stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8344248: Remove Security Manager dependencies from java.security.jgss and jdk.security.jgss modules

Browse Source 
Reviewed-by: ascarpino
This commit is contained in:
Sean Mullan 2024-11-21 17:45:04 +00:00
parent 395e404666
commit 6113fa7503
42 changed files with 288 additions and 854 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/java.base/share/classes/module-info.java
View File

@ -320,8 +320,7 @@ module java.base {
java.rmi, java.rmi,
java.sql.rowset; java.sql.rowset;
exports sun.security.action to exports sun.security.action to
java.desktop, java.desktop;
java.security.jgss;
exports sun.security.internal.interfaces to exports sun.security.internal.interfaces to
jdk.crypto.cryptoki; jdk.crypto.cryptoki;
exports sun.security.internal.spec to exports sun.security.internal.spec to

13
src/java.security.jgss/share/classes/javax/security/auth/kerberos/KerberosPrincipal.java
View File

@ -176,19 +176,6 @@ public final class KerberosPrincipal
throw new IllegalArgumentException(e.getMessage()); throw new IllegalArgumentException(e.getMessage());
} }
if (krb5Principal.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
try {
sm.checkPermission(new ServicePermission(
"@" + krb5Principal.getRealmAsString(), "-"));
} catch (SecurityException se) {
// Swallow the actual exception to hide info
throw new SecurityException("Cannot read realm info");
}
}
}
this.nameType = nameType; this.nameType = nameType;
fullName = krb5Principal.toString(); fullName = krb5Principal.toString();
realm = krb5Principal.getRealmString(); realm = krb5Principal.getRealmString();

16
src/java.security.jgss/share/classes/javax/security/auth/kerberos/KeyTab.java
View File

@ -26,7 +26,6 @@
package javax.security.auth.kerberos; package javax.security.auth.kerberos;
import java.io.File; import java.io.File;
import java.security.AccessControlException;
import java.util.Objects; import java.util.Objects;
import sun.security.krb5.EncryptionKey; import sun.security.krb5.EncryptionKey;
import sun.security.krb5.KerberosSecrets; import sun.security.krb5.KerberosSecrets;
@ -210,20 +209,7 @@ public final class KeyTab {
// Takes a snapshot of the keytab content. This method is called by // Takes a snapshot of the keytab content. This method is called by
// JavaxSecurityAuthKerberosAccessImpl so no more private // JavaxSecurityAuthKerberosAccessImpl so no more private
sun.security.krb5.internal.ktab.KeyTab takeSnapshot() { sun.security.krb5.internal.ktab.KeyTab takeSnapshot() {
try { return sun.security.krb5.internal.ktab.KeyTab.getInstance(file);
return sun.security.krb5.internal.ktab.KeyTab.getInstance(file);
} catch (@SuppressWarnings("removal") AccessControlException ace) {
if (file != null) {
// It's OK to show the name if caller specified it
throw ace;
} else {
@SuppressWarnings("removal")
AccessControlException ace2 = new AccessControlException(
"Access to default keytab denied (modified exception)");
ace2.setStackTrace(ace.getStackTrace());
throw ace2;
}
}
} }
/** /**

4
src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java
View File

@ -35,7 +35,6 @@ import org.ietf.jgss.Oid;
import sun.net.www.protocol.http.HttpCallerInfo; import sun.net.www.protocol.http.HttpCallerInfo;
import sun.net.www.protocol.http.Negotiator; import sun.net.www.protocol.http.Negotiator;
import sun.security.action.GetPropertyAction;
import sun.security.jgss.GSSManagerImpl; import sun.security.jgss.GSSManagerImpl;
import sun.security.jgss.GSSContextImpl; import sun.security.jgss.GSSContextImpl;
import sun.security.jgss.GSSUtil; import sun.security.jgss.GSSUtil;
@ -74,8 +73,7 @@ public class NegotiatorImpl extends Negotiator {
// we can only use Kerberos mech when the scheme is kerberos // we can only use Kerberos mech when the scheme is kerberos
oid = GSSUtil.GSS_KRB5_MECH_OID; oid = GSSUtil.GSS_KRB5_MECH_OID;
} else { } else {
String pref = GetPropertyAction String pref = System.getProperty("http.auth.preference", "spnego");
.privilegedGetProperty("http.auth.preference", "spnego");
if (pref.equalsIgnoreCase("kerberos")) { if (pref.equalsIgnoreCase("kerberos")) {
oid = GSSUtil.GSS_KRB5_MECH_OID; oid = GSSUtil.GSS_KRB5_MECH_OID;
} else { } else {

5
src/java.security.jgss/share/classes/sun/security/jgss/GSSManagerImpl.java
View File

@ -26,7 +26,6 @@
package sun.security.jgss; package sun.security.jgss;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.security.action.GetBooleanAction;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import java.security.Provider; import java.security.Provider;
@ -37,8 +36,8 @@ import java.security.Provider;
public class GSSManagerImpl extends GSSManager { public class GSSManagerImpl extends GSSManager {
// Undocumented property // Undocumented property
private static final Boolean USE_NATIVE = GetBooleanAction private static final Boolean USE_NATIVE =
.privilegedGetProperty("sun.security.jgss.native"); Boolean.getBoolean("sun.security.jgss.native");
private final ProviderList list; private final ProviderList list;

99
src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java
View File

@ -32,16 +32,12 @@ import javax.security.auth.kerberos.KerberosKey;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.security.jgss.spi.GSSNameSpi; import sun.security.jgss.spi.GSSNameSpi;
import sun.security.jgss.spi.GSSCredentialSpi; import sun.security.jgss.spi.GSSCredentialSpi;
import sun.security.action.GetPropertyAction;
import sun.security.jgss.krb5.Krb5NameElement; import sun.security.jgss.krb5.Krb5NameElement;
import sun.security.jgss.spnego.SpNegoCredElement; import sun.security.jgss.spnego.SpNegoCredElement;
import java.util.Set; import java.util.Set;
import java.util.HashSet; import java.util.HashSet;
import java.util.Vector; import java.util.Vector;
import java.util.Iterator; import java.util.Iterator;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.security.PrivilegedActionException;
import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException; import javax.security.auth.login.LoginException;
@ -67,8 +63,8 @@ public class GSSUtil {
public static final Oid NT_GSS_KRB5_PRINCIPAL = public static final Oid NT_GSS_KRB5_PRINCIPAL =
GSSUtil.createOid("1.2.840.113554.1.2.2.1"); GSSUtil.createOid("1.2.840.113554.1.2.2.1");
static final Debug DEBUG = Debug.of("jgss", GetPropertyAction static final Debug DEBUG = Debug.of("jgss",
.privilegedGetProperty("sun.security.jgss.debug")); System.getProperty("sun.security.jgss.debug"));
static void debug(String message) { static void debug(String message) {
assert(message != null); assert(message != null);
@ -268,8 +264,8 @@ public class GSSUtil {
*/ */
public static boolean useSubjectCredsOnly(GSSCaller caller) { public static boolean useSubjectCredsOnly(GSSCaller caller) {
String propValue = GetPropertyAction String propValue =
.privilegedGetProperty("javax.security.auth.useSubjectCredsOnly"); System.getProperty("javax.security.auth.useSubjectCredsOnly");
// Invalid values should be ignored and the default assumed. // Invalid values should be ignored and the default assumed.
if (caller instanceof HttpCaller) { if (caller instanceof HttpCaller) {
@ -290,11 +286,11 @@ public class GSSUtil {
*/ */
public static boolean useMSInterop() { public static boolean useMSInterop() {
/* /*
* Don't use GetBooleanAction because the default value in the JRE * Don't use Boolean.getBoolean() because the default value in the JRE
* (when this is unset) has to treated as true. * (when this is unset) has to treated as true.
*/ */
String propValue = GetPropertyAction String propValue =
.privilegedGetProperty("sun.security.spnego.msinterop", "true"); System.getProperty("sun.security.spnego.msinterop", "true");
/* /*
* This property has to be explicitly set to "false". Invalid * This property has to be explicitly set to "false". Invalid
* values should be ignored and the default "true" assumed. * values should be ignored and the default "true" assumed.
@ -320,56 +316,41 @@ public class GSSUtil {
(name == null ? "<<DEF>>" : name.toString()) + ", " + (name == null ? "<<DEF>>" : name.toString()) + ", " +
credCls.getName() + ")"); credCls.getName() + ")");
} }
try { Vector<T> creds = null;
@SuppressWarnings("removal") Subject currSubj = Subject.current();
Vector<T> creds = if (currSubj != null) {
AccessController.doPrivilegedWithCombiner creds = new Vector<>();
((PrivilegedExceptionAction<Vector<T>>) () -> { Iterator<GSSCredentialImpl> iterator =
Subject currSubj = Subject.current(); currSubj.getPrivateCredentials
Vector<T> result = null; (GSSCredentialImpl.class).iterator();
if (currSubj != null) { while (iterator.hasNext()) {
result = new Vector<>(); GSSCredentialImpl cred = iterator.next();
Iterator<GSSCredentialImpl> iterator = if (DEBUG != null) {
currSubj.getPrivateCredentials debug("...Found cred" + cred);
(GSSCredentialImpl.class).iterator(); }
while (iterator.hasNext()) { try {
GSSCredentialImpl cred = iterator.next(); GSSCredentialSpi ce = cred.getElement(mech, initiate);
if (DEBUG != null) { if (DEBUG != null) {
debug("...Found cred" + cred); debug("......Found element: " + ce);
}
try {
GSSCredentialSpi ce =
cred.getElement(mech, initiate);
if (DEBUG != null) {
debug("......Found element: " + ce);
}
if (ce.getClass().equals(credCls) &&
(name == null ||
name.equals((Object) ce.getName()))) {
result.add(credCls.cast(ce));
} else {
if (DEBUG != null) {
debug("......Discard element");
}
}
} catch (GSSException ge) {
if (DEBUG != null) {
debug("...Discard cred (" + ge + ")");
}
}
}
} else if (DEBUG != null) {
debug("No Subject");
} }
return result; if (ce.getClass().equals(credCls) &&
}); (name == null ||
return creds; name.equals((Object) ce.getName()))) {
} catch (PrivilegedActionException pae) { creds.add(credCls.cast(ce));
if (DEBUG != null) { } else {
debug("Unexpected exception when searching Subject:"); if (DEBUG != null) {
pae.printStackTrace(); debug("......Discard element");
}
}
} catch (GSSException ge) {
if (DEBUG != null) {
debug("...Discard cred (" + ge + ")");
}
}
} }
return null; } else if (DEBUG != null) {
debug("No Subject");
} }
return creds;
} }
} }

