Merge

make/java/java/Makefile

@@ -390,7 +390,7 @@ clean::
 LOCALES_GEN_SH = localelist.sh
 
 $(GENSRCDIR)/sun/util/CoreResourceBundleControl.java: \
-	$(SHARE_SRC)/classes/sun/util/CoreResourceBundleControl-XLocales.java $(LOCALES_GEN_SH)
+	$(SHARE_SRC)/classes/sun/util/CoreResourceBundleControl-XLocales.java.template $(LOCALES_GEN_SH)
 	@$(prep-target) 
 	NAWK="$(NAWK)" SED="$(SED)" $(SH) $(LOCALES_GEN_SH) "$(JRE_NONEXIST_LOCALES)" \
 		$< $@ 

make/java/java/genlocales.gmk

@@ -68,7 +68,7 @@ NonEuro_Resources_properties := $(FILES_compiled_properties)
 FILES_java := $(FILES_java_orig)
 FILES_compiled_properties := $(FILES_compiled_properties_orig)
 
-LocaleDataMetaInfo_Src=$(SHARE_SRC)/classes/sun/util/LocaleDataMetaInfo-XLocales.java
+LocaleDataMetaInfo_Src=$(SHARE_SRC)/classes/sun/util/LocaleDataMetaInfo-XLocales.java.template
 LocaleDataMetaInfo_Dest=$(GENSRCDIR)/sun/util/LocaleDataMetaInfo.java
 LOCALEGEN_SH=localegen.sh
 RESOURCE_NAMES="FormatData CollationData TimeZoneNames LocaleNames CurrencyNames CalendarData"

make/java/java/localegen.sh

@@ -27,7 +27,7 @@
 
 #
 # This script is to generate the supported locale list string and replace the
-# LocaleDataMetaInfo-XLocales.java in <ws>/src/share/classes/sun/util
+# LocaleDataMetaInfo-XLocales.java.template in <ws>/src/share/classes/sun/util
 # 
 # SORT, NAWK & SED is passed in as environment variables.
 #

make/java/jli/Makefile

@@ -96,6 +96,7 @@ OTHER_CPPFLAGS += $(LIBARCH_DEFINES)
 
 
 ifneq ($(PLATFORM), windows)	# UNIX systems
+        LD_RUNPATH_EXTRAS += ..
 	LIB_LOCATION = $(LIBDIR)/$(LIBARCH)/jli
 	# Note: its important to keep this order meaning -lc is the
 	# last library otherwise it could cause compatibility issues

make/java/main/java/Makefile

@@ -61,8 +61,5 @@ OTHER_CPPFLAGS += -DLAUNCHER_NAME='"$(LAUNCHER_NAME)"'
 
 ifeq ($(PLATFORM), solaris)
 LDFLAGS += -R$(OPENWIN_LIB)
-endif
-
-ifeq ($(PLATFORM), solaris)
 LDFLAGS += -M mapfile-$(ARCH)
 endif

make/java/nio/Makefile

@@ -834,7 +834,7 @@ $(SCH_GEN)/SocketOptionRegistry.java: $(GENSOR_EXE)
 GENCSSRC = $(BUILDDIR)/tools/CharsetMapping
 CHARSETMAPPING_JARFILE = $(BUILDTOOLJARDIR)/charsetmapping.jar
 
-$(FILES_gensbcs_out): $(GENCSSRC)/SingleByte-X.java $(GENCSSRC)/sbcs
+$(FILES_gensbcs_out): $(GENCSSRC)/SingleByte-X.java.template $(GENCSSRC)/sbcs
 	@$(prep-target)
 	$(BOOT_JAVA_CMD) -jar $(CHARSETMAPPING_JARFILE) $(GENCSSRC) $(SCS_GEN) sbcs
 

make/java/redist/Makefile

@@ -194,10 +194,8 @@ endif
 # For backwards compatability, make a link of the 32-bit client JVM to $(LIBDIR)
 IMPORT_LIST += $(LIB_LOCATION)/$(JVM_NAME)
 
-# create a link from lib/libjvm.so to client/libjvm.so
 $(LIB_LOCATION)/$(JVM_NAME): $(LIB_LOCATION)/$(CLIENT_LOCATION)/$(JVM_NAME)
 	@$(prep-target)
-	$(LN) -s $(CLIENT_LOCATION)/$(JVM_NAME) $@
 
 #  solaris   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ solaris
 endif # 32bit solaris

make/netbeans/README

@@ -411,7 +411,7 @@ Creating your own NetBeans project
             java/util/regex/,\
             java/util/spi/,\
             java/util/zip/,\
-            **/*-XLocales.java
+            **/*-XLocales.java.template
         jtreg.tests=\
             java/util/**/*Collection/ \
             java/util/**/*Map/ \

make/sun/nio/Makefile

@@ -82,7 +82,9 @@ $(FILES_DAT): $(FILES_MAP)
 		$(FILES_MAP) $(FILES_DAT) sjis0213
 
 
-$(FILES_genout_extcs): $(GENCSDATASRC)/SingleByte-X.java  $(GENCSDATASRC)/DoubleByte-X.java \
+$(FILES_genout_extcs): \
+                $(GENCSDATASRC)/SingleByte-X.java.template  \
+		$(GENCSDATASRC)/DoubleByte-X.java.template \
 		$(GENCSDATASRC)/extsbcs $(GENCSDATASRC)/dbcs
 	@$(prep-target)
 	$(RM) -r $(GENCSEXT)

make/tools/src/build/tools/charsetmapping/GenerateDBCS.java

@@ -63,7 +63,7 @@ public class GenerateDBCS {
             int    b2Min    = toInteger(fields[8]);
             int    b2Max    = toInteger(fields[9]);
             System.out.printf("%s,%s,%s,%b,%s%n", clzName, csName, hisName, isASCII, pkgName);
-            genClass(args[0], args[1], "DoubleByte-X.java",
+            genClass(args[0], args[1], "DoubleByte-X.java.template",
                     clzName, csName, hisName, pkgName,
                     isASCII, type,
                     b1Min, b1Max, b2Min, b2Max);

make/tools/src/build/tools/charsetmapping/GenerateSBCS.java

@@ -55,7 +55,7 @@ public class GenerateSBCS {
             String pkgName  = fields[4];
             System.out.printf("%s,%s,%s,%b,%s%n", clzName, csName, hisName, isASCII, pkgName);
 
-            genClass(args[0], args[1], "SingleByte-X.java",
+            genClass(args[0], args[1], "SingleByte-X.java.template",
                      clzName, csName, hisName, pkgName, isASCII);
         }
     }

src/share/bin/java.c

 /*
- * Copyright 1995-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1995-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,15 +41,13 @@
  * options are turned into "-foo" options to the vm.  This option
  * filtering is handled in a number of places in the launcher, some of
  * it in machine-dependent code.  In this file, the function
- * CheckJVMType removes vm style options and TranslateApplicationArgs
- * removes "-J" prefixes.  On unix platforms, the
- * CreateExecutionEnvironment function from the unix java_md.c file
- * processes and removes -d<n> options.  However, in case
- * CreateExecutionEnvironment does not need to exec because
- * LD_LIBRARY_PATH is set acceptably and the data model does not need
- * to be changed, ParseArguments will screen out the redundant -d<n>
- * options and prevent them from being passed to the vm; this is done
- * by RemovableOption.
+ * CheckJvmType removes vm style options and TranslateApplicationArgs
+ * removes "-J" prefixes.  The CreateExecutionEnvironment function processes
+ * and removes -d<n> options. On unix, there is a possibility that the running
+ * data model may not match to the desired data model, in this case an exec is
+ * required to start the desired model. If the data models match, then
+ * ParseArguments will remove the -d<n> flags. If the data models do not match
+ * the CreateExecutionEnviroment will remove the -d<n> flags.
  */
 
 
@@ -1891,11 +1889,11 @@ DumpState()
  * Return JNI_TRUE for an option string that has no effect but should
  * _not_ be passed on to the vm; return JNI_FALSE otherwise.  On
  * Solaris SPARC, this screening needs to be done if:
- * 1) LD_LIBRARY_PATH does _not_ need to be reset and
- * 2) -d32 or -d64 is passed to a binary with a matching data model
- *    (the exec in SetLibraryPath removes -d<n> options and points the
- *    exec to the proper binary).  When this exec is not done, these options
- *    would end up getting passed onto the vm.
+ *    -d32 or -d64 is passed to a binary with an unmatched data model
+ *    (the exec in CreateExecutionEnvironment removes -d<n> options and points the
+ *    exec to the proper binary).  In the case of when the data model and the
+ *    requested version is matched, an exec would not occur, and these options
+ *    were erroneously passed to the vm.
  */
 jboolean
 RemovableOption(char * option)

src/share/classes/com/sun/crypto/provider/HmacCore.java

@@ -36,7 +36,7 @@ import java.security.spec.*;
 
 /**
  * This class constitutes the core of HMAC-<MD> algorithms, where
- * <MD> can be SHA1 or MD5, etc.
+ * <MD> can be SHA1 or MD5, etc. See RFC 2104 for spec.
  *
  * It also contains the implementation classes for the SHA-256,
  * SHA-384, and SHA-512 HMACs.
@@ -116,7 +116,7 @@ final class HmacCore implements Cloneable {
         }
 
         byte[] secret = key.getEncoded();
-        if (secret == null || secret.length == 0) {
+        if (secret == null) {
             throw new InvalidKeyException("Missing key data");
         }
 

src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java

 /*
- * Copyright 2005-2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2005-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,21 +25,19 @@
 
 package com.sun.crypto.provider;
 
-import java.io.*;
+import java.io.ObjectStreamException;
 import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.nio.charset.Charset;
 import java.util.Arrays;
 import java.security.KeyRep;
 import java.security.GeneralSecurityException;
-import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.spec.InvalidKeySpecException;
 import javax.crypto.Mac;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
 
 /**
  * This class represents a PBE key derived using PBKDF2 defined
@@ -123,7 +121,7 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
         this.key = deriveKey(prf, passwdBytes, salt, iterCount, keyLength);
     }
 
-    private static byte[] deriveKey(Mac prf, byte[] password, byte[] salt,
+    private static byte[] deriveKey(final Mac prf, final byte[] password, byte[] salt,
                                     int iterCount, int keyLengthInBit) {
         int keyLength = keyLengthInBit/8;
         byte[] key = new byte[keyLength];
@@ -133,7 +131,34 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
             int intR = keyLength - (intL - 1)*hlen; // residue
             byte[] ui = new byte[hlen];
             byte[] ti = new byte[hlen];
-            SecretKey macKey = new SecretKeySpec(password, prf.getAlgorithm());
+            // SecretKeySpec cannot be used, since password can be empty here.
+            SecretKey macKey = new SecretKey() {
+                @Override
+                public String getAlgorithm() {
+                    return prf.getAlgorithm();
+                }
+                @Override
+                public String getFormat() {
+                    return "RAW";
+                }
+                @Override
+                public byte[] getEncoded() {
+                    return password;
+                }
+                @Override
+                public int hashCode() {
+                    return Arrays.hashCode(password) * 41 +
+                            prf.getAlgorithm().toLowerCase().hashCode();
+                }
+                @Override
+                public boolean equals(Object obj) {
+                    if (this == obj) return true;
+                    if (this.getClass() != obj.getClass()) return false;
+                    SecretKey sk = (SecretKey)obj;
+                    return prf.getAlgorithm().equalsIgnoreCase(sk.getAlgorithm()) &&
+                            Arrays.equals(password, sk.getEncoded());
+                }
+            };
             prf.init(macKey);
 
             byte[] ibytes = new byte[4];
@@ -230,7 +255,7 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
      * @throws ObjectStreamException if a new object representing
      * this PBE key could not be created
      */
-    private Object writeReplace() throws java.io.ObjectStreamException {
+    private Object writeReplace() throws ObjectStreamException {
             return new KeyRep(KeyRep.Type.SECRET, getAlgorithm(),
                               getFormat(), getEncoded());
     }

src/share/classes/com/sun/jmx/mbeanserver/Introspector.java

@@ -26,6 +26,7 @@
 package com.sun.jmx.mbeanserver;
 
 import java.lang.annotation.Annotation;
+import java.lang.ref.SoftReference;
 import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
@@ -33,8 +34,13 @@ import java.lang.reflect.Modifier;
 import java.lang.reflect.Proxy;
 import java.lang.reflect.UndeclaredThrowableException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
+import java.util.LinkedList;
+import java.util.Locale;
 import java.util.Map;
+import java.util.WeakHashMap;
 
