Merge

make/Makefile

 #
-# Copyright (c) 1995, 2007, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 1995, 2010, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -243,6 +243,11 @@ SUBDIRS       = tools java javax sun com
 SUBDIRS_tools = launchers
 SUBDIRS_misc  = org sunw jpda mkdemo mksample
 
+# Alternate classes implementation
+ifndef OPENJDK
+  SUBDIRS_misc += altclasses
+endif
+
 include $(BUILDDIR)/common/Subdirs.gmk
 
 all build::

make/altclasses/Makefile

+#
+# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+#
+# Makefile for building alternate runtime classes (not used by default)
+#
+
+BUILDDIR = ..
+
+PRODUCT = altclasses
+
+include $(BUILDDIR)/common/Defs.gmk
+
+# Root of alternate class sources
+
+ALTCLASSES_SRCDIR = $(CLOSED_SRC)/share/altclasses
+
+# Alternate runtime classes
+
+ALTRT_JAR_FILE = $(LIBDIR)/alt-rt.jar
+ALTRT_JAR_SOURCE_FILE = $(TEMPDIR)/alt-rt.jarsrclist
+ALTRT_JAR_SOURCES = $(wildcard $(ALTCLASSES_SRCDIR)/java/*/*.java)
+
+# Use a special file suffix for the file that holds the source list
+
+.SUFFIXES: .jarsrclist
+
+# Build rules
+
+all build: 
+	@if [ -d $(ALTCLASSES_SRCDIR) ] ; then \
+	   $(MAKE) $(ALTRT_JAR_FILE); \
+	fi
+
+# Source list file creation
+
+$(ALTRT_JAR_SOURCE_FILE): $(ALTRT_JAR_SOURCES) FRC
+	$(prep-target)
+	$(ECHO) $(ALTRT_JAR_SOURCES) > $@
+
+clean clobber::
+	$(RM) $(ALTRT_JAR_FILE) $(ALTRT_JAR_SOURCE_FILE) 
+	$(RM) -r $(ALTRT_JAR_SOURCE_FILE).classes
+
+include $(BUILDDIR)/common/Classes.gmk
+
+# Pattern rule to turn a source list file into a jar file
+$(LIBDIR)/%.jar : $(TEMPDIR)/%.jarsrclist
+	$(prep-target)
+	$(RM) -r $(<).classes
+	$(MKDIR) -p $(<).classes
+	$(JAVAC_CMD) -implicit:none -d $(<).classes @$<
+	$(BOOT_JAR_CMD) cf $@ -C $(<).classes . $(BOOT_JAR_JFLAGS)
+
+# Force target
+
+FRC:
+
+# Non file targets
+
+.PHONY: all build clean clobber
+

make/mkdemo/nio/zipfs/Makefile

@@ -42,3 +42,10 @@ DEMO_DESTDIR    = $(DEMODIR)/nio/$(DEMONAME)
 #
 include $(BUILDDIR)/common/Demo.gmk
 
+#EXTJAR = $(EXTDIR)/$(DEMONAME).jar
+#
+#all : build $(EXTJAR)
+#
+#$(EXTJAR) : $(DEMO_JAR)
+#	$(prep-target)
+#	$(CP) $(DEMO_JAR) $(EXTJAR)

src/share/classes/com/sun/java/util/jar/pack/ClassReader.java

 /*
- * Copyright (c) 2001, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,7 +30,6 @@ import java.util.*;
 import com.sun.java.util.jar.pack.Package.Class;
 import com.sun.java.util.jar.pack.Package.InnerClass;
 import com.sun.java.util.jar.pack.ConstantPool.*;
-import com.sun.tools.classfile.AttributeException;
 
 /**
  * Reader for a class file that is being incorporated into a package.
@@ -422,7 +421,7 @@ class ClassReader implements Constants {
                         readCode(m.code);
                     } catch (Instruction.FormatException iie) {
                         String message = iie.getMessage() + " in " + h;
-                        throw new ClassReader.ClassFormatException(message);
+                        throw new ClassReader.ClassFormatException(message, iie);
                     }
                 } else {
                     assert(h == cls);
@@ -477,9 +476,13 @@ class ClassReader implements Constants {
         // (Later, ics may be transferred to the pkg.)
     }
 
-    class ClassFormatException extends IOException {
+    static class ClassFormatException extends IOException {
         public ClassFormatException(String message) {
             super(message);
         }
+
+        public ClassFormatException(String message, Throwable cause) {
+            super(message, cause);
+        }
     }
 }

src/share/classes/com/sun/java/util/jar/pack/PackerImpl.java

@@ -614,10 +614,14 @@ public class PackerImpl  extends TLGlobals implements Pack200.Packer {
         List<InFile> scanJar(JarFile jf) throws IOException {
             // Collect jar entries, preserving order.
             List<InFile> inFiles = new ArrayList<>();
-            for (JarEntry je : Collections.list(jf.entries())) {
-                InFile inFile = new InFile(jf, je);
-                assert(je.isDirectory() == inFile.name.endsWith("/"));
-                inFiles.add(inFile);
+            try {
+                for (JarEntry je : Collections.list(jf.entries())) {
+                    InFile inFile = new InFile(jf, je);
+                    assert(je.isDirectory() == inFile.name.endsWith("/"));
+                    inFiles.add(inFile);
+                }
+            } catch (IllegalStateException ise) {
+                throw new IOException(ise.getLocalizedMessage(), ise);
             }
             return inFiles;
         }

src/share/classes/com/sun/java/util/jar/pack/UnpackerImpl.java

@@ -92,7 +92,13 @@ public class UnpackerImpl extends TLGlobals implements Pack200.Unpacker {
      * @param out a JarOutputStream.
      * @exception IOException if an error is encountered.
      */
-    public void unpack(InputStream in0, JarOutputStream out) throws IOException {
+    public void unpack(InputStream in, JarOutputStream out) throws IOException {
+        if (in == null) {
+            throw new NullPointerException("null input");
+        }
+        if (out == null) {
+            throw new NullPointerException("null output");
+        }
         assert(Utils.currentInstance.get() == null);
         TimeZone tz = (props.getBoolean(Utils.PACK_DEFAULT_TIMEZONE))
                       ? null
@@ -102,18 +108,18 @@ public class UnpackerImpl extends TLGlobals implements Pack200.Unpacker {
             Utils.currentInstance.set(this);
             if (tz != null) TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
             final int verbose = props.getInteger(Utils.DEBUG_VERBOSE);
-            BufferedInputStream in = new BufferedInputStream(in0);
-            if (Utils.isJarMagic(Utils.readMagic(in))) {
+            BufferedInputStream in0 = new BufferedInputStream(in);
+            if (Utils.isJarMagic(Utils.readMagic(in0))) {
                 if (verbose > 0)
                     Utils.log.info("Copying unpacked JAR file...");
-                Utils.copyJarFile(new JarInputStream(in), out);
+                Utils.copyJarFile(new JarInputStream(in0), out);
             } else if (props.getBoolean(Utils.DEBUG_DISABLE_NATIVE)) {
-                (new DoUnpack()).run(in, out);
-                in.close();
+                (new DoUnpack()).run(in0, out);
+                in0.close();
                 Utils.markJarFile(out);
             } else {
-                (new NativeUnpack(this)).run(in, out);
-                in.close();
+                (new NativeUnpack(this)).run(in0, out);
+                in0.close();
                 Utils.markJarFile(out);
             }
         } finally {
@@ -132,6 +138,12 @@ public class UnpackerImpl extends TLGlobals implements Pack200.Unpacker {
      * @exception IOException if an error is encountered.
      */
     public void unpack(File in, JarOutputStream out) throws IOException {
+        if (in == null) {
+            throw new NullPointerException("null input");
+        }
+        if (out == null) {
+            throw new NullPointerException("null output");
+        }
         // Use the stream-based implementation.
         // %%% Reconsider if native unpacker learns to memory-map the file.
         FileInputStream instr = new FileInputStream(in);

src/share/classes/com/sun/jmx/remote/internal/ServerNotifForwarder.java

 /*
- * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -45,6 +45,8 @@ import javax.management.InstanceNotFoundException;
 import javax.management.ListenerNotFoundException;
 import javax.management.MBeanPermission;
 import javax.management.MBeanServer;
+import javax.management.MBeanServerDelegate;
+import javax.management.MBeanServerNotification;
 import javax.management.Notification;
 import javax.management.NotificationBroadcaster;
 import javax.management.NotificationFilter;
@@ -272,6 +274,7 @@ public class ServerNotifForwarder {
             nr = notifBuffer.fetchNotifications(bufferFilter,
                 startSequenceNumber,
                 t, maxNotifications);
+            snoopOnUnregister(nr);
         } catch (InterruptedException ire) {
             nr = new NotificationResult(0L, 0L, new TargetedNotification[0]);
         }
@@ -283,6 +286,34 @@ public class ServerNotifForwarder {
         return nr;
     }
 
+    // The standard RMI connector client will register a listener on the MBeanServerDelegate
+    // in order to be told when MBeans are unregistered.  We snoop on fetched notifications
+    // so that we can know too, and remove the corresponding entry from the listenerMap.
+    // See 6957378.
+    private void snoopOnUnregister(NotificationResult nr) {
+        Set<IdAndFilter> delegateSet = listenerMap.get(MBeanServerDelegate.DELEGATE_NAME);
+        if (delegateSet == null || delegateSet.isEmpty()) {
+            return;
+        }
+        for (TargetedNotification tn : nr.getTargetedNotifications()) {
+            Integer id = tn.getListenerID();
+            for (IdAndFilter idaf : delegateSet) {
+                if (idaf.id == id) {
+                    // This is a notification from the MBeanServerDelegate.
+                    Notification n = tn.getNotification();
+                    if (n instanceof MBeanServerNotification &&
+                            n.getType().equals(MBeanServerNotification.UNREGISTRATION_NOTIFICATION)) {
+                        MBeanServerNotification mbsn = (MBeanServerNotification) n;
+                        ObjectName gone = mbsn.getMBeanName();
+                        synchronized (listenerMap) {
+                            listenerMap.remove(gone);
+                        }
+                    }
+                }
+            }
+        }
+    }
+
     public void terminate() {
         if (logger.traceOn()) {
             logger.trace("terminate", "Be called.");
@@ -418,10 +449,12 @@ public class ServerNotifForwarder {
             return this.filter;
         }
 
+        @Override
         public int hashCode() {
             return id.hashCode();
         }
 
+        @Override
         public boolean equals(Object o) {
             return ((o instanceof IdAndFilter) &&
                     ((IdAndFilter) o).getId().equals(getId()));

src/share/classes/com/sun/rowset/JdbcRowSetResourceBundle.java

@@ -27,7 +27,6 @@ package com.sun.rowset;
 
 import java.io.*;
 import java.util.*;
-import java.lang.*;
 
 /**
  * This class is used to help in localization of resources,
@@ -42,28 +41,28 @@ public class JdbcRowSetResourceBundle implements Serializable {
      * This <code>String</code> variable stores the location
      * of the resource bundle location.
      */
-    static String fileName;
+    private static String fileName;
 
     /**
      * This variable will hold the <code>PropertyResourceBundle</code>
      * of the text to be internationalized.
      */
-    transient PropertyResourceBundle propResBundle;
+    private transient PropertyResourceBundle propResBundle;
 
     /**
      * The constructor initializes to this object
      *
      */
-    static JdbcRowSetResourceBundle jpResBundle;
+    private static volatile JdbcRowSetResourceBundle jpResBundle;
 
     /**
-     * The varible which will represent the properties
+     * The variable which will represent the properties
      * the suffix or extension of the resource bundle.
      **/
     private static final String PROPERTIES = "properties";
 
     /**
-     * The varibale to represent underscore
+     * The variable to represent underscore
      **/
     private static final String UNDERSCORE = "_";
 

src/share/classes/com/sun/security/auth/NTDomainPrincipal.java

 /*
- * Copyright (c) 1999, 2001, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -68,7 +68,7 @@ public class NTDomainPrincipal implements Principal, java.io.Serializable {
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -99,7 +99,7 @@ public class NTDomainPrincipal implements Principal, java.io.Serializable {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTDomainPrincipal: name",
+                        ("NTDomainPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);

src/share/classes/com/sun/security/auth/NTNumericCredential.java

 /*
- * Copyright (c) 1999, 2002, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -70,7 +70,7 @@ public class NTNumericCredential {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTNumericCredential: name",
+                        ("NTNumericCredential.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {Long.toString(impersonationToken)};
         return form.format(source);

src/share/classes/com/sun/security/auth/NTSid.java

 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -73,7 +73,7 @@ public class NTSid implements Principal, java.io.Serializable {
         if (stringSid == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"stringSid"};
             throw new NullPointerException(form.format(source));
@@ -81,7 +81,7 @@ public class NTSid implements Principal, java.io.Serializable {
         if (stringSid.length() == 0) {
             throw new IllegalArgumentException
                 (sun.security.util.ResourcesMgr.getString
-                        ("Invalid NTSid value",
+                        ("Invalid.NTSid.value",
                         "sun.security.util.AuthResources"));
         }
         sid = new String(stringSid);
@@ -108,7 +108,7 @@ public class NTSid implements Principal, java.io.Serializable {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSid: name",
+                        ("NTSid.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {sid};
         return form.format(source);

src/share/classes/com/sun/security/auth/NTSidDomainPrincipal.java

 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -73,7 +73,7 @@ public class NTSidDomainPrincipal extends NTSid {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidDomainPrincipal: name",
+                        ("NTSidDomainPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);

src/share/classes/com/sun/security/auth/NTSidGroupPrincipal.java

 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -68,7 +68,7 @@ public class NTSidGroupPrincipal extends NTSid {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidGroupPrincipal: name",
+                        ("NTSidGroupPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);

src/share/classes/com/sun/security/auth/NTSidPrimaryGroupPrincipal.java

 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -70,7 +70,7 @@ public class NTSidPrimaryGroupPrincipal extends NTSid {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidPrimaryGroupPrincipal: name",
+                        ("NTSidPrimaryGroupPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);

src/share/classes/com/sun/security/auth/NTSidUserPrincipal.java

 /*
- * Copyright (c) 1999, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,7 +67,7 @@ public class NTSidUserPrincipal extends NTSid {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTSidUserPrincipal: name",
+                        ("NTSidUserPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {getName()};
         return form.format(source);

src/share/classes/com/sun/security/auth/NTUserPrincipal.java

 /*
- * Copyright (c) 1999, 2001, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -64,7 +64,7 @@ public class NTUserPrincipal implements Principal, java.io.Serializable {
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -93,7 +93,7 @@ public class NTUserPrincipal implements Principal, java.io.Serializable {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("NTUserPrincipal: name",
+                        ("NTUserPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);

src/share/classes/com/sun/security/auth/PolicyFile.java

 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -490,9 +490,9 @@ public class PolicyFile extends javax.security.auth.Policy {
             }
         } catch (PolicyParser.ParsingException pe) {
             System.err.println(AUTH_POLICY +
-                                rb.getString(": error parsing ") + policy);
+                                rb.getString(".error.parsing.") + policy);
             System.err.println(AUTH_POLICY +
-                                rb.getString(": ") +
+                                rb.getString("COLON") +
                                 pe.getMessage());
             if (debug != null)
                 pe.printStackTrace();
@@ -635,16 +635,16 @@ public class PolicyFile extends javax.security.auth.Policy {
                 } catch (java.lang.reflect.InvocationTargetException ite) {
                     System.err.println
                         (AUTH_POLICY +
-                        rb.getString(": error adding Permission ") +
+                        rb.getString(".error.adding.Permission.") +
                         pe.permission +
-                        rb.getString(" ") +
+                        rb.getString("SPACE") +
                         ite.getTargetException());
                 } catch (Exception e) {
                     System.err.println
                         (AUTH_POLICY +
-                        rb.getString(": error adding Permission ") +
+                        rb.getString(".error.adding.Permission.") +
                         pe.permission +
-                        rb.getString(" ") +
+                        rb.getString("SPACE") +
                         e);
                 }
             }
@@ -652,9 +652,9 @@ public class PolicyFile extends javax.security.auth.Policy {
         } catch (Exception e) {
             System.err.println
                 (AUTH_POLICY +
-                rb.getString(": error adding Entry ") +
+                rb.getString(".error.adding.Entry.") +
                 ge +
-                rb.getString(" ") +
+                rb.getString("SPACE") +
                 e);
         }
 
@@ -1373,18 +1373,18 @@ public class PolicyFile extends javax.security.auth.Policy {
 
         public String toString(){
             StringBuffer sb = new StringBuffer();
-            sb.append(rb.getString("("));
+            sb.append(rb.getString("LPARAM"));
             sb.append(getCodeSource());
             sb.append("\n");
             for (int j = 0; j < permissions.size(); j++) {
                 Permission p = permissions.elementAt(j);
-                sb.append(rb.getString(" "));
-                sb.append(rb.getString(" "));
+                sb.append(rb.getString("SPACE"));
+                sb.append(rb.getString("SPACE"));
                 sb.append(p);
-                sb.append(rb.getString("\n"));
+                sb.append(rb.getString("NEWLINE"));
             }
-            sb.append(rb.getString(")"));
-            sb.append(rb.getString("\n"));
+            sb.append(rb.getString("RPARAM"));
+            sb.append(rb.getString("NEWLINE"));
             return sb.toString();
         }
 
@@ -1415,7 +1415,7 @@ class PolicyPermissions extends PermissionCollection {
         if (isReadOnly())
             throw new SecurityException
             (PolicyFile.rb.getString
-            ("attempt to add a Permission to a readonly PermissionCollection"));
+            ("attempt.to.add.a.Permission.to.a.readonly.PermissionCollection"));
 
         if (perms == null) {
             if (additionalPerms == null)

src/share/classes/com/sun/security/auth/PolicyParser.java

 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -300,7 +300,7 @@ class PolicyParser {
             keyStoreType = match("quoted string");
         } else {
             throw new ParsingException(st.lineno(),
-                        rb.getString("expected keystore type"));
+                        rb.getString("expected.keystore.type"));
         }
     }
 
@@ -368,8 +368,8 @@ class PolicyParser {
                                 "WILDCARD class but no WILDCARD name");
                     throw new ParsingException
                         (st.lineno(),
-                        rb.getString("can not specify Principal with a ") +
-                        rb.getString("wildcard class without a wildcard name"));
+                        rb.getString("can.not.specify.Principal.with.a.") +
+                        rb.getString("wildcard.class.without.a.wildcard.name"));
                 }
 
                 try {
@@ -389,7 +389,7 @@ class PolicyParser {
             } else {
                 throw new
                  ParsingException(st.lineno(),
-                        rb.getString("expected codeBase or SignedBy"));
+                        rb.getString("expected.codeBase.or.SignedBy"));
             }
         }
 