11
src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -25,12 +25,10 @@
package sun.security.jgss; package sun.security.jgss;
import java.security.PrivilegedAction;
import java.util.HashMap; import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration; import javax.security.auth.login.Configuration;
import org.ietf.jgss.Oid; import org.ietf.jgss.Oid;
import sun.security.action.GetPropertyAction;
/** /**
* A Configuration implementation especially designed for JGSS. * A Configuration implementation especially designed for JGSS.
@ -49,8 +47,7 @@ public class LoginConfigImpl extends Configuration {
public static final boolean HTTP_USE_GLOBAL_CREDS; public static final boolean HTTP_USE_GLOBAL_CREDS;
static { static {
String prop = GetPropertyAction String prop = System.getProperty("http.use.global.creds");
.privilegedGetProperty("http.use.global.creds");
//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false //HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
} }
@ -62,7 +59,6 @@ public class LoginConfigImpl extends Configuration {
* @param caller defined in GSSUtil as CALLER_XXX final fields * @param caller defined in GSSUtil as CALLER_XXX final fields
* @param mech defined in GSSUtil as XXX_MECH_OID final fields * @param mech defined in GSSUtil as XXX_MECH_OID final fields
*/ */
@SuppressWarnings("removal")
public LoginConfigImpl(GSSCaller caller, Oid mech) { public LoginConfigImpl(GSSCaller caller, Oid mech) {
this.caller = caller; this.caller = caller;
@ -72,8 +68,7 @@ public class LoginConfigImpl extends Configuration {
} else { } else {
throw new IllegalArgumentException(mech.toString() + " not supported"); throw new IllegalArgumentException(mech.toString() + " not supported");
} }
config = java.security.AccessController.doPrivileged config = Configuration.getConfiguration();
((PrivilegedAction<Configuration>) Configuration::getConfiguration);
} }
/** /**

4
src/java.security.jgss/share/classes/sun/security/jgss/ProviderList.java
View File

@ -38,7 +38,6 @@ import java.util.Objects;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import sun.security.jgss.wrapper.NativeGSSFactory; import sun.security.jgss.wrapper.NativeGSSFactory;
import sun.security.jgss.wrapper.SunNativeProvider; import sun.security.jgss.wrapper.SunNativeProvider;
import sun.security.action.GetPropertyAction;
/** /**
* This class stores the list of providers that this * This class stores the list of providers that this
@ -102,8 +101,7 @@ public final class ProviderList {
* with a valid OID value * with a valid OID value
*/ */
Oid defOid = null; Oid defOid = null;
String defaultOidStr = GetPropertyAction String defaultOidStr = System.getProperty("sun.security.jgss.mechanism");
.privilegedGetProperty("sun.security.jgss.mechanism");
if (defaultOidStr != null) { if (defaultOidStr != null) {
defOid = GSSUtil.createOid(defaultOidStr); defOid = GSSUtil.createOid(defaultOidStr);
} }

20
src/java.security.jgss/share/classes/sun/security/jgss/SunProvider.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -27,8 +27,6 @@ package sun.security.jgss;
import java.io.Serial; import java.io.Serial;
import java.security.Provider; import java.security.Provider;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.InvalidParameterException; import java.security.InvalidParameterException;
import java.security.ProviderException; import java.security.ProviderException;
@ -100,20 +98,16 @@ public final class SunProvider extends Provider {
} }
} }
@SuppressWarnings("removal")
public SunProvider() { public SunProvider() {
/* We are the Sun JGSS provider */ /* We are the Sun JGSS provider */
super("SunJGSS", PROVIDER_VER, INFO); super("SunJGSS", PROVIDER_VER, INFO);
final Provider p = this; final Provider p = this;
AccessController.doPrivileged((PrivilegedAction<Void>) () -> { putService(new ProviderService(p, "GssApiMechanism",
putService(new ProviderService(p, "GssApiMechanism", "1.2.840.113554.1.2.2",
"1.2.840.113554.1.2.2", "sun.security.jgss.krb5.Krb5MechFactory"));
"sun.security.jgss.krb5.Krb5MechFactory")); putService(new ProviderService(p, "GssApiMechanism",
putService(new ProviderService(p, "GssApiMechanism", "1.3.6.1.5.5.2",
"1.3.6.1.5.5.2", "sun.security.jgss.spnego.SpNegoMechFactory"));
"sun.security.jgss.spnego.SpNegoMechFactory"));
return null;
});
} }
} }

7
src/java.security.jgss/share/classes/sun/security/jgss/krb5/AcceptSecContextToken.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -29,7 +29,6 @@ import org.ietf.jgss.*;
import java.io.InputStream; import java.io.InputStream;
import java.io.IOException; import java.io.IOException;
import sun.security.action.GetBooleanAction;
import sun.security.krb5.*; import sun.security.krb5.*;
class AcceptSecContextToken extends InitialToken { class AcceptSecContextToken extends InitialToken {
@ -44,8 +43,8 @@ class AcceptSecContextToken extends InitialToken {
KrbApReq apReq) KrbApReq apReq)
throws KrbException, IOException, GSSException { throws KrbException, IOException, GSSException {
boolean useSubkey = GetBooleanAction boolean useSubkey = Boolean.getBoolean(
.privilegedGetProperty("sun.security.krb5.acceptor.subkey"); "sun.security.krb5.acceptor.subkey");
boolean useSequenceNumber = true; boolean useSequenceNumber = true;