 import javax.management.Descriptor;
 import javax.management.DescriptorKey;
@@ -506,11 +512,25 @@ public class Introspector {
             } else {
                 // Java Beans introspection
                 //
-                BeanInfo bi = java.beans.Introspector.getBeanInfo(complex.getClass());
-                PropertyDescriptor[] pds = bi.getPropertyDescriptors();
-                for (PropertyDescriptor pd : pds)
-                    if (pd.getName().equals(element))
-                        return pd.getReadMethod().invoke(complex);
+                Class<?> clazz = complex.getClass();
+                Method readMethod = null;
+                if (BeansHelper.isAvailable()) {
+                    Object bi = BeansHelper.getBeanInfo(clazz);
+                    Object[] pds = BeansHelper.getPropertyDescriptors(bi);
+                    for (Object pd: pds) {
+                        if (BeansHelper.getPropertyName(pd).equals(element)) {
+                            readMethod = BeansHelper.getReadMethod(pd);
+                            break;
+                        }
+                    }
+                } else {
+                    // Java Beans not available so use simple introspection
+                    // to locate method
+                    readMethod = SimpleIntrospector.getReadMethod(clazz, element);
+                }
+                if (readMethod != null)
+                    return readMethod.invoke(complex);
+
                 throw new AttributeNotFoundException(
                     "Could not find the getter method for the property " +
                     element + " using the Java Beans introspector");
@@ -524,4 +544,235 @@ public class Introspector {
                 new AttributeNotFoundException(e.getMessage()), e);
         }
     }
+
+    /**
+     * A simple introspector that uses reflection to analyze a class and
+     * identify its "getter" methods. This class is intended for use only when
+     * Java Beans is not present (which implies that there isn't explicit
+     * information about the bean available).
+     */
+    private static class SimpleIntrospector {
+        private SimpleIntrospector() { }
+
+        private static final String GET_METHOD_PREFIX = "get";
+        private static final String IS_METHOD_PREFIX = "is";
+
+        // cache to avoid repeated lookups
+        private static final Map<Class<?>,SoftReference<List<Method>>> cache =
+            Collections.synchronizedMap(
+                new WeakHashMap<Class<?>,SoftReference<List<Method>>> ());
+
+        /**
+         * Returns the list of methods cached for the given class, or {@code null}
+         * if not cached.
+         */
+        private static List<Method> getCachedMethods(Class<?> clazz) {
+            // return cached methods if possible
+            SoftReference<List<Method>> ref = cache.get(clazz);
+            if (ref != null) {
+                List<Method> cached = ref.get();
+                if (cached != null)
+                    return cached;
+            }
+            return null;
+        }
+
+        /**
+         * Returns {@code true} if the given method is a "getter" method (where
+         * "getter" method is a public method of the form getXXX or "boolean
+         * isXXX")
+         */
+        static boolean isReadMethod(Method method) {
+            // ignore static methods
+            int modifiers = method.getModifiers();
+            if (Modifier.isStatic(modifiers))
+                return false;
+
+            String name = method.getName();
+            Class<?>[] paramTypes = method.getParameterTypes();
+            int paramCount = paramTypes.length;
+
+            if (paramCount == 0 && name.length() > 2) {
+                // boolean isXXX()
+                if (name.startsWith(IS_METHOD_PREFIX))
+                    return (method.getReturnType() == boolean.class);
+                // getXXX()
+                if (name.length() > 3 && name.startsWith(GET_METHOD_PREFIX))
+                    return (method.getReturnType() != void.class);
+            }
+            return false;
+        }
+
+        /**
+         * Returns the list of "getter" methods for the given class. The list
+         * is ordered so that isXXX methods appear before getXXX methods - this
+         * is for compatability with the JavaBeans Introspector.
+         */
+        static List<Method> getReadMethods(Class<?> clazz) {
+            // return cached result if available
+            List<Method> cachedResult = getCachedMethods(clazz);
+            if (cachedResult != null)
+                return cachedResult;
+
+            // get list of public methods, filtering out methods that have
+            // been overridden to return a more specific type.
+            List<Method> methods =
+                StandardMBeanIntrospector.getInstance().getMethods(clazz);
+            methods = MBeanAnalyzer.eliminateCovariantMethods(methods);
+
+            // filter out the non-getter methods
+            List<Method> result = new LinkedList<Method>();
+            for (Method m: methods) {
+                if (isReadMethod(m)) {
+                    // favor isXXX over getXXX
+                    if (m.getName().startsWith(IS_METHOD_PREFIX)) {
+                        result.add(0, m);
+                    } else {
+                        result.add(m);
+                    }
+                }
+            }
+
+            // add result to cache
+            cache.put(clazz, new SoftReference<List<Method>>(result));
+
+            return result;
+        }
+
+        /**
+         * Returns the "getter" to read the given property from the given class or
+         * {@code null} if no method is found.
+         */
+        static Method getReadMethod(Class<?> clazz, String property) {
+            // first character in uppercase (compatability with JavaBeans)
+            property = property.substring(0, 1).toUpperCase(Locale.ENGLISH) +
+                property.substring(1);
+            String getMethod = GET_METHOD_PREFIX + property;
+            String isMethod = IS_METHOD_PREFIX + property;
+            for (Method m: getReadMethods(clazz)) {
+                String name = m.getName();
+                if (name.equals(isMethod) || name.equals(getMethod)) {
+                    return m;
+                }
+            }
+            return null;
+        }
+    }
+
+    /**
+     * A class that provides access to the JavaBeans Introspector and
+     * PropertyDescriptors without creating a static dependency on java.beans.
+     */
+    private static class BeansHelper {
+        private static final Class<?> introspectorClass =
+            getClass("java.beans.Introspector");
+        private static final Class<?> beanInfoClass =
+            (introspectorClass == null) ? null : getClass("java.beans.BeanInfo");
+        private static final Class<?> getPropertyDescriptorClass =
+            (beanInfoClass == null) ? null : getClass("java.beans.PropertyDescriptor");
+
+        private static final Method getBeanInfo =
+            getMethod(introspectorClass, "getBeanInfo", Class.class);
+        private static final Method getPropertyDescriptors =
+            getMethod(beanInfoClass, "getPropertyDescriptors");
+        private static final Method getPropertyName =
+            getMethod(getPropertyDescriptorClass, "getName");
+        private static final Method getReadMethod =
+            getMethod(getPropertyDescriptorClass, "getReadMethod");
+
+        private static Class<?> getClass(String name) {
+            try {
+                return Class.forName(name, true, null);
+            } catch (ClassNotFoundException e) {
+                return null;
+            }
+        }
+        private static Method getMethod(Class<?> clazz,
+                                        String name,
+                                        Class<?>... paramTypes)
+        {
+            if (clazz != null) {
+                try {
+                    return clazz.getMethod(name, paramTypes);
+                } catch (NoSuchMethodException e) {
+                    throw new AssertionError(e);
+                }
+            } else {
+                return null;
+            }
+        }
+
+        private BeansHelper() { }
+
+        /**
+         * Returns {@code true} if java.beans is available.
+         */
+        static boolean isAvailable() {
+            return introspectorClass != null;
+        }
+
+        /**
+         * Invokes java.beans.Introspector.getBeanInfo(Class)
+         */
+        static Object getBeanInfo(Class<?> clazz) throws Exception {
+            try {
+                return getBeanInfo.invoke(null, clazz);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof Exception)
+                    throw (Exception)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+
+        /**
+         * Invokes java.beans.BeanInfo.getPropertyDescriptors()
+         */
+        static Object[] getPropertyDescriptors(Object bi) {
+            try {
+                return (Object[])getPropertyDescriptors.invoke(bi);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+
+        /**
+         * Invokes java.beans.PropertyDescriptor.getName()
+         */
+        static String getPropertyName(Object pd) {
+            try {
+                return (String)getPropertyName.invoke(pd);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+
+        /**
+         * Invokes java.beans.PropertyDescriptor.getReadMethod()
+         */
+        static Method getReadMethod(Object pd) {
+            try {
+                return (Method)getReadMethod.invoke(pd);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+    }
 }

src/share/classes/com/sun/jmx/mbeanserver/MBeanIntrospector.java

@@ -175,7 +175,7 @@ abstract class MBeanIntrospector<M> {
     /**
      * Get the methods to be analyzed to build the MBean interface.
      */
-    List<Method> getMethods(final Class<?> mbeanType) throws Exception {
+    List<Method> getMethods(final Class<?> mbeanType) {
         return Arrays.asList(mbeanType.getMethods());
     }
 

src/share/classes/com/sun/security/auth/PolicyFile.java

@@ -34,8 +34,6 @@ import java.util.*;
 
 import java.security.AccessController;
 import java.security.CodeSource;
-import java.security.Identity;
-import java.security.IdentityScope;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.Permission;
@@ -267,7 +265,7 @@ public class PolicyFile extends javax.security.auth.Policy {
     private boolean initialized = false;
 
     private boolean expandProperties = true;
-    private boolean ignoreIdentityScope = false;
+    private boolean ignoreIdentityScope = true;
 
     // for use with the reflection API
 
@@ -459,9 +457,6 @@ public class PolicyFile extends javax.security.auth.Policy {
         }
     }
 
-    /** the scope to check */
-    private static IdentityScope scope = null;
-
     /**
      * Checks public key. If it is marked as trusted in
      * the identity database, add it to the policy

src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java

@@ -99,4 +99,58 @@ public interface ExtendedGSSContext extends GSSContext {
      */
     public Object inquireSecContext(InquireType type)
             throws GSSException;
+
+    /**
+     * Requests that the delegation policy be respected. When a true value is
+     * requested, the underlying context would use the delegation policy
+     * defined by the environment as a hint to determine whether credentials
+     * delegation should be performed. This request can only be made on the
+     * context initiator's side and it has to be done prior to the first
+     * call to <code>initSecContext</code>.
+     * <p>
+     * When this flag is false, delegation will only be tried when the
+     * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+     * is true.
+     * <p>
+     * When this flag is true but the
+     * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+     * is false, delegation will be only tried if the delegation policy permits
+     * delegation.
+     * <p>
+     * When both this flag and the
+     * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+     * are true, delegation will be always tried. However, if the delegation
+     * policy does not permit delegation, the value of
+     * {@link #getDelegPolicyState} will be false, even
+     * if delegation is performed successfully.
+     * <p>
+     * In any case, if the delegation is not successful, the value returned
+     * by {@link GSSContext#getCredDelegState()} is false, and the value
+     * returned by {@link #getDelegPolicyState()} is also false.
+     * <p>
+     * Not all mechanisms support delegation policy. Therefore, the
+     * application should check to see if the request was honored with the
+     * {@link #getDelegPolicyState() getDelegPolicyState} method. When
+     * delegation policy is not supported, <code>requestDelegPolicy</code>
+     * should return silently without throwing an exception.
+     * <p>
+     * Note: for the Kerberos 5 mechanism, the delegation policy is expressed
+     * through the OK-AS-DELEGATE flag in the service ticket. When it's true,
+     * the KDC permits delegation to the target server. In a cross-realm
+     * environment, in order for delegation be permitted, all cross-realm TGTs
+     * on the authentication path must also have the OK-AS-DELAGATE flags set.
+     * @param state true if the policy should be respected
+     * @throws GSSException containing the following
+     * major error codes:
+     *   {@link GSSException#FAILURE GSSException.FAILURE}
+     */
+    public void requestDelegPolicy(boolean state) throws GSSException;
+
+    /**
+     * Returns the delegation policy response. Called after a security context
+     * is established. This method can be only called on the initiator's side.
+     * See {@link ExtendedGSSContext#requestDelegPolicy}.
+     * @return the delegation policy response
+     */
+    public boolean getDelegPolicyState();
 }

src/share/classes/com/sun/tools/hat/internal/model/JavaStatic.java

@@ -57,7 +57,10 @@ public class JavaStatic {
             id = ((JavaObjectRef)value).getId();
         }
         value = value.dereference(snapshot, field);
-        if (value.isHeapAllocated()) {
+        if (value.isHeapAllocated() &&
+            clazz.getLoader() == snapshot.getNullThing()) {
+            // static fields are only roots if they are in classes
+            //    loaded by the root classloader.
             JavaHeapObject ho = (JavaHeapObject) value;
             String s = "Static reference from " + clazz.getName()
                        + "." + field.getName();

src/share/classes/com/sun/tracing/ProviderFactory.java

@@ -4,7 +4,10 @@ package com.sun.tracing;
 import java.util.HashSet;
 import java.io.PrintStream;
 import java.lang.reflect.Field;
-import java.util.logging.Logger;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import sun.security.action.GetPropertyAction;
 
 import sun.tracing.NullProviderFactory;
 import sun.tracing.PrintStreamProviderFactory;
@@ -52,23 +55,17 @@ public abstract class ProviderFactory {
         HashSet<ProviderFactory> factories = new HashSet<ProviderFactory>();
 
         // Try to instantiate a DTraceProviderFactory
-        String prop = null;
-        try { prop = System.getProperty("com.sun.tracing.dtrace"); }
-        catch (java.security.AccessControlException e) {
-            Logger.getAnonymousLogger().fine(
-                "Cannot access property com.sun.tracing.dtrace");
-        }
+        String prop = AccessController.doPrivileged(
+            new GetPropertyAction("com.sun.tracing.dtrace"));
+
         if ( (prop == null || !prop.equals("disable")) &&
              DTraceProviderFactory.isSupported() ) {
             factories.add(new DTraceProviderFactory());
         }
 
         // Try to instantiate an output stream factory
-        try { prop = System.getProperty("sun.tracing.stream"); }
-        catch (java.security.AccessControlException e) {
-            Logger.getAnonymousLogger().fine(
-                "Cannot access property sun.tracing.stream");
-        }
+        prop = AccessController.doPrivileged(
+            new GetPropertyAction("sun.tracing.stream"));
         if (prop != null) {
             for (String spec : prop.split(",")) {
                 PrintStream ps = getPrintStreamFromSpec(spec);
@@ -89,22 +86,29 @@ public abstract class ProviderFactory {
         }
     }
 
-    private static PrintStream getPrintStreamFromSpec(String spec) {
+    private static PrintStream getPrintStreamFromSpec(final String spec) {
         try {
             // spec is in the form of <class>.<field>, where <class> is
             // a fully specified class name, and <field> is a static member
             // in that class.  The <field> must be a 'PrintStream' or subtype
             // in order to be used.
-            int fieldpos = spec.lastIndexOf('.');
-            Class<?> cls = Class.forName(spec.substring(0, fieldpos));
-            Field f = cls.getField(spec.substring(fieldpos + 1));
-            Class<?> fieldType = f.getType();
+            final int fieldpos = spec.lastIndexOf('.');
+            final Class<?> cls = Class.forName(spec.substring(0, fieldpos));
+
+            Field f = AccessController.doPrivileged(new PrivilegedExceptionAction<Field>() {
+                public Field run() throws NoSuchFieldException {
+                    return cls.getField(spec.substring(fieldpos + 1));
+                }
+            });
+
             return (PrintStream)f.get(null);
-        } catch (Exception e) {
-            Logger.getAnonymousLogger().warning(
-                "Could not parse sun.tracing.stream property: " + e);
+        } catch (ClassNotFoundException e) {
+            throw new AssertionError(e);
+        } catch (IllegalAccessException e) {
+            throw new AssertionError(e);
+        } catch (PrivilegedActionException e) {
+            throw new AssertionError(e);
         }
-        return null;
     }
 }
 

src/share/classes/java/lang/ClassLoader.java

@@ -175,15 +175,8 @@ import sun.security.util.SecurityConstants;
 public abstract class ClassLoader {
 
     private static native void registerNatives();
-
-    // Set of classes which are registered as parallel capable class loaders
-    private static final Set<Class<? extends ClassLoader>> parallelLoaders
-        = Collections.newSetFromMap(Collections.synchronizedMap
-              (new WeakHashMap<Class<? extends ClassLoader>, Boolean>()));
-
     static {
         registerNatives();
-        parallelLoaders.add(ClassLoader.class);
     }
 