@@ -397,7 +397,7 @@ class PolicyParser {
         if (principals == null) {
             throw new ParsingException
                 (st.lineno(),
-                rb.getString("only Principal-based grant entries permitted"));
+                rb.getString("only.Principal.based.grant.entries.permitted"));
         }
 
         e.principals = principals;
@@ -416,7 +416,7 @@ class PolicyParser {
             } else {
                 throw new
                     ParsingException(st.lineno(),
-                    rb.getString("expected permission entry"));
+                    rb.getString("expected.permission.entry"));
             }
         }
         match("}");
@@ -522,12 +522,12 @@ class PolicyParser {
         switch (lookahead) {
         case StreamTokenizer.TT_NUMBER:
             throw new ParsingException(st.lineno(), expect,
-                                        rb.getString("number ") +
+                                        rb.getString("number.") +
                                         String.valueOf(st.nval));
         case StreamTokenizer.TT_EOF:
            throw new ParsingException
-                (rb.getString("expected ") + expect +
-                rb.getString(", read end of file"));
+                (rb.getString("expected.") + expect +
+                rb.getString(".read.end.of.file"));
         case StreamTokenizer.TT_WORD:
             if (expect.equalsIgnoreCase(st.sval)) {
                 lookahead = st.nextToken();
@@ -603,11 +603,11 @@ class PolicyParser {
         switch (lookahead) {
         case StreamTokenizer.TT_NUMBER:
             throw new ParsingException(st.lineno(), ";",
-                                       rb.getString("number ") +
+                                       rb.getString("number.") +
                                         String.valueOf(st.nval));
         case StreamTokenizer.TT_EOF:
           throw new ParsingException
-                (rb.getString("expected ';', read end of file"));
+                (rb.getString("expected.read.end.of.file"));
         default:
           lookahead = st.nextToken();
         }
@@ -942,13 +942,13 @@ class PolicyParser {
         }
 
         public ParsingException(int line, String msg) {
-            super(rb.getString("line ") + line + rb.getString(": ") + msg);
+            super(rb.getString("line.") + line + rb.getString("COLON") + msg);
         }
 
         public ParsingException(int line, String expect, String actual) {
-            super(rb.getString("line ") + line + rb.getString(": expected '") +
-                expect + rb.getString("', found '") + actual +
-                rb.getString("'"));
+            super(rb.getString("line.") + line + rb.getString(".expected.") +
+                expect + rb.getString(".found.") + actual +
+                rb.getString("QUOTE"));
         }
     }
 

src/share/classes/com/sun/security/auth/SolarisNumericGroupPrincipal.java

 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -89,7 +89,7 @@ public class SolarisNumericGroupPrincipal implements
      */
     public SolarisNumericGroupPrincipal(String name, boolean primaryGroup) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         this.name = name;
         this.primaryGroup = primaryGroup;
@@ -165,9 +165,9 @@ public class SolarisNumericGroupPrincipal implements
     public String toString() {
         return((primaryGroup ?
             rb.getString
-            ("SolarisNumericGroupPrincipal [Primary Group]: ") + name :
+            ("SolarisNumericGroupPrincipal.Primary.Group.") + name :
             rb.getString
-            ("SolarisNumericGroupPrincipal [Supplementary Group]: ") + name));
+            ("SolarisNumericGroupPrincipal.Supplementary.Group.") + name));
     }
 
     /**

src/share/classes/com/sun/security/auth/SolarisNumericUserPrincipal.java

 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -80,7 +80,7 @@ public class SolarisNumericUserPrincipal implements
      */
     public SolarisNumericUserPrincipal(String name) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         this.name = name;
     }
@@ -134,7 +134,7 @@ public class SolarisNumericUserPrincipal implements
      *          <code>SolarisNumericUserPrincipal</code>.
      */
     public String toString() {
-        return(rb.getString("SolarisNumericUserPrincipal: ") + name);
+        return(rb.getString("SolarisNumericUserPrincipal.") + name);
     }
 
     /**

src/share/classes/com/sun/security/auth/SolarisPrincipal.java

 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -76,7 +76,7 @@ public class SolarisPrincipal implements Principal, java.io.Serializable {
      */
     public SolarisPrincipal(String name) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         this.name = name;
     }
@@ -100,7 +100,7 @@ public class SolarisPrincipal implements Principal, java.io.Serializable {
      * @return a string representation of this <code>SolarisPrincipal</code>.
      */
     public String toString() {
-        return(rb.getString("SolarisPrincipal: ") + name);
+        return(rb.getString("SolarisPrincipal.") + name);
     }
 
     /**

src/share/classes/com/sun/security/auth/SubjectCodeSource.java

 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -395,7 +395,7 @@ class SubjectCodeSource extends CodeSource implements java.io.Serializable {
                                         principals.listIterator();
             while (li.hasNext()) {
                 PolicyParser.PrincipalEntry pppe = li.next();
-                returnMe = returnMe + rb.getString("\n") +
+                returnMe = returnMe + rb.getString("NEWLINE") +
                         pppe.principalClass + " " +
                         pppe.principalName;
             }

src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java

 /*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -77,7 +77,7 @@ public class UnixNumericGroupPrincipal implements
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -159,14 +159,14 @@ public class UnixNumericGroupPrincipal implements
         if (primaryGroup) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("UnixNumericGroupPrincipal [Primary Group]: name",
+                        ("UnixNumericGroupPrincipal.Primary.Group.name",
                         "sun.security.util.AuthResources"));
             Object[] source = {name};
             return form.format(source);
         } else {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                    ("UnixNumericGroupPrincipal [Supplementary Group]: name",
+                    ("UnixNumericGroupPrincipal.Supplementary.Group.name",
                     "sun.security.util.AuthResources"));
             Object[] source = {name};
             return form.format(source);

src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java

 /*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,7 +67,7 @@ public class UnixNumericUserPrincipal implements
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -127,7 +127,7 @@ public class UnixNumericUserPrincipal implements
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("UnixNumericUserPrincipal: name",
+                        ("UnixNumericUserPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);

src/share/classes/com/sun/security/auth/UnixPrincipal.java

 /*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -64,7 +64,7 @@ public class UnixPrincipal implements Principal, java.io.Serializable {
         if (name == null) {
             java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("invalid null input: value",
+                        ("invalid.null.input.value",
                         "sun.security.util.AuthResources"));
             Object[] source = {"name"};
             throw new NullPointerException(form.format(source));
@@ -94,7 +94,7 @@ public class UnixPrincipal implements Principal, java.io.Serializable {
     public String toString() {
         java.text.MessageFormat form = new java.text.MessageFormat
                 (sun.security.util.ResourcesMgr.getString
-                        ("UnixPrincipal: name",
+                        ("UnixPrincipal.name",
                         "sun.security.util.AuthResources"));
         Object[] source = {name};
         return form.format(source);

src/share/classes/com/sun/security/auth/X500Principal.java

 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -87,7 +87,7 @@ public class X500Principal implements Principal, java.io.Serializable {
      */
     public X500Principal(String name) {
         if (name == null)
-            throw new NullPointerException(rb.getString("provided null name"));
+            throw new NullPointerException(rb.getString("provided.null.name"));
 
         try {
             thisX500Name = new X500Name(name);

src/share/classes/com/sun/security/auth/login/ConfigFile.java

 /*
- * Copyright (c) 2000, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -190,7 +190,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                 } catch (PropertyExpander.ExpandException peee) {
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                                ("Unable to properly expand config",
+                                ("Unable.to.properly.expand.config",
                                 "sun.security.util.AuthResources"));
                     Object[] source = {extra_config};
                     throw new IOException(form.format(source));
@@ -206,7 +206,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                     } else {
                         MessageFormat form = new MessageFormat
                             (ResourcesMgr.getString
-                                ("extra_config (No such file or directory)",
+                                ("extra.config.No.such.file.or.directory.",
                                 "sun.security.util.AuthResources"));
                         Object[] source = {extra_config};
                         throw new IOException(form.format(source));
@@ -243,7 +243,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
             } catch (PropertyExpander.ExpandException peee) {
                 MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                                ("Unable to properly expand config",
+                                ("Unable.to.properly.expand.config",
                                 "sun.security.util.AuthResources"));
                 Object[] source = {config_url};
                 throw new IOException(form.format(source));
@@ -286,7 +286,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                 debugConfig.println(fnfe.toString());
             }
             throw new IOException(ResourcesMgr.getString
-                    ("Configuration Error:\n\tNo such file or directory",
+                    ("Configuration.Error.No.such.file.or.directory",
                     "sun.security.util.AuthResources"));
         } finally {
             if (isr != null) {
@@ -426,7 +426,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                         AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL;
             else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tInvalid control flag, flag",
+                        ("Configuration.Error.Invalid.control.flag.flag",
                         "sun.security.util.AuthResources"));
                 Object[] source = {sflag};
                 throw new IOException(form.format(source));
@@ -474,8 +474,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
         // add this configuration entry
         if (newConfig.containsKey(appName)) {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                ("Configuration Error:\n\t" +
-                        "Can not specify multiple entries for appName",
+                ("Configuration.Error.Can.not.specify.multiple.entries.for.appName",
                 "sun.security.util.AuthResources"));
             Object[] source = {appName};
             throw new IOException(form.format(source));
@@ -491,8 +490,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
         case StreamTokenizer.TT_EOF:
 
             MessageFormat form1 = new MessageFormat(ResourcesMgr.getString
-                ("Configuration Error:\n\texpected [expect], " +
-                        "read [end of file]",
+                ("Configuration.Error.expected.expect.read.end.of.file.",
                 "sun.security.util.AuthResources"));
             Object[] source1 = {expect};
             throw new IOException(form1.format(source1));
@@ -508,8 +506,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: " +
-                                "expected [expect], found [value]",
+                        ("Configuration.Error.Line.line.expected.expect.found.value.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -522,7 +519,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -535,7 +532,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -548,7 +545,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -561,7 +558,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
                 lookahead = nextToken();
             } else {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: expected [expect]",
+                        ("Configuration.Error.Line.line.expected.expect.",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), expect, st.sval};
                 throw new IOException(form.format(source));
@@ -570,8 +567,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
 
         default:
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: " +
-                                "expected [expect], found [value]",
+                        ("Configuration.Error.Line.line.expected.expect.found.value.",
                         "sun.security.util.AuthResources"));
             Object[] source = {new Integer(linenum), expect, st.sval};
             throw new IOException(form.format(source));
@@ -667,8 +663,7 @@ public class ConfigFile extends javax.security.auth.login.Configuration {
 
             if (s == null || s.length() == 0) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("Configuration Error:\n\tLine line: " +
-                        "system property [value] expanded to empty value",
+                        ("Configuration.Error.Line.line.system.property.value.expanded.to.empty.value",
                         "sun.security.util.AuthResources"));
                 Object[] source = {new Integer(linenum), value};
                 throw new IOException(form.format(source));

src/share/classes/com/sun/security/auth/module/JndiLoginModule.java

 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -686,9 +686,9 @@ public class JndiLoginModule implements LoginModule {
 
         Callback[] callbacks = new Callback[2];
         callbacks[0] = new NameCallback(protocol + " "
-                                            + rb.getString("username: "));
+                                            + rb.getString("username."));
         callbacks[1] = new PasswordCallback(protocol + " " +
-                                                rb.getString("password: "),
+                                                rb.getString("password."),
                                             false);
 
         try {

src/share/classes/com/sun/security/auth/module/KeyStoreLoginModule.java

 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -150,7 +150,7 @@ public class KeyStoreLoginModule implements LoginModule {
     private static final TextOutputCallback bannerCallback =
                 new TextOutputCallback
                         (TextOutputCallback.INFORMATION,
-                        rb.getString("Please enter keystore information"));
+                        rb.getString("Please.enter.keystore.information"));
     private final ConfirmationCallback confirmationCallback =
                 new ConfirmationCallback
                         (ConfirmationCallback.INFORMATION,
@@ -364,10 +364,10 @@ public class KeyStoreLoginModule implements LoginModule {
             NameCallback aliasCallback;
             if (keyStoreAlias == null || keyStoreAlias.length() == 0) {
                 aliasCallback = new NameCallback(
-                                        rb.getString("Keystore alias: "));
+                                        rb.getString("Keystore.alias."));
             } else {
                 aliasCallback =
-                    new NameCallback(rb.getString("Keystore alias: "),
+                    new NameCallback(rb.getString("Keystore.alias."),
                                      keyStoreAlias);
             }
 
@@ -379,11 +379,11 @@ public class KeyStoreLoginModule implements LoginModule {
                 break;
             case NORMAL:
                 keyPassCallback = new PasswordCallback
-                    (rb.getString("Private key password (optional): "), false);
+                    (rb.getString("Private.key.password.optional."), false);
                 // fall thru
             case TOKEN:
                 storePassCallback = new PasswordCallback
-                    (rb.getString("Keystore password: "), false);
+                    (rb.getString("Keystore.password."), false);
                 break;
             }
             prompt(aliasCallback, storePassCallback, keyPassCallback);

src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java

@@ -27,7 +27,6 @@
 package com.sun.security.auth.module;
 
 import java.io.*;
-import java.net.*;
 import java.text.MessageFormat;
 import java.util.*;
 
@@ -38,9 +37,6 @@ import javax.security.auth.login.*;
 import javax.security.auth.spi.*;
 
 import sun.security.krb5.*;
-import sun.security.krb5.Config;
-import sun.security.krb5.RealmException;
-import sun.security.util.AuthResources;
 import sun.security.jgss.krb5.Krb5Util;
 import sun.security.krb5.Credentials;
 import sun.misc.HexDumpEncoder;
@@ -685,32 +681,27 @@ public class Krb5LoginModule implements LoginModule {
                     }
 
                 }
+
+                KrbAsReqBuilder builder;
                 // We can't get the key from the keytab so prompt
                 if (encKeys == null) {
                     promptForPass(getPasswdFromSharedState);
-
-                    encKeys = EncryptionKey.acquireSecretKeys(
-                        password, principal.getSalt());
-
+                    builder = new KrbAsReqBuilder(principal, password);
                     if (isInitiator) {
-                        if (debug)
-                            System.out.println("Acquire TGT using AS Exchange");
-                        cred = Credentials.acquireTGT(principal,
-                                                encKeys, password);
-                        // update keys after pre-auth
-                        encKeys = EncryptionKey.acquireSecretKeys(password,
-                                                        principal.getSalt());
+                        // XXX Even if isInitiator=false, it might be
+                        // better to do an AS-REQ so that keys can be
+                        // updated with PA info
+                        cred = builder.action().getCreds();
                     }
+                    encKeys = builder.getKeys();
                 } else {
+                    builder = new KrbAsReqBuilder(principal, encKeys);
                     if (isInitiator) {
-                        if (debug)
-                            System.out.println("Acquire TGT using AS Exchange");
-                        cred = Credentials.acquireTGT(principal,
-                                                encKeys, password);
+                        cred = builder.action().getCreds();
                     }
                 }
+                builder.destroy();
 
-                // Get the TGT using AS Exchange
                 if (debug) {
                     System.out.println("principal is " + principal);
                     HexDumpEncoder hd = new HexDumpEncoder();
@@ -780,7 +771,7 @@ public class Krb5LoginModule implements LoginModule {
                 Callback[] callbacks = new Callback[1];
                 MessageFormat form = new MessageFormat(
                                        rb.getString(
-                                       "Kerberos username [[defUsername]]: "));
+                                       "Kerberos.username.defUsername."));
                 Object[] source =  {defUsername};
                 callbacks[0] = new NameCallback(form.format(source));
                 callbackHandler.handle(callbacks);
@@ -835,7 +826,7 @@ public class Krb5LoginModule implements LoginModule {
                 String userName = krb5PrincName.toString();
                 MessageFormat form = new MessageFormat(
                                          rb.getString(
-                                         "Kerberos password for [username]: "));
+                                         "Kerberos.password.for.username."));
                 Object[] source = {userName};
                 callbacks[0] = new PasswordCallback(
                                                     form.format(source),

src/share/classes/com/sun/security/auth/module/LdapLoginModule.java

 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -969,8 +969,8 @@ public class LdapLoginModule implements LoginModule {
                 "to acquire authentication information from the user");
 
         Callback[] callbacks = new Callback[2];
-        callbacks[0] = new NameCallback(rb.getString("username: "));
-        callbacks[1] = new PasswordCallback(rb.getString("password: "), false);
+        callbacks[0] = new NameCallback(rb.getString("username."));
+        callbacks[1] = new PasswordCallback(rb.getString("password."), false);
 
         try {
             callbackHandler.handle(callbacks);

src/share/classes/com/sun/servicetag/SunConnection.java

@@ -51,8 +51,8 @@ import javax.net.ssl.HttpsURLConnection;
  */
 class SunConnection {
 
-    private static String JDK_REGISTRATION_URL = "https://inventory.sun.com/";
-    private static String SANDBOX_TESTING_URL = "https://inventory-beta.sun.com/";
+    private static String JDK_REGISTRATION_URL = "https://hs-ws1.oracle.com/";
+    private static String SANDBOX_TESTING_URL = "https://hs-ws1-tst.oracle.com/";
     private static String REGISTRATION_WEB_PATH = "RegistrationWeb/register";
 
     // System properties for testing

src/share/classes/com/sun/servicetag/resources/register.html

@@ -64,7 +64,7 @@ a:visited,a:visited code{color:#917E9C}
         </ul>
         <p class="style1">Product registration is FREE, quick and easy!</p>
         <blockquote>
-          <p class="style1">All you need is a Sun Developer Network or other Sun Online account. If you don't already have one, you will be prompted to create one. </p>
+          <p class="style1">All you need is an Oracle.com account. If you don't already have one, you will be prompted to create one. </p>
           <table width="708" border="0" cellspacing="0" cellpadding="3">
             <tr valign="top">
               <td width="126" height="35">
@@ -83,9 +83,9 @@ a:visited,a:visited code{color:#917E9C}
        <td bgcolor="#f1f7df">
        <p class="style3">Oracle Corporation respects your privacy. 
     We will use your personal information for communications 
-    and management of your Sun Online Account, the services 
-    and applications you access using your Sun Online Account, 
-    and the products and systems you register with your Sun Online Account.</p>
+    and management of your Oracle.com account, the services 
+    and applications you access using your Oracle.com account, 
+    and the products and systems you register with your Oracle.com account.</p>
                 <p class="style3">For more information on the data that will be collected as 
           part of the registration process and how it will be managed <br>
           see <a href="http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html">http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html</a>. <br>      

src/share/classes/com/sun/servicetag/resources/register_ja.html

@@ -59,7 +59,7 @@ a:visited,a:visited code{color:#917E9C}
         </ul>
         <p class="style1">製品登録は無料であり、迅速で簡単です。</p>
         <blockquote>
-          <p class="style1">必要になるのは、Sun 開発者向けネットワークアカウントまたはその他の Sun オンラインアカウントだけです。 まだアカウントがない場合は、アカウントの作成が求められます。 </p>
+          <p class="style1">必要になるのは、Oracle.com アカウントだけです。 まだアカウントがない場合は、アカウントの作成が求められます。 </p>
           <table width="708" border="0" cellspacing="0" cellpadding="3">
             <tr valign="top">
               <td width="126" height="35"><form name="form1" method="post" action="@@REGISTRATION_URL@@" enctype="text/xml">
@@ -75,7 +75,7 @@ a:visited,a:visited code{color:#917E9C}
    <tr>
        <td>&nbsp;</td>
 	<td bgcolor="#f1f7df">
-        <p class="style3">Oracle Corporation は、お客様のプライバシーを尊重します。 お客様の個人情報は、お客様の Sun オンラインアカウント、お客様が Sun オンラインアカウントを使用してアクセスするサービスとアプリケーション、およびお客様が Sun オンラインアカウントで登録する製品とシステムの通信と管理に使用します。</p>
+        <p class="style3">Oracle Corporation は、お客様のプライバシーを尊重します。 お客様の個人情報は、お客様の Oracle.com アカウント、お客様が Oracle.com アカウントを使用してアクセスするサービスとアプリケーション、およびお客様が Oracle.com アカウントで登録する製品とシステムの通信と管理に使用します。</p>
                 <p class="style3">登録の際に収集されるデータや、それらがどのように管理されるかについての詳細は、<br><a href="http://java.sun.com/javase/ja/registration/JDKRegistrationPrivacy.html">http://java.sun.com/javase/ja/registration/JDKRegistrationPrivacy.html</a> を参照してください。 <br> <br> Oracle のプライバシーポリシーについての詳細は、<a href="http://www.oracle.com/html/privacy.html">http://www.oracle.com/html/privacy.html</a> を参照するか、<a class="moz-txt-link-rfc2396E" href="mailto:privacy_ww@oracle.com">お問い合わせフォーム</a>からお問い合わせください。</p></td>
   </tr>
   <tr>

src/share/classes/com/sun/servicetag/resources/register_zh_CN.html

@@ -60,7 +60,7 @@ a:visited,a:visited code{color:#917E9C}
         </ul>
 <p class="style1">产品注册是免费的，即快速又轻松！</p>
         <blockquote>
-<p class="style1">您需要具有 Sun 开发者网络或其他 Sun 联机帐户。如果您没有，系统将提示您创建一个。 </p>
+<p class="style1">您需要具有 Oracle.com 帐户。如果您没有，系统将提示您创建一个。 </p>
           <table width="708" border="0" cellspacing="0" cellpadding="3">
             <tr valign="top">
               <td width="126" height="35"><form name="form1" method="post" action="@@REGISTRATION_URL@@" enctype="text/xml">
@@ -76,7 +76,7 @@ a:visited,a:visited code{color:#917E9C}
     <tr>
        <td>&nbsp;</td>
 	<td bgcolor="#f1f7df">
-        <p class="style3">Oracle 尊重您的隐私。我们会将您的个人信息用于通信和 Sun 联机帐户的管理、Sun 联机帐户访问的服务和应用程序以及用于使用 Sun 联机帐户注册的产品和系统。</p>
+        <p class="style3">Oracle 尊重您的隐私。我们会将您的个人信息用于通信和 Oracle.com 帐户的管理、Oracle.com 帐户访问的服务和应用程序以及用于使用 Oracle.com 帐户注册的产品和系统。</p>
 <p class="style3">有关注册过程中收集的数据以及这些数据的管理方式的更多信息，<br>请访问 <a href="http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html">http://java.sun.com/javase/registration/JDKRegistrationPrivacy.html</a>。<br> <br>有关 Oracle 隐私政策的更多信息，请访问 <a href="http://www.oracle.com/html/privacy.html">http://www.oracle.com/html/privacy.html</a> 或与 <a class="moz-txt-link-rfc2396E" href="mailto:privacy_ww@oracle.com">privacy_ww@oracle.com</a> 联系。</p></td>
   </tr>
   <tr>

src/share/classes/java/io/ByteArrayInputStream.java

@@ -179,11 +179,14 @@ class ByteArrayInputStream extends InputStream {
         } else if (off < 0 || len < 0 || len > b.length - off) {
             throw new IndexOutOfBoundsException();
         }
+
         if (pos >= count) {
             return -1;
         }
-        if (pos + len > count) {
-            len = count - pos;
+
+        int avail = count - pos;
+        if (len > avail) {
+            len = avail;
         }
         if (len <= 0) {
             return 0;
@@ -206,14 +209,13 @@ class ByteArrayInputStream extends InputStream {
      * @return  the actual number of bytes skipped.
      */
     public synchronized long skip(long n) {
-        if (pos + n > count) {
-            n = count - pos;
+        long k = count - pos;
+        if (n < k) {
+            k = n < 0 ? 0 : n;
         }
-        if (n < 0) {
-            return 0;
-        }
-        pos += n;
-        return n;
+
+        pos += k;
+        return k;
     }
 