5
src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitSecContextToken.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -29,7 +29,6 @@ import org.ietf.jgss.*;
import java.io.InputStream; import java.io.InputStream;
import java.io.IOException; import java.io.IOException;
import sun.security.action.GetPropertyAction;
import sun.security.krb5.*; import sun.security.krb5.*;
import java.net.InetAddress; import java.net.InetAddress;
import sun.security.krb5.internal.AuthorizationData; import sun.security.krb5.internal.AuthorizationData;
@ -53,7 +52,7 @@ class InitSecContextToken extends InitialToken {
// property "sun.security.krb5.acceptor.sequence.number.nonmutual", // property "sun.security.krb5.acceptor.sequence.number.nonmutual",
// which can be set to "initiator", "zero" or "0". // which can be set to "initiator", "zero" or "0".
String propName = "sun.security.krb5.acceptor.sequence.number.nonmutual"; String propName = "sun.security.krb5.acceptor.sequence.number.nonmutual";
String s = GetPropertyAction.privilegedGetProperty(propName, "initiator"); String s = System.getProperty(propName, "initiator");
if (s.equals("initiator")) { if (s.equals("initiator")) {
ACCEPTOR_USE_INITIATOR_SEQNUM = true; ACCEPTOR_USE_INITIATOR_SEQNUM = true;
} else if (s.equals("zero") || s.equals("0")) { } else if (s.equals("zero") || s.equals("0")) {

11
src/java.security.jgss/share/classes/sun/security/jgss/krb5/InitialToken.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -26,7 +26,6 @@
package sun.security.jgss.krb5; package sun.security.jgss.krb5;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import javax.security.auth.kerberos.DelegationPermission;
import java.io.IOException; import java.io.IOException;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.Inet4Address; import java.net.Inet4Address;
@ -171,14 +170,6 @@ abstract class InitialToken extends Krb5Token {
String realm = delegateTo.getRealmAsString(); String realm = delegateTo.getRealmAsString();
sb.append(" \"krbtgt/").append(realm).append('@'); sb.append(" \"krbtgt/").append(realm).append('@');
sb.append(realm).append('\"'); sb.append(realm).append('\"');
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
DelegationPermission perm =
new DelegationPermission(sb.toString());
sm.checkPermission(perm);
}
/* /*
* Write 1 in little endian but in two bytes * Write 1 in little endian but in two bytes

23
src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5AcceptCredential.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -29,10 +29,8 @@ import org.ietf.jgss.*;
import sun.security.jgss.GSSCaller; import sun.security.jgss.GSSCaller;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import sun.security.krb5.*; import sun.security.krb5.*;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.AccessController;
import javax.security.auth.DestroyFailedException; import javax.security.auth.DestroyFailedException;
import javax.security.auth.login.LoginException;
/** /**
* Implements the krb5 acceptor credential element. * Implements the krb5 acceptor credential element.
@ -57,27 +55,22 @@ public class Krb5AcceptCredential
this.screds = creds; this.screds = creds;
} }
@SuppressWarnings("removal")
static Krb5AcceptCredential getInstance(final GSSCaller caller, Krb5NameElement name) static Krb5AcceptCredential getInstance(final GSSCaller caller, Krb5NameElement name)
throws GSSException { throws GSSException {
final String serverPrinc = (name == null? null: final String serverPrinc = (name == null? null:
name.getKrb5PrincipalName().getName()); name.getKrb5PrincipalName().getName());
ServiceCreds creds; ServiceCreds creds = null;
try { try {
creds = AccessController.doPrivilegedWithCombiner( creds = Krb5Util.getServiceCreds(
new PrivilegedExceptionAction<ServiceCreds>() { caller == GSSCaller.CALLER_UNKNOWN ? GSSCaller.CALLER_ACCEPT: caller,
public ServiceCreds run() throws Exception { serverPrinc);
return Krb5Util.getServiceCreds( } catch (LoginException e) {
caller == GSSCaller.CALLER_UNKNOWN ? GSSCaller.CALLER_ACCEPT: caller,
serverPrinc);
}});
} catch (PrivilegedActionException e) {
GSSException ge = GSSException ge =
new GSSException(GSSException.NO_CRED, -1, new GSSException(GSSException.NO_CRED, -1,
"Attempt to obtain new ACCEPT credentials failed!"); "Attempt to obtain new ACCEPT credentials failed!");
ge.initCause(e.getException()); ge.initCause(e);
throw ge; throw ge;
} }

75
src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Context.java
View File

@ -39,7 +39,6 @@ import java.io.ObjectInputStream;
import java.io.OutputStream; import java.io.OutputStream;
import java.security.*; import java.security.*;
import javax.security.auth.Subject; import javax.security.auth.Subject;
import javax.security.auth.kerberos.ServicePermission;
import javax.security.auth.kerberos.KerberosCredMessage; import javax.security.auth.kerberos.KerberosCredMessage;
import javax.security.auth.kerberos.KerberosPrincipal; import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket; import javax.security.auth.kerberos.KerberosTicket;
@ -631,8 +630,6 @@ class Krb5Context implements GSSContextSpi {
tgt = proxyCreds.self.getKrb5Credentials(); tgt = proxyCreds.self.getKrb5Credentials();
} }
checkPermission(peerName.getKrb5PrincipalName().getName(),
"initiate");
/* /*
* If useSubjectCredsonly is true then * If useSubjectCredsonly is true then
* we check whether we already have the ticket * we check whether we already have the ticket
@ -641,33 +638,21 @@ class Krb5Context implements GSSContextSpi {
if (GSSUtil.useSubjectCredsOnly(caller)) { if (GSSUtil.useSubjectCredsOnly(caller)) {
KerberosTicket kerbTicket = null; KerberosTicket kerbTicket = null;
try { // get service ticket from caller's subject
// get service ticket from caller's subject // XXX to be cleaned
@SuppressWarnings("removal") // highly consider just calling:
var tmp = AccessController.doPrivilegedWithCombiner( // Subject.getSubject
new PrivilegedExceptionAction<KerberosTicket>() { // SubjectComber.find
public KerberosTicket run() throws Exception { // instead of Krb5Util.getServiceTicket
// XXX to be cleaned kerbTicket = Krb5Util.getServiceTicket(
// highly consider just calling: GSSCaller.CALLER_UNKNOWN,
// Subject.getSubject // since it's useSubjectCredsOnly here,
// SubjectComber.find // don't worry about the null
// instead of Krb5Util.getServiceTicket proxyCreds == null ?
return Krb5Util.getServiceTicket( myName.getKrb5PrincipalName().getName():
GSSCaller.CALLER_UNKNOWN, proxyCreds.getName().getKrb5PrincipalName().getName(),
// since it's useSubjectCredsOnly here, peerName.getKrb5PrincipalName().getName());
// don't worry about the null
proxyCreds == null ?
myName.getKrb5PrincipalName().getName():
proxyCreds.getName().getKrb5PrincipalName().getName(),
peerName.getKrb5PrincipalName().getName());
}});
kerbTicket = tmp;
} catch (PrivilegedActionException e) {
if (DEBUG != null) {
DEBUG.println("Attempt to obtain service"
+ " ticket from the subject failed!");
}
}
if (kerbTicket != null) { if (kerbTicket != null) {
if (DEBUG != null) { if (DEBUG != null) {
DEBUG.println("Found service ticket in " + DEBUG.println("Found service ticket in " +
@ -701,10 +686,7 @@ class Krb5Context implements GSSContextSpi {
tgt); tgt);
} }
if (GSSUtil.useSubjectCredsOnly(caller)) { if (GSSUtil.useSubjectCredsOnly(caller)) {
@SuppressWarnings("removal") Subject subject = Subject.current();
final Subject subject =
AccessController.doPrivilegedWithCombiner(
(PrivilegedAction<Subject>) Subject::current);
if (subject != null && if (subject != null &&
!subject.isReadOnly()) { !subject.isReadOnly()) {
/* /*
@ -714,14 +696,9 @@ class Krb5Context implements GSSContextSpi {
* successfully established; however it is easier * successfully established; however it is easier
* to do it here and there is no harm. * to do it here and there is no harm.
*/ */
final KerberosTicket kt = KerberosTicket kt =
Krb5Util.credsToTicket(serviceCreds); Krb5Util.credsToTicket(serviceCreds);
@SuppressWarnings("removal") subject.getPrivateCredentials().add(kt);
var dummy = AccessController.doPrivileged (
(PrivilegedAction<Void>) () -> {
subject.getPrivateCredentials().add(kt);
return null;
});
} else { } else {
// log it for debugging purpose // log it for debugging purpose
if (DEBUG != null) { if (DEBUG != null) {
@ -816,11 +793,6 @@ class Krb5Context implements GSSContextSpi {
} }
myName = (Krb5NameElement) myCred.getName(); myName = (Krb5NameElement) myCred.getName();
// If there is already a bound name, check now
if (myName != null) {
Krb5MechFactory.checkAcceptCredPermission(myName, myName);
}
InitSecContextToken token = new InitSecContextToken(this, InitSecContextToken token = new InitSecContextToken(this,
(Krb5AcceptCredential) myCred, is); (Krb5AcceptCredential) myCred, is);
PrincipalName clientName = token.getKrbApReq().getClient(); PrincipalName clientName = token.getKrbApReq().getClient();
@ -830,7 +802,6 @@ class Krb5Context implements GSSContextSpi {
if (myName == null) { if (myName == null) {
myName = Krb5NameElement.getInstance( myName = Krb5NameElement.getInstance(
token.getKrbApReq().getCreds().getServer()); token.getKrbApReq().getCreds().getServer());
Krb5MechFactory.checkAcceptCredPermission(myName, myName);
} }
if (getMutualAuthState()) { if (getMutualAuthState()) {
@ -1322,16 +1293,6 @@ class Krb5Context implements GSSContextSpi {
} }
} }
private void checkPermission(String principal, String action) {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
ServicePermission perm =
new ServicePermission(principal, action);
sm.checkPermission(perm);
}
}
private static String getHexBytes(byte[] bytes, int pos, int len) { private static String getHexBytes(byte[] bytes, int pos, int len) {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();