     // The parent class loader for delegation
@@ -191,6 +184,52 @@ public abstract class ClassLoader {
     // must be added *after* it.
     private final ClassLoader parent;
 
+    /**
+     * Encapsulates the set of parallel capable loader types.
+     */
+    private static class ParallelLoaders {
+        private ParallelLoaders() {}
+
+        // the set of parallel capable loader types
+        private static final Set<Class<? extends ClassLoader>> loaderTypes =
+            Collections.newSetFromMap(
+                new WeakHashMap<Class<? extends ClassLoader>, Boolean>());
+        static {
+            synchronized (loaderTypes) { loaderTypes.add(ClassLoader.class); }
+        }
+
+        /**
+         * Registers the given class loader type as parallel capabale.
+         * Returns {@code true} is successfully registered; {@code false} if
+         * loader's super class is not registered.
+         */
+        static boolean register(Class<? extends ClassLoader> c) {
+            synchronized (loaderTypes) {
+                if (loaderTypes.contains(c.getSuperclass())) {
+                    // register the class loader as parallel capable
+                    // if and only if all of its super classes are.
+                    // Note: given current classloading sequence, if
+                    // the immediate super class is parallel capable,
+                    // all the super classes higher up must be too.
+                    loaderTypes.add(c);
+                    return true;
+                } else {
+                    return false;
+                }
+            }
+        }
+
+        /**
+         * Returns {@code true} if the given class loader type is
+         * registered as parallel capable.
+         */
+        static boolean isRegistered(Class<? extends ClassLoader> c) {
+            synchronized (loaderTypes) {
+                return loaderTypes.contains(c);
+            }
+        }
+    }
+
     // Maps class name to the corresponding lock object when the current
     // class loader is parallel capable.
     // Note: VM also uses this field to decide if the current class loader
@@ -237,7 +276,7 @@ public abstract class ClassLoader {
 
     private ClassLoader(Void unused, ClassLoader parent) {
         this.parent = parent;
-        if (parallelLoaders.contains(this.getClass())) {
+        if (ParallelLoaders.isRegistered(this.getClass())) {
             parallelLockMap = new ConcurrentHashMap<String, Object>();
             package2certs = new ConcurrentHashMap<String, Certificate[]>();
             domains =
@@ -1194,24 +1233,7 @@ public abstract class ClassLoader {
      * @since   1.7
      */
     protected static boolean registerAsParallelCapable() {
-        Class<? extends ClassLoader> caller = getCaller(1);
-        Class superCls = caller.getSuperclass();
-        boolean result = false;
-        // Explicit synchronization needed for composite action
-        synchronized (parallelLoaders) {
-            if (!parallelLoaders.contains(caller)) {
-                if (parallelLoaders.contains(superCls)) {
-                    // register the immediate caller as parallel capable
-                    // if and only if all of its super classes are.
-                    // Note: given current classloading sequence, if
-                    // the immediate super class is parallel capable,
-                    // all the super classes higher up must be too.
-                    result = true;
-                    parallelLoaders.add(caller);
-                }
-            } else result = true;
-        }
-        return result;
+        return ParallelLoaders.register(getCaller(1));
     }
 
     /**
@@ -2174,4 +2196,3 @@ class SystemClassLoaderAction
         return sys;
     }
 }
-

src/share/classes/java/lang/System.java

@@ -619,6 +619,20 @@ public final class System {
         return props;
     }
 
+    /**
+     * Returns the system-dependent line separator string.  It always
+     * returns the same value - the initial value of the {@linkplain
+     * #getProperty(String) system property} {@code line.separator}.
+     *
+     * <p>On UNIX systems, it returns {@code "\n"}; on Microsoft
+     * Windows systems it returns {@code "\r\n"}.
+     */
+    public static String lineSeparator() {
+        return lineSeparator;
+    }
+
+    private static String lineSeparator;
+
     /**
      * Sets the system properties to the <code>Properties</code>
      * argument.
@@ -1104,6 +1118,7 @@ public final class System {
     private static void initializeSystemClass() {
         props = new Properties();
         initProperties(props);
+        lineSeparator = props.getProperty("line.separator");
         sun.misc.Version.init();
 
         // Workaround until DownloadManager initialization is revisited.
@@ -1192,7 +1207,7 @@ public final class System {
     }
 
     /* returns the class of the caller. */
-    static Class getCallerClass() {
+    static Class<?> getCallerClass() {
         // NOTE use of more generic Reflection.getCallerClass()
         return Reflection.getCallerClass(3);
     }

src/share/classes/java/net/CookieManager.java

@@ -30,6 +30,7 @@ import java.util.List;
 import java.util.Collections;
 import java.util.Comparator;
 import java.io.IOException;
+import sun.util.logging.PlatformLogger;
 
 /**
  * CookieManager provides a concrete implementation of {@link CookieHandler},
@@ -263,6 +264,7 @@ public class CookieManager extends CookieHandler
         if (cookieJar == null)
             return;
 
+    PlatformLogger logger = PlatformLogger.getLogger("java.net.CookieManager");
         for (String headerKey : responseHeaders.keySet()) {
             // RFC 2965 3.2.2, key must be 'Set-Cookie2'
             // we also accept 'Set-Cookie' here for backward compatibility
@@ -277,7 +279,16 @@ public class CookieManager extends CookieHandler
 
             for (String headerValue : responseHeaders.get(headerKey)) {
                 try {
-                    List<HttpCookie> cookies = HttpCookie.parse(headerValue);
+                    List<HttpCookie> cookies;
+                    try {
+                        cookies = HttpCookie.parse(headerValue);
+                    } catch (IllegalArgumentException e) {
+                        // Bogus header, make an empty list and log the error
+                        cookies = java.util.Collections.EMPTY_LIST;
+                        if (logger.isLoggable(PlatformLogger.SEVERE)) {
+                            logger.severe("Invalid cookie for " + uri + ": " + headerValue);
+                        }
+                    }
                     for (HttpCookie cookie : cookies) {
                         if (cookie.getPath() == null) {
                             // If no path is specified, then by default

src/share/classes/java/net/HttpCookie.java

@@ -1036,7 +1036,7 @@ public final class HttpCookie implements Cloneable {
                         int version = Integer.parseInt(attrValue);
                         cookie.setVersion(version);
                     } catch (NumberFormatException ignored) {
-                        throw new IllegalArgumentException("Illegal cookie version attribute");
+                        // Just ignore bogus version, it will default to 0 or 1
                     }
                 }
             });
@@ -1147,12 +1147,15 @@ public final class HttpCookie implements Cloneable {
     }
 
     private static String stripOffSurroundingQuote(String str) {
-        if (str != null && str.length() > 0 &&
+        if (str != null && str.length() > 2 &&
             str.charAt(0) == '"' && str.charAt(str.length() - 1) == '"') {
             return str.substring(1, str.length() - 1);
-        } else {
-            return str;
         }
+        if (str != null && str.length() > 2 &&
+            str.charAt(0) == '\'' && str.charAt(str.length() - 1) == '\'') {
+            return str.substring(1, str.length() - 1);
+        }
+        return str;
     }
 
     private static boolean equalsIgnoreCase(String s, String t) {

src/share/classes/java/nio/channels/Selector.java

@@ -25,6 +25,7 @@
 
 package java.nio.channels;
 
+import java.io.Closeable;
 import java.io.IOException;
 import java.nio.channels.spi.SelectorProvider;
 import java.util.Set;
@@ -202,7 +203,7 @@ import java.util.Set;
  * @see SelectionKey
  */
 
-public abstract class Selector {
+public abstract class Selector implements Closeable {
 
     /**
      * Initializes a new instance of this class.

src/share/classes/java/util/Formatter.java

@@ -2552,9 +2552,6 @@ public final class Formatter implements Closeable, Flushable {
         private boolean dt = false;
         private char c;
 
-        // cache the line separator
-        private String ls;
-
         private int index(String s) {
             if (s != null) {
                 try {
@@ -2702,9 +2699,7 @@ public final class Formatter implements Closeable, Flushable {
                 printHashCode(arg);
                 break;
             case Conversion.LINE_SEPARATOR:
-                if (ls == null)
-                    ls = System.getProperty("line.separator");
-                a.append(ls);
+                a.append(System.lineSeparator());
                 break;
             case Conversion.PERCENT_SIGN:
                 a.append('%');

src/share/classes/java/util/zip/Deflater.java

@@ -318,7 +318,7 @@ class Deflater {
     /**
      * Compresses the input data and fills specified buffer with compressed
      * data. Returns actual number of bytes of compressed data. A return value
-     * of 0 indicates that {@link needsInput() needsInput} should be called
+     * of 0 indicates that {@link #needsInput() needsInput} should be called
      * in order to determine if more input data is required.
      *
      * <p>This method uses {@link #NO_FLUSH} as its compression flush mode.
@@ -339,7 +339,7 @@ class Deflater {
     /**
      * Compresses the input data and fills specified buffer with compressed
      * data. Returns actual number of bytes of compressed data. A return value
-     * of 0 indicates that {@link needsInput() needsInput} should be called
+     * of 0 indicates that {@link #needsInput() needsInput} should be called
      * in order to determine if more input data is required.
      *
      * <p>This method uses {@link #NO_FLUSH} as its compression flush mode.

src/share/classes/java/util/zip/DeflaterOutputStream.java

@@ -66,7 +66,7 @@ class DeflaterOutputStream extends FilterOutputStream {
      * @param def the compressor ("deflater")
      * @param size the output buffer size
      * @param syncFlush
-     *        if {@code true} the {@link flush()} method of this
+     *        if {@code true} the {@link #flush()} method of this
      *        instance flushes the compressor with flush mode
      *        {@link Deflater#SYNC_FLUSH} before flushing the output
      *        stream, otherwise only flushes the output stream
@@ -114,7 +114,7 @@ class DeflaterOutputStream extends FilterOutputStream {
      * @param out the output stream
      * @param def the compressor ("deflater")
      * @param syncFlush
-     *        if {@code true} the {@link flush()} method of this
+     *        if {@code true} the {@link #flush()} method of this
      *        instance flushes the compressor with flush mode
      *        {@link Deflater#SYNC_FLUSH} before flushing the output
      *        stream, otherwise only flushes the output stream
@@ -151,7 +151,7 @@ class DeflaterOutputStream extends FilterOutputStream {
      *
      * @param out the output stream
      * @param syncFlush
-     *        if {@code true} the {@link flush()} method of this
+     *        if {@code true} the {@link #flush()} method of this
      *        instance flushes the compressor with flush mode
      *        {@link Deflater#SYNC_FLUSH} before flushing the output
      *        stream, otherwise only flushes the output stream
@@ -262,10 +262,10 @@ class DeflaterOutputStream extends FilterOutputStream {
     /**
      * Flushes the compressed output stream.
      *
-     * If {@link DeflaterOutputStream(OutputStream, Deflater, int, boolean)
+     * If {@link #DeflaterOutputStream(OutputStream, Deflater, int, boolean)
      * syncFlush} is {@code true} when this compressed output stream is
-     * constructed this method flushes the underlying {@code compressor}
-     * first with the flush mode {@link Deflater#SYNC_FLUSH} to force
+     * constructed, this method first flushes the underlying {@code compressor}
+     * with the flush mode {@link Deflater#SYNC_FLUSH} to force
      * all pending data to be flushed out to the output stream and then
      * flushes the output stream. Otherwise this method only flushes the
      * output stream without flushing the {@code compressor}.

src/share/classes/javax/naming/InitialContext.java

 /*
- * Copyright 1999-2005 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -198,6 +198,8 @@ public class InitialContext implements Context {
      *
      * <p> This constructor will not modify <tt>environment</tt>
      * or save a reference to it, but may save a clone.
+     * Caller should not modify mutable keys and values in
+     * <tt>environment</tt> after it has been passed to the constructor.
      *
      * @param environment
      *          environment used to create the initial context.

src/share/classes/javax/naming/directory/InitialDirContext.java

 /*
- * Copyright 1999-2004 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -86,6 +86,8 @@ public class InitialDirContext extends InitialContext implements DirContext {
      *
      * <p> This constructor will not modify <tt>environment</tt>
      * or save a reference to it, but may save a clone.
+     * Caller should not modify mutable keys and values in
+     * <tt>environment</tt> after it has been passed to the constructor.
      *
      * @param environment
      *          environment used to create the initial DirContext.

src/share/classes/javax/naming/ldap/InitialLdapContext.java

 /*
- * Copyright 1999-2004 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 1999-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -110,6 +110,8 @@ public class InitialLdapContext extends InitialDirContext implements LdapContext
      *
      * <p> This constructor will not modify its parameters or
      * save references to them, but may save a clone or copy.
+     * Caller should not modify mutable keys and values in
+     * <tt>environment</tt> after it has been passed to the constructor.
      *
      * <p> <tt>connCtls</tt> is used as the underlying context instance's
      * connection request controls.  See the class description

src/share/classes/javax/security/auth/Subject.java

@@ -40,7 +40,6 @@ import java.security.PrivilegedExceptionAction;
 import java.security.PrivilegedActionException;
 import java.security.ProtectionDomain;
 import sun.security.util.ResourcesMgr;
-import sun.security.util.SecurityConstants;
 