     /**

src/share/classes/java/lang/StackTraceElement.java

 /*
- * Copyright (c) 2000, 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
 
 package java.lang;
 
+import java.util.Objects;
+
 /**
  * An element in a stack trace, as returned by {@link
  * Throwable#getStackTrace()}.  Each element represents a single stack frame.
@@ -53,26 +55,21 @@ public final class StackTraceElement implements java.io.Serializable {
      * @param methodName the name of the method containing the execution point
      *        represented by the stack trace element
      * @param fileName the name of the file containing the execution point
-     *         represented by the stack trace element, or <tt>null</tt> if
+     *         represented by the stack trace element, or {@code null} if
      *         this information is unavailable
      * @param lineNumber the line number of the source line containing the
      *         execution point represented by this stack trace element, or
      *         a negative number if this information is unavailable. A value
      *         of -2 indicates that the method containing the execution point
      *         is a native method
-     * @throws NullPointerException if <tt>declaringClass</tt> or
-     *         <tt>methodName</tt> is null
+     * @throws NullPointerException if {@code declaringClass} or
+     *         {@code methodName} is null
      * @since 1.5
      */
     public StackTraceElement(String declaringClass, String methodName,
                              String fileName, int lineNumber) {
-        if (declaringClass == null)
-            throw new NullPointerException("Declaring class is null");
-        if (methodName == null)
-            throw new NullPointerException("Method name is null");
-
-        this.declaringClass = declaringClass;
-        this.methodName     = methodName;
+        this.declaringClass = Objects.nonNull(declaringClass, "Declaring class is null");
+        this.methodName     = Objects.nonNull(methodName, "Method name is null");
         this.fileName       = fileName;
         this.lineNumber     = lineNumber;
     }
@@ -80,13 +77,13 @@ public final class StackTraceElement implements java.io.Serializable {
     /**
      * Returns the name of the source file containing the execution point
      * represented by this stack trace element.  Generally, this corresponds
-     * to the <tt>SourceFile</tt> attribute of the relevant <tt>class</tt>
+     * to the {@code SourceFile} attribute of the relevant {@code class}
      * file (as per <i>The Java Virtual Machine Specification</i>, Section
      * 4.7.7).  In some systems, the name may refer to some source code unit
      * other than a file, such as an entry in source repository.
      *
      * @return the name of the file containing the execution point
-     *         represented by this stack trace element, or <tt>null</tt> if
+     *         represented by this stack trace element, or {@code null} if
      *         this information is unavailable.
      */
     public String getFileName() {
@@ -96,8 +93,8 @@ public final class StackTraceElement implements java.io.Serializable {
     /**
      * Returns the line number of the source line containing the execution
      * point represented by this stack trace element.  Generally, this is
-     * derived from the <tt>LineNumberTable</tt> attribute of the relevant
-     * <tt>class</tt> file (as per <i>The Java Virtual Machine
+     * derived from the {@code LineNumberTable} attribute of the relevant
+     * {@code class} file (as per <i>The Java Virtual Machine
      * Specification</i>, Section 4.7.8).
      *
      * @return the line number of the source line containing the execution
@@ -112,7 +109,7 @@ public final class StackTraceElement implements java.io.Serializable {
      * Returns the fully qualified name of the class containing the
      * execution point represented by this stack trace element.
      *
-     * @return the fully qualified name of the <tt>Class</tt> containing
+     * @return the fully qualified name of the {@code Class} containing
      *         the execution point represented by this stack trace element.
      */
     public String getClassName() {
@@ -123,8 +120,8 @@ public final class StackTraceElement implements java.io.Serializable {
      * Returns the name of the method containing the execution point
      * represented by this stack trace element.  If the execution point is
      * contained in an instance or class initializer, this method will return
-     * the appropriate <i>special method name</i>, <tt>&lt;init&gt;</tt> or
-     * <tt>&lt;clinit&gt;</tt>, as per Section 3.9 of <i>The Java Virtual
+     * the appropriate <i>special method name</i>, {@code <init>} or
+     * {@code <clinit>}, as per Section 3.9 of <i>The Java Virtual
      * Machine Specification</i>.
      *
      * @return the name of the method containing the execution point
@@ -138,7 +135,7 @@ public final class StackTraceElement implements java.io.Serializable {
      * Returns true if the method containing the execution point
      * represented by this stack trace element is a native method.
      *
-     * @return <tt>true</tt> if the method containing the execution point
+     * @return {@code true} if the method containing the execution point
      *         represented by this stack trace element is a native method.
      */
     public boolean isNativeMethod() {
@@ -151,21 +148,21 @@ public final class StackTraceElement implements java.io.Serializable {
      * examples may be regarded as typical:
      * <ul>
      * <li>
-     *   <tt>"MyClass.mash(MyClass.java:9)"</tt> - Here, <tt>"MyClass"</tt>
+     *   {@code "MyClass.mash(MyClass.java:9)"} - Here, {@code "MyClass"}
      *   is the <i>fully-qualified name</i> of the class containing the
      *   execution point represented by this stack trace element,
-     *   <tt>"mash"</tt> is the name of the method containing the execution
-     *   point, <tt>"MyClass.java"</tt> is the source file containing the
-     *   execution point, and <tt>"9"</tt> is the line number of the source
+     *   {@code "mash"} is the name of the method containing the execution
+     *   point, {@code "MyClass.java"} is the source file containing the
+     *   execution point, and {@code "9"} is the line number of the source
      *   line containing the execution point.
      * <li>
-     *   <tt>"MyClass.mash(MyClass.java)"</tt> - As above, but the line
+     *   {@code "MyClass.mash(MyClass.java)"} - As above, but the line
      *   number is unavailable.
      * <li>
-     *   <tt>"MyClass.mash(Unknown Source)"</tt> - As above, but neither
+     *   {@code "MyClass.mash(Unknown Source)"} - As above, but neither
      *   the file name nor the line  number are available.
      * <li>
-     *   <tt>"MyClass.mash(Native Method)"</tt> - As above, but neither
+     *   {@code "MyClass.mash(Native Method)"} - As above, but neither
      *   the file name nor the line  number are available, and the method
      *   containing the execution point is known to be a native method.
      * </ul>
@@ -181,25 +178,21 @@ public final class StackTraceElement implements java.io.Serializable {
 
     /**
      * Returns true if the specified object is another
-     * <tt>StackTraceElement</tt> instance representing the same execution
-     * point as this instance.  Two stack trace elements <tt>a</tt> and
-     * <tt>b</tt> are equal if and only if:
+     * {@code StackTraceElement} instance representing the same execution
+     * point as this instance.  Two stack trace elements {@code a} and
+     * {@code b} are equal if and only if:
      * <pre>
      *     equals(a.getFileName(), b.getFileName()) &&
      *     a.getLineNumber() == b.getLineNumber()) &&
      *     equals(a.getClassName(), b.getClassName()) &&
      *     equals(a.getMethodName(), b.getMethodName())
      * </pre>
-     * where <tt>equals</tt> is defined as:
-     * <pre>
-     *     static boolean equals(Object a, Object b) {
-     *         return a==b || (a != null && a.equals(b));
-     *     }
-     * </pre>
+     * where {@code equals} has the semantics of {@link
+     * java.util.Objects#equals(Object, Object) Objects.equals}.
      *
      * @param  obj the object to be compared with this stack trace element.
      * @return true if the specified object is another
-     *         <tt>StackTraceElement</tt> instance representing the same
+     *         {@code StackTraceElement} instance representing the same
      *         execution point as this instance.
      */
     public boolean equals(Object obj) {
@@ -208,12 +201,10 @@ public final class StackTraceElement implements java.io.Serializable {
         if (!(obj instanceof StackTraceElement))
             return false;
         StackTraceElement e = (StackTraceElement)obj;
-        return e.declaringClass.equals(declaringClass) && e.lineNumber == lineNumber
-            && eq(methodName, e.methodName) && eq(fileName, e.fileName);
-    }
-
-    private static boolean eq(Object a, Object b) {
-        return a==b || (a != null && a.equals(b));
+        return e.declaringClass.equals(declaringClass) &&
+            e.lineNumber == lineNumber &&
+            Objects.equals(methodName, e.methodName) &&
+            Objects.equals(fileName, e.fileName);
     }
 
     /**
@@ -221,7 +212,7 @@ public final class StackTraceElement implements java.io.Serializable {
      */
     public int hashCode() {
         int result = 31*declaringClass.hashCode() + methodName.hashCode();
-        result = 31*result + (fileName == null ?   0 : fileName.hashCode());
+        result = 31*result + Objects.hashCode(fileName);
         result = 31*result + lineNumber;
         return result;
     }

src/share/classes/java/lang/Thread.java

@@ -229,7 +229,7 @@ class Thread implements Runnable {
      * after setting this thread's interrupt status.
      */
     private volatile Interruptible blocker;
-    private Object blockerLock = new Object();
+    private final Object blockerLock = new Object();
 
     /* Set the blocker field; invoked via sun.misc.SharedSecrets from java.nio code
      */
@@ -688,16 +688,19 @@ class Thread implements Runnable {
             throw new IllegalThreadStateException();
 
         /* Notify the group that this thread is about to be started
-         * so that it can be added to the group's list of threads. */
+         * so that it can be added to the group's list of threads
+         * and the group's unstarted count can be decremented. */
         group.threadStarting(this);
 
-        boolean failed = true;
+        boolean started = false;
         try {
             start0();
-            failed = false;
+            started = true;
         } finally {
             try {
-                group.threadStarted(this, failed);
+                if (!started) {
+                    group.threadStartFailed(this);
+                }
             } catch (Throwable ignore) {
                 /* do nothing. If start0 threw a Throwable then
                   it will be passed up the call stack */
@@ -955,7 +958,7 @@ class Thread implements Runnable {
             Interruptible b = blocker;
             if (b != null) {
                 interrupt0();           // Just to set the interrupt flag
-                b.interrupt();
+                b.interrupt(this);
                 return;
             }
         }

src/share/classes/java/lang/ThreadGroup.java

@@ -870,9 +870,16 @@ class ThreadGroup implements Thread.UncaughtExceptionHandler {
     /**
      * Notifies the group that the thread {@code t} is about to be
      * started and adds the thread to this thread group.
+     *
+     * The thread is now a fully fledged member of the group, even though
+     * it hasn't been started yet. It will prevent the group from being
+     * destroyed so the unstarted Threads count is decremented.
      */
     void threadStarting(Thread t) {
-        add(t);
+        synchronized (this) {
+            add(t);
+            nUnstartedThreads--;
+        }
     }
 
     /**
@@ -907,12 +914,10 @@ class ThreadGroup implements Thread.UncaughtExceptionHandler {
     }
 
     /**
-     * Notifies the group that the thread {@code t} has completed
+     * Notifies the group that the thread {@code t} has failed
      * an attempt to start.
      *
-     * <p> If the thread has been started successfully
-     * then the group has its unstarted Threads count decremented.
-     * Otherwise the state of this thread group is rolled back as if the
+     * <p> The state of this thread group is rolled back as if the
      * attempt to start the thread has never occurred. The thread is again
      * considered an unstarted member of the thread group, and a subsequent
      * attempt to start the thread is permitted.
@@ -923,16 +928,10 @@ class ThreadGroup implements Thread.UncaughtExceptionHandler {
      * @param  failed
      *         true if the thread could not be started successfully
      */
-    void threadStarted(Thread t, boolean failed) {
+    void threadStartFailed(Thread t) {
         synchronized(this) {
-            if (failed) {
-                remove(t);
-            } else {
-                if (destroyed) {
-                    return;
-                }
-                nUnstartedThreads--;
-            }
+            remove(t);
+            nUnstartedThreads++;
         }
     }
 

src/share/classes/java/lang/Throwable.java

 /*
- * Copyright (c) 1994, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -169,6 +169,36 @@ public class Throwable implements Serializable {
      */
     private String detailMessage;
 
+    /**
+     * A shared value for an empty stack.
+     */
+    private static final StackTraceElement[] EMPTY_STACK = new StackTraceElement[0];
+
+    /*
+     * To allow Throwable objects to be made immutable and safely
+     * reused by the JVM, such as OutOfMemoryErrors, fields of
+     * Throwable that are writable in response to user actions, cause
+     * and suppressedExceptions obey the following protocol:
+     *
+     * 1) The fields are initialized to a non-null sentinel value
+     * which indicates the value has logically not been set.
+     *
+     * 2) Writing a null to the field indicates further writes
+     * are forbidden
+     *
+     * 3) The sentinel value may be replaced with another non-null
+     * value.
+     *
+     * For example, implementations of the HotSpot JVM have
+     * preallocated OutOfMemoryError objects to provide for better
+     * diagnosability of that situation.  These objects are created
+     * without calling the constructor for that class and the fields
+     * in question are initialized to null.  To support this
+     * capability, any new fields added to Throwable that require
+     * being initialized to a non-null value require a coordinated JVM
+     * change.
+     */
+
     /**
      * The throwable that caused this throwable to get thrown, or null if this
      * throwable was not caused by another throwable, or if the causative
@@ -188,32 +218,30 @@ public class Throwable implements Serializable {
      * @since 1.4
      */
     private StackTraceElement[] stackTrace;
-    /*
-     * This field is lazily initialized on first use or serialization and
-     * nulled out when fillInStackTrace is called.
-     */
+
+    // Setting this static field introduces an acceptable
+    // initialization dependency on a few java.util classes.
+    private static final List<Throwable> SUPPRESSED_SENTINEL =
+        Collections.unmodifiableList(new ArrayList<Throwable>(0));
 
     /**
-     * The list of suppressed exceptions, as returned by
-     * {@link #getSuppressedExceptions()}.
+     * The list of suppressed exceptions, as returned by {@link
+     * #getSuppressed()}.  The list is initialized to a zero-element
+     * unmodifiable sentinel list.  When a serialized Throwable is
+     * read in, if the {@code suppressedExceptions} field points to a
+     * zero-element list, the field is reset to the sentinel value.
      *
      * @serial
      * @since 1.7
      */
-    private List<Throwable> suppressedExceptions = null;
-    /*
-     * This field is lazily initialized when the first suppressed
-     * exception is added.
-     *
-     * OutOfMemoryError is preallocated in the VM for better OOM
-     * diagnosability during VM initialization. Constructor can't
-     * be not invoked. If a new field to be added in the future must
-     * be initialized to non-null, it requires a synchronized VM change.
-     */
+    private List<Throwable> suppressedExceptions = SUPPRESSED_SENTINEL;
 
     /** Message for trying to suppress a null exception. */
     private static final String NULL_CAUSE_MESSAGE = "Cannot suppress a null exception.";
 
+    /** Message for trying to suppress oneself. */
+    private static final String SELF_SUPPRESSION_MESSAGE = "Self-suppression not permitted";
+
     /** Caption  for labeling causative exception stack traces */
     private static final String CAUSE_CAPTION = "Caused by: ";
 
@@ -572,7 +600,7 @@ public class Throwable implements Serializable {
                 s.println("\tat " + traceElement);
 
             // Print suppressed exceptions, if any
-            for (Throwable se : getSuppressedExceptions())
+            for (Throwable se : getSuppressed())
                 se.printEnclosedStackTrace(s, trace, SUPPRESSED_CAPTION, "\t", dejaVu);
 
             // Print cause, if any
@@ -613,7 +641,7 @@ public class Throwable implements Serializable {
                 s.println(prefix + "\t... " + framesInCommon + " more");
 
             // Print suppressed exceptions, if any
-            for (Throwable se : getSuppressedExceptions())
+            for (Throwable se : getSuppressed())
                 se.printEnclosedStackTrace(s, trace, SUPPRESSED_CAPTION,
                                            prefix +"\t", dejaVu);
 
@@ -780,25 +808,58 @@ public class Throwable implements Serializable {
      */
     native StackTraceElement getStackTraceElement(int index);
 
+    /**
+     * Read a {@code Throwable} from a stream, enforcing
+     * well-formedness constraints on fields.  Null entries and
+     * self-pointers are not allowed in the list of {@code
+     * suppressedExceptions}.  Null entries are not allowed for stack
+     * trace elements.
+     *
+     * Note that there are no constraints on the value the {@code
+     * cause} field can hold; both {@code null} and {@code this} are
+     * valid values for the field.
+     */
     private void readObject(ObjectInputStream s)
         throws IOException, ClassNotFoundException {
         s.defaultReadObject();     // read in all fields
-        List<Throwable> suppressed = null;
-        if (suppressedExceptions != null &&
-            !suppressedExceptions.isEmpty()) { // Copy Throwables to new list
-            suppressed = new ArrayList<Throwable>();
-            for (Throwable t : suppressedExceptions) {
-                if (t == null)
-                    throw new NullPointerException(NULL_CAUSE_MESSAGE);
-                suppressed.add(t);
+        if (suppressedExceptions != null) {
+            List<Throwable> suppressed = null;
+            if (suppressedExceptions.isEmpty()) {
+                // Use the sentinel for a zero-length list
+                suppressed = SUPPRESSED_SENTINEL;
+            } else { // Copy Throwables to new list
+                suppressed = new ArrayList<Throwable>(1);
+                for (Throwable t : suppressedExceptions) {
+                    // Enforce constraints on suppressed exceptions in
+                    // case of corrupt or malicious stream.
+                    if (t == null)
+                        throw new NullPointerException(NULL_CAUSE_MESSAGE);
+                    if (t == this)
+                        throw new IllegalArgumentException(SELF_SUPPRESSION_MESSAGE);
+                    suppressed.add(t);
+                }
+            }
+            suppressedExceptions = suppressed;
+        } // else a null suppressedExceptions field remains null
+
+        if (stackTrace != null) {
+            for (StackTraceElement ste : stackTrace) {
+                if (ste == null)
+                    throw new NullPointerException("null StackTraceElement in serial stream. ");
             }
+        } else {
+            // A null stackTrace field in the serial form can result from
+            // an exception serialized without that field in older JDK releases.
+            stackTrace = EMPTY_STACK;
         }
-        suppressedExceptions = suppressed;
+
     }
 