26
src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5InitCredential.java
View File

@ -37,9 +37,7 @@ import java.io.InvalidObjectException;
import java.io.IOException; import java.io.IOException;
import java.io.ObjectInputStream; import java.io.ObjectInputStream;
import java.util.Date; import java.util.Date;
import java.security.AccessController; import javax.security.auth.login.LoginException;
import java.security.PrivilegedExceptionAction;
import java.security.PrivilegedActionException;
/** /**
* Implements the krb5 initiator credential element. * Implements the krb5 initiator credential element.
@ -348,7 +346,6 @@ public class Krb5InitCredential
// XXX call to this.destroy() should destroy the locally cached copy // XXX call to this.destroy() should destroy the locally cached copy
// of krb5Credentials and then call super.destroy(). // of krb5Credentials and then call super.destroy().
@SuppressWarnings("removal")
private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name, private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name,
int initLifetime) int initLifetime)
throws GSSException { throws GSSException {
@ -366,23 +363,18 @@ public class Krb5InitCredential
} }
try { try {
final GSSCaller realCaller = (caller == GSSCaller.CALLER_UNKNOWN) GSSCaller realCaller = (caller == GSSCaller.CALLER_UNKNOWN)
? GSSCaller.CALLER_INITIATE ? GSSCaller.CALLER_INITIATE
: caller; : caller;
return AccessController.doPrivilegedWithCombiner( // It's OK to use null as serverPrincipal. TGT is almost
new PrivilegedExceptionAction<KerberosTicket>() { // the first ticket for a principal and we use list.
public KerberosTicket run() throws Exception { return Krb5Util.getInitialTicket(realCaller, clientPrincipal);
// It's OK to use null as serverPrincipal. TGT is almost } catch (LoginException e) {
// the first ticket for a principal and we use list.
return Krb5Util.getInitialTicket(
realCaller, clientPrincipal);
}});
} catch (PrivilegedActionException e) {
GSSException ge = GSSException ge =
new GSSException(GSSException.NO_CRED, -1, new GSSException(GSSException.NO_CRED, -1,
"Attempt to obtain new INITIATE credentials failed!" + "Attempt to obtain new INITIATE credentials failed!" +
" (" + e.getMessage() + ")"); " (" + e.getMessage() + ")");
ge.initCause(e.getException()); ge.initCause(e);
throw ge; throw ge;
} }
} }

63
src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5MechFactory.java
View File

@ -29,12 +29,9 @@ import org.ietf.jgss.*;
import sun.security.jgss.GSSUtil; import sun.security.jgss.GSSUtil;
import sun.security.jgss.GSSCaller; import sun.security.jgss.GSSCaller;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import javax.security.auth.kerberos.ServicePermission;
import java.security.Provider; import java.security.Provider;
import java.util.Vector; import java.util.Vector;
import static sun.security.krb5.internal.Krb5.DEBUG;
/** /**
* Krb5 Mechanism plug in for JGSS * Krb5 Mechanism plug in for JGSS
* This is the properties object required by the JGSS framework. * This is the properties object required by the JGSS framework.
@ -71,19 +68,8 @@ public final class Krb5MechFactory implements MechanismFactory {
Krb5InitCredential.class : Krb5InitCredential.class :
Krb5AcceptCredential.class)); Krb5AcceptCredential.class));
Krb5CredElement result = ((creds == null || creds.isEmpty()) ? return ((creds == null || creds.isEmpty()) ?
null : creds.firstElement()); null : creds.firstElement());
// Force permission check before returning the cred to caller
if (result != null) {
if (initiate) {
checkInitCredPermission((Krb5NameElement) result.getName());
} else {
checkAcceptCredPermission
((Krb5NameElement) result.getName(), name);
}
}
return result;
} }
public Krb5MechFactory() { public Krb5MechFactory() {
@ -126,14 +112,10 @@ public final class Krb5MechFactory implements MechanismFactory {
(caller, (Krb5NameElement) name, initLifetime); (caller, (Krb5NameElement) name, initLifetime);
credElement = Krb5ProxyCredential.tryImpersonation( credElement = Krb5ProxyCredential.tryImpersonation(
caller, (Krb5InitCredential)credElement); caller, (Krb5InitCredential)credElement);
checkInitCredPermission
((Krb5NameElement) credElement.getName());
} else if (usage == GSSCredential.ACCEPT_ONLY) { } else if (usage == GSSCredential.ACCEPT_ONLY) {
credElement = credElement =
Krb5AcceptCredential.getInstance(caller, Krb5AcceptCredential.getInstance(caller,
(Krb5NameElement) name); (Krb5NameElement) name);
checkAcceptCredPermission
((Krb5NameElement) credElement.getName(), name);
} else } else
throw new GSSException(GSSException.FAILURE, -1, throw new GSSException(GSSException.FAILURE, -1,
"Unknown usage mode requested"); "Unknown usage mode requested");
@ -141,47 +123,6 @@ public final class Krb5MechFactory implements MechanismFactory {
return credElement; return credElement;
} }
public static void checkInitCredPermission(Krb5NameElement name) {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
String realm = (name.getKrb5PrincipalName()).getRealmAsString();
String tgsPrincipal = "krbtgt/" + realm + '@' + realm;
ServicePermission perm =
new ServicePermission(tgsPrincipal, "initiate");
try {
sm.checkPermission(perm);
} catch (SecurityException e) {
if (DEBUG != null) {
DEBUG.println("Permission to initiate " +
"kerberos init credential" + e.getMessage());
}
throw e;
}
}
}
public static void checkAcceptCredPermission(Krb5NameElement name,
GSSNameSpi originalName) {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null && name != null) {
ServicePermission perm = new ServicePermission
(name.getKrb5PrincipalName().getName(), "accept");
try {
sm.checkPermission(perm);
} catch (SecurityException e) {
if (originalName == null) {
// Don't disclose the name of the principal
e = new SecurityException("No permission to acquire "
+ "Kerberos accept credential");
// Don't call e.initCause() with caught exception
}
throw e;
}
}
}
public GSSContextSpi getMechanismContext(GSSNameSpi peer, public GSSContextSpi getMechanismContext(GSSNameSpi peer,
GSSCredentialSpi myInitiatorCred, int lifetime) GSSCredentialSpi myInitiatorCred, int lifetime)
throws GSSException { throws GSSException {

17
src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5NameElement.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -28,10 +28,8 @@ package sun.security.jgss.krb5;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import sun.security.krb5.PrincipalName; import sun.security.krb5.PrincipalName;
import sun.security.krb5.Realm;
import sun.security.krb5.KrbException; import sun.security.krb5.KrbException;
import javax.security.auth.kerberos.ServicePermission;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.security.Provider; import java.security.Provider;
@ -127,19 +125,6 @@ public class Krb5NameElement
throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage()); throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
} }
if (principalName.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
try {
sm.checkPermission(new ServicePermission(
"@" + principalName.getRealmAsString(), "-"));
} catch (SecurityException se) {
// Do not chain the actual exception to hide info
throw new GSSException(GSSException.FAILURE);
}
}
}
return new Krb5NameElement(principalName, gssNameStr, gssNameType); return new Krb5NameElement(principalName, gssNameStr, gssNameType);
} }

