From f18f44bce370711b5fbf1bc9dfe6b7aaf25c7abc Mon Sep 17 00:00:00 2001
From: Weijun Wang
Date: Wed, 17 Sep 2014 13:55:12 +0800
Subject: [PATCH] 8042900: Allow com.sun.security.jgss to be in different module than org.ietf.jgss
Reviewed-by: valeriep, alanb
---
.../sun/security/jgss/ExtendedGSSContext.java | 41 ++++++-
.../security/jgss/ExtendedGSSCredential.java | 10 ++
.../com/sun/security/jgss/Extender.java | 56 +++++++++
.../classes/org/ietf/jgss/GSSContext.java | 1 -
.../share/classes/org/ietf/jgss/GSSName.java | 4 -
.../protocol/http/spnego/NegotiatorImpl.java | 6 +-
.../sun/security/jgss/GSSContextImpl.java | 36 ++++--
.../sun/security/jgss/GSSCredentialImpl.java | 18 ++-
.../sun/security/jgss/GSSManagerImpl.java | 28 ++++-
.../sun/security/jgss/JgssExtender.java | 81 ++++++++++++
.../jgss/krb5/InitSecContextToken.java | 13 +-
.../sun/security/jgss/krb5/Krb5Context.java | 22 ++--
.../sun/security/jgss/spi/GSSContextSpi.java | 3 +-
.../security/jgss/spnego/SpNegoContext.java | 21 ++--
.../jgss/spnego/SpNegoCredElement.java | 2 -
.../jgss/wrapper/NativeGSSContext.java | 3 +-
jdk/test/sun/security/krb5/auto/Context.java | 116 ++++++++----------
.../security/krb5/auto/NewInquireTypes.java | 7 +-
.../sun/security/krb5/auto/OkAsDelegate.java | 3 +-
.../krb5/auto/OkAsDelegateXRealm.java | 4 +-
jdk/test/sun/security/krb5/auto/SSL.java | 4 +-
21 files changed, 334 insertions(+), 145 deletions(-)
create mode 100644 jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/Extender.java
create mode 100644 jdk/src/java.security.jgss/share/classes/sun/security/jgss/JgssExtender.java
diff --git a/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSContext.java b/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
index 0f3a27dfac9..32e6b0412e2 100644
--- a/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSContext.java
+++ b/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSContext.java @@ -26,6 +26,8 @@ package com.sun.security.jgss; import org.ietf.jgss.*; +import sun.security.jgss.GSSContextImpl; +import sun.security.krb5.internal.AuthorizationData; /** * The extended GSSContext interface for supporting additional @@ -34,13 +36,48 @@ import org.ietf.jgss.*; */ @jdk.Exported public interface ExtendedGSSContext extends GSSContext { + + // The impl is almost identical to GSSContextImpl with only 2 differences: + // 1. It implements the extended interface + // 2. It translates result to data types here in inquireSecContext + static class ExtendedGSSContextImpl extends GSSContextImpl + implements ExtendedGSSContext { + + public ExtendedGSSContextImpl(GSSContextImpl old) { + super(old); + } + + @Override + public Object inquireSecContext(InquireType type) throws GSSException { + SecurityManager security = System.getSecurityManager(); + if (security != null) { + security.checkPermission( + new InquireSecContextPermission(type.toString())); + } + Object output = super.inquireSecContext(type.name()); + if (output != null) { + if (type == InquireType.KRB5_GET_AUTHZ_DATA) { + AuthorizationData ad = (AuthorizationData) output; + AuthorizationDataEntry[] authzData = + new AuthorizationDataEntry[ad.count()]; + for (int i = 0; i < ad.count(); i++) { + authzData[i] = new AuthorizationDataEntry( + ad.item(i).adType, ad.item(i).adData); + } + output = authzData; + } + } + return output; + } + } + /** * Return the mechanism-specific attribute associated with {@code type}. *

* If there is a security manager, an {@link InquireSecContextPermission} * with the name {@code type.mech} must be granted. Otherwise, this could - * result in a {@link SecurityException}.

- * + * result in a {@link SecurityException}. + *

* Example: *

      *      GSSContext ctxt = m.createContext(...)
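Review bot: `ExtendedGSSContextImpl` is declared inside the `@jdk.Exported` interface, where a member class is implicitly `public static`, so the implementation and its constructor taking an internal `sun.security.jgss.GSSContextImpl` become part of the exported type's surface. The in-code comment explains how it differs from `GSSContextImpl` but not that applications are not meant to use it. A package-private top-level class in `com.sun.security.jgss` (`final class ExtendedGSSContextImpl extends GSSContextImpl implements ExtendedGSSContext`) would stay reachable from `Extender` without being exported; the same applies to `ExtendedGSSCredentialImpl` in the ExtendedGSSCredential.java hunk. Separately, the permission name is built from `type.toString()` while the lookup uses `type.name()`; using `name()` for both keeps the two in step.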
diff --git a/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSCredential.java b/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSCredential.java
index 6727ddd99ba..56fe1030744 100644
--- a/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSCredential.java
+++ b/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSCredential.java
@@ -26,6 +26,7 @@
 package com.sun.security.jgss;
 
 import org.ietf.jgss.*;
+import sun.security.jgss.GSSCredentialImpl;
 
 /**
  * The extended GSSCredential interface for supporting additional
@@ -34,6 +35,15 @@ import org.ietf.jgss.*;
  */
 @jdk.Exported
 public interface ExtendedGSSCredential extends GSSCredential {
+
+    static class ExtendedGSSCredentialImpl extends GSSCredentialImpl
+            implements ExtendedGSSCredential {
+
+        public ExtendedGSSCredentialImpl(GSSCredentialImpl old) {
+            super(old);
+        }
+    }
+
     /**
      * Impersonates a principal. In Kerberos, this can be implemented
      * using the Microsoft S4U2self extension.
diff --git a/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/Extender.java b/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/Extender.java
new file mode 100644
index 00000000000..c09d7b6a6a7
--- /dev/null
+++ b/jdk/src/java.security.jgss/share/classes/com/sun/security/jgss/Extender.java
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package com.sun.security.jgss;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import sun.security.jgss.GSSContextImpl;
+import sun.security.jgss.GSSCredentialImpl;
+import sun.security.jgss.JgssExtender;
+
+// The com.sun.security.jgss extension to JGSS-API
+class Extender extends JgssExtender {
+
+    static {
+        JgssExtender.setExtender(new Extender());
+    }
+
+    public GSSCredential wrap(GSSCredential cred) {
+        if (cred instanceof ExtendedGSSCredential.ExtendedGSSCredentialImpl) {
+            return cred;
+        } else {
+            return new ExtendedGSSCredential.ExtendedGSSCredentialImpl((GSSCredentialImpl)cred);
+        }
+    }
+
+    public GSSContext wrap(GSSContext ctxt) {
+        if (ctxt instanceof ExtendedGSSContext.ExtendedGSSContextImpl) {
+            return ctxt;
+        } else {
+            return new ExtendedGSSContext.ExtendedGSSContextImpl((GSSContextImpl)ctxt);
+        }
+    }
+}
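Review bot: Both `wrap` methods cast their argument to the `sun.security.jgss` implementation class without checking it, so a `GSSCredential` or `GSSContext` of any other type fails with a `ClassCastException` instead of being returned unwrapped as the base `JgssExtender` does. The callers visible in this patch (`GSSManagerImpl.wrap`) always pass the impl types, so this is a robustness point rather than a live defect. A guard such as `if (!(cred instanceof GSSCredentialImpl)) return cred;` before the cast, plus `@Override` on both methods, would make the contract explicit. A class comment saying that registration happens as a side effect of class initialisation, triggered by `Class.forName` in `GSSManagerImpl`, would also help the next reader.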
diff --git a/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSContext.java b/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSContext.java
index d0c6b833503..48c77e6988e 100644
--- a/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSContext.java
+++ b/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSContext.java
@@ -25,7 +25,6 @@
 
 package org.ietf.jgss;
 
-import sun.security.jgss.spi.*;
 import java.io.InputStream;
 import java.io.OutputStream;
 
diff --git a/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSName.java b/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSName.java
index c3626ac8c63..580ab39383a 100644
--- a/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSName.java
+++ b/jdk/src/java.security.jgss/share/classes/org/ietf/jgss/GSSName.java
@@ -25,10 +25,6 @@
 
 package org.ietf.jgss;
 
-import sun.security.jgss.spi.*;
-import java.util.Vector;
-import java.util.Enumeration;
-
 /**
  * This interface encapsulates a single GSS-API principal entity. The
  * application obtains an implementation of this interface
diff --git a/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java b/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java
index e241a36c708..60dea44e3b9 100644
--- a/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java
+++ b/jdk/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java
@@ -25,7 +25,6 @@
 
 package sun.net.www.protocol.http.spnego;
 
-import com.sun.security.jgss.ExtendedGSSContext;
 import java.io.IOException;
 
 import org.ietf.jgss.GSSContext;
@@ -36,6 +35,7 @@ import org.ietf.jgss.Oid;
 import sun.net.www.protocol.http.HttpCallerInfo;
 import sun.net.www.protocol.http.Negotiator;
 import sun.security.jgss.GSSManagerImpl;
+import sun.security.jgss.GSSContextImpl;
 import sun.security.jgss.GSSUtil;
 import sun.security.jgss.HttpCaller;
 
@@ -102,8 +102,8 @@ public class NegotiatorImpl extends Negotiator {
                                         GSSContext.DEFAULT_LIFETIME);
 
         // Always respect delegation policy in HTTP/SPNEGO.
-        if (context instanceof ExtendedGSSContext) {
-            ((ExtendedGSSContext)context).requestDelegPolicy(true);
+        if (context instanceof GSSContextImpl) {
+            ((GSSContextImpl)context).requestDelegPolicy(true);
         }
         oneToken = context.initSecContext(new byte[0], 0, 0);
     }
diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSContextImpl.java b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSContextImpl.java
index b25987ff93d..d1e09de1b77 100644
--- a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSContextImpl.java
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSContextImpl.java
@@ -33,7 +33,8 @@ import java.io.OutputStream;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
-import com.sun.security.jgss.*;
+import java.lang.reflect.Field;
+import java.lang.reflect.Modifier;
 
 /**
  * This class represents the JGSS security context and its associated
@@ -87,10 +88,10 @@ import com.sun.security.jgss.*;
  * per-message operations are returned in an instance of the MessageProp
  * class, which is used as an argument in these calls.
  */
-class GSSContextImpl implements ExtendedGSSContext {
+public class GSSContextImpl implements GSSContext {
 
-    private final GSSManagerImpl gssManager;
-    private final boolean initiator;
+    private GSSManagerImpl gssManager;
+    private boolean initiator;
 
     // private flags for the context state
     private static final int PRE_INIT = 1;
@@ -122,6 +123,22 @@ class GSSContextImpl implements ExtendedGSSContext {
     private boolean reqAnonState = false;
     private boolean reqDelegPolicyState = false;
 
+    public GSSContextImpl() {
+        // Useless
+    }
+
+    // Used by new ExtendedGSSContext.ExtendedGSSContextImpl(ctxt)
+    protected GSSContextImpl(GSSContextImpl src) {
+        for (Field f: GSSContextImpl.class.getDeclaredFields()) {
+            if (!Modifier.isStatic(f.getModifiers())) {
+                try {
+                    f.set(this, f.get(src));
+                } catch (Exception e) {
+                    throw new RuntimeException(e);
+                }
+            }
+        }
+    }
     /**
      * Creates a GSSContextImp on the context initiator's side.
      */
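Review bot: The new `public GSSContextImpl()` constructor (commented `// Useless`) lets callers create a context whose `gssManager` and other state were never set, on a class this patch also makes `public`; if nothing needs it, drop it or make it `private`. The copy constructor copies every non-static field reflectively, which appears to be why `gssManager` and `initiator` lose `final` in the earlier hunk of this file, and it turns any reflection failure into a bare `RuntimeException`. `GSSCredentialImpl`'s copy constructor in this same patch assigns its fields explicitly; doing the same here would let the two fields stay `final` and show exactly which mutable state the wrapper shares with the original. The remark about the no-arg constructor applies equally to `public GSSCredentialImpl()`.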
@@ -613,7 +630,7 @@ class GSSContextImpl implements ExtendedGSSContext {
                                    "No mechanism context yet!");
         GSSCredentialSpi delCredElement = mechCtxt.getDelegCred();
         return (delCredElement == null ?
-            null : new GSSCredentialImpl(gssManager, delCredElement));
+            null : GSSManagerImpl.wrap(new GSSCredentialImpl(gssManager, delCredElement)));
     }
 
     public boolean isInitiator() throws GSSException {
@@ -633,25 +650,18 @@ class GSSContextImpl implements ExtendedGSSContext {
 
     // ExtendedGSSContext methods:
 
-    @Override
-    public Object inquireSecContext(InquireType type) throws GSSException {
-        SecurityManager security = System.getSecurityManager();
-        if (security != null) {
-            security.checkPermission(new InquireSecContextPermission(type.toString()));
-        }
+    public Object inquireSecContext(String type) throws GSSException {
         if (mechCtxt == null) {
             throw new GSSException(GSSException.NO_CONTEXT);
         }
         return mechCtxt.inquireSecContext(type);
     }
 
-    @Override
     public void requestDelegPolicy(boolean state) throws GSSException {
         if (mechCtxt == null && initiator)
             reqDelegPolicyState = state;
     }
 
-    @Override
     public boolean getDelegPolicyState() {
         if (mechCtxt != null)
             return mechCtxt.getDelegPolicyState();
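Review bot: The `InquireSecContextPermission` check is removed here and now lives only in `ExtendedGSSContextImpl.inquireSecContext(InquireType)`, while this `inquireSecContext(String)` stays `public` on a class that is now `public`, and the wrapper inherits it. Any caller that can reach the String overload obtains the mechanism attribute (session key, ticket flags, authorization data) with no security-manager check, so the protection rests entirely on access to `sun.security.jgss` being restricted. If only the subclass and same-package code need it, `protected Object inquireSecContext(String type) throws GSSException` keeps `super.inquireSecContext(type.name())` working while narrowing the unchecked path; otherwise the method needs a comment stating that callers must do the permission check themselves. The `// ExtendedGSSContext methods:` comment above is now stale, and `getDelegPolicyState` continues past the end of the hunk.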
diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSCredentialImpl.java b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSCredentialImpl.java
index 0cff2fa7937..617505f8320 100644
--- a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSCredentialImpl.java
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSCredentialImpl.java
@@ -27,11 +27,11 @@ package sun.security.jgss;
 
 import org.ietf.jgss.*;
 import sun.security.jgss.spi.*;
+
 import java.util.*;
-import com.sun.security.jgss.*;
 import sun.security.jgss.spnego.SpNegoCredElement;
 
-public class GSSCredentialImpl implements ExtendedGSSCredential {
+public class GSSCredentialImpl implements GSSCredential {
 
     private GSSManagerImpl gssManager = null;
     private boolean destroyed = false;
@@ -47,6 +47,18 @@ public class GSSCredentialImpl implements ExtendedGSSCredential {
     // XXX Optimization for single mech usage
     private GSSCredentialSpi tempCred = null;
 
+    public GSSCredentialImpl() {
+        // Useless
+    }
+
+    // Used by new ExtendedGSSCredential.ExtendedGSSCredentialImpl(cred)
+    protected GSSCredentialImpl(GSSCredentialImpl src) {
+        this.gssManager = src.gssManager;
+        this.destroyed = src.destroyed;
+        this.hashtable = src.hashtable;
+        this.tempCred = src.tempCred;
+    }
+
     GSSCredentialImpl(GSSManagerImpl gssManager, int usage)
         throws GSSException {
         this(gssManager, null, GSSCredential.DEFAULT_LIFETIME,
@@ -140,7 +152,7 @@ public class GSSCredentialImpl implements ExtendedGSSCredential {
                                   ((GSSNameImpl)name).getElement(mech));
         GSSCredentialSpi cred = tempCred.impersonate(nameElement);
         return (cred == null ?
-            null : new GSSCredentialImpl(gssManager, cred));
+            null : GSSManagerImpl.wrap(new GSSCredentialImpl(gssManager, cred)));
     }
 
     public GSSName getName() throws GSSException {
diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java
index 736ef98fcd8..9d27b53822b 100644
--- a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java
@@ -145,35 +145,35 @@ public class GSSManagerImpl extends GSSManager {
 
     public GSSCredential createCredential(int usage)
         throws GSSException {
-        return new GSSCredentialImpl(this, usage);
+        return wrap(new GSSCredentialImpl(this, usage));
     }
 
     public GSSCredential createCredential(GSSName aName,
                                           int lifetime, Oid mech, int usage)
         throws GSSException {
-        return new GSSCredentialImpl(this, aName, lifetime, mech, usage);
+        return wrap(new GSSCredentialImpl(this, aName, lifetime, mech, usage));
     }
 
     public GSSCredential createCredential(GSSName aName,
                                           int lifetime, Oid mechs[], int usage)
         throws GSSException {
-        return new GSSCredentialImpl(this, aName, lifetime, mechs, usage);
+        return wrap(new GSSCredentialImpl(this, aName, lifetime, mechs, usage));
     }
 
     public GSSContext createContext(GSSName peer, Oid mech,
                                     GSSCredential myCred, int lifetime)
         throws GSSException {
-        return new GSSContextImpl(this, peer, mech, myCred, lifetime);
+        return wrap(new GSSContextImpl(this, peer, mech, myCred, lifetime));
     }
 
     public GSSContext createContext(GSSCredential myCred)
         throws GSSException {
-        return new GSSContextImpl(this, myCred);
+        return wrap(new GSSContextImpl(this, myCred));
     }
 
     public GSSContext createContext(byte[] interProcessToken)
         throws GSSException {
-        return new GSSContextImpl(this, interProcessToken);
+        return wrap(new GSSContextImpl(this, interProcessToken));
     }
 
     public void addProviderAtFront(Provider p, Oid mech)
@@ -257,4 +257,20 @@ public class GSSManagerImpl extends GSSManager {
         }
         return result;
     }
+
+    static {
+        // Load the extended JGSS interfaces if exist
+        try {
+            Class.forName("com.sun.security.jgss.Extender");
+        } catch (Exception e) {
+        }
+    }
+
+    static GSSCredential wrap(GSSCredentialImpl cred) {
+        return sun.security.jgss.JgssExtender.getExtender().wrap(cred);
+    }
+
+    static GSSContext wrap(GSSContextImpl ctxt) {
+        return sun.security.jgss.JgssExtender.getExtender().wrap(ctxt);
+    }
 }
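Review bot: The static initializer swallows every `Exception` from `Class.forName("com.sun.security.jgss.Extender")` in an empty `catch`, so an absent extension and an unexpected failure look the same, and a later cast to `ExtendedGSSContext` fails with no hint why. Only the absent-class case is expected; narrowing to `} catch (ClassNotFoundException ignored) {` with a comment such as `// extension not present: keep the identity extender` documents the intent. Failures thrown while initialising `Extender` are `Error`s and are not caught either way, so they would still break `GSSManagerImpl` initialisation. The two `wrap` helpers can drop the fully qualified `sun.security.jgss.JgssExtender`, since this class is in the same package.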
diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/JgssExtender.java b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/JgssExtender.java
new file mode 100644
index 00000000000..4d204e5c652
--- /dev/null
+++ b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/JgssExtender.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.jgss;
+
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+
+/**
+ * The extending point of basic JGSS-API.
+ * 

+ * If a module wants to extend basic JGSS-API classes, it should extends this + * class and register itself as "the extender" using the setExtender method. + * When various GSSManager.createXXX methods are called, they will call + * "the extender"'s wrap methods to create objects of extended types + * instead of basic types. + *

+ * We have only one extension now defined in com.sun.security.jgss, and the + * registering process is triggered in {@link GSSManagerImpl} by calling + * Class.forName("com.sun.security.jgss.Extender"). Only GSSContext + * and GSSCredential are extended now. + *

+ * The setExtender method should be called before any JGSS call. + */ +public class JgssExtender { + + // "The extender" + private static volatile JgssExtender theOne = new JgssExtender(); + + /** + * Gets "the extender". GSSManager calls this method so that it can + * wrap basic objects into extended objects. + * @return the extender + */ + public static JgssExtender getExtender() { + return theOne; + } + + /** + * Set "the extender" so that GSSManager can create extended objects. + */ + protected static void setExtender(JgssExtender theOne) { + JgssExtender.theOne = theOne; + } + + /** + * Wraps a plain GSSCredential object into an extended type. + */ + public GSSCredential wrap(GSSCredential cred) { + return cred; + } + + /** + * Wraps a plain GSSContext object into an extended type. + */ + public GSSContext wrap(GSSContext ctxt) { + return ctxt; + } +} diff --git a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitSecContextToken.java b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitSecContextToken.java index 0077e7edb28..13c999b6472 100644 --- a/jdk/src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitSecContextToken.java +++ b/jdk/src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitSecContextToken.java @@ -25,7 +25,6 @@ package sun.security.jgss.krb5; -import com.sun.security.jgss.AuthorizationDataEntry; import org.ietf.jgss.*; import java.io.InputStream; import java.io.IOException; 
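Review bot: `setExtender` in the new JgssExtender.java accepts any value at any time: it has no null check and no guard against a second registration, and as a `protected static` method on a `public` class it is callable from any subclass. Because `GSSManagerImpl` routes every created credential and context through `getExtender().wrap(...)`, a null extender makes every `createCredential`/`createContext` call fail with a `NullPointerException`, and a replaced extender is handed every credential object. Consider `JgssExtender.theOne = Objects.requireNonNull(theOne);` (with `java.util.Objects` imported) and rejecting a call once a non-default extender is installed, or state in the Javadoc that the method is reserved for the JDK's own extension. The class Javadoc's "should be called before any JGSS call" could also say what happens otherwise, presumably that objects created earlier stay unwrapped.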
@@ -152,17 +151,7 @@ class InitSecContextToken extends InitialToken { new KerberosTime(apReq.getCreds().getAuthTime()).toString()); context.setTktFlags(apReq.getCreds().getFlags()); AuthorizationData ad = apReq.getCreds().getAuthzData(); - if (ad == null) { - context.setAuthzData(null); - } else { - AuthorizationDataEntry[] authzData = - new AuthorizationDataEntry[ad.count()]; - for (int i=0; i " + x.getTargName()); } - System.out.println("Context status of " + name + ": " + sb.toString()); - System.out.println(x.getSrcName() + " -> " + x.getTargName()); - } catch (Exception e) { - ;// Don't care } + xstatus(); if (s != null) { System.out.println("====== START SUBJECT CONTENT ====="); - for (Principal p: s.getPrincipals()) { + for (Principal p : s.getPrincipals()) { System.out.println(" Principal: " + p); } for (Object o : s.getPublicCredentials()) { 
@@ -405,51 +395,42 @@ public class Context { } System.out.println("====== END SUBJECT CONTENT ====="); } - if (x != null && x instanceof ExtendedGSSContext) { - if (x.isEstablished()) { - ExtendedGSSContext ex = (ExtendedGSSContext)x; - Key k = (Key)ex.inquireSecContext( - InquireType.KRB5_GET_SESSION_KEY); - if (k == null) { - throw new Exception("(Old) Session key cannot be null"); - } - System.out.println("(Old) Session key is: " + k); - Key k2 = (Key)ex.inquireSecContext( - InquireType.KRB5_GET_SESSION_KEY_EX); - if (k2 == null) { - throw new Exception("Session key cannot be null"); - } - System.out.println("Session key is: " + k); - boolean[] flags = (boolean[])ex.inquireSecContext( - InquireType.KRB5_GET_TKT_FLAGS); - if (flags == null) { - throw new Exception("Ticket flags cannot be null"); - } - System.out.println("Ticket flags is: " + Arrays.toString(flags)); - String authTime = (String)ex.inquireSecContext( - InquireType.KRB5_GET_AUTHTIME); - if (authTime == null) { - throw new Exception("Auth time cannot be null"); - } - System.out.println("AuthTime is: " + authTime); - if (!x.isInitiator()) { - AuthorizationDataEntry[] ad = (AuthorizationDataEntry[])ex.inquireSecContext( - InquireType.KRB5_GET_AUTHZ_DATA); - System.out.println("AuthzData is: " + Arrays.toString(ad)); - } - try { - KerberosCredMessage tok = (KerberosCredMessage)ex.inquireSecContext( - InquireType.KRB5_GET_KRB_CRED); - System.out.println("KRB_CRED is " + - (tok == null?"not ":"") + "available"); - if (tok != null) { - System.out.println("From " + tok.getSender() + " to " - + tok.getRecipient()); - System.out.println(Base64.getEncoder().encodeToString(tok.getEncoded())); + } + + public void xstatus() throws Exception { + System.out.println(" Extended context status:"); + if (x != null) { + try { + Class clazz = Class.forName("com.sun.security.jgss.ExtendedGSSContext"); + if (clazz.isAssignableFrom(x.getClass())) { + if (clazz.getMethod("getDelegPolicyState").invoke(x) == Boolean.TRUE) { + 
System.out.println(" deleg policy"); + } + if (x.isEstablished()) { + Class inqType = Class.forName("com.sun.security.jgss.InquireType"); + Method inqMethod = clazz.getMethod("inquireSecContext", inqType); + for (Object o : inqType.getEnumConstants()) { + System.out.println(" " + o + ":"); + try { + System.out.println(" " + inqMethod.invoke(x, o)); + } catch (Exception e) { + System.out.println(e.getCause()); + } + } } - } catch (Exception e) { - System.out.println("KRB_CRED is not available: " + e); } + } catch (ClassNotFoundException cnfe) { + System.out.println(" -- ExtendedGSSContext not available"); + } + } + if (cred != null) { + try { + Class clazz2 = Class.forName("com.sun.security.jgss.ExtendedGSSCredential"); + if (!clazz2.isAssignableFrom(cred.getClass())) { + throw new Exception("cred is not extended"); + } + } catch (ClassNotFoundException cnfe) { + System.out.println(" -- ExtendedGSSCredential not available"); } } } @@ -591,7 +572,10 @@ public class Context { if (Context.this.cred == null) { Context.this.cred = m.createCredential(GSSCredential.INITIATE_ONLY); } - return ((ExtendedGSSCredential)Context.this.cred).impersonate(other); + return (GSSCredential) + Class.forName("com.sun.security.jgss.ExtendedGSSCredential") + .getMethod("impersonate", GSSName.class) + .invoke(Context.this.cred, other); } }); Context out = new Context(); diff --git a/jdk/test/sun/security/krb5/auto/NewInquireTypes.java b/jdk/test/sun/security/krb5/auto/NewInquireTypes.java index 0a922468b62..bb4d041b413 100644 --- a/jdk/test/sun/security/krb5/auto/NewInquireTypes.java +++ b/jdk/test/sun/security/krb5/auto/NewInquireTypes.java @@ -29,6 +29,7 @@ * @run main/othervm NewInquireTypes */ +import com.sun.security.jgss.ExtendedGSSContext; import com.sun.security.jgss.InquireType; import sun.security.jgss.GSSUtil; import sun.security.krb5.internal.KRBCred; 
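Review bot: The rewritten `xstatus()` in Context.java only prints what `inquireSecContext` returns and catches every exception from the reflective call, so the checks the removed code made (`Session key cannot be null`, `Ticket flags cannot be null`, `Auth time cannot be null`) are gone and a regression in those inquire types no longer fails the test. If the reflective form is needed so the test runs without the extension module, keep a null check for the types that must be present on an established context, for example `if (v == null) throw new Exception(o + " cannot be null");`. `invoke(x) == Boolean.TRUE` compares boxed references; `Boolean.TRUE.equals(...)` states the intent. The first Context.java hunk is damaged on this page, so only the visible part was reviewed.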
@@ -52,10 +53,12 @@ public class NewInquireTypes { Context.handshake(c, s); + ExtendedGSSContext ctxt = (ExtendedGSSContext)c.x(); EncryptionKey key = (EncryptionKey) - c.x().inquireSecContext(InquireType.KRB5_GET_SESSION_KEY_EX); + ctxt.inquireSecContext(InquireType.KRB5_GET_SESSION_KEY_EX); KerberosCredMessage cred = (KerberosCredMessage) - c.x().inquireSecContext(InquireType.KRB5_GET_KRB_CRED); + ctxt.inquireSecContext(InquireType.KRB5_GET_KRB_CRED); + c.status(); // Confirm the KRB_CRED message is encrypted with the session key. new KRBCred(cred.getEncoded()).encPart.decrypt( diff --git a/jdk/test/sun/security/krb5/auto/OkAsDelegate.java b/jdk/test/sun/security/krb5/auto/OkAsDelegate.java index d66e2421b82..198de7d78ca 100644 --- a/jdk/test/sun/security/krb5/auto/OkAsDelegate.java +++ b/jdk/test/sun/security/krb5/auto/OkAsDelegate.java @@ -48,6 +48,7 @@ * @summary Support OK-AS-DELEGATE flag */ import com.sun.security.jgss.ExtendedGSSContext; +import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSException; import org.ietf.jgss.Oid; @@ -102,7 +103,7 @@ public class OkAsDelegate { cx.requestCredDeleg(requestDelegState); cx.requestDelegPolicy(requestDelegPolicyState); s.startAsServer(mech); - ExtendedGSSContext sx = (ExtendedGSSContext)s.x(); + GSSContext sx = s.x(); Context.handshake(c, s); diff --git a/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java b/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java index 4607619ec31..ce71314339e 100644 --- a/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java +++ b/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java 
@@ -42,6 +42,8 @@ import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; + +import com.sun.security.jgss.ExtendedGSSContext; import org.ietf.jgss.GSSException; import sun.security.jgss.GSSUtil; import sun.security.krb5.Config; @@ -129,7 +131,7 @@ public class OkAsDelegateXRealm implements CallbackHandler { for (int i=0; i<2; i++) { c.startAsClient("host@host.r3.local", GSSUtil.GSS_KRB5_MECH_OID); s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); - c.x().requestDelegPolicy(true); + ((ExtendedGSSContext)c.x()).requestDelegPolicy(true); Context.handshake(c, s); boolean succeed = true; diff --git a/jdk/test/sun/security/krb5/auto/SSL.java b/jdk/test/sun/security/krb5/auto/SSL.java index aab262244ac..db7aae88bd4 100644 --- a/jdk/test/sun/security/krb5/auto/SSL.java +++ b/jdk/test/sun/security/krb5/auto/SSL.java @@ -186,13 +186,13 @@ public class SSL extends SecurityManager { // Client checks "initiate", then server gets the name // and checks "accept". Second connection resume. if (!permChecks.equals("IA")) { - throw new Exception(); + throw new Exception(permChecks); } } else { // For bound, JAAS checks "accept" once. Server checks again, // client then checks "initiate". Second connection resume. if (!permChecks.equals("AAI")) { - throw new Exception(); + throw new Exception(permChecks); } } }