 /**
  * <p> A <code>Subject</code> represents a grouping of related information
@@ -239,7 +238,7 @@ public final class Subject implements java.io.Serializable {
     public void setReadOnly() {
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new AuthPermission("setReadOnly"));
+            sm.checkPermission(AuthPermissionHolder.SET_READ_ONLY_PERMISSION);
         }
 
         this.readOnly = true;
@@ -285,7 +284,7 @@ public final class Subject implements java.io.Serializable {
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new AuthPermission("getSubject"));
+            sm.checkPermission(AuthPermissionHolder.GET_SUBJECT_PERMISSION);
         }
 
         if (acc == null) {
@@ -343,7 +342,7 @@ public final class Subject implements java.io.Serializable {
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
         }
         if (action == null)
             throw new NullPointerException
@@ -402,7 +401,7 @@ public final class Subject implements java.io.Serializable {
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
         }
 
         if (action == null)
@@ -456,7 +455,7 @@ public final class Subject implements java.io.Serializable {
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PRIVILEGED_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
         }
 
         if (action == null)
@@ -520,7 +519,7 @@ public final class Subject implements java.io.Serializable {
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PRIVILEGED_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
         }
 
         if (action == null)
@@ -1044,16 +1043,13 @@ public final class Subject implements java.io.Serializable {
                     if (sm != null) {
                         switch (which) {
                         case Subject.PRINCIPAL_SET:
-                            sm.checkPermission(new AuthPermission
-                                        ("modifyPrincipals"));
+                            sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
                             break;
                         case Subject.PUB_CREDENTIAL_SET:
-                            sm.checkPermission(new AuthPermission
-                                        ("modifyPublicCredentials"));
+                            sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
                             break;
                         default:
-                            sm.checkPermission(new AuthPermission
-                                        ("modifyPrivateCredentials"));
+                            sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
                             break;
                         }
                     }
@@ -1073,16 +1069,13 @@ public final class Subject implements java.io.Serializable {
             if (sm != null) {
                 switch (which) {
                 case Subject.PRINCIPAL_SET:
-                    sm.checkPermission
-                        (new AuthPermission("modifyPrincipals"));
+                    sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
                     break;
                 case Subject.PUB_CREDENTIAL_SET:
-                    sm.checkPermission
-                        (new AuthPermission("modifyPublicCredentials"));
+                    sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
                     break;
                 default:
-                    sm.checkPermission
-                        (new AuthPermission("modifyPrivateCredentials"));
+                    sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
                     break;
                 }
             }
@@ -1405,4 +1398,27 @@ public final class Subject implements java.io.Serializable {
             return set.add(o);
         }
     }
+
+    static class AuthPermissionHolder {
+        static final AuthPermission DO_AS_PERMISSION =
+            new AuthPermission("doAs");
+
+        static final AuthPermission DO_AS_PRIVILEGED_PERMISSION =
+            new AuthPermission("doAsPrivileged");
+
+        static final AuthPermission SET_READ_ONLY_PERMISSION =
+            new AuthPermission("setReadOnly");
+
+        static final AuthPermission GET_SUBJECT_PERMISSION =
+            new AuthPermission("getSubject");
+
+        static final AuthPermission MODIFY_PRINCIPALS_PERMISSION =
+            new AuthPermission("modifyPrincipals");
+
+        static final AuthPermission MODIFY_PUBLIC_CREDENTIALS_PERMISSION =
+            new AuthPermission("modifyPublicCredentials");
+
+        static final AuthPermission MODIFY_PRIVATE_CREDENTIALS_PERMISSION =
+            new AuthPermission("modifyPrivateCredentials");
+    }
 }

src/share/classes/org/ietf/jgss/GSSContext.java

 /*
- * Copyright 2000-2001 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -678,7 +678,7 @@ public interface GSSContext {
      * are not definitive then the method will attempt to treat all
      * available bytes as part of the token.<p>
      *
-     * Other than the possible blocking behaviour described above, this
+     * Other than the possible blocking behavior described above, this
      * method is equivalent to the byte array based {@link #unwrap(byte[],
      * int, int, MessageProp) unwrap} method.<p>
      *
@@ -826,7 +826,7 @@ public interface GSSContext {
      * are not definitive then the method will attempt to treat all
      * available bytes as part of the token.<p>
      *
-     * Other than the possible blocking behaviour described above, this
+     * Other than the possible blocking behavior described above, this
      * method is equivalent to the byte array based {@link #verifyMIC(byte[],
      * int, int, byte[], int, int, MessageProp) verifyMIC} method.<p>
      *
@@ -917,7 +917,7 @@ public interface GSSContext {
      * getMutualAuthState} method.<p>
      *
      * @param state a boolean value indicating whether mutual
-     * authentication shouls be used or not.
+     * authentication should be used or not.
      * @see #getMutualAuthState()
      *
      * @throws GSSException containing the following
@@ -928,7 +928,7 @@ public interface GSSContext {
 
     /**
      * Requests that replay detection be enabled for the
-     * per-message security services after context establishemnt. This
+     * per-message security services after context establishment. This
      * request can only be made on the context initiator's side and it has
      * to be done prior to the first call to
      * <code>initSecContext</code>. During context establishment replay
@@ -958,7 +958,7 @@ public interface GSSContext {
 
     /**
      * Requests that sequence checking be enabled for the
-     * per-message security services after context establishemnt. This
+     * per-message security services after context establishment. This
      * request can only be made on the context initiator's side and it has
      * to be done prior to the first call to
      * <code>initSecContext</code>. During context establishment sequence

src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java

@@ -25,6 +25,7 @@
 
 package sun.net.www.protocol.http.spnego;
 
+import com.sun.security.jgss.ExtendedGSSContext;
 import java.io.IOException;
 
 import org.ietf.jgss.GSSContext;
@@ -100,15 +101,10 @@ public class NegotiatorImpl extends Negotiator {
                                         null,
                                         GSSContext.DEFAULT_LIFETIME);
 
-        // In order to support credential delegation in HTTP/SPNEGO,
-        // we always request it before initSecContext. The current
-        // implementation will check the OK-AS-DELEGATE flag inside
-        // the service ticket of the web server, and only enable
-        // delegation when this flag is set. This check is only
-        // performed when the GSS caller is CALLER_HTTP_NEGOTIATE,
-        // so all other normal GSS-API calls are not affected.
-
-        context.requestCredDeleg(true);
+        // Always respect delegation policy in HTTP/SPNEGO.
+        if (context instanceof ExtendedGSSContext) {
+            ((ExtendedGSSContext)context).requestDelegPolicy(true);
+        }
         oneToken = context.initSecContext(new byte[0], 0, 0);
     }
 

src/share/classes/sun/security/jgss/GSSContextImpl.java

@@ -89,7 +89,8 @@ import com.sun.security.jgss.*;
  */
 class GSSContextImpl implements ExtendedGSSContext {
 
-    private GSSManagerImpl gssManager = null;
+    private final GSSManagerImpl gssManager;
+    private final boolean initiator;
 
     // private flags for the context state
     private static final int PRE_INIT = 1;
@@ -99,14 +100,12 @@ class GSSContextImpl implements ExtendedGSSContext {
 
     // instance variables
     private int currentState = PRE_INIT;
-    private boolean initiator;
 
     private GSSContextSpi mechCtxt = null;
     private Oid mechOid = null;
     private ObjectIdentifier objId = null;
 
     private GSSCredentialImpl myCred = null;
-    private GSSCredentialImpl delegCred = null;
 
     private GSSNameImpl srcName = null;
     private GSSNameImpl targName = null;
@@ -121,6 +120,7 @@ class GSSContextImpl implements ExtendedGSSContext {
     private boolean reqSequenceDetState = true;
     private boolean reqCredDelegState = false;
     private boolean reqAnonState = false;
+    private boolean reqDelegPolicyState = false;
 
     /**
      * Creates a GSSContextImp on the context initiator's side.
@@ -221,6 +221,7 @@ class GSSContextImpl implements ExtendedGSSContext {
                 mechCtxt.requestSequenceDet(reqSequenceDetState);
                 mechCtxt.requestAnonymity(reqAnonState);
                 mechCtxt.setChannelBinding(channelBindings);
+                mechCtxt.requestDelegPolicy(reqDelegPolicyState);
 
                 objId = new ObjectIdentifier(mechOid.toString());
 
@@ -465,42 +466,42 @@ class GSSContextImpl implements ExtendedGSSContext {
     }
 
     public void requestMutualAuth(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqMutualAuthState = state;
     }
 
     public void requestReplayDet(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqReplayDetState = state;
     }
 
     public void requestSequenceDet(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqSequenceDetState = state;
     }
 
     public void requestCredDeleg(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqCredDelegState = state;
     }
 
     public void requestAnonymity(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqAnonState = state;
     }
 
     public void requestConf(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqConfState = state;
     }
 
     public void requestInteg(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqIntegState = state;
     }
 
     public void requestLifetime(int lifetime) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqLifetime = lifetime;
     }
 
@@ -630,6 +631,8 @@ class GSSContextImpl implements ExtendedGSSContext {
         targName = null;
     }
 
+    // ExtendedGSSContext methods:
+
     @Override
     public Object inquireSecContext(InquireType type) throws GSSException {
         SecurityManager security = System.getSecurityManager();
@@ -641,4 +644,18 @@ class GSSContextImpl implements ExtendedGSSContext {
         }
         return mechCtxt.inquireSecContext(type);
     }
+
+    @Override
+    public void requestDelegPolicy(boolean state) throws GSSException {
+        if (mechCtxt == null && initiator)
+            reqDelegPolicyState = state;
+    }
+
+    @Override
+    public boolean getDelegPolicyState() {
+        if (mechCtxt != null)
+            return mechCtxt.getDelegPolicyState();
+        else
+            return reqDelegPolicyState;
+    }
 }

src/share/classes/sun/security/jgss/krb5/InitialToken.java

@@ -85,32 +85,39 @@ abstract class InitialToken extends Krb5Token {
             int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE +
                 CHECKSUM_FLAGS_SIZE;
 
+            if (!tgt.isForwardable()) {
+                context.setCredDelegState(false);
+                context.setDelegPolicyState(false);
+            } else if (context.getCredDelegState()) {
+                if (context.getDelegPolicyState()) {
+                    if (!serviceTicket.checkDelegate()) {
+                        // delegation not permitted by server policy, mark it
+                        context.setDelegPolicyState(false);
+                    }
+                }
+            } else if (context.getDelegPolicyState()) {
+                if (serviceTicket.checkDelegate()) {
+                    context.setCredDelegState(true);
+                } else {
+                    context.setDelegPolicyState(false);
+                }
+            }
+
             if (context.getCredDelegState()) {
-                if (context.getCaller() instanceof HttpCaller &&
-                        !serviceTicket.getFlags()[Krb5.TKT_OPTS_DELEGATE]) {
-                    // When the caller is HTTP/SPNEGO and OK-AS-DELEGATE
-                    // is not present in the service ticket, delegation
-                    // is disabled.
-                    context.setCredDelegState(false);
-                } else if (!tgt.isForwardable()) {
-                    // XXX log this resetting of delegation state
-                    context.setCredDelegState(false);
+                KrbCred krbCred = null;
+                CipherHelper cipherHelper =
+                    context.getCipherHelper(serviceTicket.getSessionKey());
+                if (useNullKey(cipherHelper)) {
+                    krbCred = new KrbCred(tgt, serviceTicket,
+                                              EncryptionKey.NULL_KEY);
                 } else {
-                    KrbCred krbCred = null;
-                    CipherHelper cipherHelper =
-                        context.getCipherHelper(serviceTicket.getSessionKey());
-                    if (useNullKey(cipherHelper)) {
-                        krbCred = new KrbCred(tgt, serviceTicket,
-                                                  EncryptionKey.NULL_KEY);
-                    } else {
-                        krbCred = new KrbCred(tgt, serviceTicket,
-                                        serviceTicket.getSessionKey());
-                    }
-                    krbCredMessage = krbCred.getMessage();
-                    size += CHECKSUM_DELEG_OPT_SIZE +
-                            CHECKSUM_DELEG_LGTH_SIZE +
-                            krbCredMessage.length;
+                    krbCred = new KrbCred(tgt, serviceTicket,
+                                    serviceTicket.getSessionKey());
                 }
+                krbCredMessage = krbCred.getMessage();
+                size += CHECKSUM_DELEG_OPT_SIZE +
+                        CHECKSUM_DELEG_LGTH_SIZE +
+                        krbCredMessage.length;
             }
 
             checksumBytes = new byte[size];
@@ -296,6 +303,7 @@ abstract class InitialToken extends Krb5Token {
             return delegCreds;
         }
 
+        // Only called by acceptor
         public void setContextFlags(Krb5Context context) {
                 // default for cred delegation is false
             if ((flags & CHECKSUM_DELEG_FLAG) > 0)

src/share/classes/sun/security/jgss/krb5/Krb5Context.java

@@ -78,6 +78,7 @@ class Krb5Context implements GSSContextSpi {
     private boolean sequenceDetState  = true;
     private boolean confState  = true;
     private boolean integState  = true;
+    private boolean delegPolicyState = false;
 
     private int mySeqNumber;
     private int peerSeqNumber;
@@ -299,6 +300,21 @@ class Krb5Context implements GSSContextSpi {
         return sequenceDetState || replayDetState;
     }
 
+    /**
+     * Requests that the deleg policy be respected.
+     */
+    public final void requestDelegPolicy(boolean value) {
+        if (state == STATE_NEW && isInitiator())
+            delegPolicyState = value;
+    }
+
+    /**
+     * Is deleg policy respected?
+     */
+    public final boolean getDelegPolicyState() {
+        return delegPolicyState;
+    }
+
     /*
      * Anonymity is a little different in that after an application
      * requests anonymity it will want to know whether the mechanism
@@ -422,6 +438,10 @@ class Krb5Context implements GSSContextSpi {
         integState = state;
     }
 
+    final void setDelegPolicyState(boolean state) {
+        delegPolicyState = state;
+    }
+
     /**
      * Sets the channel bindings to be used during context
      * establishment.

src/share/classes/sun/security/jgss/spi/GSSContextSpi.java

@@ -124,6 +124,8 @@ public interface GSSContextSpi {
 
     public void requestInteg(boolean state) throws GSSException;
 