1
src/java.security.jgss/share/classes/sun/security/jgss/krb5/Krb5Util.java
View File

@ -59,7 +59,6 @@ public class Krb5Util {
static KerberosTicket getServiceTicket(GSSCaller caller, static KerberosTicket getServiceTicket(GSSCaller caller,
String clientPrincipal, String serverPrincipal) { String clientPrincipal, String serverPrincipal) {
// Try to get ticket from current Subject // Try to get ticket from current Subject
@SuppressWarnings("removal")
Subject currSubj = Subject.current(); Subject currSubj = Subject.current();
KerberosTicket ticket = KerberosTicket ticket =
SubjectComber.find(currSubj, serverPrincipal, clientPrincipal, SubjectComber.find(currSubj, serverPrincipal, clientPrincipal,

6
src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoContext.java
View File

@ -30,8 +30,6 @@ import java.security.Provider;
import java.util.Objects; import java.util.Objects;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.security.action.GetBooleanAction;
import sun.security.action.GetPropertyAction;
import sun.security.jgss.*; import sun.security.jgss.*;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import sun.security.util.*; import sun.security.util.*;
@ -85,8 +83,8 @@ public class SpNegoContext implements GSSContextSpi {
private final SpNegoMechFactory factory; private final SpNegoMechFactory factory;
// debug property // debug property
static final Debug DEBUG = Debug.of("spnego", GetPropertyAction static final Debug DEBUG = Debug.of("spnego",
.privilegedGetProperty("sun.security.spnego.debug")); System.getProperty("sun.security.spnego.debug"));
/** /**
* Constructor for SpNegoContext to be called on the context initiator's * Constructor for SpNegoContext to be called on the context initiator's

27
src/java.security.jgss/share/classes/sun/security/jgss/spnego/SpNegoMechFactory.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -28,10 +28,6 @@ package sun.security.jgss.spnego;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import sun.security.jgss.*; import sun.security.jgss.*;
import sun.security.jgss.spi.*; import sun.security.jgss.spi.*;
import sun.security.jgss.krb5.Krb5MechFactory;
import sun.security.jgss.krb5.Krb5InitCredential;
import sun.security.jgss.krb5.Krb5AcceptCredential;
import sun.security.jgss.krb5.Krb5NameElement;
import java.security.Provider; import java.security.Provider;
import java.util.Vector; import java.util.Vector;
@ -75,25 +71,8 @@ public final class SpNegoMechFactory implements MechanismFactory {
GSSUtil.searchSubject(name, GSS_SPNEGO_MECH_OID, GSSUtil.searchSubject(name, GSS_SPNEGO_MECH_OID,
initiate, SpNegoCredElement.class); initiate, SpNegoCredElement.class);
SpNegoCredElement result = ((creds == null || creds.isEmpty()) ? return ((creds == null || creds.isEmpty()) ?
null : creds.firstElement()); null : creds.firstElement());
// Force permission check before returning the cred to caller
if (result != null) {
GSSCredentialSpi cred = result.getInternalCred();
if (GSSUtil.isKerberosMech(cred.getMechanism())) {
if (initiate) {
Krb5InitCredential krbCred = (Krb5InitCredential) cred;
Krb5MechFactory.checkInitCredPermission
((Krb5NameElement) krbCred.getName());
} else {
Krb5AcceptCredential krbCred = (Krb5AcceptCredential) cred;
Krb5MechFactory.checkAcceptCredPermission
((Krb5NameElement) krbCred.getName(), name);
}
}
}
return result;
} }
public SpNegoMechFactory() { public SpNegoMechFactory() {

23
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/GSSCredElement.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -27,7 +27,6 @@ package sun.security.jgss.wrapper;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import java.lang.ref.Cleaner; import java.lang.ref.Cleaner;
import java.security.Provider; import java.security.Provider;
import sun.security.jgss.GSSUtil;
import sun.security.jgss.spi.GSSCredentialSpi; import sun.security.jgss.spi.GSSCredentialSpi;
import sun.security.jgss.spi.GSSNameSpi; import sun.security.jgss.spi.GSSNameSpi;
@ -45,24 +44,6 @@ public class GSSCredElement implements GSSCredentialSpi {
private GSSNameElement name; private GSSNameElement name;
private final GSSLibStub cStub; private final GSSLibStub cStub;
// Perform the necessary ServicePermission check on this cred
@SuppressWarnings("removal")
void doServicePermCheck() throws GSSException {
if (GSSUtil.isKerberosMech(cStub.getMech())) {
if (System.getSecurityManager() != null) {
if (isInitiatorCredential()) {
String tgsName = Krb5Util.getTGSName(name);
Krb5Util.checkServicePermission(tgsName, "initiate");
}
if (isAcceptorCredential() &&
name != GSSNameElement.DEF_ACCEPTOR) {
String krbName = name.getKrbName();
Krb5Util.checkServicePermission(krbName, "accept");
}
}
}
}
// Construct delegation cred using the actual context mech and srcName // Construct delegation cred using the actual context mech and srcName
// Warning: called by NativeUtil.c // Warning: called by NativeUtil.c
GSSCredElement(long pCredentials, GSSNameElement srcName, Oid mech) GSSCredElement(long pCredentials, GSSNameElement srcName, Oid mech)
@ -81,12 +62,10 @@ public class GSSCredElement implements GSSCredentialSpi {
if (name != null) { // Could be GSSNameElement.DEF_ACCEPTOR if (name != null) { // Could be GSSNameElement.DEF_ACCEPTOR
this.name = name; this.name = name;
doServicePermCheck();
pCred = cStub.acquireCred(this.name.pName, lifetime, usage); pCred = cStub.acquireCred(this.name.pName, lifetime, usage);
} else { } else {
pCred = cStub.acquireCred(0, lifetime, usage); pCred = cStub.acquireCred(0, lifetime, usage);
this.name = new GSSNameElement(cStub.getCredName(pCred), cStub); this.name = new GSSNameElement(cStub.getCredName(pCred), cStub);
doServicePermCheck();
} }
cleanable = Krb5Util.cleaner.register(this, disposerFor(cStub, pCred)); cleanable = Krb5Util.cleaner.register(this, disposerFor(cStub, pCred));

26
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/GSSNameElement.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -36,7 +36,6 @@ import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream; import sun.security.util.DerOutputStream;
import sun.security.util.ObjectIdentifier; import sun.security.util.ObjectIdentifier;
import javax.security.auth.kerberos.ServicePermission;
import java.io.IOException; import java.io.IOException;
import java.lang.ref.Cleaner; import java.lang.ref.Cleaner;
import java.security.Provider; import java.security.Provider;
@ -168,29 +167,6 @@ public class GSSNameElement implements GSSNameSpi {
setPrintables(); setPrintables();
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null && !Realm.AUTODEDUCEREALM) {
String krbName = getKrbName();
int atPos = krbName.lastIndexOf('@');
if (atPos != -1) {
String atRealm = krbName.substring(atPos);
// getNativeNameType() can modify NT_GSS_KRB5_PRINCIPAL to null
if ((nameType == null
|| nameType.equals(GSSUtil.NT_GSS_KRB5_PRINCIPAL))
&& new String(nameBytes).endsWith(atRealm)) {
// Created from Kerberos name with realm, no need to check
} else {
try {
sm.checkPermission(new ServicePermission(atRealm, "-"));
} catch (SecurityException se) {
// Do not chain the actual exception to hide info
throw new GSSException(GSSException.FAILURE);
}
}
}
}
if (SunNativeProvider.DEBUG) { if (SunNativeProvider.DEBUG) {
SunNativeProvider.debug("Imported " + printableName + " w/ type " + SunNativeProvider.debug("Imported " + printableName + " w/ type " +
printableType); printableType);

19
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/Krb5Util.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -26,7 +26,6 @@ package sun.security.jgss.wrapper;
import org.ietf.jgss.*; import org.ietf.jgss.*;
import java.lang.ref.Cleaner; import java.lang.ref.Cleaner;
import javax.security.auth.kerberos.ServicePermission;
/** /**
* This class is a utility class for Kerberos related stuff. * This class is a utility class for Kerberos related stuff.
@ -46,20 +45,4 @@ class Krb5Util {
String realm = krbPrinc.substring(atIndex + 1); String realm = krbPrinc.substring(atIndex + 1);
return "krbtgt/" + realm + '@' + realm; return "krbtgt/" + realm + '@' + realm;
} }
// Perform the Service Permission check using the specified
// <code>target</code> and <code>action</code>
static void checkServicePermission(String target, String action) {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
if (SunNativeProvider.DEBUG) {
SunNativeProvider.debug("Checking ServicePermission(" +
target + ", " + action + ")");
}
ServicePermission perm =
new ServicePermission(target, action);
sm.checkPermission(perm);
}
}
} }