+    /**
+     * Write a {@code Throwable} object to a stream.
+     */
     private synchronized void writeObject(ObjectOutputStream s)
-        throws IOException
-    {
+        throws IOException {
         getOurStackTrace();  // Ensure that stackTrace field is initialized.
         s.defaultWriteObject();
     }
@@ -808,6 +869,14 @@ public class Throwable implements Serializable {
      * were suppressed, typically by the {@code try}-with-resources
      * statement, in order to deliver this exception.
      *
+     * If the first exception to be suppressed is {@code null}, that
+     * indicates suppressed exception information will <em>not</em> be
+     * recorded for this exception.  Subsequent calls to this method
+     * will not record any suppressed exceptions.  Otherwise,
+     * attempting to suppress {@code null} after an exception has
+     * already been successfully suppressed results in a {@code
+     * NullPointerException}.
+     *
      * <p>Note that when one exception {@linkplain
      * #initCause(Throwable) causes} another exception, the first
      * exception is usually caught and then the second exception is
@@ -819,20 +888,35 @@ public class Throwable implements Serializable {
      *
      * @param exception the exception to be added to the list of
      *        suppressed exceptions
-     * @throws NullPointerException if {@code exception} is null
      * @throws IllegalArgumentException if {@code exception} is this
      *         throwable; a throwable cannot suppress itself.
+     * @throws NullPointerException if {@code exception} is null and
+     *         an exception has already been suppressed by this exception
      * @since 1.7
      */
-    public synchronized void addSuppressedException(Throwable exception) {
-        if (exception == null)
-            throw new NullPointerException(NULL_CAUSE_MESSAGE);
+    public final synchronized void addSuppressed(Throwable exception) {
         if (exception == this)
-            throw new IllegalArgumentException("Self-suppression not permitted");
+            throw new IllegalArgumentException(SELF_SUPPRESSION_MESSAGE);
+
+        if (exception == null) {
+            if (suppressedExceptions == SUPPRESSED_SENTINEL) {
+                suppressedExceptions = null; // No suppression information recorded
+                return;
+            } else
+                throw new NullPointerException(NULL_CAUSE_MESSAGE);
+        } else {
+            assert exception != null && exception != this;
+
+            if (suppressedExceptions == null) // Suppressed exceptions not recorded
+                return;
+
+            if (suppressedExceptions == SUPPRESSED_SENTINEL)
+                suppressedExceptions = new ArrayList<Throwable>(1);
 
-        if (suppressedExceptions == null)
-            suppressedExceptions = new ArrayList<Throwable>();
-        suppressedExceptions.add(exception);
+            assert suppressedExceptions != SUPPRESSED_SENTINEL;
+
+            suppressedExceptions.add(exception);
+        }
     }
 
     private static final Throwable[] EMPTY_THROWABLE_ARRAY = new Throwable[0];
@@ -842,12 +926,15 @@ public class Throwable implements Serializable {
      * suppressed, typically by the {@code try}-with-resources
      * statement, in order to deliver this exception.
      *
+     * If no exceptions were suppressed, an empty array is returned.
+     *
      * @return an array containing all of the exceptions that were
      *         suppressed to deliver this exception.
      * @since 1.7
      */
-    public synchronized Throwable[] getSuppressedExceptions() {
-        if (suppressedExceptions == null)
+    public final synchronized Throwable[] getSuppressed() {
+        if (suppressedExceptions == SUPPRESSED_SENTINEL ||
+            suppressedExceptions == null)
             return EMPTY_THROWABLE_ARRAY;
         else
             return suppressedExceptions.toArray(EMPTY_THROWABLE_ARRAY);

src/share/classes/java/nio/channels/spi/AbstractInterruptibleChannel.java

@@ -88,7 +88,7 @@ public abstract class AbstractInterruptibleChannel
     implements Channel, InterruptibleChannel
 {
 
-    private Object closeLock = new Object();
+    private final Object closeLock = new Object();
     private volatile boolean open = true;
 
     /**
@@ -142,7 +142,7 @@ public abstract class AbstractInterruptibleChannel
     // -- Interruption machinery --
 
     private Interruptible interruptor;
-    private volatile boolean interrupted = false;
+    private volatile Thread interrupted;
 
     /**
      * Marks the beginning of an I/O operation that might block indefinitely.
@@ -155,12 +155,12 @@ public abstract class AbstractInterruptibleChannel
     protected final void begin() {
         if (interruptor == null) {
             interruptor = new Interruptible() {
-                    public void interrupt() {
+                    public void interrupt(Thread target) {
                         synchronized (closeLock) {
                             if (!open)
                                 return;
-                            interrupted = true;
                             open = false;
+                            interrupted = target;
                             try {
                                 AbstractInterruptibleChannel.this.implCloseChannel();
                             } catch (IOException x) { }
@@ -168,8 +168,9 @@ public abstract class AbstractInterruptibleChannel
                     }};
         }
         blockedOn(interruptor);
-        if (Thread.currentThread().isInterrupted())
-            interruptor.interrupt();
+        Thread me = Thread.currentThread();
+        if (me.isInterrupted())
+            interruptor.interrupt(me);
     }
 
     /**
@@ -195,12 +196,13 @@ public abstract class AbstractInterruptibleChannel
         throws AsynchronousCloseException
     {
         blockedOn(null);
-        if (completed) {
-            interrupted = false;
-            return;
+        Thread interrupted = this.interrupted;
+        if (interrupted != null && interrupted == Thread.currentThread()) {
+            interrupted = null;
+            throw new ClosedByInterruptException();
         }
-        if (interrupted) throw new ClosedByInterruptException();
-        if (!open) throw new AsynchronousCloseException();
+        if (!completed && !open)
+            throw new AsynchronousCloseException();
     }
 
 

src/share/classes/java/nio/channels/spi/AbstractSelector.java

@@ -206,13 +206,14 @@ public abstract class AbstractSelector
     protected final void begin() {
         if (interruptor == null) {
             interruptor = new Interruptible() {
-                    public void interrupt() {
+                    public void interrupt(Thread ignore) {
                         AbstractSelector.this.wakeup();
                     }};
         }
         AbstractInterruptibleChannel.blockedOn(interruptor);
-        if (Thread.currentThread().isInterrupted())
-            interruptor.interrupt();
+        Thread me = Thread.currentThread();
+        if (me.isInterrupted())
+            interruptor.interrupt(me);
     }
 
     /**

src/share/classes/java/util/concurrent/LinkedBlockingDeque.java

@@ -126,10 +126,8 @@ public class LinkedBlockingDeque<E>
          */
         Node<E> next;
 
-        Node(E x, Node<E> p, Node<E> n) {
+        Node(E x) {
             item = x;
-            prev = p;
-            next = n;
         }
     }
 
@@ -199,7 +197,7 @@ public class LinkedBlockingDeque<E>
             for (E e : c) {
                 if (e == null)
                     throw new NullPointerException();
-                if (!linkLast(e))
+                if (!linkLast(new Node<E>(e)))
                     throw new IllegalStateException("Deque full");
             }
         } finally {
@@ -211,38 +209,38 @@ public class LinkedBlockingDeque<E>
     // Basic linking and unlinking operations, called only while holding lock
 
     /**
-     * Links e as first element, or returns false if full.
+     * Links node as first element, or returns false if full.
      */
-    private boolean linkFirst(E e) {
+    private boolean linkFirst(Node<E> node) {
         // assert lock.isHeldByCurrentThread();
         if (count >= capacity)
             return false;
         Node<E> f = first;
-        Node<E> x = new Node<E>(e, null, f);
-        first = x;
+        node.next = f;
+        first = node;
         if (last == null)
-            last = x;
+            last = node;
         else
-            f.prev = x;
+            f.prev = node;
         ++count;
         notEmpty.signal();
         return true;
     }
 
     /**
-     * Links e as last element, or returns false if full.
+     * Links node as last element, or returns false if full.
      */
-    private boolean linkLast(E e) {
+    private boolean linkLast(Node<E> node) {
         // assert lock.isHeldByCurrentThread();
         if (count >= capacity)
             return false;
         Node<E> l = last;
-        Node<E> x = new Node<E>(e, l, null);
-        last = x;
+        node.prev = l;
+        last = node;
         if (first == null)
-            first = x;
+            first = node;
         else
-            l.next = x;
+            l.next = node;
         ++count;
         notEmpty.signal();
         return true;
@@ -339,10 +337,11 @@ public class LinkedBlockingDeque<E>
      */
     public boolean offerFirst(E e) {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            return linkFirst(e);
+            return linkFirst(node);
         } finally {
             lock.unlock();
         }
@@ -353,10 +352,11 @@ public class LinkedBlockingDeque<E>
      */
     public boolean offerLast(E e) {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            return linkLast(e);
+            return linkLast(node);
         } finally {
             lock.unlock();
         }
@@ -368,10 +368,11 @@ public class LinkedBlockingDeque<E>
      */
     public void putFirst(E e) throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            while (!linkFirst(e))
+            while (!linkFirst(node))
                 notFull.await();
         } finally {
             lock.unlock();
@@ -384,10 +385,11 @@ public class LinkedBlockingDeque<E>
      */
     public void putLast(E e) throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            while (!linkLast(e))
+            while (!linkLast(node))
                 notFull.await();
         } finally {
             lock.unlock();
@@ -401,11 +403,12 @@ public class LinkedBlockingDeque<E>
     public boolean offerFirst(E e, long timeout, TimeUnit unit)
         throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         long nanos = unit.toNanos(timeout);
         final ReentrantLock lock = this.lock;
         lock.lockInterruptibly();
         try {
-            while (!linkFirst(e)) {
+            while (!linkFirst(node)) {
                 if (nanos <= 0)
                     return false;
                 nanos = notFull.awaitNanos(nanos);
@@ -423,11 +426,12 @@ public class LinkedBlockingDeque<E>
     public boolean offerLast(E e, long timeout, TimeUnit unit)
         throws InterruptedException {
         if (e == null) throw new NullPointerException();
+        Node<E> node = new Node<E>(e);
         long nanos = unit.toNanos(timeout);
         final ReentrantLock lock = this.lock;
         lock.lockInterruptibly();
         try {
-            while (!linkLast(e)) {
+            while (!linkLast(node)) {
                 if (nanos <= 0)
                     return false;
                 nanos = notFull.awaitNanos(nanos);
@@ -955,7 +959,20 @@ public class LinkedBlockingDeque<E>
         final ReentrantLock lock = this.lock;
         lock.lock();
         try {
-            return super.toString();
+            Node<E> p = first;
+            if (p == null)
+                return "[]";
+
+            StringBuilder sb = new StringBuilder();
+            sb.append('[');
+            for (;;) {
+                E e = p.item;
+                sb.append(e == this ? "(this Collection)" : e);
+                p = p.next;
+                if (p == null)
+                    return sb.append(']').toString();
+                sb.append(',').append(' ');
+            }
         } finally {
             lock.unlock();
         }
@@ -1053,6 +1070,26 @@ public class LinkedBlockingDeque<E>
             }
         }
 
+        /**
+         * Returns the successor node of the given non-null, but
+         * possibly previously deleted, node.
+         */
+        private Node<E> succ(Node<E> n) {
+            // Chains of deleted nodes ending in null or self-links
+            // are possible if multiple interior nodes are removed.
+            for (;;) {
+                Node<E> s = nextNode(n);
+                if (s == null)
+                    return null;
+                else if (s.item != null)
+                    return s;
+                else if (s == n)
+                    return firstNode();
+                else
+                    n = s;
+            }
+        }
+
         /**
          * Advances next.
          */
@@ -1061,16 +1098,7 @@ public class LinkedBlockingDeque<E>
             lock.lock();
             try {
                 // assert next != null;
-                Node<E> s = nextNode(next);
-                if (s == next) {
-                    next = firstNode();
-                } else {
-                    // Skip over removed nodes.
-                    // May be necessary if multiple interior Nodes are removed.
-                    while (s != null && s.item == null)
-                        s = nextNode(s);
-                    next = s;
-                }
+                next = succ(next);
                 nextItem = (next == null) ? null : next.item;
             } finally {
                 lock.unlock();

src/share/classes/java/util/jar/JarInputStream.java

@@ -28,6 +28,7 @@ package java.util.jar;
 import java.util.zip.*;
 import java.io.*;
 import sun.security.util.ManifestEntryVerifier;
+import sun.misc.JarIndex;
 
 /**
  * The <code>JarInputStream</code> class is used to read the contents of
@@ -47,7 +48,8 @@ class JarInputStream extends ZipInputStream {
     private JarEntry first;
     private JarVerifier jv;
     private ManifestEntryVerifier mev;
-
+    private final boolean doVerify;
+    private boolean tryManifest;
 
     /**
      * Creates a new <code>JarInputStream</code> and reads the optional
@@ -72,25 +74,33 @@ class JarInputStream extends ZipInputStream {
      */
     public JarInputStream(InputStream in, boolean verify) throws IOException {
         super(in);
-        JarEntry e = (JarEntry)super.getNextEntry();
+        this.doVerify = verify;
 
+        // This implementation assumes the META-INF/MANIFEST.MF entry
+        // should be either the first or the second entry (when preceded
+        // by the dir META-INF/). It skips the META-INF/ and then
+        // "consumes" the MANIFEST.MF to initialize the Manifest object.
+        JarEntry e = (JarEntry)super.getNextEntry();
         if (e != null && e.getName().equalsIgnoreCase("META-INF/"))
             e = (JarEntry)super.getNextEntry();
+        first = checkManifest(e);
+    }
 
+    private JarEntry checkManifest(JarEntry e)
+        throws IOException
+    {
         if (e != null && JarFile.MANIFEST_NAME.equalsIgnoreCase(e.getName())) {
             man = new Manifest();
             byte bytes[] = getBytes(new BufferedInputStream(this));
             man.read(new ByteArrayInputStream(bytes));
-            //man.read(new BufferedInputStream(this));
             closeEntry();
-            if (verify) {
+            if (doVerify) {
                 jv = new JarVerifier(bytes);
                 mev = new ManifestEntryVerifier(man);
             }
-            first = getNextJarEntry();
-        } else {
-            first = e;
+            return (JarEntry)super.getNextEntry();
         }
+        return e;
     }
 
     private byte[] getBytes(InputStream is)
@@ -98,10 +108,7 @@ class JarInputStream extends ZipInputStream {
     {
         byte[] buffer = new byte[8192];
         ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
-
         int n;
-
-        baos.reset();
         while ((n = is.read(buffer, 0, buffer.length)) != -1) {
             baos.write(buffer, 0, n);
         }
@@ -133,8 +140,14 @@ class JarInputStream extends ZipInputStream {
         JarEntry e;
         if (first == null) {
             e = (JarEntry)super.getNextEntry();
+            if (tryManifest) {
+                e = checkManifest(e);
+                tryManifest = false;
+            }
         } else {
             e = first;
+            if (first.getName().equalsIgnoreCase(JarIndex.INDEX_NAME))
+                tryManifest = true;
             first = null;
         }
         if (jv != null && e != null) {

src/share/classes/java/util/jar/Pack200.java

@@ -30,9 +30,6 @@ import java.io.OutputStream;
 import java.io.File;
 import java.io.IOException;
 import java.beans.PropertyChangeListener;
-import java.beans.PropertyChangeEvent;
-import java.security.AccessController;
-import java.security.PrivilegedAction;
 
 
 
@@ -225,6 +222,10 @@ public abstract class Pack200 {
      *    If the input JAR-files contains a 1.6 class file, then the pack file
      * version will be set to 1.6.
      * <p>
+     * Note: Unless otherwise noted, passing a <tt>null</tt> argument to a
+     * constructor or method in this class will cause a {@link NullPointerException}
+     * to be thrown.
+     * <p>
      * @since 1.5
      */
     public interface Packer {
@@ -599,6 +600,10 @@ public abstract class Pack200 {
      * "<tt>PACK200</tt>" as a zip file comment.
      * This allows a deployer to detect if a JAR archive was packed and unpacked.
      * <p>
+     * Note: Unless otherwise noted, passing a <tt>null</tt> argument to a
+     * constructor or method in this class will cause a {@link NullPointerException}
+     * to be thrown.
+     * <p>
      * This version of the unpacker is compatible with all previous versions.
      * @since 1.5
      */

src/share/classes/javax/management/remote/rmi/RMIConnector.java

 /*
- * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -291,7 +291,24 @@ public class RMIConnector implements JMXConnector, Serializable, JMXAddressable
             if (tracing)
                 logger.trace("connect",idstr + " getting connection...");
             Object credentials = usemap.get(CREDENTIALS);
-            connection = getConnection(stub, credentials, checkStub);
+
+            try {
+                connection = getConnection(stub, credentials, checkStub);
+            } catch (java.rmi.RemoteException re) {
+                if (jmxServiceURL != null) {
+                    final String pro = jmxServiceURL.getProtocol();
+                    final String path = jmxServiceURL.getURLPath();
+
+                    if ("rmi".equals(pro) &&
+                        path.startsWith("/jndi/iiop:")) {
+                        MalformedURLException mfe = new MalformedURLException(
+                              "Protocol is rmi but JNDI scheme is iiop: " + jmxServiceURL);
+                        mfe.initCause(re);
+                        throw mfe;
+                    }
+                }
+                throw re;
+            }
 
             // Always use one of:
             //   ClassLoader provided in Map at connect time,

src/share/classes/javax/security/auth/Policy.java

 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -237,7 +237,7 @@ public abstract class Policy {
                     } catch (Exception e) {
                         throw new SecurityException
                                 (sun.security.util.ResourcesMgr.getString
-                                ("unable to instantiate Subject-based policy"));
+                                ("unable.to.instantiate.Subject.based.policy"));
                     }
                 }
             }

src/share/classes/javax/security/auth/PrivateCredentialPermission.java

 /*
- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -172,7 +172,7 @@ public final class PrivateCredentialPermission extends Permission {
 
         if (!"read".equalsIgnoreCase(actions))
             throw new IllegalArgumentException
-                (ResourcesMgr.getString("actions can only be 'read'"));
+                (ResourcesMgr.getString("actions.can.only.be.read."));
         init(name);
     }
 
@@ -344,12 +344,11 @@ public final class PrivateCredentialPermission extends Permission {
 
         if (tokenizer.hasMoreTokens() == false) {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                ("permission name [name] syntax invalid: "));
+                ("permission.name.name.syntax.invalid."));
             Object[] source = {name};
             throw new IllegalArgumentException
                 (form.format(source) + ResourcesMgr.getString
-                        ("Credential Class not followed by a " +
-                        "Principal Class and Name"));
+                        ("Credential.Class.not.followed.by.a.Principal.Class.and.Name"));
         }
 
         while (tokenizer.hasMoreTokens()) {
@@ -364,11 +363,11 @@ public final class PrivateCredentialPermission extends Permission {
 
             if (tokenizer.hasMoreTokens() == false) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("permission name [name] syntax invalid: "));
+                        ("permission.name.name.syntax.invalid."));
                 Object[] source = {name};
                 throw new IllegalArgumentException
                         (form.format(source) + ResourcesMgr.getString
-                        ("Principal Class not followed by a Principal Name"));
+                        ("Principal.Class.not.followed.by.a.Principal.Name"));
             }
 
             // skip delimiter
@@ -379,11 +378,11 @@ public final class PrivateCredentialPermission extends Permission {
 
             if (!principalName.startsWith("\"")) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("permission name [name] syntax invalid: "));
+                        ("permission.name.name.syntax.invalid."));
                 Object[] source = {name};
                 throw new IllegalArgumentException
                         (form.format(source) + ResourcesMgr.getString
-                        ("Principal Name must be surrounded by quotes"));
+                        ("Principal.Name.must.be.surrounded.by.quotes"));
             }
 
             if (!principalName.endsWith("\"")) {
@@ -401,11 +400,11 @@ public final class PrivateCredentialPermission extends Permission {
                 if (!principalName.endsWith("\"")) {
                     MessageFormat form = new MessageFormat
                         (ResourcesMgr.getString
-                        ("permission name [name] syntax invalid: "));
+                        ("permission.name.name.syntax.invalid."));
                     Object[] source = {name};
                     throw new IllegalArgumentException
                         (form.format(source) + ResourcesMgr.getString
-                                ("Principal Name missing end quote"));
+                                ("Principal.Name.missing.end.quote"));
                 }
             }
 
