changeset 1944:d5a1c012921d

Merge
author tbell
date Sun, 29 Nov 2009 15:24:32 -0800
parents 5f452be1691e a7d0572340fd
children de45eac5670e
files test/sun/tools/native2ascii/test2
diffstat 55 files changed, 1586 insertions(+), 317 deletions(-) [+]
--- a/src/share/classes/com/sun/jmx/mbeanserver/Introspector.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/com/sun/jmx/mbeanserver/Introspector.java	Sun Nov 29 15:24:32 2009 -0800
@@ -26,6 +26,7 @@
 package com.sun.jmx.mbeanserver;
 
 import java.lang.annotation.Annotation;
+import java.lang.ref.SoftReference;
 import java.lang.reflect.AnnotatedElement;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
@@ -33,8 +34,13 @@
 import java.lang.reflect.Proxy;
 import java.lang.reflect.UndeclaredThrowableException;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
+import java.util.LinkedList;
+import java.util.Locale;
 import java.util.Map;
+import java.util.WeakHashMap;
 
 import javax.management.Descriptor;
 import javax.management.DescriptorKey;
@@ -506,11 +512,25 @@
             } else {
                 // Java Beans introspection
                 //
-                BeanInfo bi = java.beans.Introspector.getBeanInfo(complex.getClass());
-                PropertyDescriptor[] pds = bi.getPropertyDescriptors();
-                for (PropertyDescriptor pd : pds)
-                    if (pd.getName().equals(element))
-                        return pd.getReadMethod().invoke(complex);
+                Class<?> clazz = complex.getClass();
+                Method readMethod = null;
+                if (BeansHelper.isAvailable()) {
+                    Object bi = BeansHelper.getBeanInfo(clazz);
+                    Object[] pds = BeansHelper.getPropertyDescriptors(bi);
+                    for (Object pd: pds) {
+                        if (BeansHelper.getPropertyName(pd).equals(element)) {
+                            readMethod = BeansHelper.getReadMethod(pd);
+                            break;
+                        }
+                    }
+                } else {
+                    // Java Beans not available so use simple introspection
+                    // to locate method
+                    readMethod = SimpleIntrospector.getReadMethod(clazz, element);
+                }
+                if (readMethod != null)
+                    return readMethod.invoke(complex);
+
                 throw new AttributeNotFoundException(
                     "Could not find the getter method for the property " +
                     element + " using the Java Beans introspector");
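Review bot: The `AttributeNotFoundException` message at the end of this hunk still ends with "using the Java Beans introspector", which is wrong when `BeansHelper.isAvailable()` is false and the lookup went through `SimpleIntrospector`. A neutral message such as `"Could not find the getter method for the property " + element` would stop the diagnostic from pointing at an introspector that was never consulted. The enclosing method starts and ends outside the hunk.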
@@ -524,4 +544,235 @@
                 new AttributeNotFoundException(e.getMessage()), e);
         }
     }
+
+    /**
+     * A simple introspector that uses reflection to analyze a class and
+     * identify its "getter" methods. This class is intended for use only when
+     * Java Beans is not present (which implies that there isn't explicit
+     * information about the bean available).
+     */
+    private static class SimpleIntrospector {
+        private SimpleIntrospector() { }
+
+        private static final String GET_METHOD_PREFIX = "get";
+        private static final String IS_METHOD_PREFIX = "is";
+
+        // cache to avoid repeated lookups
+        private static final Map<Class<?>,SoftReference<List<Method>>> cache =
+            Collections.synchronizedMap(
+                new WeakHashMap<Class<?>,SoftReference<List<Method>>> ());
+
+        /**
+         * Returns the list of methods cached for the given class, or {@code null}
+         * if not cached.
+         */
+        private static List<Method> getCachedMethods(Class<?> clazz) {
+            // return cached methods if possible
+            SoftReference<List<Method>> ref = cache.get(clazz);
+            if (ref != null) {
+                List<Method> cached = ref.get();
+                if (cached != null)
+                    return cached;
+            }
+            return null;
+        }
+
+        /**
+         * Returns {@code true} if the given method is a "getter" method (where
+         * "getter" method is a public method of the form getXXX or "boolean
+         * isXXX")
+         */
+        static boolean isReadMethod(Method method) {
+            // ignore static methods
+            int modifiers = method.getModifiers();
+            if (Modifier.isStatic(modifiers))
+                return false;
+
+            String name = method.getName();
+            Class<?>[] paramTypes = method.getParameterTypes();
+            int paramCount = paramTypes.length;
+
+            if (paramCount == 0 && name.length() > 2) {
+                // boolean isXXX()
+                if (name.startsWith(IS_METHOD_PREFIX))
+                    return (method.getReturnType() == boolean.class);
+                // getXXX()
+                if (name.length() > 3 && name.startsWith(GET_METHOD_PREFIX))
+                    return (method.getReturnType() != void.class);
+            }
+            return false;
+        }
+
+        /**
+         * Returns the list of "getter" methods for the given class. The list
+         * is ordered so that isXXX methods appear before getXXX methods - this
+         * is for compatability with the JavaBeans Introspector.
+         */
+        static List<Method> getReadMethods(Class<?> clazz) {
+            // return cached result if available
+            List<Method> cachedResult = getCachedMethods(clazz);
+            if (cachedResult != null)
+                return cachedResult;
+
+            // get list of public methods, filtering out methods that have
+            // been overridden to return a more specific type.
+            List<Method> methods =
+                StandardMBeanIntrospector.getInstance().getMethods(clazz);
+            methods = MBeanAnalyzer.eliminateCovariantMethods(methods);
+
+            // filter out the non-getter methods
+            List<Method> result = new LinkedList<Method>();
+            for (Method m: methods) {
+                if (isReadMethod(m)) {
+                    // favor isXXX over getXXX
+                    if (m.getName().startsWith(IS_METHOD_PREFIX)) {
+                        result.add(0, m);
+                    } else {
+                        result.add(m);
+                    }
+                }
+            }
+
+            // add result to cache
+            cache.put(clazz, new SoftReference<List<Method>>(result));
+
+            return result;
+        }
+
+        /**
+         * Returns the "getter" to read the given property from the given class or
+         * {@code null} if no method is found.
+         */
+        static Method getReadMethod(Class<?> clazz, String property) {
+            // first character in uppercase (compatability with JavaBeans)
+            property = property.substring(0, 1).toUpperCase(Locale.ENGLISH) +
+                property.substring(1);
+            String getMethod = GET_METHOD_PREFIX + property;
+            String isMethod = IS_METHOD_PREFIX + property;
+            for (Method m: getReadMethods(clazz)) {
+                String name = m.getName();
+                if (name.equals(isMethod) || name.equals(getMethod)) {
+                    return m;
+                }
+            }
+            return null;
+        }
+    }
+
+    /**
+     * A class that provides access to the JavaBeans Introspector and
+     * PropertyDescriptors without creating a static dependency on java.beans.
+     */
+    private static class BeansHelper {
+        private static final Class<?> introspectorClass =
+            getClass("java.beans.Introspector");
+        private static final Class<?> beanInfoClass =
+            (introspectorClass == null) ? null : getClass("java.beans.BeanInfo");
+        private static final Class<?> getPropertyDescriptorClass =
+            (beanInfoClass == null) ? null : getClass("java.beans.PropertyDescriptor");
+
+        private static final Method getBeanInfo =
+            getMethod(introspectorClass, "getBeanInfo", Class.class);
+        private static final Method getPropertyDescriptors =
+            getMethod(beanInfoClass, "getPropertyDescriptors");
+        private static final Method getPropertyName =
+            getMethod(getPropertyDescriptorClass, "getName");
+        private static final Method getReadMethod =
+            getMethod(getPropertyDescriptorClass, "getReadMethod");
+
+        private static Class<?> getClass(String name) {
+            try {
+                return Class.forName(name, true, null);
+            } catch (ClassNotFoundException e) {
+                return null;
+            }
+        }
+        private static Method getMethod(Class<?> clazz,
+                                        String name,
+                                        Class<?>... paramTypes)
+        {
+            if (clazz != null) {
+                try {
+                    return clazz.getMethod(name, paramTypes);
+                } catch (NoSuchMethodException e) {
+                    throw new AssertionError(e);
+                }
+            } else {
+                return null;
+            }
+        }
+
+        private BeansHelper() { }
+
+        /**
+         * Returns {@code true} if java.beans is available.
+         */
+        static boolean isAvailable() {
+            return introspectorClass != null;
+        }
+
+        /**
+         * Invokes java.beans.Introspector.getBeanInfo(Class)
+         */
+        static Object getBeanInfo(Class<?> clazz) throws Exception {
+            try {
+                return getBeanInfo.invoke(null, clazz);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof Exception)
+                    throw (Exception)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+
+        /**
+         * Invokes java.beans.BeanInfo.getPropertyDescriptors()
+         */
+        static Object[] getPropertyDescriptors(Object bi) {
+            try {
+                return (Object[])getPropertyDescriptors.invoke(bi);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+
+        /**
+         * Invokes java.beans.PropertyDescriptor.getName()
+         */
+        static String getPropertyName(Object pd) {
+            try {
+                return (String)getPropertyName.invoke(pd);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+
+        /**
+         * Invokes java.beans.PropertyDescriptor.getReadMethod()
+         */
+        static Method getReadMethod(Object pd) {
+            try {
+                return (Method)getReadMethod.invoke(pd);
+            } catch (InvocationTargetException e) {
+                Throwable cause = e.getCause();
+                if (cause instanceof RuntimeException)
+                    throw (RuntimeException)cause;
+                throw new AssertionError(e);
+            } catch (IllegalAccessException iae) {
+                throw new AssertionError(iae);
+            }
+        }
+    }
 }
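Review bot: `SimpleIntrospector.getReadMethod` calls `property.substring(0, 1)` with no check on the argument, so an empty property name raises `StringIndexOutOfBoundsException` instead of returning `null` as its Javadoc promises, whereas the JavaBeans path simply fails to match. A guard such as `if (property == null || property.isEmpty()) return null;` ahead of the capitalisation would keep the two paths consistent. Whether the caller's catch block, only partly visible above this hunk, would translate that exception is not clear from here. Separately, the `BeansHelper` field `getPropertyDescriptorClass` holds a `Class` rather than a getter and would read better as `propertyDescriptorClass`.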
--- a/src/share/classes/com/sun/jmx/mbeanserver/MBeanIntrospector.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/com/sun/jmx/mbeanserver/MBeanIntrospector.java	Sun Nov 29 15:24:32 2009 -0800
@@ -175,7 +175,7 @@
     /**
      * Get the methods to be analyzed to build the MBean interface.
      */
-    List<Method> getMethods(final Class<?> mbeanType) throws Exception {
+    List<Method> getMethods(final Class<?> mbeanType) {
         return Arrays.asList(mbeanType.getMethods());
     }
 
--- a/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java	Sun Nov 29 15:24:32 2009 -0800
@@ -99,4 +99,58 @@
      */
     public Object inquireSecContext(InquireType type)
             throws GSSException;
+
+    /**
+     * Requests that the delegation policy be respected. When a true value is
+     * requested, the underlying context would use the delegation policy
+     * defined by the environment as a hint to determine whether credentials
+     * delegation should be performed. This request can only be made on the
+     * context initiator's side and it has to be done prior to the first
+     * call to <code>initSecContext</code>.
+     * <p>
+     * When this flag is false, delegation will only be tried when the
+     * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+     * is true.
+     * <p>
+     * When this flag is true but the
+     * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+     * is false, delegation will be only tried if the delegation policy permits
+     * delegation.
+     * <p>
+     * When both this flag and the
+     * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
+     * are true, delegation will be always tried. However, if the delegation
+     * policy does not permit delegation, the value of
+     * {@link #getDelegPolicyState} will be false, even
+     * if delegation is performed successfully.
+     * <p>
+     * In any case, if the delegation is not successful, the value returned
+     * by {@link GSSContext#getCredDelegState()} is false, and the value
+     * returned by {@link #getDelegPolicyState()} is also false.
+     * <p>
+     * Not all mechanisms support delegation policy. Therefore, the
+     * application should check to see if the request was honored with the
+     * {@link #getDelegPolicyState() getDelegPolicyState} method. When
+     * delegation policy is not supported, <code>requestDelegPolicy</code>
+     * should return silently without throwing an exception.
+     * <p>
+     * Note: for the Kerberos 5 mechanism, the delegation policy is expressed
+     * through the OK-AS-DELEGATE flag in the service ticket. When it's true,
+     * the KDC permits delegation to the target server. In a cross-realm
+     * environment, in order for delegation be permitted, all cross-realm TGTs
+     * on the authentication path must also have the OK-AS-DELAGATE flags set.
+     * @param state true if the policy should be respected
+     * @throws GSSException containing the following
+     * major error codes:
+     *   {@link GSSException#FAILURE GSSException.FAILURE}
+     */
+    public void requestDelegPolicy(boolean state) throws GSSException;
+
+    /**
+     * Returns the delegation policy response. Called after a security context
+     * is established. This method can be only called on the initiator's side.
+     * See {@link ExtendedGSSContext#requestDelegPolicy}.
+     * @return the delegation policy response
+     */
+    public boolean getDelegPolicyState();
 }
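Review bot: The Kerberos note at the end of the `requestDelegPolicy` Javadoc misspells the flag as `OK-AS-DELAGATE` and drops a word in "in order for delegation be permitted". As this is public documentation for a security-relevant flag, it should read `OK-AS-DELEGATE` and "for delegation to be permitted". The `getDelegPolicyState` Javadoc also does not say what is returned when the method is called before the context is established or on the acceptor's side. One sentence stating that would help callers who check the state as the text above advises.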
--- a/src/share/classes/com/sun/tools/hat/internal/model/JavaStatic.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/com/sun/tools/hat/internal/model/JavaStatic.java	Sun Nov 29 15:24:32 2009 -0800
@@ -57,7 +57,10 @@
             id = ((JavaObjectRef)value).getId();
         }
         value = value.dereference(snapshot, field);
-        if (value.isHeapAllocated()) {
+        if (value.isHeapAllocated() &&
+            clazz.getLoader() == snapshot.getNullThing()) {
+            // static fields are only roots if they are in classes
+            //    loaded by the root classloader.
             JavaHeapObject ho = (JavaHeapObject) value;
             String s = "Static reference from " + clazz.getName()
                        + "." + field.getName();
--- a/src/share/classes/com/sun/tracing/ProviderFactory.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/com/sun/tracing/ProviderFactory.java	Sun Nov 29 15:24:32 2009 -0800
@@ -4,7 +4,10 @@
 import java.util.HashSet;
 import java.io.PrintStream;
 import java.lang.reflect.Field;
-import java.util.logging.Logger;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import sun.security.action.GetPropertyAction;
 
 import sun.tracing.NullProviderFactory;
 import sun.tracing.PrintStreamProviderFactory;
@@ -52,23 +55,17 @@
         HashSet<ProviderFactory> factories = new HashSet<ProviderFactory>();
 
         // Try to instantiate a DTraceProviderFactory
-        String prop = null;
-        try { prop = System.getProperty("com.sun.tracing.dtrace"); }
-        catch (java.security.AccessControlException e) {
-            Logger.getAnonymousLogger().fine(
-                "Cannot access property com.sun.tracing.dtrace");
-        }
+        String prop = AccessController.doPrivileged(
+            new GetPropertyAction("com.sun.tracing.dtrace"));
+
         if ( (prop == null || !prop.equals("disable")) &&
              DTraceProviderFactory.isSupported() ) {
             factories.add(new DTraceProviderFactory());
         }
 
         // Try to instantiate an output stream factory
-        try { prop = System.getProperty("sun.tracing.stream"); }
-        catch (java.security.AccessControlException e) {
-            Logger.getAnonymousLogger().fine(
-                "Cannot access property sun.tracing.stream");
-        }
+        prop = AccessController.doPrivileged(
+            new GetPropertyAction("sun.tracing.stream"));
         if (prop != null) {
             for (String spec : prop.split(",")) {
                 PrintStream ps = getPrintStreamFromSpec(spec);
@@ -89,22 +86,29 @@
         }
     }
 
-    private static PrintStream getPrintStreamFromSpec(String spec) {
+    private static PrintStream getPrintStreamFromSpec(final String spec) {
         try {
             // spec is in the form of <class>.<field>, where <class> is
             // a fully specified class name, and <field> is a static member
             // in that class.  The <field> must be a 'PrintStream' or subtype
             // in order to be used.
-            int fieldpos = spec.lastIndexOf('.');
-            Class<?> cls = Class.forName(spec.substring(0, fieldpos));
-            Field f = cls.getField(spec.substring(fieldpos + 1));
-            Class<?> fieldType = f.getType();
+            final int fieldpos = spec.lastIndexOf('.');
+            final Class<?> cls = Class.forName(spec.substring(0, fieldpos));
+
+            Field f = AccessController.doPrivileged(new PrivilegedExceptionAction<Field>() {
+                public Field run() throws NoSuchFieldException {
+                    return cls.getField(spec.substring(fieldpos + 1));
+                }
+            });
+
             return (PrintStream)f.get(null);
-        } catch (Exception e) {
-            Logger.getAnonymousLogger().warning(
-                "Could not parse sun.tracing.stream property: " + e);
+        } catch (ClassNotFoundException e) {
+            throw new AssertionError(e);
+        } catch (IllegalAccessException e) {
+            throw new AssertionError(e);
+        } catch (PrivilegedActionException e) {
+            throw new AssertionError(e);
         }
-        return null;
     }
 }
 
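Review bot: A malformed `sun.tracing.stream` entry now leaves `getPrintStreamFromSpec` as an unchecked exception, where the removed `catch (Exception e)` logged it and returned null. With no `.` in `spec`, `lastIndexOf` returns -1 and `spec.substring(0, fieldpos)` throws `StringIndexOutOfBoundsException`; a field of another type makes the `(PrintStream)` cast throw `ClassCastException`, and a non-static field makes `f.get(null)` throw `NullPointerException`. The in-code comment still says the field must be a `PrintStream`, but nothing enforces it, and a mistyped class name surfaces as `AssertionError`, which reads as an internal invariant failure rather than a configuration mistake. Checking `fieldpos > 0` and `PrintStream.class.isAssignableFrom(f.getType())` before the cast, and reporting a bad value with a message that names the property, would make the failure mode deliberate. How the caller treats the result is outside this hunk.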
--- a/src/share/classes/java/net/CookieManager.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/java/net/CookieManager.java	Sun Nov 29 15:24:32 2009 -0800
@@ -30,6 +30,7 @@
 import java.util.Collections;
 import java.util.Comparator;
 import java.io.IOException;
+import sun.util.logging.PlatformLogger;
 
 /**
  * CookieManager provides a concrete implementation of {@link CookieHandler},
@@ -263,6 +264,7 @@
         if (cookieJar == null)
             return;
 
+    PlatformLogger logger = PlatformLogger.getLogger("java.net.CookieManager");
         for (String headerKey : responseHeaders.keySet()) {
             // RFC 2965 3.2.2, key must be 'Set-Cookie2'
             // we also accept 'Set-Cookie' here for backward compatibility
@@ -277,7 +279,16 @@
 
             for (String headerValue : responseHeaders.get(headerKey)) {
                 try {
-                    List<HttpCookie> cookies = HttpCookie.parse(headerValue);
+                    List<HttpCookie> cookies;
+                    try {
+                        cookies = HttpCookie.parse(headerValue);
+                    } catch (IllegalArgumentException e) {
+                        // Bogus header, make an empty list and log the error
+                        cookies = java.util.Collections.EMPTY_LIST;
+                        if (logger.isLoggable(PlatformLogger.SEVERE)) {
+                            logger.severe("Invalid cookie for " + uri + ": " + headerValue);
+                        }
+                    }
                     for (HttpCookie cookie : cookies) {
                         if (cookie.getPath() == null) {
                             // If no path is specified, then by default
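Review bot: The new `logger.severe` call writes the whole rejected header value, together with `uri`, into the log. That value is chosen by the remote server and may carry session identifiers, so cookie contents end up in log files that are usually less protected than the cookie store, and any server can emit SEVERE records at will. Recording only that a cookie header from the given host was rejected, at a lower level, would keep the diagnostic without the cookie contents. Separately, `java.util.Collections.EMPTY_LIST` is a raw type; `cookies = Collections.<HttpCookie>emptyList();` avoids the unchecked assignment. The enclosing loop continues outside the hunk.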
--- a/src/share/classes/java/net/HttpCookie.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/java/net/HttpCookie.java	Sun Nov 29 15:24:32 2009 -0800
@@ -1036,7 +1036,7 @@
                         int version = Integer.parseInt(attrValue);
                         cookie.setVersion(version);
                     } catch (NumberFormatException ignored) {
-                        throw new IllegalArgumentException("Illegal cookie version attribute");
+                        // Just ignore bogus version, it will default to 0 or 1
                     }
                 }
             });
@@ -1147,12 +1147,15 @@
     }
 
     private static String stripOffSurroundingQuote(String str) {
-        if (str != null && str.length() > 0 &&
+        if (str != null && str.length() > 2 &&
             str.charAt(0) == '"' && str.charAt(str.length() - 1) == '"') {
             return str.substring(1, str.length() - 1);
-        } else {
-            return str;
         }
+        if (str != null && str.length() > 2 &&
+            str.charAt(0) == '\'' && str.charAt(str.length() - 1) == '\'') {
+            return str.substring(1, str.length() - 1);
+        }
+        return str;
     }
 
     private static boolean equalsIgnoreCase(String s, String t) {
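Review bot: The new bound `str.length() > 2` in `stripOffSurroundingQuote` skips the shortest quoted form: a value of exactly two quote characters (an empty quoted string) is now returned with its quotes intact, in both the double-quote and the single-quote branch. The old `> 0` bound failed on a lone quote character, where `substring(1, 0)` throws, so the bound that fixes that without losing the empty case is `str.length() >= 2`. The two branches also repeat the null and length tests; one guard up front, `if (str == null || str.length() < 2) return str;`, would make the pair easier to read.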
--- a/src/share/classes/javax/security/auth/Subject.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/javax/security/auth/Subject.java	Sun Nov 29 15:24:32 2009 -0800
@@ -40,7 +40,6 @@
 import java.security.PrivilegedActionException;
 import java.security.ProtectionDomain;
 import sun.security.util.ResourcesMgr;
-import sun.security.util.SecurityConstants;
 
 /**
  * <p> A <code>Subject</code> represents a grouping of related information
@@ -239,7 +238,7 @@
     public void setReadOnly() {
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new AuthPermission("setReadOnly"));
+            sm.checkPermission(AuthPermissionHolder.SET_READ_ONLY_PERMISSION);
         }
 
         this.readOnly = true;
@@ -285,7 +284,7 @@
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(new AuthPermission("getSubject"));
+            sm.checkPermission(AuthPermissionHolder.GET_SUBJECT_PERMISSION);
         }
 
         if (acc == null) {
@@ -343,7 +342,7 @@
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
         }
         if (action == null)
             throw new NullPointerException
@@ -402,7 +401,7 @@
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PERMISSION);
         }
 
         if (action == null)
@@ -456,7 +455,7 @@
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PRIVILEGED_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
         }
 
         if (action == null)
@@ -520,7 +519,7 @@
 
         java.lang.SecurityManager sm = System.getSecurityManager();
         if (sm != null) {
-            sm.checkPermission(SecurityConstants.DO_AS_PRIVILEGED_PERMISSION);
+            sm.checkPermission(AuthPermissionHolder.DO_AS_PRIVILEGED_PERMISSION);
         }
 
         if (action == null)
@@ -1044,16 +1043,13 @@
                     if (sm != null) {
                         switch (which) {
                         case Subject.PRINCIPAL_SET:
-                            sm.checkPermission(new AuthPermission
-                                        ("modifyPrincipals"));
+                            sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
                             break;
                         case Subject.PUB_CREDENTIAL_SET:
-                            sm.checkPermission(new AuthPermission
-                                        ("modifyPublicCredentials"));
+                            sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
                             break;
                         default:
-                            sm.checkPermission(new AuthPermission
-                                        ("modifyPrivateCredentials"));
+                            sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
                             break;
                         }
                     }
@@ -1073,16 +1069,13 @@
             if (sm != null) {
                 switch (which) {
                 case Subject.PRINCIPAL_SET:
-                    sm.checkPermission
-                        (new AuthPermission("modifyPrincipals"));
+                    sm.checkPermission(AuthPermissionHolder.MODIFY_PRINCIPALS_PERMISSION);
                     break;
                 case Subject.PUB_CREDENTIAL_SET:
-                    sm.checkPermission
-                        (new AuthPermission("modifyPublicCredentials"));
+                    sm.checkPermission(AuthPermissionHolder.MODIFY_PUBLIC_CREDENTIALS_PERMISSION);
                     break;
                 default:
-                    sm.checkPermission
-                        (new AuthPermission("modifyPrivateCredentials"));
+                    sm.checkPermission(AuthPermissionHolder.MODIFY_PRIVATE_CREDENTIALS_PERMISSION);
                     break;
                 }
             }
@@ -1405,4 +1398,27 @@
             return set.add(o);
         }
     }
+
+    static class AuthPermissionHolder {
+        static final AuthPermission DO_AS_PERMISSION =
+            new AuthPermission("doAs");
+
+        static final AuthPermission DO_AS_PRIVILEGED_PERMISSION =
+            new AuthPermission("doAsPrivileged");
+
+        static final AuthPermission SET_READ_ONLY_PERMISSION =
+            new AuthPermission("setReadOnly");
+
+        static final AuthPermission GET_SUBJECT_PERMISSION =
+            new AuthPermission("getSubject");
+
+        static final AuthPermission MODIFY_PRINCIPALS_PERMISSION =
+            new AuthPermission("modifyPrincipals");
+
+        static final AuthPermission MODIFY_PUBLIC_CREDENTIALS_PERMISSION =
+            new AuthPermission("modifyPublicCredentials");
+
+        static final AuthPermission MODIFY_PRIVATE_CREDENTIALS_PERMISSION =
+            new AuthPermission("modifyPrivateCredentials");
+    }
 }
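Review bot: `AuthPermissionHolder` has no comment explaining why the permissions live in a nested class. Presumably it is the lazy holder idiom, so the `AuthPermission` objects are created only when a security manager is installed and one of the checks actually runs; a short class comment saying so would stop a later cleanup from inlining the constants back into `Subject`. The class is also package-private and instantiable. Unless other classes in `javax.security.auth` use it (not visible here), declaring it `private static final class` with a private constructor would keep the constants out of reach of the rest of the package.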
--- a/src/share/classes/org/ietf/jgss/GSSContext.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/org/ietf/jgss/GSSContext.java	Sun Nov 29 15:24:32 2009 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright 2000-2001 Sun Microsystems, Inc.  All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -678,7 +678,7 @@
      * are not definitive then the method will attempt to treat all
      * available bytes as part of the token.<p>
      *
-     * Other than the possible blocking behaviour described above, this
+     * Other than the possible blocking behavior described above, this
      * method is equivalent to the byte array based {@link #unwrap(byte[],
      * int, int, MessageProp) unwrap} method.<p>
      *
@@ -826,7 +826,7 @@
      * are not definitive then the method will attempt to treat all
      * available bytes as part of the token.<p>
      *
-     * Other than the possible blocking behaviour described above, this
+     * Other than the possible blocking behavior described above, this
      * method is equivalent to the byte array based {@link #verifyMIC(byte[],
      * int, int, byte[], int, int, MessageProp) verifyMIC} method.<p>
      *
@@ -917,7 +917,7 @@
      * getMutualAuthState} method.<p>
      *
      * @param state a boolean value indicating whether mutual
-     * authentication shouls be used or not.
+     * authentication should be used or not.
      * @see #getMutualAuthState()
      *
      * @throws GSSException containing the following
@@ -928,7 +928,7 @@
 
     /**
      * Requests that replay detection be enabled for the
-     * per-message security services after context establishemnt. This
+     * per-message security services after context establishment. This
      * request can only be made on the context initiator's side and it has
      * to be done prior to the first call to
      * <code>initSecContext</code>. During context establishment replay
@@ -958,7 +958,7 @@
 
     /**
      * Requests that sequence checking be enabled for the
-     * per-message security services after context establishemnt. This
+     * per-message security services after context establishment. This
      * request can only be made on the context initiator's side and it has
      * to be done prior to the first call to
      * <code>initSecContext</code>. During context establishment sequence
--- a/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java	Sun Nov 29 15:24:32 2009 -0800
@@ -25,6 +25,7 @@
 
 package sun.net.www.protocol.http.spnego;
 
+import com.sun.security.jgss.ExtendedGSSContext;
 import java.io.IOException;
 
 import org.ietf.jgss.GSSContext;
@@ -100,15 +101,10 @@
                                         null,
                                         GSSContext.DEFAULT_LIFETIME);
 
-        // In order to support credential delegation in HTTP/SPNEGO,
-        // we always request it before initSecContext. The current
-        // implementation will check the OK-AS-DELEGATE flag inside
-        // the service ticket of the web server, and only enable
-        // delegation when this flag is set. This check is only
-        // performed when the GSS caller is CALLER_HTTP_NEGOTIATE,
-        // so all other normal GSS-API calls are not affected.
-
-        context.requestCredDeleg(true);
+        // Always respect delegation policy in HTTP/SPNEGO.
+        if (context instanceof ExtendedGSSContext) {
+            ((ExtendedGSSContext)context).requestDelegPolicy(true);
+        }
         oneToken = context.initSecContext(new byte[0], 0, 0);
     }
 
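Review bot: The `instanceof ExtendedGSSContext` test silently changes behaviour for any other `GSSContext` implementation: no delegation is requested at all, where the removed code called `requestCredDeleg(true)`. Not delegating is the safer default, but the one-line comment does not say it is intentional. Something like `// Contexts without delegation-policy support get no delegation request; never fall back to requestCredDeleg(true).` would record the decision. The removed comment also explained that the OK-AS-DELEGATE flag gates delegation, so the new comment could point to `ExtendedGSSContext.requestDelegPolicy` for that detail. The enclosing method starts outside the hunk.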
--- a/src/share/classes/sun/security/jgss/GSSContextImpl.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/jgss/GSSContextImpl.java	Sun Nov 29 15:24:32 2009 -0800
@@ -89,7 +89,8 @@
  */
 class GSSContextImpl implements ExtendedGSSContext {
 
-    private GSSManagerImpl gssManager = null;
+    private final GSSManagerImpl gssManager;
+    private final boolean initiator;
 
     // private flags for the context state
     private static final int PRE_INIT = 1;
@@ -99,14 +100,12 @@
 
     // instance variables
     private int currentState = PRE_INIT;
-    private boolean initiator;
 
     private GSSContextSpi mechCtxt = null;
     private Oid mechOid = null;
     private ObjectIdentifier objId = null;
 
     private GSSCredentialImpl myCred = null;
-    private GSSCredentialImpl delegCred = null;
 
     private GSSNameImpl srcName = null;
     private GSSNameImpl targName = null;
@@ -121,6 +120,7 @@
     private boolean reqSequenceDetState = true;
     private boolean reqCredDelegState = false;
     private boolean reqAnonState = false;
+    private boolean reqDelegPolicyState = false;
 
     /**
      * Creates a GSSContextImp on the context initiator's side.
@@ -221,6 +221,7 @@
                 mechCtxt.requestSequenceDet(reqSequenceDetState);
                 mechCtxt.requestAnonymity(reqAnonState);
                 mechCtxt.setChannelBinding(channelBindings);
+                mechCtxt.requestDelegPolicy(reqDelegPolicyState);
 
                 objId = new ObjectIdentifier(mechOid.toString());
 
@@ -465,42 +466,42 @@
     }
 
     public void requestMutualAuth(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqMutualAuthState = state;
     }
 
     public void requestReplayDet(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqReplayDetState = state;
     }
 
     public void requestSequenceDet(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqSequenceDetState = state;
     }
 
     public void requestCredDeleg(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqCredDelegState = state;
     }
 
     public void requestAnonymity(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqAnonState = state;
     }
 
     public void requestConf(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqConfState = state;
     }
 
     public void requestInteg(boolean state) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqIntegState = state;
     }
 
     public void requestLifetime(int lifetime) throws GSSException {
-        if (mechCtxt == null)
+        if (mechCtxt == null && initiator)
             reqLifetime = lifetime;
     }
 
@@ -630,6 +631,8 @@
         targName = null;
     }
 
+    // ExtendedGSSContext methods:
+
     @Override
     public Object inquireSecContext(InquireType type) throws GSSException {
         SecurityManager security = System.getSecurityManager();
@@ -641,4 +644,18 @@
         }
         return mechCtxt.inquireSecContext(type);
     }
+
+    @Override
+    public void requestDelegPolicy(boolean state) throws GSSException {
+        if (mechCtxt == null && initiator)
+            reqDelegPolicyState = state;
+    }
+
+    @Override
+    public boolean getDelegPolicyState() {
+        if (mechCtxt != null)
+            return mechCtxt.getDelegPolicyState();
+        else
+            return reqDelegPolicyState;
+    }
 }
--- a/src/share/classes/sun/security/jgss/krb5/InitialToken.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/jgss/krb5/InitialToken.java	Sun Nov 29 15:24:32 2009 -0800
@@ -85,32 +85,39 @@
             int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE +
                 CHECKSUM_FLAGS_SIZE;
 
+            if (!tgt.isForwardable()) {
+                context.setCredDelegState(false);
+                context.setDelegPolicyState(false);
+            } else if (context.getCredDelegState()) {
+                if (context.getDelegPolicyState()) {
+                    if (!serviceTicket.checkDelegate()) {
+                        // delegation not permitted by server policy, mark it
+                        context.setDelegPolicyState(false);
+                    }
+                }
+            } else if (context.getDelegPolicyState()) {
+                if (serviceTicket.checkDelegate()) {
+                    context.setCredDelegState(true);
+                } else {
+                    context.setDelegPolicyState(false);
+                }
+            }
+
             if (context.getCredDelegState()) {
-                if (context.getCaller() instanceof HttpCaller &&
-                        !serviceTicket.getFlags()[Krb5.TKT_OPTS_DELEGATE]) {
-                    // When the caller is HTTP/SPNEGO and OK-AS-DELEGATE
-                    // is not present in the service ticket, delegation
-                    // is disabled.
-                    context.setCredDelegState(false);
-                } else if (!tgt.isForwardable()) {
-                    // XXX log this resetting of delegation state
-                    context.setCredDelegState(false);
+                KrbCred krbCred = null;
+                CipherHelper cipherHelper =
+                    context.getCipherHelper(serviceTicket.getSessionKey());
+                if (useNullKey(cipherHelper)) {
+                    krbCred = new KrbCred(tgt, serviceTicket,
+                                              EncryptionKey.NULL_KEY);
                 } else {
-                    KrbCred krbCred = null;
-                    CipherHelper cipherHelper =
-                        context.getCipherHelper(serviceTicket.getSessionKey());
-                    if (useNullKey(cipherHelper)) {
-                        krbCred = new KrbCred(tgt, serviceTicket,
-                                                  EncryptionKey.NULL_KEY);
-                    } else {
-                        krbCred = new KrbCred(tgt, serviceTicket,
-                                        serviceTicket.getSessionKey());
-                    }
-                    krbCredMessage = krbCred.getMessage();
-                    size += CHECKSUM_DELEG_OPT_SIZE +
-                            CHECKSUM_DELEG_LGTH_SIZE +
-                            krbCredMessage.length;
+                    krbCred = new KrbCred(tgt, serviceTicket,
+                                    serviceTicket.getSessionKey());
                 }
+                krbCredMessage = krbCred.getMessage();
+                size += CHECKSUM_DELEG_OPT_SIZE +
+                        CHECKSUM_DELEG_LGTH_SIZE +
+                        krbCredMessage.length;
             }
 
             checksumBytes = new byte[size];
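Review bot: The decision block added at the top of the hunk has four outcomes but documents only one, and the security-relevant one is implicit: when the caller set `getCredDelegState()` itself, a service ticket that fails `checkDelegate()` only clears `delegPolicyState`, and the TGT is still forwarded in the `KrbCred` built below. A summary comment above `if (!tgt.isForwardable())` would make that explicit, for example `// explicit requestCredDeleg wins over policy; policy alone delegates only if checkDelegate() is true; a non-forwardable TGT disables both`. The removed code carried `// XXX log this resetting of delegation state`; the new non-forwardable branch still resets silently, so that reminder is dropped rather than resolved. The nested test in the second branch can be collapsed to `if (context.getDelegPolicyState() && !serviceTicket.checkDelegate())`. The enclosing method starts outside the hunk.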
@@ -296,6 +303,7 @@
             return delegCreds;
         }
 
+        // Only called by acceptor
         public void setContextFlags(Krb5Context context) {
                 // default for cred delegation is false
             if ((flags & CHECKSUM_DELEG_FLAG) > 0)
--- a/src/share/classes/sun/security/jgss/krb5/Krb5Context.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/jgss/krb5/Krb5Context.java	Sun Nov 29 15:24:32 2009 -0800
@@ -78,6 +78,7 @@
     private boolean sequenceDetState  = true;
     private boolean confState  = true;
     private boolean integState  = true;
+    private boolean delegPolicyState = false;
 
     private int mySeqNumber;
     private int peerSeqNumber;
@@ -299,6 +300,21 @@
         return sequenceDetState || replayDetState;
     }
 
+    /**
+     * Requests that the deleg policy be respected.
+     */
+    public final void requestDelegPolicy(boolean value) {
+        if (state == STATE_NEW && isInitiator())
+            delegPolicyState = value;
+    }
+
+    /**
+     * Is deleg policy respected?
+     */
+    public final boolean getDelegPolicyState() {
+        return delegPolicyState;
+    }
+
     /*
      * Anonymity is a little different in that after an application
      * requests anonymity it will want to know whether the mechanism
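Review bot: The Javadoc `Is deleg policy respected?` on `getDelegPolicyState` does not say that the value changes meaning during context establishment. Before the first token it is what the initiator asked for. InitialToken in this changeset then calls `setDelegPolicyState(false)` when the TGT is not forwardable or the service ticket fails `checkDelegate()`, so afterwards it reports whether policy-based delegation was actually permitted. I would state both phases in the Javadoc, and note on `requestDelegPolicy` that a call on an acceptor or after `STATE_NEW` is ignored.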
@@ -422,6 +438,10 @@
         integState = state;
     }
 
+    final void setDelegPolicyState(boolean state) {
+        delegPolicyState = state;
+    }
+
     /**
      * Sets the channel bindings to be used during context
      * establishment.
--- a/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java	Sun Nov 29 15:24:32 2009 -0800
@@ -124,6 +124,8 @@
 
     public void requestInteg(boolean state) throws GSSException;
 
+    public void requestDelegPolicy(boolean state) throws GSSException;
+
     public void setChannelBinding(ChannelBinding cb) throws GSSException;
 
     public boolean getCredDelegState();
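Review bot: `requestDelegPolicy` here and `getDelegPolicyState` in the next hunk are added to the SPI interface with no comment and no fallback for existing implementers. GSSContextImpl in this changeset calls `mechCtxt.requestDelegPolicy(reqDelegPolicyState)` unconditionally, so a mechanism built against the old interface would presumably fail with an AbstractMethodError at context setup; whether out-of-tree mechanisms are supported is not visible here. At minimum each method should carry a comment, such as `// Initiator only: delegate credentials only if the peer is marked as trusted for delegation` and `// Whether policy-based delegation was requested and, once established, permitted`.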
@@ -136,6 +138,8 @@
 
     public boolean getAnonymityState();
 
+    public boolean getDelegPolicyState();
+
     public boolean isTransferable() throws GSSException;
 
     public boolean isProtReady();
--- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java	Sun Nov 29 15:24:32 2009 -0800
@@ -63,6 +63,7 @@
     private boolean sequenceDetState = true;
     private boolean confState = true;
     private boolean integState = true;
+    private boolean delegPolicyState = false;
 
     private GSSNameSpi peerName = null;
     private GSSNameSpi myName = null;
@@ -154,6 +155,14 @@
     }
 
     /**
+     * Requests that deleg policy be respected.
+     */
+    public final void requestDelegPolicy(boolean value) throws GSSException {
+        if (state == STATE_NEW && isInitiator())
+            delegPolicyState = value;
+    }
+
+    /**
      * Is integrity available?
      */
     public final boolean getIntegState() {
@@ -161,6 +170,19 @@
     }
 
     /**
+     * Is deleg policy respected?
+     */
+    public final boolean getDelegPolicyState() {
+        if (isInitiator() && mechContext != null &&
+                mechContext instanceof ExtendedGSSContext &&
+                (state == STATE_IN_PROCESS || state == STATE_DONE)) {
+            return ((ExtendedGSSContext)mechContext).getDelegPolicyState();
+        } else {
+            return delegPolicyState;
+        }
+    }
+
+    /**
      * Requests that credential delegation be done during context
      * establishment.
      */
@@ -173,7 +195,7 @@
      * Is credential delegation enabled?
      */
     public final boolean getCredDelegState() {
-        if (mechContext != null &&
+        if (isInitiator() && mechContext != null &&
                 (state == STATE_IN_PROCESS || state == STATE_DONE)) {
             return mechContext.getCredDelegState();
         } else {
@@ -201,30 +223,6 @@
         return mutualAuthState;
     }
 
-    final void setCredDelegState(boolean state) {
-        credDelegState = state;
-    }
-
-    final void setMutualAuthState(boolean state) {
-        mutualAuthState = state;
-    }
-
-    final void setReplayDetState(boolean state) {
-        replayDetState = state;
-    }
-
-    final void setSequenceDetState(boolean state) {
-        sequenceDetState = state;
-    }
-
-    final void setConfState(boolean state) {
-        confState = state;
-    }
-
-    final void setIntegState(boolean state) {
-        integState = state;
-    }
-
     /**
      * Returns the mechanism oid.
      *
@@ -319,14 +317,9 @@
                 mechToken = GSS_initSecContext(null);
 
                 errorCode = GSSException.DEFECTIVE_TOKEN;
-                byte[] micToken = null;
-                if (!GSSUtil.useMSInterop()) {
-                    // calculate MIC only in normal mode
-                    micToken = generateMechListMIC(DER_mechTypes);
-                }
                 // generate SPNEGO token
                 initToken = new NegTokenInit(DER_mechTypes, getContextFlags(),
-                                        mechToken, micToken);
+                                        mechToken, null);
                 if (DEBUG) {
                     System.out.println("SpNegoContext.initSecContext: " +
                                 "sending token of type = " +
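Review bot: The literal `null` now passed as the last argument of `new NegTokenInit(...)` gives no hint that the mechListMIC is left out on purpose, and the same holds for `new NegTokenTarg(...)` in the next hunk. The removed code computed the MIC whenever MS interop mode was off, so after this change this side never contributes integrity protection for the negotiated mechanism list, which is a security-relevant decision a maintainer should be able to find. A comment at both call sites, for example `// mechListMIC intentionally not sent (reason: <bug id>)`, would record it. The enclosing method starts and ends outside the hunk.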
@@ -585,15 +578,9 @@
                                 "negotiated result = " + negoResult);
                 }
 
-                // calculate MIC only in normal mode
-                byte[] micToken = null;
-                if (!GSSUtil.useMSInterop() && valid) {
-                    micToken = generateMechListMIC(DER_mechTypes);
-                }
-
                 // generate SPNEGO token
                 NegTokenTarg targToken = new NegTokenTarg(negoResult.ordinal(),
-                                mech_wanted, accept_token, micToken);
+                                mech_wanted, accept_token, null);
                 if (DEBUG) {
                     System.out.println("SpNegoContext.acceptSecContext: " +
                                 "sending token of type = " +
@@ -653,6 +640,10 @@
             throw gssException;
         }
 
+        if (state == STATE_DONE) {
+            // now set the context flags for acceptor
+            setContextFlags();
+        }
         return retVal;
     }
 
@@ -703,36 +694,39 @@
         return out;
     }
 
+    // Only called on acceptor side. On the initiator side, most flags
+    // are already set at request. For those that might get chanegd,
+    // state from mech below is used.
     private void setContextFlags() {
 
         if (mechContext != null) {
             // default for cred delegation is false
             if (mechContext.getCredDelegState()) {
-                setCredDelegState(true);
+                credDelegState = true;
             }
             // default for the following are true
             if (!mechContext.getMutualAuthState()) {
-                setMutualAuthState(false);
+                mutualAuthState = false;
             }
             if (!mechContext.getReplayDetState()) {
-                setReplayDetState(false);
+                replayDetState = false;
             }
             if (!mechContext.getSequenceDetState()) {
-                setSequenceDetState(false);
+                sequenceDetState = false;
             }
             if (!mechContext.getIntegState()) {
-                setIntegState(false);
+                integState = false;
             }
             if (!mechContext.getConfState()) {
-                setConfState(false);
+                confState = false;
             }
         }
     }
 
     /**
-     * generate MIC on mechList
+     * generate MIC on mechList. Not used at the moment.
      */
-    private byte[] generateMechListMIC(byte[] mechTypes)
+    /*private byte[] generateMechListMIC(byte[] mechTypes)
         throws GSSException {
 
         // sanity check the required input
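Review bot: The new comment above `setContextFlags` misspells "changed" as `chanegd`, and `generateMechListMIC` is disabled by wrapping it in `/* ... */` (closed in the next hunk) instead of being deleted. Commented-out code in a security protocol implementation tends to go stale and is easy to mistake for live logic; version control already keeps the old body. I would delete the method and leave a one-line comment next to `verifyMechListMIC` such as `// MIC generation was removed; see the change history`.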
@@ -769,7 +763,7 @@
             }
         }
         return mic;
-    }
+    }*/
 
     /**
      * verify MIC on MechList
@@ -837,6 +831,10 @@
             mechContext.requestMutualAuth(mutualAuthState);
             mechContext.requestReplayDet(replayDetState);
             mechContext.requestSequenceDet(sequenceDetState);
+            if (mechContext instanceof ExtendedGSSContext) {
+                ((ExtendedGSSContext)mechContext).requestDelegPolicy(
+                        delegPolicyState);
+            }
         }
 
         // pass token
@@ -1202,5 +1200,5 @@
                     "inquireSecContext not supported by underlying mech.");
         }
     }
+}
 
-}
--- a/src/share/classes/sun/security/jgss/spnego/SpNegoMechFactory.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/jgss/spnego/SpNegoMechFactory.java	Sun Nov 29 15:24:32 2009 -0800
@@ -57,6 +57,12 @@
                         GSSName.NT_HOSTBASED_SERVICE,
                         GSSName.NT_EXPORT_NAME};
 
+    // The default underlying mech of SPNEGO, must not be SPNEGO itself.
+    private static final Oid DEFAULT_SPNEGO_MECH_OID =
+            ProviderList.DEFAULT_MECH_OID.equals(GSS_SPNEGO_MECH_OID)?
+                GSSUtil.GSS_KRB5_MECH_OID:
+                ProviderList.DEFAULT_MECH_OID;
+
     // Use an instance of a GSSManager whose provider list
     // does not include native provider
     final GSSManagerImpl manager;
@@ -100,18 +106,27 @@
                 availableMechs[j++] = mechs[i];
             }
         }
+        // Move the preferred mech to first place
+        for (int i=0; i<availableMechs.length; i++) {
+            if (availableMechs[i].equals(DEFAULT_SPNEGO_MECH_OID)) {
+                if (i != 0) {
+                    availableMechs[i] = availableMechs[0];
+                    availableMechs[0] = DEFAULT_SPNEGO_MECH_OID;
+                }
+                break;
+            }
+        }
     }
 
     public GSSNameSpi getNameElement(String nameStr, Oid nameType)
-        throws GSSException {
-        // get NameElement for the default Mechanism
-        return manager.getNameElement(nameStr, nameType, null);
+            throws GSSException {
+        return manager.getNameElement(
+                nameStr, nameType, DEFAULT_SPNEGO_MECH_OID);
     }
 
     public GSSNameSpi getNameElement(byte[] name, Oid nameType)
-        throws GSSException {
-        // get NameElement for the default Mechanism
-        return manager.getNameElement(name, nameType, null);
+            throws GSSException {
+        return manager.getNameElement(name, nameType, DEFAULT_SPNEGO_MECH_OID);
     }
 
     public GSSCredentialSpi getCredentialElement(GSSNameSpi name,
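Review bot: The loop that moves `DEFAULT_SPNEGO_MECH_OID` to the front swaps it with element 0, which pushes the previous first mechanism down to index `i` and so reorders the remaining entries. If the order of `availableMechs` expresses preference in the SPNEGO mechanism list (not visible in this hunk), a rotation keeps the rest intact: replace the two assignments with `System.arraycopy(availableMechs, 0, availableMechs, 1, i);` followed by `availableMechs[0] = DEFAULT_SPNEGO_MECH_OID;`. With that form the `if (i != 0)` test is no longer needed, because a zero-length copy does nothing.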
--- a/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java	Sun Nov 29 15:24:32 2009 -0800
@@ -549,6 +549,9 @@
     public void requestInteg(boolean state) throws GSSException {
         changeFlags(GSS_C_INTEG_FLAG, state);
     }
+    public void requestDelegPolicy(boolean state) throws GSSException {
+        // Not supported, ignore
+    }
     public void requestLifetime(int lifetime) throws GSSException {
         if (isInitiator && pContext == 0) {
             this.lifetime = lifetime;
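Review bot: `requestDelegPolicy` is a silent no-op here and `getDelegPolicyState` in the next hunk always returns false, so a caller that relies on policy-based delegation alone gets no delegation through this wrapper and no indication why. NegotiatorImpl in this changeset now calls only `requestDelegPolicy(true)`, so HTTP/SPNEGO over the native provider appears to lose delegation entirely; that fails closed, but it is a behaviour change worth stating. I would expand the comment to `// Delegation policy is not supported by the native wrapper: the request is ignored and getDelegPolicyState() reports false`.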
@@ -590,6 +593,9 @@
     public boolean getIntegState() {
         return checkFlags(GSS_C_INTEG_FLAG);
     }
+    public boolean getDelegPolicyState() {
+        return false;
+    }
     public int getLifetime() {
         return cStub.getContextTime(pContext);
     }
--- a/src/share/classes/sun/security/krb5/Credentials.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/krb5/Credentials.java	Sun Nov 29 15:24:32 2009 -0800
@@ -234,7 +234,19 @@
      * @return true if OK-AS_DELEGATE flag is set, otherwise, return false.
      */
     public boolean checkDelegate() {
-        return (flags.get(Krb5.TKT_OPTS_DELEGATE));
+        return flags.get(Krb5.TKT_OPTS_DELEGATE);
+    }
+
+    /**
+     * Reset TKT_OPTS_DELEGATE to false, called at credentials acquirement
+     * when one of the cross-realm TGTs does not have the OK-AS-DELEGATE
+     * flag set. This info must be preservable and restorable through
+     * the Krb5Util.credsToTicket/ticketToCreds() methods so that even if
+     * the service ticket is cached it still remembers the cross-realm
+     * authentication result.
+     */
+    public void resetDelegate() {
+        flags.set(Krb5.TKT_OPTS_DELEGATE, false);
     }
 
     public Credentials renew() throws KrbException, IOException {
--- a/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java	Sun Nov 29 15:24:32 2009 -0800
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright 2001-2004 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2001-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -117,6 +117,7 @@
 
         // Get a list of realms to traverse
         String[] realms = Realm.getRealmsList(localRealm, serviceRealm);
+        boolean okAsDelegate = true;
 
         if (realms == null || realms.length == 0)
         {
@@ -194,6 +195,15 @@
              */
 
             newTgtRealm = newTgt.getServer().getInstanceComponent();
+            if (okAsDelegate && !newTgt.checkDelegate()) {
+                if (DEBUG)
+                {
+                    System.out.println(">>> Credentials acquireServiceCreds: " +
+                            "global OK-AS-DELEGATE turned off at " +
+                            newTgt.getServer());
+                }
+                okAsDelegate = false;
+            }
 
             if (DEBUG)
             {
@@ -283,6 +293,9 @@
                 System.out.println(">>> Credentials acquireServiceCreds: returning creds:");
                 Credentials.printDebug(theCreds);
             }
+            if (!okAsDelegate) {
+                theCreds.resetDelegate();
+            }
             return theCreds;
         }
         throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED,
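Review bot: `theCreds.resetDelegate()` is applied only at this one return, so the cross-realm OK-AS-DELEGATE result is only as good as the guarantee that every path which traversed intermediate realms ends here. The method starts outside the hunk and the earlier hunks show only the traversal loop, so any other return that follows the loop should be checked for handing back credentials with the flag still set. A comment next to `boolean okAsDelegate = true;`, such as `// cleared as soon as any TGT on the cross-realm path lacks OK-AS-DELEGATE`, would also make the variable's role clear.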
--- a/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/provider/certpath/OCSPChecker.java	Sun Nov 29 15:24:32 2009 -0800
@@ -335,10 +335,13 @@
             response = OCSP.check(Collections.singletonList(certId), uri,
                 responderCert, pkixParams.getDate());
         } catch (Exception e) {
-            // Wrap all exceptions in CertPathValidatorException so that
-            // we can fallback to CRLs, if enabled.
-            throw new CertPathValidatorException
-                ("Unable to send OCSP request", e);
+            if (e instanceof CertPathValidatorException) {
+                throw (CertPathValidatorException) e;
+            } else {
+                // Wrap exceptions in CertPathValidatorException so that
+                // we can fallback to CRLs, if enabled.
+                throw new CertPathValidatorException(e);
+            }
         }
 
         RevocationStatus rs = (RevocationStatus) response.getSingleResponse(certId);
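Review bot: The `instanceof` test inside `catch (Exception e)` reads better as two catch clauses, and the rewrite also drops the "Unable to send OCSP request" message from the wrapped exception. With `new CertPathValidatorException(e)` the only text left is the cause's own string, which makes a failed revocation check harder to recognise in logs. I would write `} catch (CertPathValidatorException e) { throw e; }` followed by `} catch (Exception e) { throw new CertPathValidatorException("Unable to send OCSP request", e); }`. The enclosing method starts outside the hunk.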
--- a/src/share/classes/sun/security/util/SecurityConstants.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/util/SecurityConstants.java	Sun Nov 29 15:24:32 2009 -0800
@@ -33,7 +33,6 @@
 import java.security.BasicPermission;
 import java.security.SecurityPermission;
 import java.security.AllPermission;
-import javax.security.auth.AuthPermission;
 
 /**
  * Permission constants and string constants used to create permissions
@@ -259,12 +258,4 @@
     // java.lang.SecurityManager
     public static final SocketPermission LOCAL_LISTEN_PERMISSION =
         new SocketPermission("localhost:1024-", SOCKET_LISTEN_ACTION);
-
-    // javax.security.auth.Subject
-    public static final AuthPermission DO_AS_PERMISSION =
-        new AuthPermission("doAs");
-
-    // javax.security.auth.Subject
-    public static final AuthPermission DO_AS_PRIVILEGED_PERMISSION =
-        new AuthPermission("doAsPrivileged");
 }
--- a/src/share/classes/sun/security/validator/PKIXValidator.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java	Sun Nov 29 15:24:32 2009 -0800
@@ -150,9 +150,17 @@
                 ("null or zero-length certificate chain");
         }
         if (TRY_VALIDATOR) {
-            // check if chain contains trust anchor
+            // check that chain is in correct order and check if chain contains
+            // trust anchor
+            X500Principal prevIssuer = null;
             for (int i = 0; i < chain.length; i++) {
-                if (trustedCerts.contains(chain[i])) {
+                X509Certificate cert = chain[i];
+                if (i != 0 &&
+                    !cert.getSubjectX500Principal().equals(prevIssuer)) {
+                    // chain is not ordered correctly, call builder instead
+                    return doBuild(chain, otherCerts);
+                }
+                if (trustedCerts.contains(cert)) {
                     if (i == 0) {
                         return new X509Certificate[] {chain[0]};
                     }
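Review bot: The ordering test compares only `getSubjectX500Principal()` with the previous certificate's `getIssuerX500Principal()`, so it establishes name chaining and nothing more, while the comment `check that chain is in correct order` can be read as a stronger guarantee. Signature and validity checks are presumably left to `doValidate` and `doBuild`, which are outside this hunk. I would add `// names only; cryptographic checks happen in doValidate/doBuild` above the `if (i != 0 && ...)` test so nobody later treats a chain that passes this loop as verified. The loop body continues in the next hunk.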
@@ -161,6 +169,7 @@
                     System.arraycopy(chain, 0, newChain, 0, i);
                     return doValidate(newChain);
                 }
+                prevIssuer = cert.getIssuerX500Principal();
             }
 
             // apparently issued by trust anchor?
@@ -303,5 +312,4 @@
                 ("PKIX path building failed: " + e.toString(), e);
         }
     }
-
 }
--- a/src/share/classes/sun/tracing/MultiplexProviderFactory.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/tracing/MultiplexProviderFactory.java	Sun Nov 29 15:24:32 2009 -0800
@@ -30,7 +30,6 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Set;
-import java.util.logging.Logger;
 
 import com.sun.tracing.ProviderFactory;
 import com.sun.tracing.Provider;
@@ -65,13 +64,7 @@
             providers.add(factory.createProvider(cls));
         }
         MultiplexProvider provider = new MultiplexProvider(cls, providers);
-        try {
-            provider.init();
-        } catch (Exception e) {
-            // Probably a permission problem (can't get declared members)
-            Logger.getAnonymousLogger().warning(
-                "Could not initialize tracing provider: " + e.getMessage());
-        }
+        provider.init();
         return provider.newProxyInstance();
     }
 }
--- a/src/share/classes/sun/tracing/NullProviderFactory.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/tracing/NullProviderFactory.java	Sun Nov 29 15:24:32 2009 -0800
@@ -26,7 +26,6 @@
 package sun.tracing;
 
 import java.lang.reflect.Method;
-import java.util.logging.Logger;
 
 import com.sun.tracing.ProviderFactory;
 import com.sun.tracing.Provider;
@@ -53,13 +52,7 @@
      */
     public <T extends Provider> T createProvider(Class<T> cls) {
         NullProvider provider = new NullProvider(cls);
-        try {
-            provider.init();
-        } catch (Exception e) {
-            // Probably a permission problem (can't get declared members)
-            Logger.getAnonymousLogger().warning(
-                "Could not initialize tracing provider: " + e.getMessage());
-        }
+        provider.init();
         return provider.newProxyInstance();
     }
 }
--- a/src/share/classes/sun/tracing/PrintStreamProviderFactory.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/tracing/PrintStreamProviderFactory.java	Sun Nov 29 15:24:32 2009 -0800
@@ -28,7 +28,6 @@
 import java.lang.reflect.Method;
 import java.io.PrintStream;
 import java.util.HashMap;
-import java.util.logging.Logger;
 
 import com.sun.tracing.ProviderFactory;
 import com.sun.tracing.Provider;
@@ -54,13 +53,7 @@
 
     public <T extends Provider> T createProvider(Class<T> cls) {
         PrintStreamProvider provider = new PrintStreamProvider(cls, stream);
-        try {
-            provider.init();
-        } catch (Exception e) {
-            // Probably a permission problem (can't get declared members)
-            Logger.getAnonymousLogger().warning(
-                "Could not initialize tracing provider: " + e.getMessage());
-        }
+        provider.init();
         return provider.newProxyInstance();
     }
 }
--- a/src/share/classes/sun/tracing/ProviderSkeleton.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/tracing/ProviderSkeleton.java	Sun Nov 29 15:24:32 2009 -0800
@@ -32,6 +32,8 @@
 import java.lang.reflect.AnnotatedElement;
 import java.lang.annotation.Annotation;
 import java.util.HashMap;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import com.sun.tracing.Provider;
 import com.sun.tracing.Probe;
@@ -99,7 +101,13 @@
      * It is up to the factory implementations to call this after construction.
      */
     public void init() {
-        for (Method m : providerType.getDeclaredMethods()) {
+        Method[] methods = AccessController.doPrivileged(new PrivilegedAction<Method[]>() {
+            public Method[] run() {
+                return providerType.getDeclaredMethods();
+            }
+        });
+
+        for (Method m : methods) {
             if ( m.getReturnType() != Void.TYPE ) {
                 throw new IllegalArgumentException(
                    "Return value of method is not void");
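Review bot: The `AccessController.doPrivileged` block runs `getDeclaredMethods()` on `providerType`, which is presumably the class handed to the factory's `createProvider`, and nothing explains why doing that with the JDK's privileges is safe. The block is kept narrow, which is good, but the `Method[]` it returns must stay inside `init()` and never be returned or stored where the less-privileged caller can reach it; the rest of the loop is outside the hunk, so that should be confirmed. A comment above the block, for example `// privileged only to enumerate the provider interface's methods; the Method objects must not escape to the caller`, would record the invariant.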
--- a/src/share/classes/sun/tracing/dtrace/DTraceProviderFactory.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/src/share/classes/sun/tracing/dtrace/DTraceProviderFactory.java	Sun Nov 29 15:24:32 2009 -0800
@@ -29,7 +29,6 @@
 import java.util.Set;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.logging.Logger;
 import java.security.Permission;
 
 import com.sun.tracing.ProviderFactory;
@@ -80,15 +79,8 @@
         DTraceProvider jsdt = new DTraceProvider(cls);
         T proxy = jsdt.newProxyInstance();
         jsdt.setProxy(proxy);
-        try {
-            jsdt.init();
-            new Activation(jsdt.getModuleName(), new DTraceProvider[] { jsdt });
-        } catch (Exception e) {
-            // Probably a permission problem (can't get declared members)
-            Logger.getAnonymousLogger().warning(
-                "Could not initialize tracing provider: " + e.getMessage());
-            jsdt.dispose();
-        }
+        jsdt.init();
+        new Activation(jsdt.getModuleName(), new DTraceProvider[] { jsdt });
         return proxy;
     }
 
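Review bot: Removing the `catch` also removes the `jsdt.dispose()` call, so if `jsdt.init()` or the `Activation` constructor throws, the half-built provider is no longer disposed. Letting the exception reach the caller is an improvement over logging and returning a broken proxy, but the cleanup should stay; what `dispose()` releases is not visible in this hunk. I would keep a narrow try that disposes and rethrows. The enclosing method starts outside the hunk.
```java
        jsdt.setProxy(proxy);
        try {
            jsdt.init();
            new Activation(jsdt.getModuleName(), new DTraceProvider[] { jsdt });
        } catch (RuntimeException e) {
            // Release the provider before propagating the failure.
            jsdt.dispose();
            throw e;
        }
        // … unchanged: return proxy …
```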
--- a/test/Makefile	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/Makefile	Sun Nov 29 15:24:32 2009 -0800
@@ -337,9 +337,11 @@
 # jtreg tests
 
 # Expect JT_HOME to be set for jtreg tests. (home for jtreg)
-JT_HOME = $(SLASH_JAVA)/re/jtreg/4.0/promoted/latest/binaries/jtreg
-ifdef JPRT_JTREG_HOME
-  JT_HOME = $(JPRT_JTREG_HOME)
+ifndef JT_HOME
+  JT_HOME = $(SLASH_JAVA)/re/jtreg/4.0/promoted/latest/binaries/jtreg
+  ifdef JPRT_JTREG_HOME
+    JT_HOME = $(JPRT_JTREG_HOME)
+  endif
 endif
 
 # Expect JPRT to set TESTDIRS to the jtreg test dirs
@@ -361,21 +363,22 @@
 
 # Some tests annoy me and fail frequently
 PROBLEM_LIST=ProblemList.txt
+PROBLEM_LISTS=$(PROBLEM_LIST) $(wildcard closed/$(PROBLEM_LIST))
 EXCLUDELIST=$(ABS_TEST_OUTPUT_DIR)/excludelist.txt
 
 # Create exclude list for this platform and arch
 ifdef NO_EXCLUDES
-$(EXCLUDELIST): $(PROBLEM_LIST) $(TESTDIRS)
+$(EXCLUDELIST): $(PROBLEM_LISTS) $(TESTDIRS)
 	@$(ECHO) "NOTHING_EXCLUDED" > $@
 else
-$(EXCLUDELIST): $(PROBLEM_LIST) $(TESTDIRS)
+$(EXCLUDELIST): $(PROBLEM_LISTS) $(TESTDIRS)
 	@$(RM) $@ $@.temp1 $@.temp2
-	@( ( $(EGREP) -- '$(OS_NAME)-all'           $< ) ;\
-	   ( $(EGREP) -- '$(OS_NAME)-$(OS_ARCH)'    $< ) ;\
-	   ( $(EGREP) -- '$(OS_NAME)-$(OS_VERSION)' $< ) ;\
-	   ( $(EGREP) -- 'generic-$(OS_ARCH)'       $< ) ;\
-           ( $(EGREP) -- 'generic-all'              $< ) ;\
-           ( $(ECHO) "#") ;\
+	@(($(CAT) $(PROBLEM_LISTS) | $(EGREP) -- '$(OS_NAME)-all'          ) ;\
+	  ($(CAT) $(PROBLEM_LISTS) | $(EGREP) -- '$(OS_NAME)-$(OS_ARCH)'   ) ;\
+	  ($(CAT) $(PROBLEM_LISTS) | $(EGREP) -- '$(OS_NAME)-$(OS_VERSION)') ;\
+	  ($(CAT) $(PROBLEM_LISTS) | $(EGREP) -- 'generic-$(OS_ARCH)'      ) ;\
+          ($(CAT) $(PROBLEM_LISTS) | $(EGREP) -- 'generic-all'             ) ;\
+          ($(ECHO) "#") ;\
         ) | $(SED) -e 's@^[\ ]*@@' \
           | $(EGREP) -v '^#' > $@.temp1
 	@for tdir in $(TESTDIRS) ; do \
@@ -386,14 +389,18 @@
 	@$(ECHO) "Excluding list contains `$(EXPAND) $@ | $(WC) -l` items"
 endif
 
+# Select list of directories that exist
+define TestDirs
+$(foreach i,$1,$(wildcard ${i})) $(foreach i,$1,$(wildcard closed/${i}))
+endef
 # Running batches of tests with or without samevm
 define RunSamevmBatch
-$(ECHO) "Running tests in samevm mode: $?"
-$(MAKE) TESTDIRS="$?" USE_JTREG_SAMEVM=true  UNIQUE_DIR=$@ jtreg_tests
+$(ECHO) "Running tests in samevm mode: $(call TestDirs, $?)"
+$(MAKE) TESTDIRS="$(call TestDirs, $?)" USE_JTREG_SAMEVM=true  UNIQUE_DIR=$@ jtreg_tests
 endef
 define RunOthervmBatch
-$(ECHO) "Running tests in othervm mode: $?"
-$(MAKE) TESTDIRS="$?" USE_JTREG_SAMEVM=false UNIQUE_DIR=$@ jtreg_tests
+$(ECHO) "Running tests in othervm mode: $(call TestDirs, $?)"
+$(MAKE) TESTDIRS="$(call TestDirs, $?)" USE_JTREG_SAMEVM=false UNIQUE_DIR=$@ jtreg_tests
 endef
 define SummaryInfo
 $(ECHO) "Summary for: $?"
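Review bot: `TestDirs` can expand to nothing when none of the prerequisite directories or their `closed/` counterparts exist, and `RunSamevmBatch` and `RunOthervmBatch` then invoke `jtreg_tests` with `TESTDIRS=""`. What `jtreg_tests` does with an empty list is not visible here, so a guard or at least a comment on the define would help. The existing one-line comment also does not mention the `closed/` lookup; something like `# Keeps only directories that exist, in the open tree and under closed/; the result may be empty.` would describe it.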
@@ -428,6 +435,9 @@
 jdk_beans3: java/beans/XMLEncoder
 	$(call RunOthervmBatch)
 
+jdk_beans: jdk_beans1 jdk_beans2 jdk_beans3
+	@$(SummaryInfo)
+
 # Stable samevm testruns (minus items from PROBLEM_LIST)
 JDK_ALL_TARGETS += jdk_io
 jdk_io: java/io
@@ -450,6 +460,9 @@
 jdk_management2: com/sun/jmx com/sun/management sun/management
 	$(call RunOthervmBatch)
 
+jdk_management: jdk_management1 jdk_management2
+	@$(SummaryInfo)
+
 # Stable samevm testruns (minus items from PROBLEM_LIST)
 JDK_ALL_TARGETS += jdk_math
 jdk_math: java/math
@@ -482,6 +495,9 @@
 jdk_nio3: com/sun/nio sun/nio
 	$(call RunOthervmBatch)
 
+jdk_nio: jdk_nio1 jdk_nio2 jdk_nio3
+	@$(SummaryInfo)
+
 # Stable othervm testruns (minus items from PROBLEM_LIST)
 #   Using samevm has serious problems with these tests
 JDK_ALL_TARGETS += jdk_rmi
@@ -502,6 +518,9 @@
 jdk_security3: com/sun/security lib/security javax/security sun/security
 	$(call RunOthervmBatch)
 
+jdk_security: jdk_security1 jdk_security2 jdk_security3
+	@$(SummaryInfo)
+
 # Stable othervm testruns (minus items from PROBLEM_LIST)
 #   Using samevm has problems, and doesn't help performance as much as others.
 JDK_ALL_TARGETS += jdk_swing
@@ -517,11 +536,14 @@
 #   Using samevm has serious problems with these tests
 JDK_ALL_TARGETS += jdk_tools1
 jdk_tools1: com/sun/jdi
-	$(call RunOthervmBatch)
+	$(call RunSamevmBatch)
 JDK_ALL_TARGETS += jdk_tools2
 jdk_tools2: com/sun/tools sun/jvmstat sun/tools tools vm com/sun/servicetag com/sun/tracing
 	$(call RunOthervmBatch)
 
+jdk_tools: jdk_tools1 jdk_tools2
+	@$(SummaryInfo)
+
 # Stable samevm testruns (minus items from PROBLEM_LIST)
 JDK_ALL_TARGETS += jdk_util
 jdk_util: java/util sun/util
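Review bot: `jdk_tools1` now uses `RunSamevmBatch`, but the context comment directly above it still says `Using samevm has serious problems with these tests`, so the comment and the recipe contradict each other. The same changeset tags individual com/sun/jdi tests with `main/othervm`, which suggests the intent is samevm by default with per-test opt-outs. A comment on the target such as `# com/sun/jdi runs in samevm; tests that need their own VM are tagged main/othervm` would record that.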
--- a/test/ProblemList.txt	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/ProblemList.txt	Sun Nov 29 15:24:32 2009 -0800
@@ -344,6 +344,9 @@
 # Some of these tests (like java/lang/management) may just need to be marked
 #   othervm, but that is partially speculation.
 
+# Samevm failure on OpenSolaris, security manager?
+java/lang/ClassLoader/UninitializedParent.java			generic-all
+
 # Times out on solaris 10 sparc
 java/lang/ClassLoader/Assert.java				generic-all
 
@@ -538,6 +541,18 @@
 # Missing close on file wbmp*, windows samevm
 javax/imageio/plugins/wbmp/CanDecodeTest.java			generic-all
 
+# Failures on OpenSolaris, cannot read input files? samevm issues?
+javax/imageio/metadata/BooleanAttributes.java			generic-all
+javax/imageio/plugins/bmp/BMPSubsamplingTest.java		generic-all
+javax/imageio/plugins/bmp/TopDownTest.java			generic-all
+javax/imageio/plugins/gif/EncodeSubImageTest.java		generic-all
+javax/imageio/plugins/gif/GifTransparencyTest.java		generic-all
+javax/imageio/plugins/png/GrayPngTest.java			generic-all
+javax/imageio/plugins/png/ItxtUtf8Test.java			generic-all
+javax/imageio/plugins/png/MergeStdCommentTest.java		generic-all
+javax/imageio/plugins/png/ShortHistogramTest.java		generic-all
+javax/imageio/plugins/shared/BitDepth.java			generic-all
+
 # Exclude all javax/print tests, even if they passed, they may need samevm work
 
 # Times out on solaris-sparc, sparcv9, x64 -server, some on i586 -client
@@ -1073,9 +1088,6 @@
 #  So most if not all tools tests are now being run with "othervm" mode.
 #  Some of these tools tests have a tendency to use fixed ports, bad idea.
 
-# Solaris 10 client x86, java.lang.IndexOutOfBoundsException resumer Interrupted
-com/sun/jdi/SimulResumerTest.java				generic-all
-
 # Output of jps differs from expected output.
 #   Invalid argument count on solaris-sparc and x64
 sun/tools/jstatd/jstatdPort.sh					generic-all
@@ -1090,9 +1102,6 @@
 # Server name error, port 2098 problem?
 sun/tools/jstatd/jstatdServerName.sh				generic-all
 
-# Solaris, handshake failed, othervm mode
-com/sun/jdi/RedefineException.sh				generic-all
-
 # These tests fail on solaris sparc, all the time
 com/sun/servicetag/DeleteServiceTag.java			generic-all
 com/sun/servicetag/DuplicateNotFound.java			generic-all
@@ -1117,9 +1126,6 @@
 # Unexpected Monitor Exception, solaris sparc -client
 sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.sh	generic-all
 
-# Probably should be samevm, but seem to cause errors even in othervm at times
-sun/tools/jhat/HatHeapDump1Test.java			 	generic-all
-
 # Problems on windows, jmap.exe hangs? (these run jmap)
 sun/tools/jmap/Basic.sh						windows-all
 
@@ -1129,9 +1135,6 @@
 # Solaris sparcv9, jps output does not match, x64 different
 sun/tools/jstatd/jstatdExternalRegistry.sh		 	solaris-all
 
-# Probably should be samevm, but seem to cause errors even in othervm at times
-sun/tools/native2ascii/NativeErrors.java		 	generic-all
-
 # Solaris 10 sparc 32bit -client, java.lang.AssertionError: Some tests failed
 tools/jar/JarEntryTime.java					generic-all
 
--- a/test/com/sun/jdi/BadHandshakeTest.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/BadHandshakeTest.java	Sun Nov 29 15:24:32 2009 -0800
@@ -112,6 +112,8 @@
         String arch = System.getProperty("os.arch");
         if (arch.equals("sparcv9")) {
             exe += "sparcv9/java";
+        } else if (arch.equals("amd64")) {
+            exe += "amd64/java";
         } else {
             exe += "java";
         }
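Review bot: The new `amd64` branch is taken on every platform whose `os.arch` is `amd64`, not only on one that ships a separate `amd64/java` launcher. On a 64-bit Linux JDK, where the launcher is normally plain `bin/java`, `exe` would then name a file that does not exist; how `exe` is initialised is outside the hunk, so this is inferred from the `sparcv9/java` pattern. Checking the OS as well would avoid it: `} else if (arch.equals("amd64") && System.getProperty("os.name").equals("SunOS")) {`. The same branch is added in DoubleAgentTest, ExclusiveBind, RunToExit and SimpleLaunchingConnector.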
--- a/test/com/sun/jdi/DoubleAgentTest.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/DoubleAgentTest.java	Sun Nov 29 15:24:32 2009 -0800
@@ -94,6 +94,8 @@
         String arch = System.getProperty("os.arch");
         if (arch.equals("sparcv9")) {
             exe += "sparcv9/java";
+        } else if (arch.equals("amd64")) {
+            exe += "amd64/java";
         } else {
             exe += "java";
         }
--- a/test/com/sun/jdi/ExclusiveBind.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/ExclusiveBind.java	Sun Nov 29 15:24:32 2009 -0800
@@ -101,6 +101,8 @@
         String arch = System.getProperty("os.arch");
         if (arch.equals("sparcv9")) {
             exe += "sparcv9/java";
+        } else if (arch.equals("amd64")) {
+            exe += "amd64/java";
         } else {
             exe += "java";
         }
--- a/test/com/sun/jdi/JITDebug.sh	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/JITDebug.sh	Sun Nov 29 15:24:32 2009 -0800
@@ -103,10 +103,10 @@
    #if running standalone (no test harness of any kind), compile the
    #support files and the test case
    ${TESTJAVA}/bin/javac -d ${TESTCLASSES} \
-            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}." \
+            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}${TESTSRC}" \
             TestScaffold.java VMConnection.java TargetListener.java TargetAdapter.java
    ${TESTJAVA}/bin/javac  -d ${TESTCLASSES} \
-            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}." -g \
+            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}${TESTSRC}" -g \
             JITDebug.java
 fi
 echo "JDK under test is: $TESTJAVA"
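Review bot: Only the classpath moves from `.` to `${TESTSRC}`; the source files on the following lines (`TestScaffold.java ...`, `JITDebug.java`) are still named relative to the current directory, so the standalone compile works only when started from the source directory. If TESTSRC can be unset in standalone mode, the classpath also ends in an empty entry after `${PATHSEP}`, which may be resolved as the current directory (verify). Naming the sources as `${TESTSRC}/JITDebug.java` and so on would make the two consistent. The same applies to the matching hunk in Solaris32AndSolaris64Test.sh.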
--- a/test/com/sun/jdi/RepStep.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/RepStep.java	Sun Nov 29 15:24:32 2009 -0800
@@ -29,7 +29,7 @@
  *  @run compile -g RepStepTarg.java
  *  @run build VMConnection RepStep
  *
- *  @run main RepStep
+ *  @run main/othervm RepStep
  *
  * @summary RepStep detects missed step events due to lack of
  * frame pop events (in back-end).
--- a/test/com/sun/jdi/RunToExit.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/RunToExit.java	Sun Nov 29 15:24:32 2009 -0800
@@ -26,7 +26,7 @@
  * @summary Test that with server=y, when VM runs to System.exit() no error happens
  *
  * @build VMConnection RunToExit Exit0
- * @run main RunToExit
+ * @run main/othervm RunToExit
  */
 import java.io.InputStream;
 import java.io.IOException;
@@ -117,6 +117,8 @@
         String arch = System.getProperty("os.arch");
         if (arch.equals("sparcv9")) {
             exe += "sparcv9/java";
+        } else if (arch.equals("amd64")) {
+            exe += "amd64/java";
         } else {
             exe += "java";
         }
--- a/test/com/sun/jdi/ShellScaffold.sh	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/ShellScaffold.sh	Sun Nov 29 15:24:32 2009 -0800
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 #
-# Copyright 2002-2005 Sun Microsystems, Inc.  All Rights Reserved.
+# Copyright 2002-2009 Sun Microsystems, Inc.  All Rights Reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -194,7 +194,7 @@
     # Return 0 if $1 is the pid of a running process.
     if [ -z "$isWin98" ] ; then
         if [ "$osname" = SunOS ] ; then
-            #Solaris and OpenSolaris use pgrep and not ps in psCmd
+            # Solaris and OpenSolaris use pgrep and not ps in psCmd
             findPidCmd="$psCmd"
         else
             #   Never use plain 'ps', which requires a "controlling terminal"
@@ -298,15 +298,15 @@
          # On linux, core files take a long time, and can leave
          # zombie processes
          if [ "$osname" = SunOS ] ; then
-             #Experiments show Solaris '/usr/ucb/ps -axwww' and
-             #'/usr/bin/pgrep -f -l' provide the same small amount of the
-             #argv string (PRARGSZ=80 in /usr/include/sys/procfs.h)
-             # 1) This seems to have been working OK in ShellScaffold.
-             # 2) OpenSolaris does not provide /usr/ucb/ps, so use pgrep
-             #    instead
-             #The alternative would be to use /usr/bin/pargs [pid] to get
-             #all the args for a process, splice them back into one
-             #long string, then grep.
+             # Experiments show Solaris '/usr/ucb/ps -axwww' and
+             # '/usr/bin/pgrep -f -l' provide the same small amount of the
+             # argv string (PRARGSZ=80 in /usr/include/sys/procfs.h)
+             #  1) This seems to have been working OK in ShellScaffold.
+             #  2) OpenSolaris does not provide /usr/ucb/ps, so use pgrep
+             #     instead
+             # The alternative would be to use /usr/bin/pargs [pid] to get
+             # all the args for a process, splice them back into one
+             # long string, then grep.
              UU=`/usr/xpg4/bin/id -u -n`
              psCmd="pgrep -f -l -U $UU"
          else
@@ -519,7 +519,7 @@
         # if jdb got a cont cmd that caused the debuggee
         # to run to completion, jdb can be gone before
         # we get here.
-        echo quit >& 2
+        echo "--Sending cmd: quit" >& 2
         echo quit
         # See 6562090. Maybe there is a way that the exit
         # can cause jdb to not get the quit.
@@ -531,7 +531,7 @@
     # because after starting jdb, we waited 
     # for the prompt.
     fileSize=`wc -c $jdbOutFile | awk '{ print $1 }'`
-    echo $* >&2
+    echo "--Sending cmd: " $* >&2
 
     # jjh: We have a few intermittent failures here.
     # It is as if every so often, jdb doesn't
@@ -558,12 +558,85 @@
     # seen the ].  
     echo $*
 
-    # wait for jdb output to appear
+    # Now we have to wait for the next jdb prompt.  We wait for a pattern
+    # to appear in the last line of jdb output.  Normally, the prompt is
+    #
+    # 1) ^main[89] @
+    #
+    # where ^ means start of line, and @ means end of file with no end of line
+    # and 89 is the current command counter. But we have complications e.g.,
+    # the following jdb output can appear:
+    #
+    # 2) a[89] = 10
+    #
+    # The above form is an array assignment and not a prompt.
+    #
+    # 3) ^main[89] main[89] ...
+    #
+    # This occurs if the next cmd is one that causes no jdb output, e.g.,
+    # 'trace methods'.
+    #
+    # 4) ^main[89] [main[89]] .... > @
+    #
+    # jdb prints a > as a prompt after something like a cont.
+    # Thus, even though the above is the last 'line' in the file, it
+    # isn't the next prompt we are waiting for after the cont completes.
+    # HOWEVER, sometimes we see this for a cont command:
+    #
+    #   ^main[89] $
+    #      <lines output for hitting a bkpt>
+    #
+    # 5) ^main[89] > @
+    #
+    # i.e., the > prompt comes out AFTER the prompt we we need to wait for.
+    #
+    # So, how do we know when the next prompt has appeared??
+    # 1.  Search for 
+    #         main[89] $
+    #     This will handle cases 1, 2, 3
+    # 2.  This leaves cases 4 and 5.
+    #
+    # What if we wait for 4 more chars to appear and then search for
+    #
+    #    main[89] [>]$
+    #
+    # on the last line?
+    #
+    # a.  if we are currently at
+    #
+    #       ^main[89] main[89] @
+    #
+    #     and a 'trace methods comes in, we will wait until at least
+    #
+    #       ^main[89] main[89] main@
+    #
+    #     and then the search will find the new prompt when it completes.
+    #
+    # b.  if we are currently at
+    #
+    #       ^main[89] main[89] @
+    #
+    #     and the first form of cont comes in, then we will see
+    #
+    #       ^main[89] main[89] > $
+    #       ^x@
+    #
+    #     where x is the first char of the msg output when the bkpt is hit
+    #     and we will start our search, which will find the prompt
+    #     when it comes out after the bkpt output, with or without the
+    #     trailing >
+    #
+
+    # wait for 4 new chars to appear in the jdb output
     count=0
+    desiredFileSize=`expr $fileSize + 4`
     msg1=`echo At start: cmd/size/waiting : $* / $fileSize / \`date\``
     while [ 1 = 1 ] ; do
         newFileSize=`wc -c $jdbOutFile | awk '{ print $1 } '`
-        if [ "$fileSize" != "$newFileSize" ] ; then
+        #echo jj: desired = $desiredFileSize, new = $newFileSize >& 2
+
+        done=`expr $newFileSize \>= $desiredFileSize`
+        if [ $done = 1 ] ; then
             break
         fi
         sleep ${sleep_seconds}
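Review bot: The loop exit test spawns `expr` on every iteration and stores the result in a variable named `done`, a shell reserved word that reads oddly inside a `while ... done` loop, and then tests it unquoted. A direct numeric comparison does the same with no extra variable: `if [ "$newFileSize" -ge "$desiredFileSize" ] ; then`. The commented-out `#echo jj:` debug line could be dropped as well. The enclosing function starts before and ends after this hunk.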
@@ -573,14 +646,19 @@
             echo "--DEBUG: jdb $$ didn't responded to command in $count secs: $*" >& 2
             echo "--DEBUG:" $msg1 >& 2
             echo "--DEBUG: "done size/waiting : / $newFileSize  / `date` >& 2
-            $psCmd | sed -e '/com.sun.javatest/d' -e '/nsk/d' >& 2
+            echo "-- $jdbOutFile follows-------------------------------" >& 2
+            cat $jdbOutFile >& 2
+            echo "------------------------------------------" >& 2
+            dojstack
+            #$psCmd | sed -e '/com.sun.javatest/d' -e '/nsk/d' >& 2
             if [ $count = 60 ] ; then
                 dofail "jdb never responded to command: $*"
             fi
         fi
     done
-
-    waitForJdbMsg '^.*\[[0-9]*\] $' 1 allowExit
+    # Note that this assumes just these chars in thread names.
+    waitForJdbMsg '[a-zA-Z0-9_-][a-zA-Z0-9_-]*\[[1-9][0-9]*\] [ >]*$' \
+        1 allowExit
 }
 
 setBkpts()
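Review bot: The one-line comment on the new prompt pattern understates what it matches. The expression is not anchored at the start, so only the last character before `[` has to be in `[a-zA-Z0-9_-]` and the repeated `[a-zA-Z0-9_-]*` adds nothing; a thread whose name ends in any other character would never match and the caller would run into the waitForJdbMsg timeout. I would document it as `# Unanchored: matches "<name-char>[N] " at end of output (N >= 1), optionally followed by jdb's ">" prompt.` The commented-out `$psCmd` line above can be deleted rather than kept. The enclosing function starts outside this hunk.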
@@ -596,15 +674,19 @@
 runToBkpt()
 {
     cmd run
+    # Don't need to do this - the above waits for the next prompt which comes out
+    # AFTER the Breakpoint hit message.
     # Wait for jdb to hit the bkpt
-    waitForJdbMsg "Breakpoint hit" 5
+    #waitForJdbMsg "Breakpoint hit" 5
 }
 
 contToBkpt()
 {
     cmd cont
+    # Don't need to do this - the above waits for the next prompt which comes out
+    # AFTER the Breakpoint hit message.
     # Wait for jdb to hit the bkpt
-    waitForJdbMsg "Breakpoint hit" 5
+    #waitForJdbMsg "Breakpoint hit" 5
 }
 
 
@@ -618,7 +700,7 @@
     nlines=$2
     allowExit="$3"
     myCount=0
-    timeLimit=40  # wait a max of 40 secs for a response from a jdb command
+    timeLimit=40  # wait a max of this many secs for a response from a jdb command
     while [ 1 = 1 ] ; do 
         if [  -r $jdbOutFile ] ; then
             # Something here causes jdb to complain about Unrecognized cmd on x86.
@@ -654,8 +736,11 @@
 
         myCount=`expr $myCount + ${sleep_seconds}`
         if [ $myCount -gt $timeLimit ] ; then
+            echo "--Fail: waitForJdbMsg timed out after $timeLimit seconds, looking for /$1/, in $nlines lines; exitting" >> $failFile
+            echo "vv jdbOutFile  vvvvvvvvvvvvvvvvvvvvvvvvvvvv" >& 2
+            cat $jdbOutFile >& 2
+            echo "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^" >& 2
             dojstack
-            echo "--Fail: waitForJdbMsg timed out after $timeLimit seconds; exitting" >> $failFile
             exit 1
         fi
     done
@@ -865,35 +950,29 @@
     # get inserted into the string we are searching for 
     # so ignore those chars.
     if [ -z "$3" ] ; then
-        case "$2" in 
-          *\>*)
-            # Target string contains a > so we better
-            # not ignore it
-            $grep -s "$2" $1  > $devnull 2>&1
-            stat=$?
-            ;;
-          *)
-            # Target string does not contain a >.
-            # Ignore > and '> ' in the file.
-            cat $1 | sed -e 's@> @@g' -e 's@>@@g' | $grep -s "$2" > $devnull 2>&1
-            stat=$?
-        esac
+        theCmd=cat
     else
-        case "$2" in 
-          *\>*)
-            # Target string contains a > so we better
-            # not ignore it
-            tail -$3 $1 | $grep -s "$2"  > $devnull 2>&1
-            stat=$?
-            ;;
-          *)
-            # Target string does not contain a >.
-            # Ignore > and '> ' in the file.
-            tail -$3 $1 | sed -e 's@> @@g' -e 's@>@@g' | $grep -s "$2" > $devnull 2>&1
-            stat=$?
-            ;;
-        esac
+        theCmd="tail -$3"
     fi
+    case "$2" in 
+      *\>*)
+        # Target string contains a > so we better
+        # not ignore it
+        $theCmd $1 | $grep -s "$2"  > $devnull 2>&1
+        return $?
+        ;;
+    esac
+    # Target string does not contain a >.
+    # Ignore > and '> ' in the file.
+    # NOTE:  if $1 does not end with a new line, piping it to sed doesn't include the
+    # chars on the last line.  Detect this case, and add a new line.
+    cp $1 $1.tmp
+    if [ `tail -1 $1.tmp | wc -l | sed -e 's@ @@g'` = 0 ] ; then
+        echo >> $1.tmp
+    fi
+    $theCmd $1.tmp | sed -e 's@> @@g' -e 's@>@@g' | $grep -s "$2" > $devnull 2>&1
+    stat=$?
+    rm -f $1.tmp
     return $stat
 }
 
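Review bot: The new `$1.tmp` copy is a fixed-name scratch file written next to the file being searched, and every new expansion of `$1` is unquoted. If this function is called from the polling loops while jdb is still appending to `$1` (the callers are not visible here), two overlapping calls on the same file would overwrite each other's copy. The trailing-newline problem can be handled in the pipeline without a file: `( $theCmd "$1" ; echo ) | sed -e 's@> @@g' -e 's@>@@g' | $grep -s "$2" > $devnull 2>&1`. That adds one empty line when the file already ends in a newline, which only matters for a pattern that matches an empty line. The function header is outside the hunk.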
--- a/test/com/sun/jdi/SimulResumerTest.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/SimulResumerTest.java	Sun Nov 29 15:24:32 2009 -0800
@@ -30,7 +30,7 @@
  *
  *  @run build TestScaffold VMConnection TargetListener TargetAdapter
  *  @run compile -g SimulResumerTest.java
- *  @run main SimulResumerTest
+ *  @run main/othervm SimulResumerTest
  */
 import com.sun.jdi.*;
 import com.sun.jdi.event.*;
--- a/test/com/sun/jdi/Solaris32AndSolaris64Test.sh	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/Solaris32AndSolaris64Test.sh	Sun Nov 29 15:24:32 2009 -0800
@@ -164,10 +164,10 @@
 if [ -n "${STANDALONE}" ] ; then 
    #if running standalone, compile the support files
    ${TESTJAVA}/bin/javac -d ${TESTCLASSES} \
-            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}." \
+            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}${TESTSRC}" \
             TestScaffold.java VMConnection.java TargetListener.java TargetAdapter.java
    ${TESTJAVA}/bin/javac -d ${TESTCLASSES} \
-            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}." -g \
+            -classpath "$TESTJAVA/lib/tools.jar${PATHSEP}${TESTSRC}" -g \
             FetchLocals.java DataModelTest.java
 fi
 
--- a/test/com/sun/jdi/VMConnection.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/VMConnection.java	Sun Nov 29 15:24:32 2009 -0800
@@ -57,6 +57,7 @@
         if (testClasses == null) {
             return retVal;
         }
+        retVal += "-classpath " + testClasses + " ";
         File myFile = new File(testClasses, "@debuggeeVMOptions");
 
         if (!myFile.canRead()) {
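Review bot: `testClasses` is appended to the option string unquoted, so a test.classes directory whose path contains a space would be split into two options if the consumer tokenises the returned string on whitespace (the consumer is not visible in this hunk). If the consumer honours quoting, `retVal += "-classpath \"" + testClasses + "\" ";` keeps the path as one argument. Otherwise the no-spaces assumption should be documented at this line. The method starts before and continues after this hunk.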
@@ -97,7 +98,7 @@
             if (line.length() != 0 && !line.startsWith("#")) {
                 System.out.println("-- Added debuggeeVM options from file " +
                                    wholePath + ": " + line);
-                retVal = line;
+                retVal += line;
                 break;
             }
             // Else, read he next line.
--- a/test/com/sun/jdi/connect/spi/DebugUsingCustomConnector.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/connect/spi/DebugUsingCustomConnector.java	Sun Nov 29 15:24:32 2009 -0800
@@ -28,7 +28,7 @@
  * This tests launches a debuggee using a custom LaunchingConnector.
  *
  * @build DebugUsingCustomConnector SimpleLaunchingConnector Foo NullTransportService
- * @run main DebugUsingCustomConnector
+ * @run main/othervm DebugUsingCustomConnector
  */
 import com.sun.jdi.*;
 import com.sun.jdi.connect.*;
--- a/test/com/sun/jdi/connect/spi/GeneratedConnectors.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/connect/spi/GeneratedConnectors.java	Sun Nov 29 15:24:32 2009 -0800
@@ -31,7 +31,7 @@
  * created and that they have an "address" argument.
  *
  * @build GeneratedConnectors NullTransportService
- * @run main GeneratedConnectors
+ * @run main/othervm GeneratedConnectors
  */
 
 import com.sun.jdi.*;
--- a/test/com/sun/jdi/connect/spi/SimpleLaunchingConnector.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/connect/spi/SimpleLaunchingConnector.java	Sun Nov 29 15:24:32 2009 -0800
@@ -147,11 +147,15 @@
         String arch = System.getProperty("os.arch");
         if (arch.equals("sparcv9")) {
             exe += "sparcv9/java";
+        } else if (arch.equals("amd64")) {
+            exe += "amd64/java";
         } else {
             exe += "java";
         }
         String cmd = exe + " -Xdebug -Xrunjdwp:transport=dt_socket,timeout=15000,address=" +
-            key.address() + "" + className;
+            key.address() +
+            " -classpath " + System.getProperty("test.classes") +
+            " " + className;
         Process process = Runtime.getRuntime().exec(cmd);
         Connection conn = ts.accept(key, 30*1000, 9*1000);
         ts.stopListening(key);
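Review bot: The launch command is still assembled as one string and handed to `Runtime.exec(String)`, which splits it on whitespace, and this hunk now places the `test.classes` path inside that string. A path containing a space breaks the launch, and an unset property produces the literal `-classpath null`. Passing the arguments as an array keeps each value as a single argument with no re-tokenising, and an unset property then fails fast with a NullPointerException. The method starts before and ends after this hunk.

```java
        // … unchanged: exe selection by os.arch …
        String[] cmd = {
            exe,
            "-Xdebug",
            "-Xrunjdwp:transport=dt_socket,timeout=15000,address=" + key.address(),
            "-classpath", System.getProperty("test.classes"),
            className
        };
        Process process = Runtime.getRuntime().exec(cmd);
```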
--- a/test/com/sun/jdi/redefine/RedefineTest.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/com/sun/jdi/redefine/RedefineTest.java	Sun Nov 29 15:24:32 2009 -0800
@@ -34,7 +34,7 @@
  *  @run build TestScaffold VMConnection TargetListener TargetAdapter
  *  @run compile -g RedefineTest.java
  *  @run shell RedefineSetUp.sh
- *  @run main RedefineTest
+ *  @run main/othervm RedefineTest
  */
 import com.sun.jdi.*;
 import com.sun.jdi.event.*;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/com/sun/tracing/BasicWithSecurityMgr.java	Sun Nov 29 15:24:32 2009 -0800
@@ -0,0 +1,149 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * @test
+ * @bug 6899605
+ * @summary Basic unit test for tracing framework with security manager
+ *          enabled
+ */
+
+import com.sun.tracing.*;
+import java.lang.reflect.Method;
+
+@ProviderName("NamedProvider")
+interface BasicProvider extends Provider {
+    void plainProbe();
+    void probeWithArgs(int a, float f, String s, Long l);
+    @ProbeName("namedProbe") void probeWithName();
+    void overloadedProbe();
+    void overloadedProbe(int i);
+}
+
+interface InvalidProvider extends Provider {
+    int nonVoidProbe();
+}
+
+public class BasicWithSecurityMgr {
+
+    public static ProviderFactory factory;
+    public static BasicProvider bp;
+
+    public static void main(String[] args) throws Exception {
+        // enable security manager
+        System.setSecurityManager(new SecurityManager());
+
+        factory = ProviderFactory.getDefaultFactory();
+        if (factory != null) {
+            bp = factory.createProvider(BasicProvider.class);
+        }
+
+        testProviderFactory();
+        testProbe();
+        testProvider();
+    }
+
+    static void fail(String s) throws Exception {
+        throw new Exception(s);
+    }
+
+    static void testProviderFactory() throws Exception {
+        if (factory == null) {
+            fail("ProviderFactory.getDefaultFactory: Did not create factory");
+        }
+        if (bp == null) {
+            fail("ProviderFactory.createProvider: Did not create provider");
+        }
+        try {
+            factory.createProvider(null);
+            fail("ProviderFactory.createProvider: Did not throw NPE for null");
+        } catch (NullPointerException e) {}
+
+       try {
+           factory.createProvider(InvalidProvider.class);
+           fail("Factory.createProvider: Should error with non-void probes");
+       } catch (IllegalArgumentException e) {}
+    }
+
+    public static void testProvider() throws Exception {
+
+       // These just shouldn't throw any exeptions:
+       bp.plainProbe();
+       bp.probeWithArgs(42, (float)3.14, "spam", new Long(2L));
+       bp.probeWithArgs(42, (float)3.14, null, null);
+       bp.probeWithName();
+       bp.overloadedProbe();
+       bp.overloadedProbe(42);
+
+       Method m = BasicProvider.class.getMethod("plainProbe");
+       Probe p = bp.getProbe(m);
+       if (p == null) {
+           fail("Provider.getProbe: Did not return probe");
+       }
+
+       Method m2 = BasicWithSecurityMgr.class.getMethod("testProvider");
+       p = bp.getProbe(m2);
+       if (p != null) {
+           fail("Provider.getProbe: Got probe with invalid spec");
+       }
+
+       bp.dispose();
+       // These just shouldn't throw any exeptions:
+       bp.plainProbe();
+       bp.probeWithArgs(42, (float)3.14, "spam", new Long(2L));
+       bp.probeWithArgs(42, (float)3.14, null, null);
+       bp.probeWithName();
+       bp.overloadedProbe();
+       bp.overloadedProbe(42);
+
+       if (bp.getProbe(m) != null) {
+           fail("Provider.getProbe: Should return null after dispose()");
+       }
+
+       bp.dispose(); // just to make sure nothing bad happens
+    }
+
+    static void testProbe() throws Exception {
+       Method m = BasicProvider.class.getMethod("plainProbe");
+       Probe p = bp.getProbe(m);
+       p.isEnabled(); // just make sure it doesn't do anything bad
+       p.trigger();
+
+       try {
+         p.trigger(0);
+         fail("Probe.trigger: too many arguments not caught");
+       } catch (IllegalArgumentException e) {}
+
+       p = bp.getProbe(BasicProvider.class.getMethod(
+           "probeWithArgs", int.class, float.class, String.class, Long.class));
+       try {
+         p.trigger();
+         fail("Probe.trigger: too few arguments not caught");
+       } catch (IllegalArgumentException e) {}
+
+       try {
+         p.trigger((float)3.14, (float)3.14, "", new Long(0L));
+         fail("Probe.trigger: wrong type primitive arguments not caught");
+       } catch (IllegalArgumentException e) {}
+    }
+}
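Review bot: `main` installs a `SecurityManager` for the whole VM and never removes it, but the test header has no `@run` tag, so in a samevm run the manager stays in place for whatever test executes next. Adding ` * @run main/othervm BasicWithSecurityMgr` to the header makes the isolation part of the test itself instead of depending on which Makefile batch runs it. Separately, `testProbe` dereferences the result of `bp.getProbe(m)` without the null check that `testProvider` has, so a missing probe surfaces as a NullPointerException rather than a `fail(...)` message.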
--- a/test/java/net/CookieHandler/TestHttpCookie.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/java/net/CookieHandler/TestHttpCookie.java	Sun Nov 29 15:24:32 2009 -0800
@@ -24,7 +24,7 @@
 /**
  * @test
  * @summary Unit test for java.net.HttpCookie
- * @bug 6244040 6277796 6277801 6277808 6294071 6692802 6790677
+ * @bug 6244040 6277796 6277801 6277808 6294071 6692802 6790677 6901170
  * @author Edward Wang
  */
 
@@ -335,6 +335,9 @@
         // bug 6277801
         test("set-cookie: CUSTOMER=WILE_E_COYOTE; path=/; expires=Wednesday, 09-Nov-99 23:12:40 GMT; path=\"/acme\"")
         .n("CUSTOMER").v("WILE_E_COYOTE").p("/").ver(0);
+
+        // bug 6901170
+        test("set-cookie: CUSTOMER=WILE_E_COYOTE; version='1'").ver(1);
     }
 
     static void misc() {
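Review bot: The new case for bug 6901170 asserts only `.ver(1)`, whereas the case directly above it also pins the name and value. Extending it to `test("set-cookie: CUSTOMER=WILE_E_COYOTE; version='1'").n("CUSTOMER").v("WILE_E_COYOTE").ver(1);` would also confirm that the quoted version attribute does not disturb the rest of the parsed cookie. The enclosing method starts outside this hunk.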
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/jgss/spnego/NoSpnegoAsDefMech.java	Sun Nov 29 15:24:32 2009 -0800
@@ -0,0 +1,43 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6770883
+ * @summary Infinite loop if SPNEGO specified as sun.security.jgss.mechanism
+ */
+
+import org.ietf.jgss.*;
+import sun.security.jgss.*;
+
+public class NoSpnegoAsDefMech {
+
+    public static void main(String[] argv) throws Exception {
+        System.setProperty("sun.security.jgss.mechanism", GSSUtil.GSS_SPNEGO_MECH_OID.toString());
+        try {
+            GSSManager.getInstance().createName("service@host", GSSName.NT_HOSTBASED_SERVICE, new Oid("1.3.6.1.5.5.2"));
+        } catch (GSSException e) {
+            // This is OK, for example, krb5.conf is missing or other problems
+        }
+    }
+}
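Review bot: The test sets the JVM-wide property `sun.security.jgss.mechanism` and leaves it set, and the header has no `@run` tag, so in a samevm run later GSS tests would inherit SPNEGO as the default mechanism. Adding ` * @run main/othervm NoSpnegoAsDefMech` keeps the setting confined to this test. The `createName` call also spells the mechanism as the literal `new Oid("1.3.6.1.5.5.2")` while the line above uses `GSSUtil.GSS_SPNEGO_MECH_OID`; using the constant in both places makes it obvious they are meant to be the same OID. Since every `GSSException` is accepted, a short comment that the pass criterion is simply that `createName` returns would help the next reader.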
--- a/test/sun/security/krb5/auto/Context.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/sun/security/krb5/auto/Context.java	Sun Nov 29 15:24:32 2009 -0800
@@ -72,7 +72,7 @@
 public class Context {
 
     private Subject s;
-    private GSSContext x;
+    private ExtendedGSSContext x;
     private boolean f;      // context established?
     private String name;
     private GSSCredential cred;     // see static method delegated().
@@ -147,8 +147,8 @@
             @Override
             public byte[] run(Context me, byte[] dummy) throws Exception {
                 GSSManager m = GSSManager.getInstance();
-                me.x = m.createContext(
-                        target.indexOf('@') < 0 ?
+                me.x = (ExtendedGSSContext)m.createContext(
+                          target.indexOf('@') < 0 ?
                             m.createName(target, null) :
                             m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                         mech,
@@ -170,7 +170,7 @@
             @Override
             public byte[] run(Context me, byte[] dummy) throws Exception {
                 GSSManager m = GSSManager.getInstance();
-                me.x = m.createContext(m.createCredential(
+                me.x = (ExtendedGSSContext)m.createContext(m.createCredential(
                         null,
                         GSSCredential.INDEFINITE_LIFETIME,
                         mech,
@@ -193,7 +193,7 @@
      *
      * @return the GSSContext object
      */
-    public GSSContext x() {
+    public ExtendedGSSContext x() {
         return x;
     }
 
@@ -255,6 +255,11 @@
             if (x.getSequenceDetState()) {
                 sb.append("seq det, ");
             }
+            if (x instanceof ExtendedGSSContext) {
+                if (((ExtendedGSSContext)x).getDelegPolicyState()) {
+                    sb.append("deleg policy, ");
+                }
+            }
             System.out.println("Context status of " + name + ": " + sb.toString());
             System.out.println(x.getSrcName() + " -> " + x.getTargName());
         } catch (Exception e) {
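Review bot: The `x instanceof ExtendedGSSContext` guard and the cast inside it are redundant, because this same commit changes the field to `private ExtendedGSSContext x;`. The preceding lines already dereference `x`, so the check does not serve as a null guard either. The block can be reduced to `if (x.getDelegPolicyState()) { sb.append("deleg policy, "); }`. The enclosing method starts and ends outside this hunk.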
--- a/test/sun/security/krb5/auto/KDC.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/sun/security/krb5/auto/KDC.java	Sun Nov 29 15:24:32 2009 -0800
@@ -63,6 +63,14 @@
  * settings after calling a KDC method, call <code>Config.refresh()</code> to
  * make sure your changes are reflected in the <code>Config</code> object.
  * </ol>
+ * System properties recognized:
+ * <ul>
+ * <li>test.kdc.save.ccache
+ * </ul>
+ * Support policies:
+ * <ul>
+ * <li>ok-as-delegate
+ * </ul>
  * Issues and TODOs:
  * <ol>
  * <li> Generates krb5.conf to be used on another machine, currently the kdc is
@@ -151,7 +159,7 @@
      * A standalone KDC server.
      */
     public static void main(String[] args) throws Exception {
-        KDC kdc = create("RABBIT.HOLE", "kdc.rabbit,hole", 0, false);
+        KDC kdc = create("RABBIT.HOLE", "kdc.rabbit.hole", 0, false);
         kdc.addPrincipal("dummy", "bogus".toCharArray());
         kdc.addPrincipal("foo", "bar".toCharArray());
         kdc.addPrincipalRandKey("krbtgt/RABBIT.HOLE");
@@ -426,14 +434,17 @@
      * @throws sun.security.krb5.KrbException when the principal is not inside
      *         the database.
      */
-    private char[] getPassword(PrincipalName p) throws KrbException {
+    private char[] getPassword(PrincipalName p, boolean server)
+            throws KrbException {
         String pn = p.toString();
         if (p.getRealmString() == null) {
             pn = pn + "@" + getRealm();
         }
         char[] pass = passwords.get(pn);
         if (pass == null) {
-            throw new KrbException(Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN);
+            throw new KrbException(server?
+                Krb5.KDC_ERR_S_PRINCIPAL_UNKNOWN:
+                Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN);
         }
         return pass;
     }
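Review bot: The new `server` parameter of `getPassword` is not described in its Javadoc, whereas `keyForUser` gains a `@param server` line in the next hunk. The comment block starts above this hunk, so only its `@throws` tag is visible here, but none of the added lines touch it. Suggest adding `@param server true if p is looked up as a server principal; selects KDC_ERR_S_PRINCIPAL_UNKNOWN instead of KDC_ERR_C_PRINCIPAL_UNKNOWN`. The ternary would also read more easily with spaces around `?` and `:`.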
@@ -457,10 +468,12 @@
      * Returns the key for a given principal of the given encryption type
      * @param p the principal
      * @param etype the encryption type
+     * @param server looking for a server principal?
      * @return the key
      * @throws sun.security.krb5.KrbException for unknown/unsupported etype
      */
-    private EncryptionKey keyForUser(PrincipalName p, int etype) throws KrbException {
+    private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
+            throws KrbException {
         try {
             // Do not call EncryptionKey.acquireSecretKeys(), otherwise
             // the krb5.conf config file would be loaded.
@@ -469,22 +482,71 @@
             Integer kvno = null;
             // For service whose password ending with a number, use it as kvno
             if (p.toString().indexOf('/') >= 0) {
-                char[] pass = getPassword(p);
+                char[] pass = getPassword(p, server);
                 if (Character.isDigit(pass[pass.length-1])) {
                     kvno = pass[pass.length-1] - '0';
                 }
             }
             return new EncryptionKey((byte[]) stringToKey.invoke(
-                    null, getPassword(p), getSalt(p), null, etype),
+                    null, getPassword(p, server), getSalt(p), null, etype),
                     etype, kvno);
         } catch (InvocationTargetException ex) {
             KrbException ke = (KrbException)ex.getCause();
             throw ke;
+        } catch (KrbException ke) {
+            throw ke;
         } catch (Exception e) {
             throw new RuntimeException(e);  // should not happen
         }
     }
 
+    private Map<String,String> policies = new HashMap<String,String>();
+
+    public void setPolicy(String rule, String value) {
+        if (value == null) {
+            policies.remove(rule);
+        } else {
+            policies.put(rule, value);
+        }
+    }
+    /**
+     * If the provided client/server pair matches a rule
+     *
+     * A system property named test.kdc.policy.RULE will be consulted.
+     * If it's unset, returns false. If its value is "", any pair is
+     * matched. Otherwise, it should contains the server name matched.
+     *
+     * TODO: client name is not used currently.
+     *
+     * @param c client name
+     * @param s server name
+     * @param rule rule name
+     * @return if a match is found
+     */
+    private boolean configMatch(String c, String s, String rule) {
+        String policy = policies.get(rule);
+        boolean result = false;
+        if (policy == null) {
+            result = false;
+        } else if (policy.length() == 0) {
+            result = true;
+        } else {
+            String[] names = policy.split("\\s+");
+            for (String name: names) {
+                if (name.equals(s)) {
+                    result = true;
+                    break;
+                }
+            }
+        }
+        if (result) {
+            System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n",
+                    c, s, rule, result);
+        }
+        return result;
+    }
+
+
     /**
      * Processes an incoming request and generates a response.
      * @param in the request
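Review bot: The Javadoc on `configMatch` says a system property named test.kdc.policy.RULE is consulted, but the method body only reads the `policies` map filled by `setPolicy`; the property is read by the test classes that call `setPolicy`, not here. The comment should describe the map instead, for example `Looks up RULE in the policies set through setPolicy(); an unset rule never matches, an empty value matches any server`. `setPolicy` is public and has no Javadoc; one line stating that a null value removes the rule would cover it. Because the log line is printed only when `result` is true, the trailing `%b` always prints `true`, so either drop it or move the print outside the `if`.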
@@ -530,7 +592,7 @@
                         tkt = apReq.ticket;
                         etype = tkt.encPart.getEType();
                         tkt.sname.setRealm(tkt.realm);
-                        EncryptionKey kkey = keyForUser(tkt.sname, etype);
+                        EncryptionKey kkey = keyForUser(tkt.sname, etype, true);
                         byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET);
                         DerInputStream derIn = new DerInputStream(bb);
                         DerValue der = derIn.getDerValue();
@@ -541,7 +603,7 @@
                     throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
                 }
             }
-            EncryptionKey skey = keyForUser(body.sname, etype);
+            EncryptionKey skey = keyForUser(body.sname, etype, true);
             if (skey == null) {
                 throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
             }
@@ -581,6 +643,10 @@
             if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
                 bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
             }
+
+            if (configMatch("", body.sname.getNameString(), "ok-as-delegate")) {
+                bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
+            }
             bFlags[Krb5.TKT_OPTS_INITIAL] = true;
 
             TicketFlags tFlags = new TicketFlags(bFlags);
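Review bot: The added `configMatch("", body.sname.getNameString(), "ok-as-delegate")` call has no comment saying which ticket flag it controls or why the client name is empty. A line such as `// OK-AS-DELEGATE: set when the KDC policy lists this service; the client name is not matched yet` would tie `Krb5.TKT_OPTS_DELEGATE` (presumably the OK-AS-DELEGATE bit) to the policy name. The rule name is a string literal that is repeated in the test classes, so a shared constant would prevent a typo from silently disabling the rule. The enclosing method starts and ends outside this hunk.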
@@ -671,8 +737,8 @@
             eTypes = (int[])f.get(body);
             int eType = eTypes[0];
 
-            EncryptionKey ckey = keyForUser(body.cname, eType);
-            EncryptionKey skey = keyForUser(body.sname, eType);
+            EncryptionKey ckey = keyForUser(body.cname, eType, false);
+            EncryptionKey skey = keyForUser(body.sname, eType, true);
             if (ckey == null) {
                 throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
             }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/OkAsDelegate.java	Sun Nov 29 15:24:32 2009 -0800
@@ -0,0 +1,104 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+import com.sun.security.jgss.ExtendedGSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.Oid;
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.Config;
+
+public class OkAsDelegate {
+
+    public static void main(String[] args)
+            throws Exception {
+        OkAsDelegate ok = new OkAsDelegate();
+        ok.go(
+                Boolean.valueOf(args[0]),   // FORWARDABLE in krb5.conf on?
+                Boolean.valueOf(args[1]),   // requestDelegState
+                Boolean.valueOf(args[2]),   // requestDelegPolicyState
+                Boolean.valueOf(args[3]),   // DelegState in response
+                Boolean.valueOf(args[4]),   // DelegPolicyState in response
+                Boolean.valueOf(args[5])    // getDelegCred OK?
+                );
+    }
+
+    void go(
+            boolean forwardable,
+            boolean requestDelegState,
+            boolean requestDelegPolicyState,
+            boolean delegState,
+            boolean delegPolicyState,
+            boolean delegated
+            ) throws Exception {
+        OneKDC kdc = new OneKDC(null);
+        kdc.setPolicy("ok-as-delegate",
+                System.getProperty("test.kdc.policy.ok-as-delegate"));
+        kdc.writeJAASConf();
+        if (!forwardable) {
+            // The default OneKDC always includes "forwardable = true"
+            // in krb5.conf, override it.
+            KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
+                    "default_keytab_name = " + OneKDC.KTAB);
+            Config.refresh();
+        }
+
+        Context c, s;
+        c = Context.fromJAAS("client");
+        s = Context.fromJAAS("server");
+
+        Oid mech = GSSUtil.GSS_KRB5_MECH_OID;
+        if (System.getProperty("test.spnego") != null) {
+            mech = GSSUtil.GSS_SPNEGO_MECH_OID;
+        }
+        c.startAsClient(OneKDC.SERVER, mech);
+        ExtendedGSSContext cx = (ExtendedGSSContext)c.x();
+        cx.requestCredDeleg(requestDelegState);
+        cx.requestDelegPolicy(requestDelegPolicyState);
+        s.startAsServer(mech);
+        ExtendedGSSContext sx = (ExtendedGSSContext)s.x();
+
+        Context.handshake(c, s);
+
+        if (cx.getCredDelegState() != delegState) {
+            throw new Exception("Initiator cred state error");
+        }
+        if (sx.getCredDelegState() != delegState) {
+            throw new Exception("Acceptor cred state error");
+        }
+        if (cx.getDelegPolicyState() != delegPolicyState) {
+            throw new Exception("Initiator cred policy state error");
+        }
+
+        GSSCredential cred = null;
+        try {
+            cred = s.x().getDelegCred();
+        } catch (GSSException e) {
+            // leave cred as null
+        }
+
+        if (delegated != (cred != null)) {
+            throw new Exception("get cred error");
+        }
+    }
+}
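Review bot: The four `throw new Exception(...)` checks in `go` report only a fixed string, so a failure in one of the shell invocations does not show which value was expected and which was observed. Including both, e.g. `throw new Exception("Initiator cred state error: expected " + delegState + ", got " + cx.getCredDelegState());`, makes the log self-explanatory. The casts in `(ExtendedGSSContext)c.x()` and `(ExtendedGSSContext)s.x()` are unnecessary now that `Context.x()` returns `ExtendedGSSContext` in this commit. `main` indexes `args[0]` to `args[5]` without a length check, and `Boolean.valueOf` maps any misspelt argument to false, so a usage check up front would catch a malformed command line.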
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/OkAsDelegateXRealm.java	Sun Nov 29 15:24:32 2009 -0800
@@ -0,0 +1,156 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+import com.sun.security.jgss.ExtendedGSSContext;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.Security;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.Config;
+
+public class OkAsDelegateXRealm implements CallbackHandler {
+
+    /**
+     * @param args boolean if the program should succeed
+     */
+    public static void main(String[] args)
+            throws Exception {
+
+        // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
+        // R1 is trusted by R2, and R2 trusted by R3.
+        KDC kdc1 = KDC.create("R1");
+        kdc1.setPolicy("ok-as-delegate",
+                System.getProperty("test.kdc.policy.ok-as-delegate"));
+        kdc1.addPrincipal("dummy", "bogus".toCharArray());
+        kdc1.addPrincipalRandKey("krbtgt/R1");
+        kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
+
+        KDC kdc2 = KDC.create("R2");
+        kdc2.setPolicy("ok-as-delegate",
+                System.getProperty("test.kdc.policy.ok-as-delegate"));
+        kdc2.addPrincipalRandKey("krbtgt/R2");
+        kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
+        kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
+
+        KDC kdc3 = KDC.create("R3");
+        kdc3.setPolicy("ok-as-delegate",
+                System.getProperty("test.kdc.policy.ok-as-delegate"));
+        kdc3.addPrincipalRandKey("krbtgt/R3");
+        kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
+        kdc3.addPrincipalRandKey("host/host.r3.local");
+
+        KDC.saveConfig("krb5-localkdc.conf", kdc1, kdc2, kdc3,
+                "forwardable=true",
+                "[capaths]",
+                "R1 = {",
+                "    R2 = .",
+                "    R3 = R2",
+                "}",
+                "[domain_realm]",
+                ".r3.local=R3"
+                );
+
+        System.setProperty("java.security.krb5.conf", "krb5-localkdc.conf");
+        kdc3.writeKtab("localkdc.ktab");
+
+        FileOutputStream fos = new FileOutputStream("jaas-localkdc.conf");
+
+        // Defines the client and server on R1 and R3 respectively.
+        fos.write(("com.sun.security.jgss.krb5.initiate {\n" +
+                "    com.sun.security.auth.module.Krb5LoginModule\n" +
+                "    required\n" +
+                "    principal=dummy\n" +
+                "    doNotPrompt=false\n" +
+                "    useTicketCache=false\n" +
+                "    ;\n};\n" +
+                "com.sun.security.jgss.krb5.accept {\n" +
+                "    com.sun.security.auth.module.Krb5LoginModule required\n" +
+                "    principal=\"host/host.r3.local@R3\"\n" +
+                "    useKeyTab=true\n" +
+                "    keyTab=localkdc.ktab\n" +
+                "    isInitiator=false\n" +
+                "    storeKey=true;\n};\n" +
+                "\n").getBytes());
+        fos.close();
+
+        Security.setProperty("auth.login.defaultCallbackHandler",
+                "OkAsDelegateXRealm");
+
+        System.setProperty("java.security.auth.login.config", "jaas-localkdc.conf");
+
+        new File("krb5-localkdc.conf").deleteOnExit();
+        new File("localkdc.ktab").deleteOnExit();
+        new File("jaas-localkdc.conf").deleteOnExit();
+        Config.refresh();
+
+        Context c = Context.fromJAAS("com.sun.security.jgss.krb5.initiate");
+        Context s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
+
+        // Test twice. The frist time the whole cross realm process is tried,
+        // the second time the cached service ticket is used. This is to make sure
+        // the behaviors are the same, especailly for the case when one of the
+        // cross-realm TGTs does not have OK-AS-DELEGATE on.
+
+        for (int i=0; i<2; i++) {
+            c.startAsClient("host@host.r3.local", GSSUtil.GSS_KRB5_MECH_OID);
+            s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+            c.x().requestDelegPolicy(true);
+
+            Context.handshake(c, s);
+            boolean succeed = true;
+            try {
+                s.x().getDelegCred();
+            } catch (GSSException gsse) {
+                succeed = false;
+            }
+            if (succeed != Boolean.parseBoolean(args[0])) {
+                throw new Exception("Test fail at round #" + i);
+            }
+        }
+    }
+
+    @Override
+    public void handle(Callback[] callbacks)
+            throws IOException, UnsupportedCallbackException {
+        for (Callback callback : callbacks) {
+            if (callback instanceof NameCallback) {
+                ((NameCallback) callback).setName("dummy");
+            }
+            if (callback instanceof PasswordCallback) {
+                ((PasswordCallback) callback).setPassword("bogus".toCharArray());
+            }
+        }
+    }
+}
+
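Review bot: The `FileOutputStream` for jaas-localkdc.conf in `main` is closed only on the success path, so an exception from `write` leaks the handle; wrapping the write in `try { ... } finally { fos.close(); }` fixes that. `getBytes()` without a charset uses the platform default; the content is ASCII, so naming the charset would change nothing in practice but would make that explicit. The comment before the loop has two typos, `frist` and `especailly`. `args[0]` is first read inside the loop without a length check, so a missing argument fails only after all three KDCs have been created.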
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh	Sun Nov 29 15:24:32 2009 -0800
@@ -0,0 +1,79 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6853328
+# @summary Support OK-AS-DELEGATE flag
+# @run shell/timeout=600 ok-as-delegate-xrealm.sh
+#
+
+if [ "${TESTSRC}" = "" ] ; then
+  TESTSRC=`dirname $0`
+fi
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    SEP=";"
+    ;;
+  CYGWIN* )
+    FS="/"
+    SEP=";"
+    ;;
+  * )
+    FS="/"
+    SEP=":"
+    ;;
+esac
+
+${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
+    ${TESTSRC}${FS}OkAsDelegateXRealm.java \
+    ${TESTSRC}${FS}KDC.java \
+    ${TESTSRC}${FS}OneKDC.java \
+    ${TESTSRC}${FS}Action.java \
+    ${TESTSRC}${FS}Context.java \
+    || exit 10
+
+# Add $TESTSRC to classpath so that customized nameservice can be used
+J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}."
+
+# KDC no OK-AS-DELEGATE, fail
+$J OkAsDelegateXRealm false || exit 1
+
+# KDC set OK-AS-DELEGATE for all, succeed
+$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2
+
+# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
+$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3
+
+# KDC set OK-AS-DELEGATE for all, succeed
+$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4
+
+exit 0
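Review bot: The comment on the last case repeats `KDC set OK-AS-DELEGATE for all, succeed`, but that invocation sets the policy to three named principals rather than the empty value that matches every server. A comment such as `# KDC set OK-AS-DELEGATE for the service and both cross-realm TGTs, succeed` describes what is actually being tested. `$0`, `$JAVAC_CMD` and `$TESTSRC` are expanded unquoted in the setup lines, so a source or JDK path containing spaces would break the script; quoting them, as in `dirname "$0"`, avoids that.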
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/ok-as-delegate.sh	Sun Nov 29 15:24:32 2009 -0800
@@ -0,0 +1,118 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6853328
+# @summary Support OK-AS-DELEGATE flag
+# @run shell/timeout=600 ok-as-delegate.sh
+#
+
+if [ "${TESTSRC}" = "" ] ; then
+  TESTSRC=`dirname $0`
+fi
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    SEP=";"
+    ;;
+  CYGWIN* )
+    FS="/"
+    SEP=";"
+    ;;
+  * )
+    FS="/"
+    SEP=":"
+    ;;
+esac
+
+${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
+    ${TESTSRC}${FS}OkAsDelegate.java \
+    ${TESTSRC}${FS}KDC.java \
+    ${TESTSRC}${FS}OneKDC.java \
+    ${TESTSRC}${FS}Action.java \
+    ${TESTSRC}${FS}Context.java \
+    || exit 10
+
+# Testing Kerberos 5
+
+# Add $TESTSRC to classpath so that customized nameservice can be used
+J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate"
+JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
+
+# FORWARDABLE ticket not allowed, always fail
+$J false true true false false false || exit 1
+
+# Service ticket no OK-AS-DELEGATE
+
+# Request nothing, gain nothing
+$J true false false false false false || exit 2
+# Request deleg policy, gain nothing
+$J true false true false false false || exit 3
+# Request deleg, granted
+$J true true false true false true || exit 4
+# Request deleg and deleg policy, granted, with info not by policy
+$J true true true true false true || exit 5
+
+# Service ticket has OK-AS-DELEGATE
+
+# Request deleg policy, granted
+$JOK true false true true true true || exit 6
+# Request deleg and deleg policy, granted, with info by policy
+$JOK true true true true true true || exit 7
+
+# Testing SPNEGO
+
+# Add $TESTSRC to classpath so that customized nameservice can be used
+J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate"
+JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
+
+# FORWARDABLE ticket not allowed, always fail
+$J false true true false false false || exit 11
+
+# Service ticket no OK-AS-DELEGATE
+
+# Request nothing, gain nothing
+$J true false false false false false || exit 12
+# Request deleg policy, gain nothing
+$J true false true false false false || exit 13
+# Request deleg, granted
+$J true true false true false true || exit 14
+# Request deleg and deleg policy, granted, with info not by policy
+$J true true true true false true || exit 15
+
+# Service ticket has OK-AS-DELEGATE
+
+# Request deleg policy, granted
+$JOK true false true true true true || exit 16
+# Request deleg and deleg policy, granted, with info by policy
+$JOK true true true true true true || exit 17
+
+exit 0
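Review bot: The six positional booleans passed to `OkAsDelegate` have no legend in the script, so each case line has to be decoded against the Java source. A header comment above the first `$J` call, such as `# args: forwardable reqDeleg reqDelegPolicy delegState delegPolicyState delegCredOK`, would make the matrix readable. The Kerberos 5 and SPNEGO sections repeat the same seven cases, differing only in `-Dtest.spnego` and the exit-code base, which a small shell function taking those two values would express once. The `customized nameservice` comment does not appear to apply to these tests and looks copied from another script.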
--- a/test/sun/tools/jhat/HatRun.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/sun/tools/jhat/HatRun.java	Sun Nov 29 15:24:32 2009 -0800
@@ -186,11 +186,13 @@
          */
         int nvm_options = 0;
         if ( vm_options != null ) nvm_options = vm_options.length;
-        String cmd[]     = new String[1 + (d64?1:0) + 5 + nvm_options];
+        String cmd[]     = new String[1 + (d64?1:0) + 7 + nvm_options];
         int i,j;
 
         i = 0;
         cmd[i++] = java;
+        cmd[i++] = "-cp";
+        cmd[i++] = cdir;
         cmd[i++] = "-Dtest.classes=" + cdir;
         if ( d64 ) {
             cmd[i++] = "-d64";
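Review bot: The array length `1 + (d64?1:0) + 7 + nvm_options` is a hand-maintained count that had to be bumped from 5 to 7 for the two new `-cp` entries, and an undercount only shows up at run time as an ArrayIndexOutOfBoundsException. Building the command in a `List<String>` and converting it with `toArray(new String[0])` removes the bookkeeping. The rest of the array population lies outside this hunk, so the remaining entries cannot be checked against the 7 from here.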
--- a/test/sun/tools/native2ascii/NativeErrors.java	Tue Nov 24 18:12:46 2009 -0800
+++ b/test/sun/tools/native2ascii/NativeErrors.java	Sun Nov 29 15:24:32 2009 -0800
@@ -59,15 +59,28 @@
         in = new BufferedReader(new InputStreamReader(p.getInputStream()));
         checkResult(in, "err.bad.arg");
 
-        command = getComString("test123");
+        File f0 = new File(System.getProperty("test.src", "."), "test123");
+        String path0 = f0.getPath();
+        if ( f0.exists() ) {
+            throw new Error("Input file should not exist: " + path0);
+        }
+
+        command = getComString(path0);
         p = Runtime.getRuntime().exec(command);
         in = new BufferedReader(new InputStreamReader(p.getInputStream()));
         checkResult(in, "err.cannot.read");
 
         File f1 = new File(System.getProperty("test.src", "."), "test1");
-        File f2 = new File(System.getProperty("test.src", "."), "test2");
+        File f2 = File.createTempFile("test2", ".tmp");
         String path1 = f1.getPath();
         String path2 = f2.getPath();
+        if ( !f1.exists() ) {
+            throw new Error("Missing input file: " + path1);
+        }
+        if ( !f2.setWritable(false) ) {
+            throw new Error("Output file cannot be made read only: " + path2);
+        }
+        f2.deleteOnExit();
 
         command = getComString(path1, path2);
         p = Runtime.getRuntime().exec(command);
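Review bot: `f2.deleteOnExit()` is registered after the two `throw new Error` checks, so the temp file created by `File.createTempFile` is left behind when either check fails; moving the call to the line directly after `createTempFile` covers those paths. The test relies on `setWritable(false)` to make the output file unwritable, which may not hold when the tests run as a privileged user that bypasses permission bits, so the expected error might not be produced there. The check on the result of this `exec` call is outside the hunk.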
@@ -80,7 +93,9 @@
                                                            throws Exception {
         String errorReceived;
         errorReceived = in.readLine();
+        assert errorReceived != null : "First readline cannot be null";
         errorExpected = rsrc.getString(errorExpected);
+        assert errorExpected != null : "Expected message cannot be null";
         StringBuffer error = new StringBuffer(errorExpected);
         int start = errorExpected.indexOf("{0}");
         if (start >= 0) {
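Review bot: The two added `assert` statements only run when the JVM is started with assertions enabled, so without `-ea` a null `errorReceived` goes unchecked. The other hunk in this file uses explicit `throw new Error(...)` checks; doing the same here, `if (errorReceived == null) throw new Error("First readline cannot be null");`, keeps the diagnostic unconditional. If `rsrc` is a `ResourceBundle`, `getString` throws MissingResourceException rather than returning null, which would make the second assert unreachable. `checkResult` starts and ends outside this hunk.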
@@ -128,6 +143,7 @@
             f = new File(path);
             if (!f.exists())
                 throw new RuntimeException("Cannot find native2ascii at "+path);
+            System.out.println("Using native2ascii at "+path);
         }
         return path;
     }
--- a/test/sun/tools/native2ascii/test2	Tue Nov 24 18:12:46 2009 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-This file exists as a non-writable placeholder for NativeErrors.java