87
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -36,7 +36,6 @@ import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier; import sun.security.util.ObjectIdentifier;
import sun.security.jgss.spnego.NegTokenInit; import sun.security.jgss.spnego.NegTokenInit;
import sun.security.jgss.spnego.NegTokenTarg; import sun.security.jgss.spnego.NegTokenTarg;
import javax.security.auth.kerberos.DelegationPermission;
import java.io.*; import java.io.*;
@ -79,9 +78,6 @@ class NativeGSSContext implements GSSContextSpi {
private GSSCredElement disposeDelegatedCred; private GSSCredElement disposeDelegatedCred;
private final GSSLibStub cStub; private final GSSLibStub cStub;
private boolean skipDelegPermCheck;
private boolean skipServicePermCheck;
// Retrieve the (preferred) mech out of SPNEGO tokens, i.e. // Retrieve the (preferred) mech out of SPNEGO tokens, i.e.
// NegTokenInit & NegTokenTarg // NegTokenInit & NegTokenTarg
private static Oid getMechFromSpNegoToken(byte[] token, private static Oid getMechFromSpNegoToken(byte[] token,
@ -112,53 +108,6 @@ class NativeGSSContext implements GSSContextSpi {
return mech; return mech;
} }
// Perform the Service permission check
@SuppressWarnings("removal")
private void doServicePermCheck() throws GSSException {
if (System.getSecurityManager() != null) {
String action = (isInitiator? "initiate" : "accept");
// Need to check Service permission for accessing
// initiator cred for SPNEGO during context establishment
if (GSSUtil.isSpNegoMech(cStub.getMech()) && isInitiator
&& !isEstablished) {
if (srcName == null) {
// Check by creating default initiator KRB5 cred
GSSCredElement tempCred =
new GSSCredElement(null, lifetime,
GSSCredential.INITIATE_ONLY,
GSSLibStub.getInstance(GSSUtil.GSS_KRB5_MECH_OID));
tempCred.dispose();
} else {
String tgsName = Krb5Util.getTGSName(srcName);
Krb5Util.checkServicePermission(tgsName, action);
}
}
String targetStr = targetName.getKrbName();
Krb5Util.checkServicePermission(targetStr, action);
skipServicePermCheck = true;
}
}
// Perform the Delegation permission check
private void doDelegPermCheck() throws GSSException {
@SuppressWarnings("removal")
SecurityManager sm = System.getSecurityManager();
if (sm != null) {
String targetStr = targetName.getKrbName();
String tgsStr = Krb5Util.getTGSName(targetName);
String krbPrincPair = "\"" + targetStr + "\" \"" +
tgsStr + '\"';
if (SunNativeProvider.DEBUG) {
SunNativeProvider.debug("Checking DelegationPermission (" +
krbPrincPair + ")");
}
DelegationPermission perm =
new DelegationPermission(krbPrincPair);
sm.checkPermission(perm);
skipDelegPermCheck = true;
}
}
private byte[] retrieveToken(InputStream is, int mechTokenLen) private byte[] retrieveToken(InputStream is, int mechTokenLen)
throws GSSException { throws GSSException {
try { try {
@ -210,7 +159,6 @@ class NativeGSSContext implements GSSContextSpi {
lifetime = time; lifetime = time;
if (GSSUtil.isKerberosMech(cStub.getMech())) { if (GSSUtil.isKerberosMech(cStub.getMech())) {
doServicePermCheck();
if (cred == null) { if (cred == null) {
disposeCred = cred = disposeCred = cred =
new GSSCredElement(null, lifetime, new GSSCredElement(null, lifetime,
@ -230,11 +178,6 @@ class NativeGSSContext implements GSSContextSpi {
if (cred != null) targetName = cred.getName(); if (cred != null) targetName = cred.getName();
isInitiator = false; isInitiator = false;
// Defer Service permission check for default acceptor cred
// to acceptSecContext()
if (GSSUtil.isKerberosMech(cStub.getMech()) && targetName != null) {
doServicePermCheck();
}
// srcName and potentially targetName (when myCred is null) // srcName and potentially targetName (when myCred is null)
// will be set in GSSLibStub.acceptContext(...) // will be set in GSSLibStub.acceptContext(...)
@ -258,13 +201,6 @@ class NativeGSSContext implements GSSContextSpi {
isEstablished = (info[3] != 0); isEstablished = (info[3] != 0);
flags = (int) info[4]; flags = (int) info[4];
lifetime = (int) info[5]; lifetime = (int) info[5];
// Do Service Permission check when importing SPNEGO context
// just to be safe
Oid mech = cStub.getMech();
if (GSSUtil.isSpNegoMech(mech) || GSSUtil.isKerberosMech(mech)) {
doServicePermCheck();
}
} }
public Provider getProvider() { public Provider getProvider() {
@ -285,12 +221,6 @@ class NativeGSSContext implements GSSContextSpi {
} }
} }
if (!getCredDelegState()) skipDelegPermCheck = true;
if (GSSUtil.isKerberosMech(cStub.getMech()) && !skipDelegPermCheck) {
doDelegPermCheck();
}
long pCred = (cred == null? 0 : cred.pCred); long pCred = (cred == null? 0 : cred.pCred);
outToken = cStub.initContext(pCred, targetName.pName, outToken = cStub.initContext(pCred, targetName.pName,
cb, inToken, this); cb, inToken, this);
@ -304,11 +234,6 @@ class NativeGSSContext implements GSSContextSpi {
if (GSSUtil.isSpNegoMech(cStub.getMech()) && outToken != null) { if (GSSUtil.isSpNegoMech(cStub.getMech()) && outToken != null) {
// WORKAROUND for SEAM bug#6287358 // WORKAROUND for SEAM bug#6287358
actualMech = getMechFromSpNegoToken(outToken, true); actualMech = getMechFromSpNegoToken(outToken, true);
if (GSSUtil.isKerberosMech(actualMech)) {
if (!skipServicePermCheck) doServicePermCheck();
if (!skipDelegPermCheck) doDelegPermCheck();
}
} }
if (isEstablished) { if (isEstablished) {
@ -355,16 +280,6 @@ class NativeGSSContext implements GSSContextSpi {
new GSSCredElement(targetName, lifetime, new GSSCredElement(targetName, lifetime,
GSSCredential.ACCEPT_ONLY, cStub); GSSCredential.ACCEPT_ONLY, cStub);
} }
// Only inspect token when the permission check has not
// been performed
if (GSSUtil.isSpNegoMech(cStub.getMech()) &&
(outToken != null) && !skipServicePermCheck) {
if (GSSUtil.isKerberosMech(getMechFromSpNegoToken
(outToken, false))) {
doServicePermCheck();
}
}
} }
return outToken; return outToken;
} }

11
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/NativeGSSFactory.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -65,13 +65,8 @@ public final class NativeGSSFactory implements MechanismFactory {
} }
} }
GSSCredElement result = ((creds == null || creds.isEmpty()) ? return ((creds == null || creds.isEmpty()) ?
null : creds.firstElement()); null : creds.firstElement());
// Force permission check before returning the cred to caller
if (result != null) {
result.doServicePermCheck();
}
return result;
} }
public NativeGSSFactory(GSSCaller caller) { public NativeGSSFactory(GSSCaller caller) {

133
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/SunNativeProvider.java
View File

