0 : outToken.length));

@ -323,9 +329,12 @@ class NativeGSSContext implements GSSContextSpi {
                    (cStub.getContextName(pContext, false), cStub);
                // Replace the current default acceptor cred now that
                // the context acceptor name is available
-                if (cred != null) cred.dispose();
-                cred = new GSSCredElement(targetName, lifetime,
-                                          GSSCredential.ACCEPT_ONLY, cStub);
+                if (disposeCred != null) {
+                    disposeCred.dispose();
+                }
+                disposeCred = cred =
+                    new GSSCredElement(targetName, lifetime,
+                            GSSCredential.ACCEPT_ONLY, cStub);
            }

            // Only inspect token when the permission check has not
@ -346,9 +355,15 @@ class NativeGSSContext implements GSSContextSpi {
    }

    public void dispose() throws GSSException {
+        if (disposeCred != null) {
+            disposeCred.dispose();
+        }
+        if (disposeDelegatedCred != null) {
+            disposeDelegatedCred.dispose();
+        }
+        disposeDelegatedCred = disposeCred = cred = null;
        srcName = null;
        targetName = null;
-        cred = null;
        delegatedCred = null;
        if (pContext != 0) {
            pContext = cStub.deleteContext(pContext);
@ -612,6 +627,7 @@ class NativeGSSContext implements GSSContextSpi {
        }
    }
    public GSSCredentialSpi getDelegCred() throws GSSException {
+        disposeDelegatedCred = null;
        return delegatedCred;
    }
    public boolean isInitiator() {