+    public void requestDelegPolicy(boolean state) throws GSSException;
+
     public void setChannelBinding(ChannelBinding cb) throws GSSException;
 
     public boolean getCredDelegState();
@@ -136,6 +138,8 @@ public interface GSSContextSpi {
 
     public boolean getAnonymityState();
 
+    public boolean getDelegPolicyState();
+
     public boolean isTransferable() throws GSSException;
 
     public boolean isProtReady();

src/share/classes/sun/security/jgss/spnego/SpNegoContext.java

@@ -63,6 +63,7 @@ public class SpNegoContext implements GSSContextSpi {
     private boolean sequenceDetState = true;
     private boolean confState = true;
     private boolean integState = true;
+    private boolean delegPolicyState = false;
 
     private GSSNameSpi peerName = null;
     private GSSNameSpi myName = null;
@@ -153,6 +154,14 @@ public class SpNegoContext implements GSSContextSpi {
             integState  = value;
     }
 
+    /**
+     * Requests that deleg policy be respected.
+     */
+    public final void requestDelegPolicy(boolean value) throws GSSException {
+        if (state == STATE_NEW && isInitiator())
+            delegPolicyState = value;
+    }
+
     /**
      * Is integrity available?
      */
@@ -160,6 +169,19 @@ public class SpNegoContext implements GSSContextSpi {
         return integState;
     }
 
+    /**
+     * Is deleg policy respected?
+     */
+    public final boolean getDelegPolicyState() {
+        if (isInitiator() && mechContext != null &&
+                mechContext instanceof ExtendedGSSContext &&
+                (state == STATE_IN_PROCESS || state == STATE_DONE)) {
+            return ((ExtendedGSSContext)mechContext).getDelegPolicyState();
+        } else {
+            return delegPolicyState;
+        }
+    }
+
     /**
      * Requests that credential delegation be done during context
      * establishment.
@@ -173,7 +195,7 @@ public class SpNegoContext implements GSSContextSpi {
      * Is credential delegation enabled?
      */
     public final boolean getCredDelegState() {
-        if (mechContext != null &&
+        if (isInitiator() && mechContext != null &&
                 (state == STATE_IN_PROCESS || state == STATE_DONE)) {
             return mechContext.getCredDelegState();
         } else {
@@ -201,30 +223,6 @@ public class SpNegoContext implements GSSContextSpi {
         return mutualAuthState;
     }
 
-    final void setCredDelegState(boolean state) {
-        credDelegState = state;
-    }
-
-    final void setMutualAuthState(boolean state) {
-        mutualAuthState = state;
-    }
-
-    final void setReplayDetState(boolean state) {
-        replayDetState = state;
-    }
-
-    final void setSequenceDetState(boolean state) {
-        sequenceDetState = state;
-    }
-
-    final void setConfState(boolean state) {
-        confState = state;
-    }
-
-    final void setIntegState(boolean state) {
-        integState = state;
-    }
-
     /**
      * Returns the mechanism oid.
      *
@@ -319,14 +317,9 @@ public class SpNegoContext implements GSSContextSpi {
                 mechToken = GSS_initSecContext(null);
 
                 errorCode = GSSException.DEFECTIVE_TOKEN;
-                byte[] micToken = null;
-                if (!GSSUtil.useMSInterop()) {
-                    // calculate MIC only in normal mode
-                    micToken = generateMechListMIC(DER_mechTypes);
-                }
                 // generate SPNEGO token
                 initToken = new NegTokenInit(DER_mechTypes, getContextFlags(),
-                                        mechToken, micToken);
+                                        mechToken, null);
                 if (DEBUG) {
                     System.out.println("SpNegoContext.initSecContext: " +
                                 "sending token of type = " +
@@ -585,15 +578,9 @@ public class SpNegoContext implements GSSContextSpi {
                                 "negotiated result = " + negoResult);
                 }
 
-                // calculate MIC only in normal mode
-                byte[] micToken = null;
-                if (!GSSUtil.useMSInterop() && valid) {
-                    micToken = generateMechListMIC(DER_mechTypes);
-                }
-
                 // generate SPNEGO token
                 NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
-                                mech_wanted, accept_token, micToken);
+                                mech_wanted, accept_token, null);
                 if (DEBUG) {
                     System.out.println("SpNegoContext.acceptSecContext: " +
                                 "sending token of type = " +
@@ -653,6 +640,10 @@ public class SpNegoContext implements GSSContextSpi {
             throw gssException;
         }
 
+        if (state == STATE_DONE) {
+            // now set the context flags for acceptor
+            setContextFlags();
+        }
         return retVal;
     }
 
@@ -703,36 +694,39 @@ public class SpNegoContext implements GSSContextSpi {
         return out;
     }
 
+    // Only called on acceptor side. On the initiator side, most flags
+    // are already set at request. For those that might get chanegd,
+    // state from mech below is used.
     private void setContextFlags() {
 
         if (mechContext != null) {
             // default for cred delegation is false
             if (mechContext.getCredDelegState()) {
-                setCredDelegState(true);
+                credDelegState = true;
             }
             // default for the following are true
             if (!mechContext.getMutualAuthState()) {
-                setMutualAuthState(false);
+                mutualAuthState = false;
             }
             if (!mechContext.getReplayDetState()) {
-                setReplayDetState(false);
+                replayDetState = false;
             }
             if (!mechContext.getSequenceDetState()) {
-                setSequenceDetState(false);
+                sequenceDetState = false;
             }
             if (!mechContext.getIntegState()) {
-                setIntegState(false);
+                integState = false;
             }
             if (!mechContext.getConfState()) {
-                setConfState(false);
+                confState = false;
             }
         }
     }
 
     /**
-     * generate MIC on mechList
+     * generate MIC on mechList. Not used at the moment.
      */
-    private byte[] generateMechListMIC(byte[] mechTypes)
+    /*private byte[] generateMechListMIC(byte[] mechTypes)
         throws GSSException {
 
         // sanity check the required input
@@ -769,7 +763,7 @@ public class SpNegoContext implements GSSContextSpi {
             }
         }
         return mic;
-    }
+    }*/
 
     /**
      * verify MIC on MechList
@@ -837,6 +831,10 @@ public class SpNegoContext implements GSSContextSpi {
             mechContext.requestMutualAuth(mutualAuthState);
             mechContext.requestReplayDet(replayDetState);
             mechContext.requestSequenceDet(sequenceDetState);
+            if (mechContext instanceof ExtendedGSSContext) {
+                ((ExtendedGSSContext)mechContext).requestDelegPolicy(
+                        delegPolicyState);
+            }
         }
 
         // pass token
@@ -1202,5 +1200,5 @@ public class SpNegoContext implements GSSContextSpi {
                     "inquireSecContext not supported by underlying mech.");
         }
     }
-
 }
+

src/share/classes/sun/security/jgss/spnego/SpNegoMechFactory.java

@@ -57,6 +57,12 @@ public final class SpNegoMechFactory implements MechanismFactory {
                         GSSName.NT_HOSTBASED_SERVICE,
                         GSSName.NT_EXPORT_NAME};
 
+    // The default underlying mech of SPNEGO, must not be SPNEGO itself.
+    private static final Oid DEFAULT_SPNEGO_MECH_OID =
+            ProviderList.DEFAULT_MECH_OID.equals(GSS_SPNEGO_MECH_OID)?
+                GSSUtil.GSS_KRB5_MECH_OID:
+                ProviderList.DEFAULT_MECH_OID;
+
     // Use an instance of a GSSManager whose provider list
     // does not include native provider
     final GSSManagerImpl manager;
@@ -100,18 +106,27 @@ public final class SpNegoMechFactory implements MechanismFactory {
                 availableMechs[j++] = mechs[i];
             }
         }
+        // Move the preferred mech to first place
+        for (int i=0; i<availableMechs.length; i++) {
+            if (availableMechs[i].equals(DEFAULT_SPNEGO_MECH_OID)) {
+                if (i != 0) {
+                    availableMechs[i] = availableMechs[0];
+                    availableMechs[0] = DEFAULT_SPNEGO_MECH_OID;
+                }
+                break;
+            }
+        }
     }
 
     public GSSNameSpi getNameElement(String nameStr, Oid nameType)
-        throws GSSException {
-        // get NameElement for the default Mechanism
-        return manager.getNameElement(nameStr, nameType, null);
+            throws GSSException {
+        return manager.getNameElement(
+                nameStr, nameType, DEFAULT_SPNEGO_MECH_OID);
     }
 
     public GSSNameSpi getNameElement(byte[] name, Oid nameType)
-        throws GSSException {
-        // get NameElement for the default Mechanism
-        return manager.getNameElement(name, nameType, null);
+            throws GSSException {
+        return manager.getNameElement(name, nameType, DEFAULT_SPNEGO_MECH_OID);
     }
 
     public GSSCredentialSpi getCredentialElement(GSSNameSpi name,

src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java

@@ -549,6 +549,9 @@ class NativeGSSContext implements GSSContextSpi {
     public void requestInteg(boolean state) throws GSSException {
         changeFlags(GSS_C_INTEG_FLAG, state);
     }
+    public void requestDelegPolicy(boolean state) throws GSSException {
+        // Not supported, ignore
+    }
     public void requestLifetime(int lifetime) throws GSSException {
         if (isInitiator && pContext == 0) {
             this.lifetime = lifetime;
@@ -590,6 +593,9 @@ class NativeGSSContext implements GSSContextSpi {
     public boolean getIntegState() {
         return checkFlags(GSS_C_INTEG_FLAG);
     }
+    public boolean getDelegPolicyState() {
+        return false;
+    }
     public int getLifetime() {
         return cStub.getContextTime(pContext);
     }

src/share/classes/sun/security/krb5/Credentials.java

@@ -234,7 +234,19 @@ public class Credentials {
      * @return true if OK-AS_DELEGATE flag is set, otherwise, return false.
      */
     public boolean checkDelegate() {
-        return (flags.get(Krb5.TKT_OPTS_DELEGATE));
+        return flags.get(Krb5.TKT_OPTS_DELEGATE);
+    }
+
+    /**
+     * Reset TKT_OPTS_DELEGATE to false, called at credentials acquirement
+     * when one of the cross-realm TGTs does not have the OK-AS-DELEGATE
+     * flag set. This info must be preservable and restorable through
+     * the Krb5Util.credsToTicket/ticketToCreds() methods so that even if
+     * the service ticket is cached it still remembers the cross-realm
+     * authentication result.
+     */
+    public void resetDelegate() {
+        flags.set(Krb5.TKT_OPTS_DELEGATE, false);
     }
 
     public Credentials renew() throws KrbException, IOException {

src/share/classes/sun/security/krb5/internal/CredentialsUtil.java

 /*
- * Portions Copyright 2001-2004 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2001-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -117,6 +117,7 @@ rs.
 
         // Get a list of realms to traverse
         String[] realms = Realm.getRealmsList(localRealm, serviceRealm);
+        boolean okAsDelegate = true;
 
         if (realms == null || realms.length == 0)
         {
@@ -194,6 +195,15 @@ rs.
              */
 
             newTgtRealm = newTgt.getServer().getInstanceComponent();
+            if (okAsDelegate && !newTgt.checkDelegate()) {
+                if (DEBUG)
+                {
+                    System.out.println(">>> Credentials acquireServiceCreds: " +
+                            "global OK-AS-DELEGATE turned off at " +
+                            newTgt.getServer());
+                }
+                okAsDelegate = false;
+            }
 
             if (DEBUG)
             {
@@ -283,6 +293,9 @@ rs.
                 System.out.println(">>> Credentials acquireServiceCreds: returning creds:");
                 Credentials.printDebug(theCreds);
             }
+            if (!okAsDelegate) {
+                theCreds.resetDelegate();
+            }
             return theCreds;
         }
         throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED,

src/share/classes/sun/security/pkcs/PKCS10.java

@@ -44,7 +44,6 @@ import sun.security.util.*;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509Key;
 import sun.security.x509.X500Name;
-import sun.security.x509.X500Signer;
 
 /**
  * A PKCS #10 certificate request is created and sent to a Certificate
@@ -183,13 +182,13 @@ public class PKCS10 {
      * Create the signed certificate request.  This will later be
      * retrieved in either string or binary format.
      *
-     * @param requester identifies the signer (by X.500 name)
-     *          and provides the private key used to sign.
+     * @param subject identifies the signer (by X.500 name).
+     * @param signature private key and signing algorithm to use.
      * @exception IOException on errors.
      * @exception CertificateException on certificate handling errors.
      * @exception SignatureException on signature handling errors.
      */
-    public void encodeAndSign(X500Signer requester)
+    public void encodeAndSign(X500Name subject, Signature signature)
     throws CertificateException, IOException, SignatureException {
         DerOutputStream out, scratch;
         byte[]          certificateRequestInfo;
@@ -198,7 +197,7 @@ public class PKCS10 {
         if (encoded != null)
             throw new SignatureException("request is already signed");
 
-        subject = requester.getSigner();
+        this.subject = subject;
 
         /*
          * Encode cert request info, wrap in a sequence for signing
@@ -217,14 +216,20 @@ public class PKCS10 {
         /*
          * Sign it ...
          */
-        requester.update(certificateRequestInfo, 0,
+        signature.update(certificateRequestInfo, 0,
                 certificateRequestInfo.length);
-        sig = requester.sign();
+        sig = signature.sign();
 
         /*
          * Build guts of SIGNED macro
          */
-        requester.getAlgorithmId().encode(scratch);     // sig algorithm
+        AlgorithmId algId = null;
+        try {
+            algId = AlgorithmId.getAlgorithmId(signature.getAlgorithm());
+        } catch (NoSuchAlgorithmException nsae) {
+            throw new SignatureException(nsae);
+        }
+        algId.encode(scratch);     // sig algorithm
         scratch.putBitString(sig);                      // sig
 