@ -28,14 +28,10 @@ package sun.security.jgss.wrapper;
import java.io.Serial; import java.io.Serial;
import java.util.HashMap; import java.util.HashMap;
import java.security.Provider; import java.security.Provider;
import java.security.AccessController;
import java.security.PrivilegedAction;
import jdk.internal.util.OperatingSystem; import jdk.internal.util.OperatingSystem;
import jdk.internal.util.StaticProperty; import jdk.internal.util.StaticProperty;
import org.ietf.jgss.Oid; import org.ietf.jgss.Oid;
import sun.security.action.GetBooleanAction;
import sun.security.action.PutAllAction;
import static sun.security.util.SecurityConstants.PROVIDER_VER; import static sun.security.util.SecurityConstants.PROVIDER_VER;
/** /**
@ -59,7 +55,7 @@ public final class SunNativeProvider extends Provider {
"sun.security.jgss.wrapper.NativeGSSFactory"; "sun.security.jgss.wrapper.NativeGSSFactory";
static final boolean DEBUG = static final boolean DEBUG =
GetBooleanAction.privilegedGetProperty("sun.security.nativegss.debug"); Boolean.getBoolean("sun.security.nativegss.debug");
static void debug(String message) { static void debug(String message) {
if (message == null) { if (message == null) {
@ -68,81 +64,76 @@ public final class SunNativeProvider extends Provider {
System.err.println(NAME + ": " + message); System.err.println(NAME + ": " + message);
} }
@SuppressWarnings({"removal", "restricted"}) private static final HashMap<String, String> MECH_MAP = constructMechMap();
private static final HashMap<String, String> MECH_MAP =
AccessController.doPrivileged( @SuppressWarnings("restricted")
new PrivilegedAction<>() { private static HashMap<String, String> constructMechMap() {
public HashMap<String, String> run() { try {
try { // Ensure the InetAddress class is loaded before
// Ensure the InetAddress class is loaded before // loading j2gss. The library will access this class
// loading j2gss. The library will access this class // and a deadlock might happen. See JDK-8210373.
// and a deadlock might happen. See JDK-8210373. Class.forName("java.net.InetAddress");
Class.forName("java.net.InetAddress"); System.loadLibrary("j2gss");
System.loadLibrary("j2gss"); } catch (ClassNotFoundException | Error err) {
} catch (ClassNotFoundException | Error err) { if (DEBUG) {
if (DEBUG) { debug("No j2gss library found!");
debug("No j2gss library found!"); err.printStackTrace();
err.printStackTrace(); }
} return null;
return null; }
} String[] gssLibs;
String[] gssLibs; String defaultLib = System.getProperty("sun.security.jgss.lib");
String defaultLib if (defaultLib == null || defaultLib.trim().equals("")) {
= System.getProperty("sun.security.jgss.lib"); gssLibs = switch (OperatingSystem.current()) {
if (defaultLib == null || defaultLib.trim().equals("")) { case LINUX -> new String[]{
gssLibs = switch (OperatingSystem.current()) { "libgssapi.so",
case LINUX -> new String[]{ "libgssapi_krb5.so",
"libgssapi.so", "libgssapi_krb5.so.2",
"libgssapi_krb5.so", };
"libgssapi_krb5.so.2", case MACOS -> new String[]{
}; "libgssapi_krb5.dylib",
case MACOS -> new String[]{ "/usr/lib/sasl2/libgssapiv2.2.so",
"libgssapi_krb5.dylib", };
"/usr/lib/sasl2/libgssapiv2.2.so", case WINDOWS -> new String[]{
}; // Full path needed, DLL is in jre/bin
case WINDOWS -> new String[]{ StaticProperty.javaHome() + "\\bin\\sspi_bridge.dll",
// Full path needed, DLL is in jre/bin };
StaticProperty.javaHome() + "\\bin\\sspi_bridge.dll", case AIX -> new String[]{
}; "/opt/freeware/lib64/libgssapi_krb5.so",
case AIX -> new String[]{ };
"/opt/freeware/lib64/libgssapi_krb5.so", default -> new String[0];
}; };
default -> new String[0]; } else {
}; gssLibs = new String[]{ defaultLib };
} else { }
gssLibs = new String[]{ defaultLib }; for (String libName: gssLibs) {
} if (GSSLibStub.init(libName, DEBUG)) {
for (String libName: gssLibs) { if (DEBUG) {
if (GSSLibStub.init(libName, DEBUG)) { debug("Loaded GSS library: " + libName);
if (DEBUG) { }
debug("Loaded GSS library: " + libName); Oid[] mechs = GSSLibStub.indicateMechs();
} HashMap<String, String> map = new HashMap<>();
Oid[] mechs = GSSLibStub.indicateMechs(); for (int i = 0; i < mechs.length; i++) {
HashMap<String,String> map = new HashMap<>(); if (DEBUG) {
for (int i = 0; i < mechs.length; i++) { debug("Native MF for " + mechs[i]);
if (DEBUG) { }
debug("Native MF for " + mechs[i]); map.put("GssApiMechanism." + mechs[i], MF_CLASS);
} }
map.put("GssApiMechanism." + mechs[i], return map;
MF_CLASS); }
} }
return map; return null;
} }
}
return null;
}
});
// initialize INSTANCE after MECH_MAP is constructed // initialize INSTANCE after MECH_MAP is constructed
static final Provider INSTANCE = new SunNativeProvider(); static final Provider INSTANCE = new SunNativeProvider();
@SuppressWarnings("removal")
public SunNativeProvider() { public SunNativeProvider() {
/* We are the Sun NativeGSS provider */ /* We are the Sun NativeGSS provider */
super(NAME, PROVIDER_VER, INFO); super(NAME, PROVIDER_VER, INFO);
if (MECH_MAP != null) { if (MECH_MAP != null) {
AccessController.doPrivileged(new PutAllAction(this, MECH_MAP)); putAll(MECH_MAP);
} }
} }
} }