@@ -418,9 +417,7 @@ public final class PrivateCredentialPermission extends Permission {
             if (principalClass.equals("*") &&
                 !principalName.equals("*")) {
                     throw new IllegalArgumentException(ResourcesMgr.getString
-                        ("PrivateCredentialPermission Principal Class " +
-                        "can not be a wildcard (*) value if Principal Name " +
-                        "is not a wildcard (*) value"));
+                        ("PrivateCredentialPermission.Principal.Class.can.not.be.a.wildcard.value.if.Principal.Name.is.not.a.wildcard.value"));
             }
 
             if (testing)
@@ -556,8 +553,7 @@ public final class PrivateCredentialPermission extends Permission {
 
         public String toString() {
             MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                ("CredOwner:\n\tPrincipal Class = class\n\t" +
-                        "Principal Name = name"));
+                ("CredOwner.Principal.Class.class.Principal.Name.name"));
             Object[] source = {principalClass, principalName};
             return (form.format(source));
         }

src/share/classes/javax/security/auth/Subject.java

 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -204,7 +204,7 @@ public final class Subject implements java.io.Serializable {
             pubCredentials == null ||
             privCredentials == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null input(s)"));
+                (ResourcesMgr.getString("invalid.null.input.s."));
 
         this.principals = Collections.synchronizedSet(new SecureSet<Principal>
                                 (this, PRINCIPAL_SET, principals));
@@ -289,7 +289,7 @@ public final class Subject implements java.io.Serializable {
 
         if (acc == null) {
             throw new NullPointerException(ResourcesMgr.getString
-                ("invalid null AccessControlContext provided"));
+                ("invalid.null.AccessControlContext.provided"));
         }
 
         // return the Subject from the DomainCombiner of the provided context
@@ -346,7 +346,7 @@ public final class Subject implements java.io.Serializable {
         }
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext
         // for doPrivileged
@@ -406,7 +406,7 @@ public final class Subject implements java.io.Serializable {
 
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext for doPrivileged
         final AccessControlContext currentAcc = AccessController.getContext();
@@ -460,7 +460,7 @@ public final class Subject implements java.io.Serializable {
 
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext
         // for doPrivileged
@@ -524,7 +524,7 @@ public final class Subject implements java.io.Serializable {
 
         if (action == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null action provided"));
+                (ResourcesMgr.getString("invalid.null.action.provided"));
 
         // set up the new Subject-based AccessControlContext for doPrivileged
         final AccessControlContext callerAcc =
@@ -603,7 +603,7 @@ public final class Subject implements java.io.Serializable {
 
         if (c == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null Class provided"));
+                (ResourcesMgr.getString("invalid.null.Class.provided"));
 
         // always return an empty Set instead of null
         // so LoginModules can add to the Set if necessary
@@ -697,7 +697,7 @@ public final class Subject implements java.io.Serializable {
 
         if (c == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null Class provided"));
+                (ResourcesMgr.getString("invalid.null.Class.provided"));
 
         // always return an empty Set instead of null
         // so LoginModules can add to the Set if necessary
@@ -742,7 +742,7 @@ public final class Subject implements java.io.Serializable {
 
         if (c == null)
             throw new NullPointerException
-                (ResourcesMgr.getString("invalid null Class provided"));
+                (ResourcesMgr.getString("invalid.null.Class.provided"));
 
         // always return an empty Set instead of null
         // so LoginModules can add to the Set if necessary
@@ -832,15 +832,15 @@ public final class Subject implements java.io.Serializable {
      */
     String toString(boolean includePrivateCredentials) {
 
-        String s = ResourcesMgr.getString("Subject:\n");
+        String s = ResourcesMgr.getString("Subject.");
         String suffix = "";
 
         synchronized(principals) {
             Iterator<Principal> pI = principals.iterator();
             while (pI.hasNext()) {
                 Principal p = pI.next();
-                suffix = suffix + ResourcesMgr.getString("\tPrincipal: ") +
-                        p.toString() + ResourcesMgr.getString("\n");
+                suffix = suffix + ResourcesMgr.getString(".Principal.") +
+                        p.toString() + ResourcesMgr.getString("NEWLINE");
             }
         }
 
@@ -849,8 +849,8 @@ public final class Subject implements java.io.Serializable {
             while (pI.hasNext()) {
                 Object o = pI.next();
                 suffix = suffix +
-                        ResourcesMgr.getString("\tPublic Credential: ") +
-                        o.toString() + ResourcesMgr.getString("\n");
+                        ResourcesMgr.getString(".Public.Credential.") +
+                        o.toString() + ResourcesMgr.getString("NEWLINE");
             }
         }
 
@@ -861,12 +861,12 @@ public final class Subject implements java.io.Serializable {
                     try {
                         Object o = pI.next();
                         suffix += ResourcesMgr.getString
-                                        ("\tPrivate Credential: ") +
+                                        (".Private.Credential.") +
                                         o.toString() +
-                                        ResourcesMgr.getString("\n");
+                                        ResourcesMgr.getString("NEWLINE");
                     } catch (SecurityException se) {
                         suffix += ResourcesMgr.getString
-                                ("\tPrivate Credential inaccessible\n");
+                                (".Private.Credential.inaccessible.");
                         break;
                     }
                 }
@@ -1036,7 +1036,7 @@ public final class Subject implements java.io.Serializable {
 
                     if (subject.isReadOnly()) {
                         throw new IllegalStateException(ResourcesMgr.getString
-                                ("Subject is read-only"));
+                                ("Subject.is.read.only"));
                     }
 
                     java.lang.SecurityManager sm = System.getSecurityManager();
@@ -1062,7 +1062,7 @@ public final class Subject implements java.io.Serializable {
 
             if (subject.isReadOnly()) {
                 throw new IllegalStateException
-                        (ResourcesMgr.getString("Subject is read-only"));
+                        (ResourcesMgr.getString("Subject.is.read.only"));
             }
 
             java.lang.SecurityManager sm = System.getSecurityManager();
@@ -1084,9 +1084,7 @@ public final class Subject implements java.io.Serializable {
             case Subject.PRINCIPAL_SET:
                 if (!(o instanceof Principal)) {
                     throw new SecurityException(ResourcesMgr.getString
-                        ("attempting to add an object which is not an " +
-                        "instance of java.security.Principal to a " +
-                        "Subject's Principal Set"));
+                        ("attempting.to.add.an.object.which.is.not.an.instance.of.java.security.Principal.to.a.Subject.s.Principal.Set"));
                 }
                 break;
             default:
@@ -1389,8 +1387,7 @@ public final class Subject implements java.io.Serializable {
 
             if (!o.getClass().isAssignableFrom(c)) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("attempting to add an object which is not an " +
-                        "instance of class"));
+                        ("attempting.to.add.an.object.which.is.not.an.instance.of.class"));
                 Object[] source = {c.toString()};
                 throw new SecurityException(form.format(source));
             }

src/share/classes/javax/security/auth/login/AppConfigurationEntry.java

 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -167,7 +167,7 @@ public class AppConfigurationEntry {
          */
         public String toString() {
             return (sun.security.util.ResourcesMgr.getString
-                ("LoginModuleControlFlag: ") + controlFlag);
+                ("LoginModuleControlFlag.") + controlFlag);
         }
     }
 }

src/share/classes/javax/security/auth/login/LoginContext.java

 /*
- * Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -244,7 +244,7 @@ public class LoginContext {
 
         if (name == null)
             throw new LoginException
-                (ResourcesMgr.getString("Invalid null input: name"));
+                (ResourcesMgr.getString("Invalid.null.input.name"));
 
         // get the Configuration
         if (config == null) {
@@ -268,7 +268,7 @@ public class LoginContext {
             entries = config.getAppConfigurationEntry(OTHER);
             if (entries == null) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("No LoginModules configured for name"));
+                        ("No.LoginModules.configured.for.name"));
                 Object[] source = {name};
                 throw new LoginException(form.format(source));
             }
@@ -382,7 +382,7 @@ public class LoginContext {
         init(name);
         if (subject == null)
             throw new LoginException
-                (ResourcesMgr.getString("invalid null Subject provided"));
+                (ResourcesMgr.getString("invalid.null.Subject.provided"));
         this.subject = subject;
         subjectProvided = true;
         loadDefaultCallbackHandler();
@@ -418,7 +418,7 @@ public class LoginContext {
         init(name);
         if (callbackHandler == null)
             throw new LoginException(ResourcesMgr.getString
-                                ("invalid null CallbackHandler provided"));
+                                ("invalid.null.CallbackHandler.provided"));
         this.callbackHandler = new SecureCallbackHandler
                                 (java.security.AccessController.getContext(),
                                 callbackHandler);
@@ -459,7 +459,7 @@ public class LoginContext {
         this(name, subject);
         if (callbackHandler == null)
             throw new LoginException(ResourcesMgr.getString
-                                ("invalid null CallbackHandler provided"));
+                                ("invalid.null.CallbackHandler.provided"));
         this.callbackHandler = new SecureCallbackHandler
                                 (java.security.AccessController.getContext(),
                                 callbackHandler);
@@ -633,7 +633,7 @@ public class LoginContext {
     public void logout() throws LoginException {
         if (subject == null) {
             throw new LoginException(ResourcesMgr.getString
-                ("null subject - logout called before login"));
+                ("null.subject.logout.called.before.login"));
         }
 
         if (configProvided) {
@@ -811,21 +811,20 @@ public class LoginContext {
 
             } catch (NoSuchMethodException nsme) {
                 MessageFormat form = new MessageFormat(ResourcesMgr.getString
-                        ("unable to instantiate LoginModule, module, because " +
-                        "it does not provide a no-argument constructor"));
+                        ("unable.to.instantiate.LoginModule.module.because.it.does.not.provide.a.no.argument.constructor"));
                 Object[] source = {moduleStack[i].entry.getLoginModuleName()};
                 throwException(null, new LoginException(form.format(source)));
             } catch (InstantiationException ie) {
                 throwException(null, new LoginException(ResourcesMgr.getString
-                        ("unable to instantiate LoginModule: ") +
+                        ("unable.to.instantiate.LoginModule.") +
                         ie.getMessage()));
             } catch (ClassNotFoundException cnfe) {
                 throwException(null, new LoginException(ResourcesMgr.getString
-                        ("unable to find LoginModule class: ") +
+                        ("unable.to.find.LoginModule.class.") +
                         cnfe.getMessage()));
             } catch (IllegalAccessException iae) {
                 throwException(null, new LoginException(ResourcesMgr.getString
-                        ("unable to access LoginModule: ") +
+                        ("unable.to.access.LoginModule.") +
                         iae.getMessage()));
             } catch (InvocationTargetException ite) {
 
@@ -934,7 +933,7 @@ public class LoginContext {
         } else if (success == false) {
             // no module succeeded -- all modules were IGNORED
             throwException(new LoginException
-                (ResourcesMgr.getString("Login Failure: all modules ignored")),
+                (ResourcesMgr.getString("Login.Failure.all.modules.ignored")),
                 null);
         } else {
             // success

src/share/classes/javax/security/auth/x500/X500Principal.java

 /*
- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -155,12 +155,12 @@ public final class X500Principal implements Principal, java.io.Serializable {
         if (name == null) {
             throw new NullPointerException
                 (sun.security.util.ResourcesMgr.getString
-                ("provided null name"));
+                ("provided.null.name"));
         }
         if (keywordMap == null) {
             throw new NullPointerException
                 (sun.security.util.ResourcesMgr.getString
-                ("provided null keyword map"));
+                ("provided.null.keyword.map"));
         }
 
         try {
@@ -391,7 +391,7 @@ public final class X500Principal implements Principal, java.io.Serializable {
         if (oidMap == null) {
             throw new NullPointerException
                 (sun.security.util.ResourcesMgr.getString
-                ("provided null OID map"));
+                ("provided.null.OID.map"));
         }
         if (format != null) {
             if (format.equalsIgnoreCase(RFC1779)) {

src/share/classes/javax/sql/rowset/spi/SyncFactory.java

@@ -197,12 +197,6 @@ import javax.naming.*;
  */
 public class SyncFactory {
 
-    /*
-     * The variable that represents the singleton instance
-     * of the <code>SyncFactory</code> class.
-     */
-    private static SyncFactory syncFactory = null;
-
     /**
      * Creates a new <code>SyncFactory</code> object, which is the singleton
      * instance.
@@ -252,7 +246,7 @@ public class SyncFactory {
     /**
      * The <code>Logger</code> object to be used by the <code>SyncFactory</code>.
      */
-    private static Logger rsLogger;
+    private static volatile Logger rsLogger;
     /**
      *
      */
@@ -315,27 +309,12 @@ public class SyncFactory {
      * @return the <code>SyncFactory</code> instance
      */
     public static SyncFactory getSyncFactory() {
-
-        // This method uses the Singleton Design Pattern
-        // with Double-Checked Locking Pattern for
-        // 1. Creating single instance of the SyncFactory
-        // 2. Make the class thread safe, so that at one time
-        //    only one thread enters the synchronized block
-        //    to instantiate.
-
-        // if syncFactory object is already there
-        // don't go into synchronized block and return
-        // that object.
-        // else go into synchronized block
-
-        if (syncFactory == null) {
-            synchronized (SyncFactory.class) {
-                if (syncFactory == null) {
-                    syncFactory = new SyncFactory();
-                } //end if
-            } //end synchronized block
-        } //end if
-        return syncFactory;
+        /*
+         * Using Initialization on Demand Holder idiom as
+         * Effective Java 2nd Edition,ITEM 71, indicates it is more performant
+         * than the Double-Check Locking idiom.
+         */
+        return SyncFactoryHolder.factory;
     }
 
     /**
@@ -435,11 +414,7 @@ public class SyncFactory {
             }
         }
     }
-    /**
-     * The internal boolean switch that indicates whether a JNDI
-     * context has been established or not.
-     */
-    private static boolean jndiCtxEstablished = false;
+
     /**
      * The internal debug switch.
      */
@@ -621,6 +596,7 @@ public class SyncFactory {
      * @param logger A Logger object instance
      * @throws java.lang.SecurityException if a security manager exists and its
      *   {@code checkPermission} method denies calling {@code setLogger}
+     * @throws NullPointerException if the logger is null
      * @see SecurityManager#checkPermission
      */
     public static void setLogger(Logger logger) {
@@ -629,6 +605,10 @@ public class SyncFactory {
         if (sec != null) {
             sec.checkPermission(SET_SYNCFACTORY_PERMISSION);
         }
+
+        if(logger == null){
+            throw new NullPointerException("You must provide a Logger");
+        }
         rsLogger = logger;
     }
 
@@ -654,6 +634,7 @@ public class SyncFactory {
      *   {@code checkPermission} method denies calling {@code setLogger}
      * @throws java.util.logging.LoggingPermission if a security manager exists and its
      *   {@code checkPermission} method denies calling {@code setLevel}
+     * @throws NullPointerException if the logger is null
      * @see SecurityManager#checkPermission
      * @see LoggingPermission
      */
@@ -663,8 +644,12 @@ public class SyncFactory {
         if (sec != null) {
             sec.checkPermission(SET_SYNCFACTORY_PERMISSION);
         }
+
+        if(logger == null){
+            throw new NullPointerException("You must provide a Logger");
+        }
+        logger.setLevel(level);
         rsLogger = logger;
-        rsLogger.setLevel(level);
     }
 
     /**
@@ -674,11 +659,14 @@ public class SyncFactory {
      * @throws SyncFactoryException if no logging object has been set.
      */
     public static Logger getLogger() throws SyncFactoryException {
+
+        Logger result = rsLogger;
         // only one logger per session
-        if (rsLogger == null) {
+        if (result == null) {
             throw new SyncFactoryException("(SyncFactory) : No logger has been set");
         }
-        return rsLogger;
+
+        return result;
     }
 
     /**
@@ -699,7 +687,7 @@ public class SyncFactory {
      *  {@code checkPermission} method denies calling {@code setJNDIContext}
      * @see SecurityManager#checkPermission
      */
-    public static void setJNDIContext(javax.naming.Context ctx)
+    public static synchronized void setJNDIContext(javax.naming.Context ctx)
             throws SyncFactoryException {
         SecurityManager sec = System.getSecurityManager();
         if (sec != null) {
@@ -709,17 +697,16 @@ public class SyncFactory {
             throw new SyncFactoryException("Invalid JNDI context supplied");
         }
         ic = ctx;
-        jndiCtxEstablished = true;
     }
 
     /**
-     * Controls JNDI context intialization.
+     * Controls JNDI context initialization.
      *
      * @throws SyncFactoryException if an error occurs parsing the JNDI context
      */
-    private static void initJNDIContext() throws SyncFactoryException {
+    private static synchronized void initJNDIContext() throws SyncFactoryException {
 
-        if (jndiCtxEstablished && (ic != null) && (lazyJNDICtxRefresh == false)) {
+        if ((ic != null) && (lazyJNDICtxRefresh == false)) {
             try {
                 parseProperties(parseJNDIContext());
                 lazyJNDICtxRefresh = true; // touch JNDI namespace once.
@@ -793,6 +780,13 @@ public class SyncFactory {
             enumerateBindings(bindings, properties);
         }
     }
+
+    /**
+     * Lazy initialization Holder class used by {@code getSyncFactory}
+     */
+    private static class SyncFactoryHolder {
+        static final SyncFactory factory = new SyncFactory();
+    }
 }
 
 /**

src/share/classes/sun/nio/ch/FileChannelImpl.java

@@ -460,6 +460,16 @@ public class FileChannelImpl
                 } finally {
                     unmap(dbb);
                 }
+            } catch (ClosedByInterruptException e) {
+                // target closed by interrupt as ClosedByInterruptException needs
+                // to be thrown after closing this channel.
+                assert !target.isOpen();
+                try {
+                    close();
+                } catch (IOException ignore) {
+                    // nothing we can do
+                }
+                throw e;
             } catch (IOException ioe) {
                 // Only throw exception if no bytes have been written
                 if (remaining == count)

src/share/classes/sun/nio/ch/Interruptible.java

@@ -23,14 +23,14 @@
  * questions.
  */
 
-/*
+/**
+ * An object that interrupts a thread blocked in an I/O operation.
  */
 
 package sun.nio.ch;
 
-
 public interface Interruptible {
 
-    public void interrupt();
+    public void interrupt(Thread t);
 
 }

src/share/classes/sun/security/krb5/Config.java

@@ -111,7 +111,7 @@ public class Config {
     public static synchronized void refresh() throws KrbException {
         singleton = new Config();
         KeyTab.refresh();
-        KrbKdcReq.initStatic();
+        KdcComm.initStatic();
     }
 
 

src/share/classes/sun/security/krb5/Credentials.java

@@ -347,94 +347,6 @@ public class Credentials {
         }
     }
 
-    /**
-     * Returns a TGT for the given client principal via an AS-Exchange.
-     * This method causes pre-authentication data to be sent in the
-     * AS-REQ.
-     *
-     * @param princ the client principal. This value cannot be null.
-     * @param secretKey the secret key of the client principal.This value
-     * cannot be null.
-     * @returns the TGT credentials
-     */
-    public static Credentials acquireTGT(PrincipalName princ,
-                                         EncryptionKey[] secretKeys,
-                                         char[] password)
-        throws KrbException, IOException {
-
-        if (princ == null)
-            throw new IllegalArgumentException(
-                        "Cannot have null principal to do AS-Exchange");
-
-        if (secretKeys == null)
-            throw new IllegalArgumentException(
-                        "Cannot have null secretKey to do AS-Exchange");
-
-        KrbAsRep asRep = null;
-        try {
-            asRep = sendASRequest(princ, secretKeys, null);
-        } catch (KrbException ke) {
-            if ((ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) ||
-                (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED)) {
-                // process pre-auth info
-                if (DEBUG) {
-                    System.out.println("AcquireTGT: PREAUTH FAILED/REQUIRED," +
-                                " re-send AS-REQ");
-                }
-
-                KRBError error = ke.getError();
-                // update salt in PrincipalName
-                String newSalt = error.getSalt();
-                if (newSalt != null && newSalt.length() > 0) {
-                    princ.setSalt(newSalt);
-                }
-
-                // refresh keys
-                if (password != null) {
-                    secretKeys = EncryptionKey.acquireSecretKeys(password,
-                                princ.getSalt(), true,
-                                error.getEType(), error.getParams());
-                }
-                asRep = sendASRequest(princ, secretKeys, ke.getError());
-            } else {
-                throw ke;
-            }
-        }
-        return asRep.getCreds();
-    }
-
-    /**
-     * Sends the AS-REQ
-     */
-    private static KrbAsRep sendASRequest(PrincipalName princ,
-        EncryptionKey[] secretKeys, KRBError error)
-        throws KrbException, IOException {
-
-        // %%%
-        KrbAsReq asReq = null;
-        if (error == null) {
-            asReq = new KrbAsReq(princ, secretKeys);
-        } else {
-            asReq = new KrbAsReq(princ, secretKeys, true,
-                        error.getEType(), error.getSalt(), error.getParams());
-        }
-
-        String kdc = null;
-        KrbAsRep asRep  = null;
-        try {
-            kdc = asReq.send();
-            asRep =  asReq.getReply(secretKeys);
-        } catch (KrbException ke) {
-                if (ke.returnCode() == Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
-                    asReq.send(princ.getRealmString(), kdc, true);
-                    asRep =  asReq.getReply(secretKeys);
-                } else {
-                    throw ke;
-                }
-        }
-        return asRep;
-    }
-
     /**
      * Acquires default credentials.
      * <br>The possible locations for default credentials cache is searched in
@@ -529,29 +441,6 @@ public class Credentials {
         return CredentialsUtil.acquireServiceCreds(service, ccreds);
     }
 