         /*

src/share/classes/sun/security/provider/IdentityDatabase.java

-/*
- * Copyright 1996-2006 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.provider;
-
-import java.io.*;
-import java.util.*;
-import java.security.*;
-
-/**
- * An implementation of IdentityScope as a persistent identity
- * database.
- *
- * @see Identity
- * @see Key
- *
- * @author Benjamin Renaud
- */
-public
-class IdentityDatabase extends IdentityScope implements Serializable {
-
-    /** use serialVersionUID from JDK 1.1. for interoperability */
-    private static final long serialVersionUID = 4923799573357658384L;
-
-    /* Are we debugging? */
-    private static final boolean debug = false;
-
-    /* Are we printing out error messages? */
-    private static final boolean error = true;
-
-    /* The source file, if any, for this database.*/
-    File sourceFile;
-
-    /* The private representation of the database.*/
-    Hashtable<String, Identity> identities;
-
-    IdentityDatabase() throws InvalidParameterException {
-        this("restoring...");
-    }
-
-    /**
-     * Construct a new, empty database with a specified source file.
-     *
-     * @param file the source file.
-     */
-    public IdentityDatabase(File file) throws InvalidParameterException {
-        this(file.getName());
-        sourceFile = file;
-    }
-
-    /**
-     * Construct a new, empty database.
-     */
-    public IdentityDatabase(String name) throws InvalidParameterException {
-        super(name);
-        identities = new Hashtable<String, Identity>();
-    }
-
-    /**
-     * Initialize an identity database from a stream. The stream should
-     * contain data to initialized a serialized IdentityDatabase
-     * object.
-     *
-     * @param is the input stream from which to restore the database.
-     *
-     * @exception IOException if a stream IO exception occurs
-     */
-    public static IdentityDatabase fromStream(InputStream is)
-    throws IOException {
-        IdentityDatabase db = null;
-        try {
-            ObjectInputStream ois = new ObjectInputStream(is);
-            db = (IdentityDatabase)ois.readObject();
-        } catch (ClassNotFoundException e) {
-            // this can't happen.
-            debug("This should not be happening.", e);
-            error(
-                "The version of the database is obsolete. Cannot initialize.");
-
-        } catch (InvalidClassException e) {
-            // this may happen in developers workspaces happen.
-            debug("This should not be happening.", e);
-            error("Unable to initialize system identity scope: " +
-                  " InvalidClassException. \nThis is most likely due to " +
-                  "a serialization versioning problem: a class used in " +
-                  "key management was obsoleted");
-
-        } catch (StreamCorruptedException e) {
-            debug("The serialization stream is corrupted. Unable to load.", e);
-            error("Unable to initialize system identity scope." +
-                  " StreamCorruptedException.");
-        }
-
-        if (db == null) {
-            db = new IdentityDatabase("uninitialized");
-        }
-
-        return db;
-    }
-
-    /**
-     * Initialize an IdentityDatabase from file.
-     *
-     * @param f the filename where the identity database is stored.
-     *
-     * @exception IOException a file-related exception occurs (e.g.
-     * the directory of the file passed does not exists, etc.
-     *
-     * @IOException if a file IO exception occurs.
-     */
-    public static IdentityDatabase fromFile(File f) throws IOException {
-        FileInputStream fis = new FileInputStream(f);
-        IdentityDatabase edb = fromStream(fis);
-        edb.sourceFile = f;
-        return edb;
-    }
-
-
-
-    /**
-     * @return the number of identities in the database.
-     */
-   public int size() {
-       return identities.size();
-   }
-
-
-    /**
-     * @param name the name of the identity to be retrieved.
-     *
-     * @return the identity named name, or null if there are
-     * no identities named name in the database.
-     */
-    public Identity getIdentity(String name) {
-        Identity id = identities.get(name);
-        if (id instanceof Signer) {
-            localCheck("get.signer");
-        }
-        return id;
-    }
-
-    /**
-     * Get an identity by key.
-     *
-     * @param name the key of the identity to be retrieved.
-     *
-     * @return the identity with a given key, or null if there are no
-     * identities with that key in the database.
-     */
-    public Identity getIdentity(PublicKey key) {
-        if (key == null) {
-            return null;
-        }
-        Enumeration<Identity> e = identities();
-        while (e.hasMoreElements()) {
-            Identity i = e.nextElement();
-            PublicKey k = i.getPublicKey();
-            if (k != null && keyEqual(k, key)) {
-                if (i instanceof Signer) {
-                    localCheck("get.signer");
-                }
-                return i;
-            }
-        }
-        return null;
-    }
-
-    private boolean keyEqual(Key key1, Key key2) {
-        if (key1 == key2) {
-            return true;
-        } else {
-            return MessageDigest.isEqual(key1.getEncoded(), key2.getEncoded());
-        }
-    }
-
-    /**
-     * Adds an identity to the database.
-     *
-     * @param identity the identity to be added.
-     *
-     * @exception KeyManagementException if a name or key clash
-     * occurs, or if another exception occurs.
-     */
-    public void addIdentity(Identity identity)
-    throws KeyManagementException {
-        localCheck("add.identity");
-        Identity byName = getIdentity(identity.getName());
-        Identity byKey = getIdentity(identity.getPublicKey());
-        String msg = null;
-
-        if (byName != null) {
-            msg = "name conflict";
-        }
-        if (byKey != null) {
-            msg = "key conflict";
-        }
-        if (msg != null) {
-            throw new KeyManagementException(msg);
-        }
-        identities.put(identity.getName(), identity);
-    }
-
-    /**
-     * Removes an identity to the database.
-     */
-    public void removeIdentity(Identity identity)
-    throws KeyManagementException {
-        localCheck("remove.identity");
-        String name = identity.getName();
-        if (identities.get(name) == null) {
-            throw new KeyManagementException("there is no identity named " +
-                                             name + " in " + this);
-        }
-        identities.remove(name);
-    }
-
-    /**
-     * @return an enumeration of all identities in the database.
-     */
-    public Enumeration<Identity> identities() {
-        return identities.elements();
-    }
-
-    /**
-     * Set the source file for this database.
-     */
-    void setSourceFile(File f) {
-        sourceFile = f;
-    }
-
-    /**
-     * @return the source file for this database.
-     */
-    File getSourceFile() {
-        return sourceFile;
-    }
-
-    /**
-     * Save the database in its current state to an output stream.
-     *
-     * @param os the output stream to which the database should be serialized.
-     *
-     * @exception IOException if an IO exception is raised by stream
-     * operations.
-     */
-    public void save(OutputStream os) throws IOException {
-        try {
-            ObjectOutputStream oos = new ObjectOutputStream(os);
-            oos.writeObject(this);
-            oos.flush();
-        } catch (InvalidClassException e) {
-            debug("This should not be happening.", e);
-            return;
-        }
-    }
-
-    /**
-     * Save the database to a file.
-     *
-     * @exception IOException if an IO exception is raised by stream
-     * operations.
-     */
-    void save(File f) throws IOException {
-        setSourceFile(f);
-        FileOutputStream fos = new FileOutputStream(f);
-        save(fos);
-    }
-
-    /**
-     * Saves the database to the default source file.
-     *
-     * @exception KeyManagementException when there is no default source
-     * file specified for this database.
-     */
-    public void save() throws IOException {
-        if (sourceFile == null) {
-            throw new IOException("this database has no source file");
-        }
-        save(sourceFile);
-    }
-
-    /**
-     * This method returns the file from which to initialize the
-     * system database.
-     */
-    private static File systemDatabaseFile() {
-
-        // First figure out where the identity database is hiding, if anywhere.
-        String dbPath = Security.getProperty("identity.database");
-        // if nowhere, it's the canonical place.
-        if (dbPath == null) {
-            dbPath = System.getProperty("user.home") + File.separatorChar +
-                "identitydb.obj";
-        }
-        return new File(dbPath);
-    }
-
-
-    /* This block initializes the system database, if there is one. */
-    static {
-        java.security.AccessController.doPrivileged(
-            new java.security.PrivilegedAction<Void>() {
-            public Void run() {
-                initializeSystem();
-                return null;
-            }
-        });
-    }
-
-    /**
-     * This method initializes the system's identity database. The
-     * canonical location is
-     * <user.home>/identitydatabase.obj. This is settable through
-     * the identity.database property.  */
-    private static void initializeSystem() {
-
-        IdentityDatabase systemDatabase;
-        File dbFile = systemDatabaseFile();
-
-        // Second figure out if it's there, and if it isn't, create one.
-        try {
-            if (dbFile.exists()) {
-                debug("loading system database from file: " + dbFile);
-                systemDatabase = fromFile(dbFile);
-            } else {
-                systemDatabase = new IdentityDatabase(dbFile);
-            }
-            IdentityScope.setSystemScope(systemDatabase);
-            debug("System database initialized: " + systemDatabase);
-        } catch (IOException e) {
-            debug("Error initializing identity database: " + dbFile, e);
-            return;
-        } catch (InvalidParameterException e) {
-            debug("Error trying to instantiate a system identities db in " +
-                               dbFile, e);
-            return;
-        }
-    }
-
-    /*
-    private static File securityPropFile(String filename) {
-        // maybe check for a system property which will specify where to
-        // look.
-        String sep = File.separator;
-        return new File(System.getProperty("java.home") +
-                        sep + "lib" + sep + "security" +
-                        sep + filename);
-    }
-    */
-
-    public String toString() {
-        return "sun.security.provider.IdentityDatabase, source file: " +
-            sourceFile;
-    }
-
-
-    private static void debug(String s) {
-        if (debug) {
-            System.err.println(s);
-        }
-    }
-
-    private static void debug(String s, Throwable t) {
-        if (debug) {
-            t.printStackTrace();
-            System.err.println(s);
-        }
-    }
-
-    private static void error(String s) {
-        if (error) {
-            System.err.println(s);
-        }
-    }
-
-    void localCheck(String directive) {
-        SecurityManager security = System.getSecurityManager();
-        if (security != null) {
-            directive = this.getClass().getName() + "." +
-                directive + "." + localFullName();
-            security.checkSecurityAccess(directive);
-        }
-    }
-
-    /**
-     * Returns a parsable name for identity: identityName.scopeName
-     */
-    String localFullName() {
-        String parsable = getName();
-        if (getScope() != null) {
-            parsable += "." +getScope().getName();
-        }
-        return parsable;
-    }
-
-    /**
-     * Serialization write.
-     */
-    private synchronized void writeObject (java.io.ObjectOutputStream stream)
-    throws IOException {
-        localCheck("serialize.identity.database");
-        stream.writeObject(identities);
-        stream.writeObject(sourceFile);
-    }
-}

src/share/classes/sun/security/provider/PolicyFile.java

@@ -295,16 +295,13 @@ public class PolicyFile extends java.security.Policy {
 
     private static final int DEFAULT_CACHE_SIZE = 1;
 
-    /** the scope to check */
-    private static IdentityScope scope = null;
-
     // contains the policy grant entries, PD cache, and alias mapping
     private AtomicReference<PolicyInfo> policyInfo =
         new AtomicReference<PolicyInfo>();
     private boolean constructed = false;
 
     private boolean expandProperties = true;
-    private boolean ignoreIdentityScope = false;
+    private boolean ignoreIdentityScope = true;
     private boolean allowSystemProperties = true;
     private boolean notUtf8 = false;
     private URL url;
@@ -2024,85 +2021,9 @@ public class PolicyFile extends java.security.Policy {
     private boolean checkForTrustedIdentity(final Certificate cert,
         PolicyInfo myInfo)
     {
-        if (cert == null)
-            return false;
-
-        // see if we are ignoring the identity scope or not
-        if (ignoreIdentityScope)
-            return false;
-
-        // try to initialize scope
-        synchronized(PolicyFile.class) {
-            if (scope == null) {
-                IdentityScope is = IdentityScope.getSystemScope();
-
-                if (is instanceof sun.security.provider.IdentityDatabase) {
-                    scope = is;
-                } else {
-                    // leave scope null
-                }
-            }
-        }
-
-        if (scope == null) {
-            ignoreIdentityScope = true;
-            return false;
-        }
-
-        // need privileged block for getIdentity in case we are trying
-        // to get a signer
-        final Identity id = AccessController.doPrivileged(
-                              new java.security.PrivilegedAction<Identity>() {
-            public Identity run() {
-                return scope.getIdentity(cert.getPublicKey());
-            }
-        });
-
-        if (isTrusted(id)) {
-            if (debug != null) {
-                debug.println("Adding policy entry for trusted Identity: ");
-                //needed for identity toString!
-                AccessController.doPrivileged(
-                      new java.security.PrivilegedAction<Void>() {
-                    public Void run() {
-                        debug.println("  identity = " + id);
-                        return null;
-                    }
-                });
-                debug.println("");
-            }
-
-            // add it to the policy for future reference
-            Certificate certs[] = new Certificate[] {cert};
-            PolicyEntry pe = new PolicyEntry(new CodeSource(null, certs));
-            pe.add(SecurityConstants.ALL_PERMISSION);
-
-            myInfo.identityPolicyEntries.add(pe);
-
-            // add it to the mapping as well so
-            // we don't have to go through this again
-            myInfo.aliasMapping.put(cert, id.getName());
-
-            return true;
-        }
         return false;
     }
 