-
-    /*
-     * This method does the real job to request the service credential.
-     */
-
-    private static Credentials serviceCreds(ServiceName service,
-                                            Credentials ccreds)
-        throws KrbException, IOException {
-        return new KrbTgsReq(
-                new KDCOptions(),
-                ccreds,
-                service,
-                null, // KerberosTime from
-                null, // KerberosTime till
-                null, // KerberosTime rtime
-                null, // int[] eTypes
-                null, // HostAddresses addresses
-                null, // AuthorizationData
-                null, // Ticket[] additionalTickets
-                null  // EncryptionKey subSessionKey
-                ).sendAndGetCreds();
-    }
-
     public CredentialsCache getCache() {
         return cache;
     }

src/share/classes/sun/security/krb5/EncryptionKey.java

@@ -156,6 +156,22 @@ public class EncryptionKey
         return ktab.readServiceKeys(princ);
     }
 
+    /**
+     * Obtains a key for a given etype with salt and optional s2kparams
+     * @param password NOT null
+     * @param salt NOT null
+     * @param etype
+     * @param s2kparams can be NULL
+     */
+    public static EncryptionKey acquireSecretKey(char[] password,
+            String salt, int etype, byte[] s2kparams)
+            throws KrbException {
+
+        return new EncryptionKey(
+                        stringToKey(password, salt, s2kparams, etype),
+                        etype, null);
+    }
+
     /**
      * Generate a list of keys using the given principal and password.
      * Construct a key for each configured etype.
@@ -169,19 +185,8 @@ public class EncryptionKey
      * as the default in that case. If default_tkt_enctypes was set in
      * the libdefaults of krb5.conf, then use that sequence.
      */
-         // Used in Krb5LoginModule
     public static EncryptionKey[] acquireSecretKeys(char[] password,
-        String salt) throws KrbException {
-        return (acquireSecretKeys(password, salt, false, 0, null));
-    }
-
-    /**
-     * Generates a list of keys using the given principal, password,
-     * and the pre-authentication values.
-     */
-    public static EncryptionKey[] acquireSecretKeys(char[] password,
-        String salt, boolean pa_exists, int pa_etype, byte[] pa_s2kparams)
-        throws KrbException {
+            String salt) throws KrbException {
 
         int[] etypes = EType.getDefaults("default_tkt_enctypes");
         if (etypes == null) {
@@ -191,10 +196,8 @@ public class EncryptionKey
         EncryptionKey[] encKeys = new EncryptionKey[etypes.length];
         for (int i = 0; i < etypes.length; i++) {
             if (EType.isSupported(etypes[i])) {
-                byte[] s2kparams = (pa_exists && etypes[i] == pa_etype)
-                        ? pa_s2kparams : null;
                 encKeys[i] = new EncryptionKey(
-                        stringToKey(password, salt, s2kparams, etypes[i]),
+                        stringToKey(password, salt, null, etypes[i]),
                         etypes[i], null);
             } else {
                 if (DEBUG) {

src/share/classes/sun/security/krb5/KrbKdcReq.java → src/share/classes/sun/security/krb5/KdcComm.java

@@ -31,13 +31,11 @@
 
 package sun.security.krb5;
 
-import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.security.Security;
 import java.util.Locale;
 import sun.security.krb5.internal.Krb5;
-import sun.security.krb5.internal.UDPClient;
-import sun.security.krb5.internal.TCPClient;
+import sun.security.krb5.internal.NetClient;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.util.StringTokenizer;
@@ -48,8 +46,13 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
 import java.util.HashSet;
+import sun.security.krb5.internal.KRBError;
 
-public abstract class KrbKdcReq {
+/**
+ * KDC-REQ/KDC-REP communication. No more base class for KrbAsReq and
+ * KrbTgsReq. This class is now communication only.
+ */
+public final class KdcComm {
 
     // The following settings can be configured in [libdefaults]
     // section of krb5.conf, which are global for all realms. Each of
@@ -161,20 +164,23 @@ public abstract class KrbKdcReq {
         KdcAccessibility.reset();
     }
 
-    protected byte[] obuf;
-    protected byte[] ibuf;
-
     /**
-     * Sends the provided data to the KDC of the specified realm.
-     * Returns the response from the KDC.
-     * Default realm/KDC is used if realm is null.
-     * @param realm the realm of the KDC where data is to be sent.
-     * @returns the kdc to which the AS request was sent to
-     * @exception InterruptedIOException if timeout expires
-     * @exception KrbException
+     * The instance fields
      */
+    private String realm;
+
+    public KdcComm(String realm) throws KrbException {
+        if (realm == null) {
+           realm = Config.getInstance().getDefaultRealm();
+            if (realm == null) {
+                throw new KrbException(Krb5.KRB_ERR_GENERIC,
+                                       "Cannot find default realm");
+            }
+        }
+        this.realm = realm;
+    }
 
-    public String send(String realm)
+    public byte[] send(byte[] obuf)
         throws IOException, KrbException {
         int udpPrefLimit = getRealmSpecificValue(
                 realm, "udp_preference_limit", defaultUdpPrefLimit);
@@ -182,10 +188,10 @@ public abstract class KrbKdcReq {
         boolean useTCP = (udpPrefLimit > 0 &&
              (obuf != null && obuf.length > udpPrefLimit));
 
-        return (send(realm, useTCP));
+        return send(obuf, useTCP);
     }
 
-    public String send(String realm, boolean useTCP)
+    private byte[] send(byte[] obuf, boolean useTCP)
         throws IOException, KrbException {
 
         if (obuf == null)
@@ -206,10 +212,21 @@ public abstract class KrbKdcReq {
             throw new KrbException("Cannot get kdc for realm " + realm);
         }
         String tempKdc = null; // may include the port number also
+        byte[] ibuf = null;
         for (String tmp: KdcAccessibility.list(kdcList)) {
             tempKdc = tmp;
             try {
-                send(realm,tempKdc,useTCP);
+                ibuf = send(obuf,tempKdc,useTCP);
+                KRBError ke = null;
+                try {
+                    ke = new KRBError(ibuf);
+                } catch (Exception e) {
+                    // OK
+                }
+                if (ke != null && ke.getErrorCode() ==
+                        Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
+                    ibuf = send(obuf, tempKdc, true);
+                }
                 KdcAccessibility.removeBad(tempKdc);
                 break;
             } catch (Exception e) {
@@ -229,16 +246,16 @@ public abstract class KrbKdcReq {
                 throw (KrbException) savedException;
             }
         }
-        return tempKdc;
+        return ibuf;
     }
 
     // send the AS Request to the specified KDC
 
-    public void send(String realm, String tempKdc, boolean useTCP)
+    private byte[] send(byte[] obuf, String tempKdc, boolean useTCP)
         throws IOException, KrbException {
 
         if (obuf == null)
-            return;
+            return null;
 
         int port = Krb5.KDC_INET_DEFAULT_PORT;
         int retries = getRealmSpecificValue(
@@ -303,11 +320,12 @@ public abstract class KrbKdcReq {
         KdcCommunication kdcCommunication =
             new KdcCommunication(kdc, port, useTCP, timeout, retries, obuf);
         try {
-            ibuf = AccessController.doPrivileged(kdcCommunication);
+            byte[] ibuf = AccessController.doPrivileged(kdcCommunication);
             if (DEBUG) {
                 System.out.println(">>> KrbKdcReq send: #bytes read="
                         + (ibuf != null ? ibuf.length : 0));
             }
+            return ibuf;
         } catch (PrivilegedActionException e) {
             Exception wrappedException = e.getException();
             if (wrappedException instanceof IOException) {
@@ -316,10 +334,6 @@ public abstract class KrbKdcReq {
                 throw (KrbException) wrappedException;
             }
         }
-        if (DEBUG) {
-            System.out.println(">>> KrbKdcReq send: #bytes read="
-                               + (ibuf != null ? ibuf.length : 0));
-        }
     }
 
     private static class KdcCommunication
@@ -349,12 +363,16 @@ public abstract class KrbKdcReq {
 
             byte[] ibuf = null;
 
-            if (useTCP) {
-                TCPClient kdcClient = new TCPClient(kdc, port);
+            for (int i=1; i <= retries; i++) {
+                String proto = useTCP?"TCP":"UDP";
+                NetClient kdcClient = NetClient.getInstance(
+                        proto, kdc, port, timeout);
                 if (DEBUG) {
                     System.out.println(">>> KDCCommunication: kdc=" + kdc
-                           + " TCP:"
-                           +  port
+                           + " " + proto + ":"
+                           +  port +  ", timeout="
+                           + timeout
+                           + ",Attempt =" + i
                            + ", #bytes=" + obuf.length);
                 }
                 try {
@@ -366,50 +384,18 @@ public abstract class KrbKdcReq {
                      * And get a response.
                      */
                     ibuf = kdcClient.receive();
-                } finally {
-                    kdcClient.close();
-                }
-
-            } else {
-                // For each KDC we try defaultKdcRetryLimit times to
-                // get the response
-                for (int i=1; i <= retries; i++) {
-                    UDPClient kdcClient = new UDPClient(kdc, port, timeout);
-
+                    break;
+                } catch (SocketTimeoutException se) {
                     if (DEBUG) {
-                        System.out.println(">>> KDCCommunication: kdc=" + kdc
-                               + (useTCP ? " TCP:":" UDP:")
-                               +  port +  ", timeout="
-                               + timeout
-                               + ",Attempt =" + i
-                               + ", #bytes=" + obuf.length);
+                        System.out.println ("SocketTimeOutException with " +
+                                            "attempt: " + i);
                     }
-                    try {
-                        /*
-                         * Send the data to the kdc.
-                         */
-
-                        kdcClient.send(obuf);
-
-                        /*
-                         * And get a response.
-                         */
-                        try {
-                            ibuf = kdcClient.receive();
-                            break;
-                        } catch (SocketTimeoutException se) {
-                            if (DEBUG) {
-                                System.out.println ("SocketTimeOutException with " +
-                                                    "attempt: " + i);
-                            }
-                            if (i == retries) {
-                                ibuf = null;
-                                throw se;
-                            }
-                        }
-                    } finally {
-                        kdcClient.close();
+                    if (i == retries) {
+                        ibuf = null;
+                        throw se;
                     }
+                } finally {
+                    kdcClient.close();
                 }
             }
             return ibuf;

src/share/classes/sun/security/krb5/KrbAsRep.java

@@ -36,25 +36,24 @@ import sun.security.krb5.internal.crypto.KeyUsage;
 import sun.security.krb5.internal.crypto.EType;
 import sun.security.util.*;
 import java.io.IOException;
+import java.util.Objects;
 
 /**
  * This class encapsulates a AS-REP message that the KDC sends to the
  * client.
  */
-public class KrbAsRep extends KrbKdcRep {
+class KrbAsRep extends KrbKdcRep {
 
-    private ASRep rep;
-    private Credentials creds;
+    private ASRep rep;  // The AS-REP message
+    private Credentials creds;  // The Credentials provide by the AS-REP
+                                // message, created by initiator after calling
+                                // the decrypt() method
 
     private boolean DEBUG = Krb5.DEBUG;
 
-    KrbAsRep(byte[] ibuf, EncryptionKey[] keys, KrbAsReq asReq) throws
-    KrbException, Asn1Exception, IOException {
-        if (keys == null)
-            throw new KrbException(Krb5.API_INVALID_ARG);
+    KrbAsRep(byte[] ibuf) throws
+            KrbException, Asn1Exception, IOException {
         DerValue encoding = new DerValue(ibuf);
-        ASReq req = asReq.getMessage();
-        ASRep rep = null;
         try {
             rep = new ASRep(encoding);
         } catch (Asn1Exception e) {
@@ -83,25 +82,77 @@ public class KrbAsRep extends KrbKdcRep {
             ke.initCause(e);
             throw ke;
         }
+    }
 
-        int encPartKeyType = rep.encPart.getEType();
-        EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys);
+    // KrbAsReqBuilder need to read back the PA for key generation
+    PAData[] getPA() {
+        return rep.pAData;
+    }
 
+    /**
+     * Called by KrbAsReqBuilder to resolve a AS-REP message using keys.
+     * @param keys user provided keys, not null
+     * @param asReq the original AS-REQ sent, used to validate AS-REP
+     */
+    void decryptUsingKeys(EncryptionKey[] keys, KrbAsReq asReq)
+            throws KrbException, Asn1Exception, IOException {
+        EncryptionKey dkey = null;
+        int encPartKeyType = rep.encPart.getEType();
+        Integer encPartKvno = rep.encPart.kvno;
+        try {
+            dkey = EncryptionKey.findKey(encPartKeyType, encPartKvno, keys);
+        } catch (KrbException ke) {
+            if (ke.returnCode() == Krb5.KRB_AP_ERR_BADKEYVER) {
+                // Fallback to no kvno. In some cases, keytab is generated
+                // not by sysadmin but Java's ktab command
+                dkey = EncryptionKey.findKey(encPartKeyType, keys);
+            }
+        }
         if (dkey == null) {
             throw new KrbException(Krb5.API_INVALID_ARG,
-                "Cannot find key of appropriate type to decrypt AS REP - " +
-                EType.toString(encPartKeyType));
+                "Cannot find key for type/kvno to decrypt AS REP - " +
+                EType.toString(encPartKeyType) + "/" + encPartKvno);
         }
+        decrypt(dkey, asReq);
+    }
 
+    /**
+     * Called by KrbAsReqBuilder to resolve a AS-REP message using a password.
+     * @param password user provided password. not null
+     * @param asReq the original AS-REQ sent, used to validate AS-REP
+     * @param cname the user principal name, used to provide salt
+     */
+    void decryptUsingPassword(char[] password,
+            KrbAsReq asReq, PrincipalName cname)
+            throws KrbException, Asn1Exception, IOException {
+        int encPartKeyType = rep.encPart.getEType();
+        PAData.SaltAndParams snp =
+                PAData.getSaltAndParams(encPartKeyType, rep.pAData);
+        EncryptionKey dkey = null;
+        dkey = EncryptionKey.acquireSecretKey(password,
+                snp.salt == null ? cname.getSalt() : snp.salt,
+                encPartKeyType,
+                snp.params);
+        decrypt(dkey, asReq);
+    }
+
+    /**
+     * Decrypts encrypted content inside AS-REP. Called by initiator.
+     * @param dkey the decryption key to use
+     * @param asReq the original AS-REQ sent, used to validate AS-REP
+     */
+    private void decrypt(EncryptionKey dkey, KrbAsReq asReq)
+            throws KrbException, Asn1Exception, IOException {
         byte[] enc_as_rep_bytes = rep.encPart.decrypt(dkey,
             KeyUsage.KU_ENC_AS_REP_PART);
         byte[] enc_as_rep_part = rep.encPart.reset(enc_as_rep_bytes);
 
-        encoding = new DerValue(enc_as_rep_part);
+        DerValue encoding = new DerValue(enc_as_rep_part);
         EncASRepPart enc_part = new EncASRepPart(encoding);
         rep.ticket.sname.setRealm(rep.ticket.realm);
         rep.encKDCRepPart = enc_part;
 
+        ASReq req = asReq.getMessage();
         check(req, rep);
 
         creds = new Credentials(
@@ -119,17 +170,13 @@ public class KrbAsRep extends KrbKdcRep {
             System.out.println(">>> KrbAsRep cons in KrbAsReq.getReply " +
                                req.reqBody.cname.getNameString());
         }
-
-        this.rep = rep;
-        this.creds = creds;
     }
 
-    public Credentials getCreds() {
-        return creds;
+    Credentials getCreds() {
+        return Objects.nonNull(creds, "Creds not available yet.");
     }
 
-    // made public for Kinit
-    public sun.security.krb5.internal.ccache.Credentials setCredentials() {
+    sun.security.krb5.internal.ccache.Credentials getCCreds() {
         return new sun.security.krb5.internal.ccache.Credentials(rep);
     }
 }

src/share/classes/sun/security/krb5/KrbAsReq.java

@@ -32,291 +32,39 @@
 package sun.security.krb5;
 
 import sun.security.krb5.internal.*;
-import sun.security.krb5.internal.crypto.EType;
 import sun.security.krb5.internal.crypto.Nonce;
 import sun.security.krb5.internal.crypto.KeyUsage;
-import sun.security.util.*;
 import java.io.IOException;
-import java.io.ByteArrayInputStream;
-import java.net.UnknownHostException;
-import java.util.StringTokenizer;
 
 /**
  * This class encapsulates the KRB-AS-REQ message that the client
  * sends to the KDC.
  */
-public class KrbAsReq extends KrbKdcReq {
-    private PrincipalName princName;
+public class KrbAsReq {
     private ASReq asReqMessg;
 
     private boolean DEBUG = Krb5.DEBUG;
-    private static KDCOptions defaultKDCOptions = new KDCOptions();
-
-    // pre-auth info
-    private boolean PA_ENC_TIMESTAMP_REQUIRED = false;
-    private boolean pa_exists = false;
-    private int pa_etype = 0;
-    private String pa_salt = null;
-    private byte[] pa_s2kparams = null;
-
-    // default is address-less tickets
-    private boolean KDC_EMPTY_ADDRESSES_ALLOWED = true;
 
     /**
-     * Creates a KRB-AS-REQ to send to the default KDC
-     * @throws KrbException
-     * @throws IOException
+     * Constructs an AS-REQ message.
      */
-     // Called by Credentials
-    KrbAsReq(PrincipalName principal, EncryptionKey[] keys)
-        throws KrbException, IOException {
-        this(keys, // for pre-authentication
-             false, 0, null, null, // pre-auth values
-             defaultKDCOptions,
-             principal,
-             null, // PrincipalName sname
-             null, // KerberosTime from
-             null, // KerberosTime till
-             null, // KerberosTime rtime
-             null, // int[] eTypes
-             null, // HostAddresses addresses
-             null); // Ticket[] additionalTickets
-    }
-
-    /**
-     * Creates a KRB-AS-REQ to send to the default KDC
-     * with pre-authentication values
-     */
-    KrbAsReq(PrincipalName principal, EncryptionKey[] keys,
-        boolean pa_exists, int etype, String salt, byte[] s2kparams)
-        throws KrbException, IOException {
-        this(keys, // for pre-authentication
-             pa_exists, etype, salt, s2kparams, // pre-auth values
-             defaultKDCOptions,
-             principal,
-             null, // PrincipalName sname
-             null, // KerberosTime from
-             null, // KerberosTime till
-             null, // KerberosTime rtime
-             null, // int[] eTypes
-             null, // HostAddresses addresses
-             null); // Ticket[] additionalTickets
-    }
-
-     private static int[] getETypesFromKeys(EncryptionKey[] keys) {
-         int[] types = new int[keys.length];
-         for (int i = 0; i < keys.length; i++) {
-             types[i] = keys[i].getEType();
-         }
-         return types;
-     }
-
-    // update with pre-auth info
-    public void updatePA(int etype, String salt, byte[] params, PrincipalName name) {
-        // set the pre-auth values
-        pa_exists = true;
-        pa_etype = etype;
-        pa_salt = salt;
-        pa_s2kparams = params;
-
-        // update salt in PrincipalName
-        if (salt != null && salt.length() > 0) {
-            name.setSalt(salt);
-            if (DEBUG) {
-                System.out.println("Updated salt from pre-auth = " + name.getSalt());
-            }
-        }
-        PA_ENC_TIMESTAMP_REQUIRED = true;
-    }
-
-     // Used by Kinit
-    public KrbAsReq(
-                    char[] password,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-        this(password,
-             false, 0, null, null, // pre-auth values
-             options,
-             cname,
-             sname, // PrincipalName sname
-             from,  // KerberosTime from
-             till,  // KerberosTime till
-             rtime, // KerberosTime rtime
-             eTypes, // int[] eTypes
-             addresses, // HostAddresses addresses
-             additionalTickets); // Ticket[] additionalTickets
-    }
-
-     // Used by Kinit
-    public KrbAsReq(
-                    char[] password,
-                    boolean pa_exists,
-                    int etype,
-                    String salt,
-                    byte[] s2kparams,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-
-        EncryptionKey[] keys = null;
-
-        // update with preauth info
-        if (pa_exists) {
-            updatePA(etype, salt, s2kparams, cname);
+                                                // Can be null? has default?
+    public KrbAsReq(EncryptionKey pakey,        // ok
+                      KDCOptions options,       // ok, new KDCOptions()
+                      PrincipalName cname,      // NO and must have realm
+                      PrincipalName sname,      // ok, krgtgt@CREALM
+                      KerberosTime from,        // ok
+                      KerberosTime till,        // ok, will use
+                      KerberosTime rtime,       // ok
+                      int[] eTypes,             // NO
+                      HostAddresses addresses   // ok
+                      )
+            throws KrbException, IOException {
+
+        if (options == null) {
+            options = new KDCOptions();
         }
 