-    private static boolean isTrusted(Identity id) {
-            if (id instanceof SystemIdentity) {
-                SystemIdentity sysid = (SystemIdentity)id;
-                if (sysid.isTrusted()) {
-                    return true;
-                }
-            } else if (id instanceof SystemSigner) {
-                SystemSigner sysid = (SystemSigner)id;
-                if (sysid.isTrusted()) {
-                    return true;
-                }
-            }
-            return false;
-    }
-
     /**
      * Each entry in the policy configuration file is represented by a
      * PolicyEntry object.  <p>

src/share/classes/sun/security/provider/SystemIdentity.java

-/*
- * Copyright 1996-2000 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.provider;
-
-import java.io.Serializable;
-import java.util.Enumeration;
-import java.security.*;
-
-/**
- * An identity with a very simple trust mechanism.
- *
- * @author      Benjamin Renaud
- */
-
-public class SystemIdentity extends Identity implements Serializable {
-
-    /** use serialVersionUID from JDK 1.1. for interoperability */
-    private static final long serialVersionUID = 9060648952088498478L;
-
-    /* This should be changed to ACL */
-    boolean trusted = false;
-
-    /* Free form additional information about this identity. */
-    private String info;
-
-    public SystemIdentity(String name, IdentityScope scope)
-    throws InvalidParameterException, KeyManagementException {
-        super(name, scope);
-    }
-
-    /**
-     * Is this identity trusted by sun.* facilities?
-     */
-    public boolean isTrusted() {
-        return trusted;
-    }
-
-    /**
-     * Set the trust status of this identity.
-     */
-    protected void setTrusted(boolean trusted) {
-        this.trusted = trusted;
-    }
-
-    void setIdentityInfo(String info) {
-        super.setInfo(info);
-    }
-
-    String getIndentityInfo() {
-        return super.getInfo();
-    }
-
-    /**
-     * Call back method into a protected method for package friends.
-     */
-    void setIdentityPublicKey(PublicKey key) throws KeyManagementException {
-        setPublicKey(key);
-    }
-
-    /**
-     * Call back method into a protected method for package friends.
-     */
-    void addIdentityCertificate(Certificate cert)
-    throws KeyManagementException {
-        addCertificate(cert);
-    }
-
-    void clearCertificates() throws KeyManagementException {
-        Certificate[] certs = certificates();
-        for (int i = 0; i < certs.length; i++) {
-            removeCertificate(certs[i]);
-        }
-    }
-
-    public String toString() {
-        String trustedString = "not trusted";
-        if (trusted) {
-            trustedString = "trusted";
-        }
-        return super.toString() + "[" + trustedString + "]";
-    }
-
-
-}

src/share/classes/sun/security/provider/SystemSigner.java

-/*
- * Copyright 1996-2000 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.provider;
-
-import java.util.*;
-import java.security.*;
-
-/**
- * SunSecurity signer. Like SystemIdentity, it has a trust bit, which
- * can be set by SunSecurity classes, and a set of accessors for other
- * classes in sun.security.*.
- *
- * @author Benjamin Renaud
- */
-
-public class SystemSigner extends Signer {
-
-    /** use serialVersionUID from JDK 1.1. for interoperability */
-    private static final long serialVersionUID = -2127743304301557711L;
-
-    /* Is this signer trusted */
-    private boolean trusted = false;
-
-    /**
-     * Construct a signer with a given name.
-     */
-    public SystemSigner(String name) {
-        super(name);
-    }
-
-    /**
-     * Construct a signer with a name and a scope.
-     *
-     * @param name the signer's name.
-     *
-     * @param scope the scope for this signer.
-     */
-    public SystemSigner(String name, IdentityScope scope)
-     throws KeyManagementException {
-
-        super(name, scope);
-    }
-
-    /* Set the trust status of this signer */
-    void setTrusted(boolean trusted) {
-        this.trusted = trusted;
-    }
-
-    /**
-     * Returns true if this signer is trusted.
-     */
-    public boolean isTrusted() {
-        return trusted;
-    }
-
-    /* friendly callback for set keys */
-    void setSignerKeyPair(KeyPair pair)
-    throws InvalidParameterException, KeyException {
-        setKeyPair(pair);
-    }
-
-    /* friendly callback for getting private keys */
-    PrivateKey getSignerPrivateKey() {
-        return getPrivateKey();
-    }
-
-    void setSignerInfo(String s) {
-        setInfo(s);
-    }
-
-    /**
-     * Call back method into a protected method for package friends.
-     */
-    void addSignerCertificate(Certificate cert) throws KeyManagementException {
-        addCertificate(cert);
-    }
-
-    void clearCertificates() throws KeyManagementException {
-        Certificate[] certs = certificates();
-        for (int i = 0; i < certs.length; i++) {
-            removeCertificate(certs[i]);
-        }
-    }
-
-    public String toString() {
-        String trustedString = "not trusted";
-        if (trusted) {
-            trustedString = "trusted";
-        }
-        return super.toString() + "[" + trustedString + "]";
-    }
-}

src/share/classes/sun/security/provider/certpath/OCSPChecker.java

@@ -335,10 +335,13 @@ class OCSPChecker extends PKIXCertPathChecker {
             response = OCSP.check(Collections.singletonList(certId), uri,
                 responderCert, pkixParams.getDate());
         } catch (Exception e) {
-            // Wrap all exceptions in CertPathValidatorException so that
-            // we can fallback to CRLs, if enabled.
-            throw new CertPathValidatorException
-                ("Unable to send OCSP request", e);
+            if (e instanceof CertPathValidatorException) {
+                throw (CertPathValidatorException) e;
+            } else {
+                // Wrap exceptions in CertPathValidatorException so that
+                // we can fallback to CRLs, if enabled.
+                throw new CertPathValidatorException(e);
+            }
         }
 
         RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);

src/share/classes/sun/security/tools/JarSigner.java

@@ -118,8 +118,6 @@ public class JarSigner {
     KeyStore store;                 // the keystore specified by -keystore
                                     // or the default keystore, never null
 
-    IdentityScope scope;
-
     String keystore; // key store file
     boolean nullStream = false; // null keystore input stream (NONE)
     boolean token = false; // token-based keystore
@@ -212,7 +210,6 @@ public class JarSigner {
             if (verify) {
                 try {
                     loadKeyStore(keystore, false);
-                    scope = IdentityScope.getSystemScope();
                 } catch (Exception e) {
                     if ((keystore != null) || (storepass != null)) {
                         System.out.println(rb.getString("jarsigner error: ") +
@@ -984,13 +981,6 @@ public class JarSigner {
                         result |= IN_KEYSTORE;
                     }
                 }
-                if (!found && (scope != null)) {
-                    Identity id = scope.getIdentity(c.getPublicKey());
-                    if (id != null) {
-                        result |= IN_SCOPE;
-                        storeHash.put(c, "[" + id.getName() + "]");
-                    }
-                }
                 if (ckaliases.contains(alias)) {
                     result |= SIGNED_BY_ALIAS;
                 }

src/share/classes/sun/security/tools/KeyTool.java

@@ -40,7 +40,6 @@ import java.security.UnrecoverableEntryException;
 import java.security.UnrecoverableKeyException;
 import java.security.Principal;
 import java.security.Provider;
-import java.security.Identity;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -57,9 +56,6 @@ import java.net.URLClassLoader;
 import sun.misc.BASE64Encoder;
 import sun.security.util.ObjectIdentifier;
 import sun.security.pkcs.PKCS10;
-import sun.security.provider.IdentityDatabase;
-import sun.security.provider.SystemSigner;
-import sun.security.provider.SystemIdentity;
 import sun.security.provider.X509Factory;
 import sun.security.util.DerOutputStream;
 import sun.security.util.Password;
@@ -1163,18 +1159,16 @@ public final class KeyTool {
         Signature signature = Signature.getInstance(sigAlgName);
         signature.initSign(privateKey);
 
-        X500Signer signer = new X500Signer(signature, issuer);
-
         X509CertInfo info = new X509CertInfo();
         info.set(X509CertInfo.VALIDITY, interval);
         info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
                     new java.util.Random().nextInt() & 0x7fffffff));
         info.set(X509CertInfo.VERSION,
-                     new CertificateVersion(CertificateVersion.V3));
+                    new CertificateVersion(CertificateVersion.V3));
         info.set(X509CertInfo.ALGORITHM_ID,
-                     new CertificateAlgorithmId(signer.getAlgorithmId()));
-        info.set(X509CertInfo.ISSUER,
-                     new CertificateIssuerName(signer.getSigner()));
+                    new CertificateAlgorithmId(
+                        AlgorithmId.getAlgorithmId(sigAlgName)));
+        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));
 
         BufferedReader reader = new BufferedReader(new InputStreamReader(in));
         boolean canRead = false;
@@ -1249,7 +1243,7 @@ public final class KeyTool {
         request.getAttributes().setAttribute(X509CertInfo.EXTENSIONS,
                 new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ext));
 
-        // Construct an X500Signer object, so that we can sign the request
+        // Construct a Signature object, so that we can sign the request
         if (sigAlgName == null) {
             sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm());
         }
@@ -1259,10 +1253,9 @@ public final class KeyTool {
         X500Name subject = dname == null?
                 new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
                 new X500Name(dname);
-        X500Signer signer = new X500Signer(signature, subject);
 
         // Sign the request and base-64 encode it
-        request.encodeAndSign(signer);
+        request.encodeAndSign(subject, signature);
         request.print(out);
     }
 
@@ -1564,75 +1557,8 @@ public final class KeyTool {
     private void doImportIdentityDatabase(InputStream in)
         throws Exception
     {
-        byte[] encoded;
-        ByteArrayInputStream bais;
-        java.security.cert.X509Certificate newCert;
-        java.security.cert.Certificate[] chain = null;
-        PrivateKey privKey;
-        boolean modified = false;
-
-        IdentityDatabase idb = IdentityDatabase.fromStream(in);
-        for (Enumeration<Identity> enum_ = idb.identities();
-                                        enum_.hasMoreElements();) {
-            Identity id = enum_.nextElement();
-            newCert = null;
-            // only store trusted identities in keystore
-            if ((id instanceof SystemSigner && ((SystemSigner)id).isTrusted())
-                || (id instanceof SystemIdentity
-                    && ((SystemIdentity)id).isTrusted())) {
-                // ignore if keystore entry with same alias name already exists
-                if (keyStore.containsAlias(id.getName())) {
-                    MessageFormat form = new MessageFormat
-                        (rb.getString("Keystore entry for <id.getName()> already exists"));
-                    Object[] source = {id.getName()};
-                    System.err.println(form.format(source));
-                    continue;
-                }
-                java.security.Certificate[] certs = id.certificates();
-                if (certs!=null && certs.length>0) {
-                    // we can only store one user cert per identity.
-                    // convert old-style to new-style cert via the encoding
-                    DerOutputStream dos = new DerOutputStream();
-                    certs[0].encode(dos);
-                    encoded = dos.toByteArray();
-                    bais = new ByteArrayInputStream(encoded);
-                    newCert = (X509Certificate)cf.generateCertificate(bais);
-                    bais.close();
-
-                    // if certificate is self-signed, make sure it verifies
-                    if (isSelfSigned(newCert)) {
-                        PublicKey pubKey = newCert.getPublicKey();
-                        try {
-                            newCert.verify(pubKey);
-                        } catch (Exception e) {
-                            // ignore this cert
-                            continue;
-                        }
-                    }
-
-                    if (id instanceof SystemSigner) {
-                        MessageFormat form = new MessageFormat(rb.getString
-                            ("Creating keystore entry for <id.getName()> ..."));
-                        Object[] source = {id.getName()};
-                        System.err.println(form.format(source));
-                        if (chain==null) {
-                            chain = new java.security.cert.Certificate[1];
-                        }
-                        chain[0] = newCert;
-                        privKey = ((SystemSigner)id).getPrivateKey();
-                        keyStore.setKeyEntry(id.getName(), privKey, storePass,
-                                             chain);
-                    } else {
-                        keyStore.setCertificateEntry(id.getName(), newCert);
-                    }
-                    kssave = true;
-                }
-            }
-        }
-        if (!kssave) {
-            System.err.println(rb.getString
-                ("No entries from identity database added"));
-        }
+        System.err.println(rb.getString
+            ("No entries from identity database added"));
     }
 
     /**

src/share/classes/sun/security/util/SecurityConstants.java

@@ -33,7 +33,6 @@ import java.security.Permission;
 import java.security.BasicPermission;
 import java.security.SecurityPermission;
 import java.security.AllPermission;
-import javax.security.auth.AuthPermission;
 
 /**
  * Permission constants and string constants used to create permissions
@@ -259,12 +258,4 @@ public final class SecurityConstants {
     // java.lang.SecurityManager
     public static final SocketPermission LOCAL_LISTEN_PERMISSION =
         new SocketPermission("localhost:1024-", SOCKET_LISTEN_ACTION);
-
-    // javax.security.auth.Subject
-    public static final AuthPermission DO_AS_PERMISSION =
-        new AuthPermission("doAs");
-
-    // javax.security.auth.Subject
-    public static final AuthPermission DO_AS_PRIVILEGED_PERMISSION =
-        new AuthPermission("doAsPrivileged");
 }

src/share/classes/sun/security/validator/PKIXValidator.java

@@ -150,9 +150,17 @@ public final class PKIXValidator extends Validator {
                 ("null or zero-length certificate chain");
         }
         if (TRY_VALIDATOR) {
-            // check if chain contains trust anchor
+            // check that chain is in correct order and check if chain contains
+            // trust anchor
+            X500Principal prevIssuer = null;
             for (int i = 0; i < chain.length; i++) {
-                if (trustedCerts.contains(chain[i])) {
+                X509Certificate cert = chain[i];
+                if (i != 0 &&
+                    !cert.getSubjectX500Principal().equals(prevIssuer)) {
+                    // chain is not ordered correctly, call builder instead
+                    return doBuild(chain, otherCerts);
+                }
+                if (trustedCerts.contains(cert)) {
                     if (i == 0) {
                         return new X509Certificate[] {chain[0]};
                     }
@@ -161,6 +169,7 @@ public final class PKIXValidator extends Validator {
                     System.arraycopy(chain, 0, newChain, 0, i);
                     return doValidate(newChain);
                 }
+                prevIssuer = cert.getIssuerX500Principal();
             }
 