-        if (password != null) {
-            keys = EncryptionKey.acquireSecretKeys(password, cname.getSalt(), pa_exists,
-                                                        pa_etype, pa_s2kparams);
-        }
-        if (DEBUG) {
-            System.out.println(">>>KrbAsReq salt is " + cname.getSalt());
-        }
-
-        try {
-            init(
-                 keys,
-                 options,
-                 cname,
-                 sname,
-                 from,
-                 till,
-                 rtime,
-                 eTypes,
-                 addresses,
-                 additionalTickets);
-        }
-        finally {
-            /*
-             * Its ok to destroy the key here because we created it and are
-             * now done with it.
-             */
-             if (keys != null) {
-                 for (int i = 0; i < keys.length; i++) {
-                     keys[i].destroy();
-                 }
-             }
-        }
-    }
-
-     // Used in Kinit
-    public KrbAsReq(
-                    EncryptionKey[] keys,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-        this(keys,
-             false, 0, null, null, // pre-auth values
-             options,
-             cname,
-             sname, // PrincipalName sname
-             from,  // KerberosTime from
-             till,  // KerberosTime till
-             rtime, // KerberosTime rtime
-             eTypes, // int[] eTypes
-             addresses, // HostAddresses addresses
-             additionalTickets); // Ticket[] additionalTickets
-    }
-
-    // Used by Kinit
-    public KrbAsReq(
-                    EncryptionKey[] keys,
-                    boolean pa_exists,
-                    int etype,
-                    String salt,
-                    byte[] s2kparams,
-                    KDCOptions options,
-                    PrincipalName cname,
-                    PrincipalName sname,
-                    KerberosTime from,
-                    KerberosTime till,
-                    KerberosTime rtime,
-                    int[] eTypes,
-                    HostAddresses addresses,
-                    Ticket[] additionalTickets)
-        throws KrbException, IOException {
-
-        // update with preauth info
-        if (pa_exists) {
-            // update pre-auth info
-            updatePA(etype, salt, s2kparams, cname);
-
-            if (DEBUG) {
-                System.out.println(">>>KrbAsReq salt is " + cname.getSalt());
-            }
-        }
-
-        init(
-             keys,
-             options,
-             cname,
-             sname,
-             from,
-             till,
-             rtime,
-             eTypes,
-             addresses,
-             additionalTickets);
-    }
-
-     /*
-    private KrbAsReq(KDCOptions options,
-             PrincipalName cname,
-             PrincipalName sname,
-             KerberosTime from,
-             KerberosTime till,
-             KerberosTime rtime,
-             int[] eTypes,
-             HostAddresses addresses,
-             Ticket[] additionalTickets)
-        throws KrbException, IOException {
-        init(null,
-             options,
-             cname,
-             sname,
-             from,
-             till,
-             rtime,
-             eTypes,
-             addresses,
-             additionalTickets);
-    }
-*/
-
-    private void init(EncryptionKey[] keys,
-                      KDCOptions options,
-                      PrincipalName cname,
-                      PrincipalName sname,
-                      KerberosTime from,
-                      KerberosTime till,
-                      KerberosTime rtime,
-                      int[] eTypes,
-                      HostAddresses addresses,
-                      Ticket[] additionalTickets )
-        throws KrbException, IOException {
-
         // check if they are valid arguments. The optional fields should be
         // consistent with settings in KDCOptions. Mar 17 2000
         if (options.get(KDCOptions.FORWARDED) ||
@@ -341,189 +89,66 @@ public class KrbAsReq extends KrbKdcReq {
             if (rtime != null)  rtime = null;
         }
 
-        princName = cname;
-        int[] tktETypes = EType.getDefaults("default_tkt_enctypes", keys);
         PAData[] paData = null;
-        if (PA_ENC_TIMESTAMP_REQUIRED) {
-            EncryptionKey key = null;
-            if (pa_etype != EncryptedData.ETYPE_NULL) {
-                if (DEBUG) {
-                    System.out.println("Pre-Authenticaton: find key for etype = " + pa_etype);
-                }
-                key = EncryptionKey.findKey(pa_etype, keys);
-            } else {
-                if (tktETypes.length > 0) {
-                    key = EncryptionKey.findKey(tktETypes[0], keys);
-                }
-            }
-            if (DEBUG) {
-                System.out.println("AS-REQ: Add PA_ENC_TIMESTAMP now");
-            }
+        if (pakey != null) {
             PAEncTSEnc ts = new PAEncTSEnc();
             byte[] temp = ts.asn1Encode();
-            if (key != null) {
-                // Use first key in list
-                EncryptedData encTs = new EncryptedData(key, temp,
-                    KeyUsage.KU_PA_ENC_TS);
-                paData = new PAData[1];
-                paData[0] = new PAData( Krb5.PA_ENC_TIMESTAMP,
-                                        encTs.asn1Encode());
-            }
+            EncryptedData encTs = new EncryptedData(pakey, temp,
+                KeyUsage.KU_PA_ENC_TS);
+            paData = new PAData[1];
+            paData[0] = new PAData( Krb5.PA_ENC_TIMESTAMP,
+                                    encTs.asn1Encode());
         }
 
-        if (DEBUG) {
-            System.out.println(">>> KrbAsReq calling createMessage");
+        if (cname.getRealm() == null) {
+            throw new RealmException(Krb5.REALM_NULL,
+                                     "default realm not specified ");
         }
 
-        if (eTypes == null) {
-            eTypes = tktETypes;
+        if (DEBUG) {
+            System.out.println(">>> KrbAsReq creating message");
         }
 
         // check to use addresses in tickets
-        if (Config.getInstance().useAddresses()) {
-            KDC_EMPTY_ADDRESSES_ALLOWED = false;
-        }
-        // get the local InetAddress if required
-        if (addresses == null && !KDC_EMPTY_ADDRESSES_ALLOWED) {
+        if (addresses == null && Config.getInstance().useAddresses()) {
             addresses = HostAddresses.getLocalAddresses();
         }
 
-        asReqMessg = createMessage(
-                                   paData,
-                                   options,
-                                   cname,
-                                   cname.getRealm(),
-                                   sname,
-                                   from,
-                                   till,
-                                   rtime,
-                                   eTypes,
-                                   addresses,
-                                   additionalTickets);
-        obuf = asReqMessg.asn1Encode();
-    }
-
-    /**
-     * Returns an AS-REP message corresponding to the AS-REQ that
-     * was sent.
-     * @param password The password that will be used to derive the
-     * secret key that will decrypt the AS-REP from  the KDC.
-     * @exception KrbException if an error occurs while reading the data.
-     * @exception IOException if an I/O error occurs while reading encoded data.
-     */
-    public KrbAsRep getReply(char[] password)
-        throws KrbException, IOException {
-
-        if (password == null)
-            throw new KrbException(Krb5.API_INVALID_ARG);
-        KrbAsRep temp = null;
-        EncryptionKey[] keys = null;
-        try {
-            keys = EncryptionKey.acquireSecretKeys(password,
-                princName.getSalt(), pa_exists, pa_etype, pa_s2kparams);
-            temp = getReply(keys);
-        } finally {
-            /*
-             * Its ok to destroy the key here because we created it and are
-             * now done with it.
-             */
-             if (keys != null) {
-                for (int i = 0; i < keys.length; i++) {
-                    keys[i].destroy();
-                }
-             }
-        }
-        return temp;
-    }
-
-    /**
-     * Sends an AS request to the realm of the client.
-     * returns the KDC hostname that the request was sent to
-     */
-
-    public String send()
-        throws IOException, KrbException
-    {
-        String realmStr = null;
-        if (princName != null)
-            realmStr = princName.getRealmString();
-
-        return (send(realmStr));
-    }
-
-    /**
-     * Returns an AS-REP message corresponding to the AS-REQ that
-     * was sent.
-     * @param keys The secret keys that will decrypt the AS-REP from
-     * the KDC; key selected depends on etype used to encrypt data.
-     * @exception KrbException if an error occurs while reading the data.
-     * @exception IOException if an I/O error occurs while reading encoded
-     * data.
-     *
-     */
-    public KrbAsRep getReply(EncryptionKey[] keys)
-        throws KrbException,IOException {
-        return new KrbAsRep(ibuf, keys, this);
-    }
-
-    private ASReq createMessage(
-                        PAData[] paData,
-                        KDCOptions kdc_options,
-                        PrincipalName cname,
-                        Realm crealm,
-                        PrincipalName sname,
-                        KerberosTime from,
-                        KerberosTime till,
-                        KerberosTime rtime,
-                        int[] eTypes,
-                        HostAddresses addresses,
-                        Ticket[] additionalTickets
-                        ) throws Asn1Exception, KrbApErrException,
-                        RealmException, UnknownHostException, IOException {
-
-        if (DEBUG) {
-            System.out.println(">>> KrbAsReq in createMessage");
-        }
-
-        PrincipalName req_sname = null;
         if (sname == null) {
-            if (crealm == null) {
-                throw new RealmException(Krb5.REALM_NULL,
-                                         "default realm not specified ");
-            }
-            req_sname = new PrincipalName(
-                                          "krbtgt" +
-                                          PrincipalName.NAME_COMPONENT_SEPARATOR +
-                                          crealm.toString(),
-                                          PrincipalName.KRB_NT_SRV_INST);
-        } else
-            req_sname = sname;
+            sname = new PrincipalName("krbtgt" +
+                                      PrincipalName.NAME_COMPONENT_SEPARATOR +
+                                      cname.getRealmAsString(),
+                            PrincipalName.KRB_NT_SRV_INST);
+        }
 
-        KerberosTime req_till = null;
         if (till == null) {
-            req_till = new KerberosTime();
-        } else {
-            req_till = till;
+            till = new KerberosTime(0); // Choose KDC maximum allowed
         }
 
-        KDCReqBody kdc_req_body = new KDCReqBody(kdc_options,
+        // enc-authorization-data and additional-tickets never in AS-REQ
+        KDCReqBody kdc_req_body = new KDCReqBody(options,
                                                  cname,
-                                                 crealm,
-                                                 req_sname,
+                                                 cname.getRealm(),
+                                                 sname,
                                                  from,
-                                                 req_till,
+                                                 till,
                                                  rtime,
                                                  Nonce.value(),
                                                  eTypes,
                                                  addresses,
                                                  null,
-                                                 additionalTickets);
+                                                 null);
 
-        return new ASReq(
+        asReqMessg = new ASReq(
                          paData,
                          kdc_req_body);
     }
 
+    byte[] encoding() throws IOException, Asn1Exception {
+        return asReqMessg.asn1Encode();
+    }
+
+    // Used by KrbAsRep to validate AS-REP
     ASReq getMessage() {
         return asReqMessg;
     }

src/share/classes/sun/security/krb5/KrbAsReqBuilder.java

+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.krb5;
+
+import java.io.IOException;
+import java.util.Arrays;
+import sun.security.krb5.internal.HostAddresses;
+import sun.security.krb5.internal.KDCOptions;
+import sun.security.krb5.internal.KRBError;
+import sun.security.krb5.internal.KerberosTime;
+import sun.security.krb5.internal.Krb5;
+import sun.security.krb5.internal.PAData;
+import sun.security.krb5.internal.crypto.EType;
+
+/**
+ * A manager class for AS-REQ communications.
+ *
+ * This class does:
+ * 1. Gather information to create AS-REQ
+ * 2. Create and send AS-REQ
+ * 3. Receive AS-REP and KRB-ERROR (-KRB_ERR_RESPONSE_TOO_BIG) and parse them
+ * 4. Emit credentials and secret keys (for JAAS storeKey=true)
+ *
+ * This class does not:
+ * 1. Deal with real communications (KdcComm does it, and TGS-REQ)
+ *    a. Name of KDCs for a realm
+ *    b. Server availability, timeout, UDP or TCP
+ *    d. KRB_ERR_RESPONSE_TOO_BIG
+ *
+ * With this class:
+ * 1. KrbAsReq has only one constructor
+ * 2. Krb5LoginModule and Kinit call a single builder
+ * 3. Better handling of sensitive info
+ *
+ * @since 1.7
+ */
+
+public final class KrbAsReqBuilder {
+
+    // Common data for AS-REQ fields
+    private KDCOptions options;
+    private PrincipalName cname;
+    private PrincipalName sname;
+    private KerberosTime from;
+    private KerberosTime till;
+    private KerberosTime rtime;
+    private HostAddresses addresses;
+
+    // Secret source: can't be changed once assigned, only one (of the two
+    // sources) can be set and should be non-null
+    private EncryptionKey[] keys;
+    private char[] password;
+
+    // Used to create a ENC-TIMESTAMP in the 2nd AS-REQ
+    private EncryptionKey pakey;
+    private PAData[] paList;        // PA-DATA from both KRB-ERROR and AS-REP.
+                                    // Used by getKeys() only.
+                                    // Only AS-REP should be enough per RFC,
+                                    // combined in case etypes are different.
+
+    // The generated and received:
+    int[] eTypes;
+    private KrbAsReq req;
+    private KrbAsRep rep;
+
+    private static enum State {
+        INIT,       // Initialized, can still add more initialization info
+        REQ_OK,     // AS-REQ performed
+        DESTROYED,  // Destroyed, not usable anymore
+    }
+    private State state;
+
+    // Called by other constructors
+    private KrbAsReqBuilder(PrincipalName cname)
+            throws KrbException {
+        if (cname.getRealm() == null) {
+            cname.setRealm(Config.getInstance().getDefaultRealm());
+        }
+        this.cname = cname;
+        state = State.INIT;
+    }
+
+    /**
+     * Creates a builder to be used by {@code cname} with existing keys.
+     *
+     * @param cname the client of the AS-REQ. Must not be null. Might have no
+     * realm, where default realm will be used. This realm will be the target
+     * realm for AS-REQ. I believe a client should only get initial TGT from
+     * its own realm.
+     * @param keys must not be null. if empty, might be quite useless.
+     * This argument will neither be modified nor stored by the method.
+     * @throws KrbException
+     */
+    public KrbAsReqBuilder(PrincipalName cname, EncryptionKey[] keys)
+            throws KrbException {
+        this(cname);
+        this.keys = new EncryptionKey[keys.length];
+        for (int i=0; i<keys.length; i++) {
+            this.keys[i] = (EncryptionKey)keys[i].clone();
+        }
+        eTypes = EType.getDefaults("default_tkt_enctypes", keys);
+    }
+
+    /**
+     * Creates a builder to be used by {@code cname} with a known password.
+     *
+     * @param cname the client of the AS-REQ. Must not be null. Might have no
+     * realm, where default realm will be used. This realm will be the target
+     * realm for AS-REQ. I believe a client should only get initial TGT from
+     * its own realm.
+     * @param pass must not be null. This argument will neither be modified
+     * nor stored by the method.
+     * @throws KrbException
+     */
+    public KrbAsReqBuilder(PrincipalName cname, char[] pass)
+            throws KrbException {
+        this(cname);
+        this.password = pass.clone();
+        eTypes = EType.getDefaults("default_tkt_enctypes");
+    }
+
+    /**
+     * Retrieves an array of secret keys for the client. This is useful if
+     * the client supplies password but need keys to act as an acceptor
+     * (in JAAS words, isInitiator=true and storeKey=true)
+     * @return original keys if initiated with keys, or generated keys if
+     * password. In latter case, PA-DATA from server might be used to
+     * generate keys. All "default_tkt_enctypes" keys will be generated,
+     * Never null.
+     * @throws KrbException
+     */
+    public EncryptionKey[] getKeys() throws KrbException {
+        checkState(State.REQ_OK, "Cannot get keys");
+        if (keys != null) {
+            EncryptionKey[] result = new EncryptionKey[keys.length];
+            for (int i=0; i<keys.length; i++) {
+                result[i] = (EncryptionKey)keys[i].clone();
+            }
+            return result;
+        } else {
+            EncryptionKey[] result = new EncryptionKey[eTypes.length];
+
+            /*
+             * Returns an array of keys. Before KrbAsReqBuilder, all etypes
+             * use the same salt which is either the default one or a new salt
+             * coming from PA-DATA. After KrbAsReqBuilder, each etype uses its
+             * own new salt from PA-DATA. For an etype with no PA-DATA new salt
+             * at all, what salt should it use?
+             *
+             * Commonly, the stored keys are only to be used by an acceptor to
+             * decrypt service ticket in AP-REQ. Most impls only allow keys
+             * from a keytab on acceptor, but unfortunately (?) Java supports
+             * acceptor using password. In this case, if the service ticket is
+             * encrypted using an etype which we don't have PA-DATA new salt,
+             * using the default salt is normally wrong (say, case-insensitive
+             * user name). Instead, we would use the new salt of another etype.
+             */
+
+            String salt = null;     // the saved new salt
+            for (int i=0; i<eTypes.length; i++) {
+                PAData.SaltAndParams snp =
+                        PAData.getSaltAndParams(eTypes[i], paList);
+                // First round, only calculate those with new salt
+                if (snp.salt != null) {
+                    salt = snp.salt;
+                    result[i] = EncryptionKey.acquireSecretKey(password,
+                            snp.salt,
+                            eTypes[i],
+                            snp.params);
+                }
+            }
+            if (salt == null) salt = cname.getSalt();
+            for (int i=0; i<eTypes.length; i++) {
+                // Second round, calculate those with no new salt
+                if (result[i] == null) {
+                    PAData.SaltAndParams snp =
+                            PAData.getSaltAndParams(eTypes[i], paList);
+                    result[i] = EncryptionKey.acquireSecretKey(password,
+                            salt,
+                            eTypes[i],
+                            snp.params);
+                }
+            }
+            return result;
+        }
+    }
+
+    /**
+     * Sets or clears options. If cleared, default options will be used
+     * at creation time.
+     * @param options
+     */
+    public void setOptions(KDCOptions options) {
+        checkState(State.INIT, "Cannot specify options");
+        this.options = options;
+    }
+
+    /**
+     * Sets or clears target. If cleared, KrbAsReq might choose krbtgt
+     * for cname realm
+     * @param sname
+     */
+    public void setTarget(PrincipalName sname) {
+        checkState(State.INIT, "Cannot specify target");
+        this.sname = sname;
+    }
+
+    /**
+     * Adds or clears addresses. KrbAsReq might add some if empty
+     * field not allowed
+     * @param addresses
+     */
+    public void setAddresses(HostAddresses addresses) {
+        checkState(State.INIT, "Cannot specify addresses");
+        this.addresses = addresses;
+    }
+
+    /**
+     * Build a KrbAsReq object from all info fed above. Normally this method
+     * will be called twice: initial AS-REQ and second with pakey
+     * @return the KrbAsReq object
+     * @throws KrbException
+     * @throws IOException
+     */
+    private KrbAsReq build() throws KrbException, IOException {
+        return new KrbAsReq(pakey,
+            options,
+            cname,
+            sname,
+            from,
+            till,
+            rtime,
+            eTypes,
+            addresses);
+    }
+
+    /**
+     * Parses AS-REP, decrypts enc-part, retrieves ticket and session key
+     * @throws KrbException
+     * @throws Asn1Exception
+     * @throws IOException
+     */
+    private KrbAsReqBuilder resolve() throws KrbException, Asn1Exception, IOException {
+        if (keys != null) {
+            rep.decryptUsingKeys(keys, req);
+        } else {
+            rep.decryptUsingPassword(password, req, cname);
+        }
+        if (rep.getPA() != null) {
+            if (paList == null || paList.length == 0) {
+                paList = rep.getPA();
+            } else {
+                int extraLen = rep.getPA().length;
+                if (extraLen > 0) {
+                    int oldLen = paList.length;
+                    paList = Arrays.copyOf(paList, paList.length + extraLen);
+                    System.arraycopy(rep.getPA(), 0, paList, oldLen, extraLen);
+                }
+            }
+        }
+        return this;
+    }
+
+    /**
+     * Communication until AS-REP or non preauth-related KRB-ERROR received
+     * @throws KrbException
+     * @throws IOException
+     */
+    private KrbAsReqBuilder send() throws KrbException, IOException {
+        boolean preAuthFailedOnce = false;
+        KdcComm comm = new KdcComm(cname.getRealmAsString());
+        while (true) {
+            try {
+                req = build();
+                rep = new KrbAsRep(comm.send(req.encoding()));
+                return this;
+            } catch (KrbException ke) {
+                if (!preAuthFailedOnce && (
+                        ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED ||
+                        ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED)) {
+                    if (Krb5.DEBUG) {
+                        System.out.println("KrbAsReqBuilder: " +
+                                "PREAUTH FAILED/REQ, re-send AS-REQ");
+                    }
+                    preAuthFailedOnce = true;
+                    KRBError kerr = ke.getError();
+                    if (password == null) {
+                        pakey = EncryptionKey.findKey(kerr.getEType(), keys);
+                    } else {
+                        PAData.SaltAndParams snp = PAData.getSaltAndParams(
+                                kerr.getEType(), kerr.getPA());
+                        if (kerr.getEType() == 0) {
+                            // Possible if PA-PW-SALT is in KRB-ERROR. RFC
+                            // does not recommend this
+                            pakey = EncryptionKey.acquireSecretKey(password,
+                                    snp.salt == null ? cname.getSalt() : snp.salt,
+                                    eTypes[0],
+                                    null);
+                        } else {
+                            pakey = EncryptionKey.acquireSecretKey(password,
+                                    snp.salt == null ? cname.getSalt() : snp.salt,
+                                    kerr.getEType(),
+                                    snp.params);
+                        }
+                    }
+                    paList = kerr.getPA();  // Update current paList
+                } else {
+                    throw ke;
+                }
+            }
+        }
+    }
+
+    /**
+     * Performs AS-REQ send and AS-REP receive.
+     * Maybe a state is needed here, to divide prepare process and getCreds.
+     * @throws KrbException
+     * @throws Asn1Exception
+     * @throws IOException
+     */
+    public KrbAsReqBuilder action()
+            throws KrbException, Asn1Exception, IOException {
+        checkState(State.INIT, "Cannot call action");
+        state = State.REQ_OK;
+        return send().resolve();
+    }
+
+    /**
+     * Gets Credentials object after action
+     */
+    public Credentials getCreds() {
+        checkState(State.REQ_OK, "Cannot retrieve creds");
+        return rep.getCreds();
+    }
+
+    /**
+     * Gets another type of Credentials after action
+     */
+    public sun.security.krb5.internal.ccache.Credentials getCCreds() {
+        checkState(State.REQ_OK, "Cannot retrieve CCreds");
+        return rep.getCCreds();
+    }
+
+    /**
+     * Destroys the object and clears keys and password info.
+     */
+    public void destroy() {
+        state = State.DESTROYED;
+        if (keys != null) {
+            for (EncryptionKey k: keys) {
+                k.destroy();
+            }
+            keys = null;
+        }
+        if (password != null) {
+            Arrays.fill(password, (char)0);
+            password = null;
+        }
+    }
+
+    /**
+     * Checks if the current state is the specified one.
+     * @param st the expected state
+     * @param msg error message if state is not correct
+     * @throws IllegalStateException if state is not correct
+     */
+    private void checkState(State st, String msg) {
+        if (state != st) {
+            throw new IllegalStateException(msg + " at " + st + " state");
+        }
+    }
+}