             // apparently issued by trust anchor?
@@ -303,5 +312,4 @@ public final class PKIXValidator extends Validator {
                 ("PKIX path building failed: " + e.toString(), e);
         }
     }
-
 }

src/share/classes/sun/security/x509/CertAndKeyGen.java

@@ -189,41 +189,6 @@ public final class CertAndKeyGen {
     }
 
 
-    /**
-     * Returns a self-signed X.509v1 certificate for the public key.
-     * The certificate is immediately valid.
-     *
-     * <P>Such certificates normally are used to identify a "Certificate
-     * Authority" (CA).  Accordingly, they will not always be accepted by
-     * other parties.  However, such certificates are also useful when
-     * you are bootstrapping your security infrastructure, or deploying
-     * system prototypes.
-     *
-     * @deprecated Use the new <a href =
-     * "#getSelfCertificate(sun.security.x509.X500Name, long)">
-     *
-     * @param myname X.500 name of the subject (who is also the issuer)
-     * @param validity how long the certificate should be valid, in seconds
-     */
-    @Deprecated
-    public X509Cert             getSelfCert (X500Name myname, long validity)
-    throws InvalidKeyException, SignatureException, NoSuchAlgorithmException
-    {
-        X509Certificate cert;
-
-        try {
-            cert = getSelfCertificate(myname, validity);
-            return new X509Cert(cert.getEncoded());
-        } catch (CertificateException e) {
-            throw new SignatureException(e.getMessage());
-        } catch (NoSuchProviderException e) {
-            throw new NoSuchAlgorithmException(e.getMessage());
-        } catch (IOException e) {
-            throw new SignatureException(e.getMessage());
-        }
-    }
-
-
     /**
      * Returns a self-signed X.509v3 certificate for the public key.
      * The certificate is immediately valid. No extensions.
@@ -248,13 +213,10 @@ public final class CertAndKeyGen {
     throws CertificateException, InvalidKeyException, SignatureException,
         NoSuchAlgorithmException, NoSuchProviderException
     {
-        X500Signer      issuer;
         X509CertImpl    cert;
         Date            lastDate;
 
         try {
-            issuer = getSigner (myname);
-
             lastDate = new Date ();
             lastDate.setTime (firstDate.getTime () + validity * 1000);
 
@@ -267,14 +229,13 @@ public final class CertAndKeyGen {
                      new CertificateVersion(CertificateVersion.V3));
             info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
                     new java.util.Random().nextInt() & 0x7fffffff));
-            AlgorithmId algID = issuer.getAlgorithmId();
+            AlgorithmId algID = AlgorithmId.getAlgorithmId(sigAlg);
             info.set(X509CertInfo.ALGORITHM_ID,
                      new CertificateAlgorithmId(algID));
             info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(myname));
             info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
             info.set(X509CertInfo.VALIDITY, interval);
-            info.set(X509CertInfo.ISSUER,
-                     new CertificateIssuerName(issuer.getSigner()));
+            info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
 
             cert = new X509CertImpl(info);
             cert.sign(privateKey, this.sigAlg);
@@ -315,7 +276,9 @@ public final class CertAndKeyGen {
         PKCS10  req = new PKCS10 (publicKey);
 
         try {
-            req.encodeAndSign (getSigner (myname));
+            Signature signature = Signature.getInstance(sigAlg);
+            signature.initSign (privateKey);
+            req.encodeAndSign(myname, signature);
 
         } catch (CertificateException e) {
             throw new SignatureException (sigAlg + " CertificateException");
@@ -330,18 +293,6 @@ public final class CertAndKeyGen {
         return req;
     }
 
-    private X500Signer getSigner (X500Name me)
-    throws InvalidKeyException, NoSuchAlgorithmException
-    {
-        Signature signature = Signature.getInstance(sigAlg);
-
-        // XXX should have a way to pass prng to the signature
-        // algorithm ... appropriate for DSS/DSA, not RSA
-
-        signature.initSign (privateKey);
-        return new X500Signer (signature, me);
-    }
-
     private SecureRandom        prng;
     private String              sigAlg;
     private KeyPairGenerator    keyGen;

src/share/classes/sun/security/x509/X500Signer.java

-/*
- * Copyright 1996-2003 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.x509;
-
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.Signer;
-import java.security.NoSuchAlgorithmException;
-
-/**
- * This class provides a binding between a Signature object and an
- * authenticated X.500 name (from an X.509 certificate chain), which
- * is needed in many public key signing applications.
- *
- * <P>The name of the signer is important, both because knowing it is the
- * whole point of the signature, and because the associated X.509 certificate
- * is always used to verify the signature.
- *
- * <P><em>The X.509 certificate chain is temporarily not associated with
- * the signer, but this omission will be resolved.</em>
- *
- *
- * @author David Brownell
- * @author Amit Kapoor
- * @author Hemma Prafullchandra
- */
-public final class X500Signer extends Signer
-{
-    private static final long serialVersionUID = -8609982645394364834L;
-
-    /**
-     * Called for each chunk of the data being signed.  That
-     * is, you can present the data in many chunks, so that
-     * it doesn't need to be in a single sequential buffer.
-     *
-     * @param buf buffer holding the next chunk of the data to be signed
-     * @param offset starting point of to-be-signed data
-     * @param len how many bytes of data are to be signed
-     * @exception SignatureException on errors.
-     */
-    public void update(byte buf[], int offset, int len)
-    throws SignatureException {
-        sig.update (buf, offset, len);
-    }
-
-    /**
-     * Produces the signature for the data processed by update().
-     *
-     * @exception SignatureException on errors.
-     */
-    public byte[] sign() throws SignatureException {
-        return sig.sign();
-    }
-
-    /**
-     * Returns the algorithm used to sign.
-     */
-    public AlgorithmId  getAlgorithmId() {
-        return algid;
-    }
-
-    /**
-     * Returns the name of the signing agent.
-     */
-    public X500Name     getSigner() {
-        return agent;
-    }
-
-    /*
-     * Constructs a binding between a signature and an X500 name
-     * from an X.509 certificate.
-     */
-    // package private  ----hmmmmm ?????
-    public X500Signer(Signature sig, X500Name agent) {
-        if (sig == null || agent == null)
-            throw new IllegalArgumentException ("null parameter");
-
-        this.sig = sig;
-        this.agent = agent;
-
-        try {
-          this.algid = AlgorithmId.getAlgorithmId(sig.getAlgorithm());
-
-        } catch (NoSuchAlgorithmException e) {
-            throw new RuntimeException("internal error! " + e.getMessage());
-        }
-    }
-
-    private Signature   sig;
-    private X500Name    agent;          // XXX should be X509CertChain
-    private AlgorithmId algid;
-}

src/share/classes/sun/tools/jar/JarVerifierStream.java

-/*
- * Copyright 1996-2008 Sun Microsystems, Inc.  All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.tools.jar;
-
-import java.io.*;
-import java.util.*;
-import java.util.zip.*;
-import java.util.jar.*;
-import java.security.cert.Certificate;
-import java.security.AccessController;
-import java.security.cert.X509Certificate;
-import java.security.PublicKey;
-import java.security.Principal;
-import sun.security.provider.SystemIdentity;
-
-/**
- * This is OBSOLETE. DO NOT USE THIS. Use
- * java.util.jar.JarEntry.getCertificates instead. It has to stay here
- * because some apps (namely HJ and HJV) call directly into it.
- *
- * This class is stripped down greatly from JDK 1.1.x.
- *
- * @author Roland Schemers
- */
-public class JarVerifierStream extends ZipInputStream {
-
-    private JarEntry current;
-    private Hashtable<String, Vector<SystemIdentity>> verified
-        = new Hashtable<String, Vector<SystemIdentity>>();
-    private JarInputStream jis;
-    private sun.tools.jar.Manifest man = null;
-
-    /**
-     * construct a JarVerfierStream from an input stream.
-     */
-    public JarVerifierStream(InputStream is)
-         throws IOException
-    {
-        super(is);
-        jis = new JarInputStream(is);
-    }
-
-    public void close()
-        throws IOException
-    {
-        jis.close();
-    }
-
-    public void closeEntry() throws IOException {
-        jis.closeEntry();
-    }
-
-    /**
-     * This method scans to see which entry we're parsing and
-     * keeps various state information depending on what type of
-     * file is being parsed. Files it treats specially are: <ul>
-     *
-     * <li>Manifest files. At any point, this stream can be queried
-     * for a manifest. If it is present, a Manifest object will be
-     * returned.
-     *
-     * <li>Block Signature file. Like with the manifest, the stream
-     * can be queried at any time for all blocks parsed thus far.
-     *
-     * </ul>
-     */
-    public synchronized ZipEntry getNextEntry() throws IOException {
-        current = (JarEntry) jis.getNextEntry();
-        return current;
-    }
-
-    /**
-     * read a single byte.
-     */
-    public int read() throws IOException {
-        int n = jis.read();
-        if (n == -1) {
-            addIds();
-        }
-        return n;
-    }
-
-    /**
-     * read an array of bytes.
-     */
-    public int read(byte[] b, int off, int len) throws IOException {
-        int n = jis.read(b, off, len);
-        if (n == -1) {
-            addIds();
-        }
-        return n;
-    }
-
-    private void addIds()
-    {
-
-        if (current != null) {
-            Certificate[] certs = current.getCertificates();
-            if (certs != null) {
-                Vector<SystemIdentity> ids = getIds(certs);
-                if (ids != null) {
-                    verified.put(current.getName(), ids);
-                }
-            }
-        }
-    }
-
-    /**
-     * Returns a Hashtable mapping filenames to vectors of identities.
-     */
-    public Hashtable getVerifiedSignatures() {
-        /* we may want to return a copy of this at some point.
-           For now we simply trust the caller */
-        if (verified.isEmpty())
-            return null;
-        else
-            return verified;
-    }
-
-    /**
-     * Returns an enumeration of PKCS7 blocks. This looks bogus,
-     * but Hotjava just checks to see if enumeration is not null
-     * to see if anything was signed!
-     */
-    public Enumeration getBlocks() {
-        if (verified.isEmpty()) {
-            return null;
-        } else {
-            return new Enumeration() {
-                public boolean hasMoreElements() { return false; }
-                public Object nextElement() { return null; }
-            };
-        }
-    }
-
-    /**
-     * This method used to be called by various versions of
-     * AppletResourceLoader, even though they didn't do anything with
-     * the result. We leave them and return null for backwards compatability.
-     */
-    public Hashtable getNameToHash() {
-        return null;
-    }
-
-    /**
-     * Convert java.util.jar.Manifest object to a sun.tools.jar.Manifest
-     * object.
-     */
-
-    public sun.tools.jar.Manifest getManifest() {
-        if (man == null) {
-            try {
-                java.util.jar.Manifest jman = jis.getManifest();
-                if (jman == null)
-                    return null;
-                ByteArrayOutputStream baos = new ByteArrayOutputStream();
-                jman.write(baos);
-                byte[] data = baos.toByteArray();
-                man = new sun.tools.jar.Manifest(data);
-            } catch (IOException ioe) {
-                // return null
-            }
-        }
-        return man;
-    }
-
-    static class CertCache {
-        Certificate [] certs;
-        Vector<SystemIdentity> ids;
-
-        boolean equals(Certificate[] certs) {
-                if (this.certs == null) {
-                    if (certs!= null)
-                        return false;
-                    else
-                        return true;
-                }
-
-                if (certs == null)
-                    return false;
-
-                boolean match;
-
-                for (int i = 0; i < certs.length; i++) {
-                    match = false;
-                    for (int j = 0; j < this.certs.length; j++) {
-                        if (certs[i].equals(this.certs[j])) {
-                            match = true;
-                            break;
-                        }
-                    }
-                    if (!match) return false;
-                }
-
-                for (int i = 0; i < this.certs.length; i++) {
-                    match = false;
-                    for (int j = 0; j < certs.length; j++) {
-                        if (this.certs[i].equals(certs[j])) {
-                            match = true;
-                            break;
-                        }
-                    }
-                    if (!match) return false;
-                }
-                return true;
-        }
-    }
-
-    private ArrayList<CertCache> certCache = null;
-
-
-    /**
-     * Returns the Identity vector for the given array of Certificates
-     */
-    protected Vector<SystemIdentity> getIds(Certificate[] certs) {
-        if (certs == null)
-            return null;
-
-        if (certCache == null)
-            certCache = new ArrayList<CertCache>();
-        CertCache cc;
-        for (int i = 0; i < certCache.size(); i++) {
-            cc = certCache.get(i);
-            if (cc.equals(certs)) {
-                return cc.ids;
-            }
-        }
-        cc = new CertCache();
-        cc.certs = certs;
-
-        if (certs.length > 0) {
-            for (int i=0; i<certs.length; i++) {
-                try {
-                    X509Certificate cert = (X509Certificate) certs[i];
-                    Principal tmpName = cert.getSubjectDN();
-                    final SystemIdentity id = new SystemIdentity(
-                                                           tmpName.getName(),
-                                                           null);
-
-                    byte[] encoded = cert.getEncoded();
-                    final java.security.Certificate oldC =
-                        new sun.security.x509.X509Cert(encoded);
-                    try {
-                        AccessController.doPrivileged(
-                         new java.security.PrivilegedExceptionAction<Void>() {
-                            public Void run()
-                                throws java.security.KeyManagementException
-                            {
-                                id.addCertificate(oldC);
-                                return null;
-                            }
-                        });
-                    } catch (java.security.PrivilegedActionException pae) {
-                        throw (java.security.KeyManagementException)
-                            pae.getException();
-                    }
-                    if (cc.ids == null)
-                        cc.ids = new Vector<SystemIdentity>();
-                    cc.ids.addElement(id);
-                } catch (java.security.KeyManagementException kme) {
-                    // ignore if we can't create Identity
-                } catch (IOException ioe) {
-                    // ignore if we can't parse
-                } catch (java.security.cert.CertificateEncodingException cee) {
-                    // ignore if we can't encode
-                }
-            }
-        }
-        certCache.add(cc);
-        return cc.ids;
-    }
-}

src/share/classes/sun/tracing/MultiplexProviderFactory.java

@@ -30,7 +30,6 @@ import java.lang.reflect.InvocationTargetException;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Set;
-import java.util.logging.Logger;
 
 import com.sun.tracing.ProviderFactory;
 import com.sun.tracing.Provider;
@@ -65,13 +64,7 @@ public class MultiplexProviderFactory extends ProviderFactory {
             providers.add(factory.createProvider(cls));
         }
         MultiplexProvider provider = new MultiplexProvider(cls, providers);
-        try {
-            provider.init();
-        } catch (Exception e) {
-            // Probably a permission problem (can't get declared members)
-            Logger.getAnonymousLogger().warning(
-                "Could not initialize tracing provider: " + e.getMessage());
-        }
+        provider.init();
         return provider.newProxyInstance();
     }
 }