src/share/classes/sun/security/krb5/KrbTgsReq.java

 /*
- * Copyright (c) 2000, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,20 +31,16 @@
 
 package sun.security.krb5;
 
-import sun.security.util.*;
-import sun.security.krb5.EncryptionKey;
 import sun.security.krb5.internal.*;
 import sun.security.krb5.internal.crypto.*;
 import java.io.IOException;
 import java.net.UnknownHostException;
-import java.util.StringTokenizer;
-import java.io.InterruptedIOException;
 
 /**
  * This class encapsulates a Kerberos TGS-REQ that is sent from the
  * client to the KDC.
  */
-public class KrbTgsReq extends KrbKdcReq {
+public class KrbTgsReq {
 
     private PrincipalName princName;
     private PrincipalName servName;
@@ -56,7 +52,8 @@ public class KrbTgsReq extends KrbKdcReq {
 
     private static final boolean DEBUG = Krb5.DEBUG;
 
-    private int defaultTimeout = 30*1000; // 30 seconds
+    private byte[] obuf;
+    private byte[] ibuf;
 
      // Used in CredentialsUtil
     public KrbTgsReq(Credentials asCreds,
@@ -182,11 +179,12 @@ public class KrbTgsReq extends KrbKdcReq {
      * @throws KrbException
      * @throws IOException
      */
-    public String send() throws IOException, KrbException {
+    public void send() throws IOException, KrbException {
         String realmStr = null;
         if (servName != null)
             realmStr = servName.getRealmString();
-        return (send(realmStr));
+        KdcComm comm = new KdcComm(realmStr);
+        ibuf = comm.send(obuf);
     }
 
     public KrbTgsRep getReply()
@@ -201,18 +199,8 @@ public class KrbTgsReq extends KrbKdcReq {
     public Credentials sendAndGetCreds() throws IOException, KrbException {
         KrbTgsRep tgs_rep = null;
         String kdc = null;
-        try {
-            kdc = send();
-            tgs_rep = getReply();
-        } catch (KrbException ke) {
-            if (ke.returnCode() == Krb5.KRB_ERR_RESPONSE_TOO_BIG) {
-                // set useTCP and retry
-                send(servName.getRealmString(), kdc, true);
-                tgs_rep = getReply();
-            } else {
-                throw ke;
-            }
-        }
+        send();
+        tgs_rep = getReply();
         return tgs_rep.getCreds();
     }
 
@@ -240,7 +228,7 @@ public class KrbTgsReq extends KrbKdcReq {
                UnknownHostException, KrbCryptoException {
         KerberosTime req_till = null;
         if (till == null) {
-            req_till = new KerberosTime();
+            req_till = new KerberosTime(0);
         } else {
             req_till = till;
         }

src/share/classes/sun/security/krb5/PrincipalName.java

@@ -511,10 +511,6 @@ public class PrincipalName
         return salt;
     }
 
-    public void setSalt(String salt) {
-        this.salt = salt;
-    }
-
     public String toString() {
         StringBuffer str = new StringBuffer();
         for (int i = 0; i < nameStrings.length; i++) {

src/share/classes/sun/security/krb5/internal/KDCRep.java

@@ -32,7 +32,6 @@ package sun.security.krb5.internal;
 
 import sun.security.krb5.*;
 import sun.security.util.*;
-import java.util.Vector;
 import java.io.IOException;
 import java.math.BigInteger;
 
@@ -69,7 +68,7 @@ public class KDCRep {
     public EncKDCRepPart encKDCRepPart; //not part of ASN.1 encoding
     private int pvno;
     private int msgType;
-    private PAData[] pAData = null; //optional
+    public PAData[] pAData = null; //optional
     private boolean DEBUG = Krb5.DEBUG;
 
     public KDCRep(

src/share/classes/sun/security/krb5/internal/KRBError.java

 /*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,7 +41,9 @@ import sun.security.util.*;
 import java.io.IOException;
 import java.io.ObjectInputStream;
 import java.math.BigInteger;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.List;
 import sun.security.krb5.internal.util.KerberosString;
 /**
  * Implements the ASN.1 KRBError type.
@@ -96,10 +98,8 @@ public class KRBError implements java.io.Serializable {
     private byte[] eData; //optional
     private Checksum eCksum; //optional
 
-    // pre-auth info
-    private int etype = 0;
-    private String salt = null;
-    private byte[] s2kparams = null;
+    private PAData[] pa;    // PA-DATA in eData
+    private int pa_eType;   // The 1st etype appeared in salt-related PAData
 
     private static boolean DEBUG = Krb5.DEBUG;
 
@@ -260,10 +260,12 @@ public class KRBError implements java.io.Serializable {
     private void parsePAData(byte[] data)
             throws IOException, Asn1Exception {
         DerValue derPA = new DerValue(data);
+        List<PAData> paList = new ArrayList<PAData>();
         while (derPA.data.available() > 0) {
             // read the PA-DATA
             DerValue tmp = derPA.data.getDerValue();
             PAData pa_data = new PAData(tmp);
+            paList.add(pa_data);
             int pa_type = pa_data.getType();
             byte[] pa_value = pa_data.getValue();
             if (DEBUG) {
@@ -280,24 +282,13 @@ public class KRBError implements java.io.Serializable {
                 case Krb5.PA_ETYPE_INFO:
                     if (pa_value != null) {
                         DerValue der = new DerValue(pa_value);
-                        DerValue value = der.data.getDerValue();
-                        ETypeInfo info = new ETypeInfo(value);
-                        etype = info.getEType();
-                        salt = info.getSalt();
-                        if (DEBUG) {
-                            System.out.println("\t PA-ETYPE-INFO etype = " + etype);
-                            System.out.println("\t PA-ETYPE-INFO salt = " + salt);
-                        }
                         while (der.data.available() > 0) {
-                            value = der.data.getDerValue();
-                            info = new ETypeInfo(value);
+                            DerValue value = der.data.getDerValue();
+                            ETypeInfo info = new ETypeInfo(value);
+                            if (pa_eType == 0) pa_eType = info.getEType();
                             if (DEBUG) {
-                                etype = info.getEType();
-                                System.out.println("\t salt for " + etype
-                                        + " is " + info.getSalt());
-                            }
-                            if (salt == null || salt.isEmpty()) {
-                                salt = info.getSalt();
+                                System.out.println("\t PA-ETYPE-INFO etype = " + info.getEType());
+                                System.out.println("\t PA-ETYPE-INFO salt = " + info.getSalt());
                             }
                         }
                     }
@@ -305,25 +296,13 @@ public class KRBError implements java.io.Serializable {
                 case Krb5.PA_ETYPE_INFO2:
                     if (pa_value != null) {
                         DerValue der = new DerValue(pa_value);
-                        DerValue value = der.data.getDerValue();
-                        ETypeInfo2 info2 = new ETypeInfo2(value);
-                        etype = info2.getEType();
-                        salt = info2.getSalt();
-                        s2kparams = info2.getParams();
-                        if (DEBUG) {
-                            System.out.println("\t PA-ETYPE-INFO2 etype = " + etype);
-                            System.out.println("\t PA-ETYPE-INFO salt = " + salt);
-                        }
                         while (der.data.available() > 0) {
-                            value = der.data.getDerValue();
-                            info2 = new ETypeInfo2(value);
+                            DerValue value = der.data.getDerValue();
+                            ETypeInfo2 info2 = new ETypeInfo2(value);
+                            if (pa_eType == 0) pa_eType = info2.getEType();
                             if (DEBUG) {
-                                etype = info2.getEType();
-                                System.out.println("\t salt for " + etype
-                                        + " is " + info2.getSalt());
-                            }
-                            if (salt == null || salt.isEmpty()) {
-                                salt = info2.getSalt();
+                                System.out.println("\t PA-ETYPE-INFO2 etype = " + info2.getEType());
+                                System.out.println("\t PA-ETYPE-INFO2 salt = " + info2.getSalt());
                             }
                         }
                     }
@@ -333,6 +312,7 @@ public class KRBError implements java.io.Serializable {
                     break;
             }
         }
+        pa = paList.toArray(new PAData[paList.size()]);
     }
 
     public final KerberosTime getServerTime() {
@@ -356,18 +336,12 @@ public class KRBError implements java.io.Serializable {
     }
 
     // access pre-auth info
-    public final int getEType() {
-        return etype;
-    }
-
-    // access pre-auth info
-    public final String getSalt() {
-        return salt;
+    public final PAData[] getPA() {
+        return pa;
     }
 
-    // access pre-auth info
-    public final byte[] getParams() {
-        return ((s2kparams == null) ? null : s2kparams.clone());
+    public final int getEType() {
+        return pa_eType;
     }
 
     public final String getErrorString() {

src/share/classes/sun/security/krb5/internal/KerberosTime.java

@@ -77,11 +77,6 @@ public class KerberosTime implements Cloneable {
     public static final boolean NOW = true;
     public static final boolean UNADJUSTED_NOW = false;
 
-    //defaults to zero instead of now; use setNow() for current time
-    public KerberosTime() {
-        kerberosTime = 0;
-    }
-
     public KerberosTime(long time) {
         kerberosTime = time;
     }

src/share/classes/sun/security/krb5/internal/TCPClient.java → src/share/classes/sun/security/krb5/internal/NetClient.java

 /*
- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,18 +34,38 @@ package sun.security.krb5.internal;
 import java.io.*;
 import java.net.*;
 
-public class TCPClient {
+public abstract class NetClient {
+    public static NetClient getInstance(String protocol, String hostname, int port,
+            int timeout) throws IOException {
+        if (protocol.equals("TCP")) {
+            return new TCPClient(hostname, port, timeout);
+        } else {
+            return new UDPClient(hostname, port, timeout);
+        }
+    }
+
+    abstract public void send(byte[] data) throws IOException;
+
+    abstract public byte[] receive() throws IOException;
+
+    abstract public void close() throws IOException;
+}
+
+class TCPClient extends NetClient {
 
     private Socket tcpSocket;
     private BufferedOutputStream out;
     private BufferedInputStream in;
 
-    public TCPClient(String hostname, int port) throws IOException {
+    TCPClient(String hostname, int port, int timeout)
+            throws IOException {
         tcpSocket = new Socket(hostname, port);
         out = new BufferedOutputStream(tcpSocket.getOutputStream());
         in = new BufferedInputStream(tcpSocket.getInputStream());
+        tcpSocket.setSoTimeout(timeout);
     }
 
+    @Override
     public void send(byte[] data) throws IOException {
         byte[] lenField = new byte[4];
         intToNetworkByteOrder(data.length, lenField, 0, 4);
@@ -55,6 +75,7 @@ public class TCPClient {
         out.flush();
     }
 
+    @Override
     public byte[] receive() throws IOException {
         byte[] lenField = new byte[4];
         int count = readFully(lenField, 4);
@@ -94,6 +115,7 @@ public class TCPClient {
         }
     }
 
+    @Override
     public void close() throws IOException {
         tcpSocket.close();
     }
@@ -120,7 +142,7 @@ public class TCPClient {
     /**
      * Returns the integer represented by 4 bytes in network byte order.
      */
-    private static final int networkByteOrderToInt(byte[] buf, int start,
+    private static int networkByteOrderToInt(byte[] buf, int start,
         int count) {
         if (count > 4) {
             throw new IllegalArgumentException(
@@ -140,7 +162,7 @@ public class TCPClient {
      * Encodes an integer into 4 bytes in network byte order in the buffer
      * supplied.
      */
-    private static final void intToNetworkByteOrder(int num, byte[] buf,
+    private static void intToNetworkByteOrder(int num, byte[] buf,
         int start, int count) {
         if (count > 4) {
             throw new IllegalArgumentException(
@@ -153,3 +175,47 @@ public class TCPClient {
         }
     }
 }
+
+class UDPClient extends NetClient {
+    InetAddress iaddr;
+    int iport;
+    int bufSize = 65507;
+    DatagramSocket dgSocket;
+    DatagramPacket dgPacketIn;
+
+    UDPClient(String hostname, int port, int timeout)
+        throws UnknownHostException, SocketException {
+        iaddr = InetAddress.getByName(hostname);
+        iport = port;
+        dgSocket = new DatagramSocket();
+        dgSocket.setSoTimeout(timeout);
+    }
+
+    @Override
+    public void send(byte[] data) throws IOException {
+        DatagramPacket dgPacketOut = new DatagramPacket(data, data.length,
+                                                        iaddr, iport);
+        dgSocket.send(dgPacketOut);
+    }
+
+    @Override
+    public byte[] receive() throws IOException {
+        byte ibuf[] = new byte[bufSize];
+        dgPacketIn = new DatagramPacket(ibuf, ibuf.length);
+        try {
+            dgSocket.receive(dgPacketIn);
+        }
+        catch (SocketException e) {
+            dgSocket.receive(dgPacketIn);
+        }
+        byte[] data = new byte[dgPacketIn.getLength()];
+        System.arraycopy(dgPacketIn.getData(), 0, data, 0,
+                         dgPacketIn.getLength());
+        return data;
+    }
+
+    @Override
+    public void close() {
+        dgSocket.close();
+    }
+}

src/share/classes/sun/security/krb5/internal/PAData.java

@@ -30,9 +30,11 @@
 
 package sun.security.krb5.internal;
 
+import sun.security.krb5.KrbException;
 import sun.security.util.*;
 import sun.security.krb5.Asn1Exception;
 import java.io.IOException;
+import sun.security.krb5.internal.util.KerberosString;
 
 /**
  * Implements the ASN.1 PA-DATA type.
@@ -135,4 +137,75 @@ public class PAData {
     public byte[] getValue() {
         return ((pADataValue == null) ? null : pADataValue.clone());
     }
+
+    /**
+     * A place to store a pair of salt and s2kparams.
+     * An empty salt is changed to null, to be interopable
+     * with Windows 2000 server.
+     */
+    public static class SaltAndParams {
+        public final String salt;
+        public final byte[] params;
+        public SaltAndParams(String s, byte[] p) {
+            if (s != null && s.isEmpty()) s = null;
+            this.salt = s;
+            this.params = p;
+        }
+    }
+
+    /**
+     * Fetches salt and s2kparams value for eType in a series of PA-DATAs.
+     * The preference order is PA-ETYPE-INFO2 > PA-ETYPE-INFO > PA-PW-SALT.
+     * If multiple PA-DATA for the same etype appears, use the last one.
+     * (This is useful when PA-DATAs from KRB-ERROR and AS-REP are combined).
+     * @return salt and s2kparams. never null, its field might be null.
+     */
+    public static SaltAndParams getSaltAndParams(int eType, PAData[] pas)
+            throws Asn1Exception, KrbException {
+
+        if (pas == null || pas.length == 0) {
+            return new SaltAndParams(null, null);
+        }
+
+        String paPwSalt = null;
+        ETypeInfo2 info2 = null;
+        ETypeInfo info = null;
+
+        for (PAData p: pas) {
+            if (p.getValue() != null) {
+                try {
+                    switch (p.getType()) {
+                        case Krb5.PA_PW_SALT:
+                            paPwSalt = new String(p.getValue(),
+                                    KerberosString.MSNAME?"UTF8":"8859_1");
+                            break;
+                        case Krb5.PA_ETYPE_INFO:
+                            DerValue der = new DerValue(p.getValue());
+                            while (der.data.available() > 0) {
+                                DerValue value = der.data.getDerValue();
+                                ETypeInfo tmp = new ETypeInfo(value);
+                                if (tmp.getEType() == eType) info = tmp;
+                            }
+                            break;
+                        case Krb5.PA_ETYPE_INFO2:
+                            der = new DerValue(p.getValue());
+                            while (der.data.available() > 0) {
+                                DerValue value = der.data.getDerValue();
+                                ETypeInfo2 tmp = new ETypeInfo2(value);
+                                if (tmp.getEType() == eType) info2 = tmp;
+                            }
+                            break;
+                    }
+                } catch (IOException ioe) {
+                    // Ignored
+                }
+            }
+        }
+        if (info2 != null) {
+            return new SaltAndParams(info2.getSalt(), info2.getParams());
+        } else if (info != null) {
+            return new SaltAndParams(info.getSalt(), null);
+        }
+        return new SaltAndParams(paPwSalt, null);
+    }
 }