107
src/java.security.jgss/share/classes/sun/security/krb5/Config.java
View File

@ -34,19 +34,15 @@ import java.io.*;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Paths; import java.nio.file.Paths;
import java.nio.file.Path; import java.nio.file.Path;
import java.security.PrivilegedAction;
import java.util.*; import java.util.*;
import java.net.InetAddress; import java.net.InetAddress;
import java.net.UnknownHostException; import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import java.util.stream.Stream; import java.util.stream.Stream;
import jdk.internal.util.OperatingSystem; import jdk.internal.util.OperatingSystem;
import sun.net.dns.ResolverConfiguration; import sun.net.dns.ResolverConfiguration;
import sun.security.action.GetPropertyAction;
import sun.security.krb5.internal.crypto.EType; import sun.security.krb5.internal.crypto.EType;
import sun.security.krb5.internal.Krb5; import sun.security.krb5.internal.Krb5;
import sun.security.util.SecurityProperties; import sun.security.util.SecurityProperties;
@ -164,7 +160,7 @@ public class Config {
return false; return false;
} }
String osVersion = GetPropertyAction.privilegedGetProperty("os.version"); String osVersion = System.getProperty("os.version");
String[] fragments = osVersion.split("\\."); String[] fragments = osVersion.split("\\.");
if (fragments.length < 2) return false; if (fragments.length < 2) return false;
@ -188,16 +184,14 @@ public class Config {
/* /*
* If either one system property is specified, we throw exception. * If either one system property is specified, we throw exception.
*/ */
String tmp = GetPropertyAction String tmp = System.getProperty("java.security.krb5.kdc");
.privilegedGetProperty("java.security.krb5.kdc");
if (tmp != null) { if (tmp != null) {
// The user can specify a list of kdc hosts separated by ":" // The user can specify a list of kdc hosts separated by ":"
defaultKDC = tmp.replace(':', ' '); defaultKDC = tmp.replace(':', ' ');
} else { } else {
defaultKDC = null; defaultKDC = null;
} }
defaultRealm = GetPropertyAction defaultRealm = System.getProperty("java.security.krb5.realm");
.privilegedGetProperty("java.security.krb5.realm");
if ((defaultKDC == null && defaultRealm != null) || if ((defaultKDC == null && defaultRealm != null) ||
(defaultRealm == null && defaultKDC != null)) { (defaultRealm == null && defaultKDC != null)) {
throw new KrbException throw new KrbException
@ -666,7 +660,6 @@ public class Config {
* @param fileName the configuration file * @param fileName the configuration file
* @return normalized lines * @return normalized lines
*/ */
@SuppressWarnings("removal")
private List<String> loadConfigFile(final String fileName) private List<String> loadConfigFile(final String fileName)
throws IOException, KrbException { throws IOException, KrbException {
@ -677,32 +670,15 @@ public class Config {
List<String> raw = new ArrayList<>(); List<String> raw = new ArrayList<>();
Set<Path> dupsCheck = new HashSet<>(); Set<Path> dupsCheck = new HashSet<>();
try { Path fullp = Paths.get(fileName).toAbsolutePath();
Path fullp = AccessController.doPrivileged((PrivilegedAction<Path>) Path path = Paths.get(fileName);
() -> Paths.get(fileName).toAbsolutePath(), if (!Files.exists(path)) {
null, // This is OK. There are other ways to get
new PropertyPermission("user.dir", "read")); // Kerberos 5 settings
AccessController.doPrivileged( } else {
new PrivilegedExceptionAction<Void>() { readConfigFileLines(fullp, raw, dupsCheck);
@Override
public Void run() throws IOException {
Path path = Paths.get(fileName);
if (!Files.exists(path)) {
// This is OK. There are other ways to get
// Kerberos 5 settings
return null;
} else {
return readConfigFileLines(
fullp, raw, dupsCheck);
}
}
},
null,
// include/includedir can go anywhere
new FilePermission("<<ALL FILES>>", "read"));
} catch (java.security.PrivilegedActionException pe) {
throw (IOException)pe.getException();
} }
String previous = null; String previous = null;
for (String line: raw) { for (String line: raw) {
if (line.startsWith("[")) { if (line.startsWith("[")) {
@ -862,10 +838,9 @@ public class Config {
* The method returns null if it cannot find a Java config file. * The method returns null if it cannot find a Java config file.
*/ */
private String getJavaFileName() { private String getJavaFileName() {
String name = GetPropertyAction String name = System.getProperty("java.security.krb5.conf");
.privilegedGetProperty("java.security.krb5.conf");
if (name == null) { if (name == null) {
name = GetPropertyAction.privilegedGetProperty("java.home") name = System.getProperty("java.home")
+ File.separator + "conf" + File.separator + "security" + File.separator + "conf" + File.separator + "security"
+ File.separator + "krb5.conf"; + File.separator + "krb5.conf";
if (!fileExists(name)) { if (!fileExists(name)) {
@ -942,7 +917,7 @@ public class Config {
} }
private String findMacosConfigFile() { private String findMacosConfigFile() {
String userHome = GetPropertyAction.privilegedGetProperty("user.home"); String userHome = System.getProperty("user.home");
final String PREF_FILE = "/Library/Preferences/edu.mit.Kerberos"; final String PREF_FILE = "/Library/Preferences/edu.mit.Kerberos";
String userPrefs = userHome + PREF_FILE; String userPrefs = userHome + PREF_FILE;
@ -1185,7 +1160,6 @@ public class Config {
* @throws KrbException where no realm can be located * @throws KrbException where no realm can be located
* @return the default realm, always non null * @return the default realm, always non null
*/ */
@SuppressWarnings("removal")
public String getDefaultRealm() throws KrbException { public String getDefaultRealm() throws KrbException {
if (defaultRealm != null) { if (defaultRealm != null) {
return defaultRealm; return defaultRealm;
@ -1201,16 +1175,9 @@ public class Config {
} }
} }
if (realm == null) { if (realm == null) {
realm = java.security.AccessController.doPrivileged( if (OperatingSystem.isWindows()) {
new java.security.PrivilegedAction<String>() { realm = System.getenv("USERDNSDOMAIN");
@Override }
public String run() {
if (OperatingSystem.isWindows()) {
return System.getenv("USERDNSDOMAIN");
}
return null;
}
});
} }
if (realm == null) { if (realm == null) {
KrbException ke = new KrbException("Cannot locate default realm"); KrbException ke = new KrbException("Cannot locate default realm");
@ -1229,7 +1196,6 @@ public class Config {
* @throws KrbException if there's no way to find KDC for the realm * @throws KrbException if there's no way to find KDC for the realm
* @return the list of KDCs separated by a space, always non null * @return the list of KDCs separated by a space, always non null
*/ */
@SuppressWarnings("removal")
public String getKDCList(String realm) throws KrbException { public String getKDCList(String realm) throws KrbException {
if (realm == null) { if (realm == null) {
realm = getDefaultRealm(); realm = getDefaultRealm();
@ -1248,21 +1214,14 @@ public class Config {
} }
} }
if (kdcs == null) { if (kdcs == null) {
kdcs = java.security.AccessController.doPrivileged( if (OperatingSystem.isWindows()) {
new java.security.PrivilegedAction<String>() { String logonServer = System.getenv("LOGONSERVER");
@Override if (logonServer != null
public String run() { && logonServer.startsWith("\\\\")) {
if (OperatingSystem.isWindows()) { logonServer = logonServer.substring(2);
String logonServer = System.getenv("LOGONSERVER");
if (logonServer != null
&& logonServer.startsWith("\\\\")) {
logonServer = logonServer.substring(2);
}
return logonServer;
}
return null;
} }
}); kdcs = logonServer;
}
} }
if (kdcs == null) { if (kdcs == null) {
if (defaultKDC != null) { if (defaultKDC != null) {
@ -1381,24 +1340,8 @@ public class Config {
return kdcs; return kdcs;
} }
@SuppressWarnings("removal")
private boolean fileExists(String name) { private boolean fileExists(String name) {
return java.security.AccessController.doPrivileged( return new File(name).exists();
new FileExistsAction(name));
}
static class FileExistsAction
implements java.security.PrivilegedAction<Boolean> {
private String fileName;
public FileExistsAction(String fileName) {
this.fileName = fileName;
}
public Boolean run() {
return new File(fileName).exists();
}
} }
// Shows the content of the Config object for debug purpose. // Shows the content of the Config object for debug purpose.

18
src/java.security.jgss/share/classes/sun/security/krb5/Credentials.java
View File

@ -524,19 +524,13 @@ public class Credentials {
} }
@SuppressWarnings({"removal", "restricted"}) @SuppressWarnings("restricted")
static void ensureLoaded() { static void ensureLoaded() {
java.security.AccessController.doPrivileged( if (OperatingSystem.isMacOS()) {
new java.security.PrivilegedAction<Void> () { System.loadLibrary("osxkrb5");
public Void run() { } else {
if (OperatingSystem.isMacOS()) { System.loadLibrary("w2k_lsa_auth");
System.loadLibrary("osxkrb5"); }
} else {
System.loadLibrary("w2k_lsa_auth");
}
return null;
}
});
alreadyLoaded = true; alreadyLoaded = true;
} }

106
src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java
View File

@ -31,7 +31,6 @@
package sun.security.krb5; package sun.security.krb5;
import java.security.PrivilegedAction;
import java.security.Security; import java.security.Security;
import java.util.Locale; import java.util.Locale;
import sun.security.krb5.internal.Krb5; import sun.security.krb5.internal.Krb5;
@ -39,9 +38,6 @@ import sun.security.krb5.internal.NetClient;
import java.io.IOException; import java.io.IOException;
import java.net.SocketTimeoutException; import java.net.SocketTimeoutException;
import java.util.StringTokenizer; import java.util.StringTokenizer;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.security.PrivilegedActionException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
@ -98,13 +94,7 @@ public final class KdcComm {
* Read global settings * Read global settings
*/ */
public static void initStatic() { public static void initStatic() {
@SuppressWarnings("removal") String value = Security.getProperty("krb5.kdc.bad.policy");
String value = AccessController.doPrivileged(
new PrivilegedAction<String>() {
public String run() {
return Security.getProperty("krb5.kdc.bad.policy");
}
});
if (value != null) { if (value != null) {
value = value.toLowerCase(Locale.ENGLISH); value = value.toLowerCase(Locale.ENGLISH);
String[] ss = value.split(":"); String[] ss = value.split(":");
@ -349,81 +339,39 @@ public final class KdcComm {
+ ", #bytes=" + obuf.length); + ", #bytes=" + obuf.length);
} }
KdcCommunication kdcCommunication = byte[] ibuf = null;
new KdcCommunication(kdc, port, useTCP, timeout, retries, obuf);
try { for (int i=1; i <= retries; i++) {
@SuppressWarnings("removal") String proto = useTCP?"TCP":"UDP";
byte[] ibuf = AccessController.doPrivileged(kdcCommunication);
if (DEBUG != null) { if (DEBUG != null) {
DEBUG.println(">>> KrbKdcReq send: #bytes read=" DEBUG.println(">>> KDCCommunication: kdc=" + kdc
+ (ibuf != null ? ibuf.length : 0)); + " " + proto + ":"
+ port + ", timeout="
+ timeout
+ ",Attempt =" + i
+ ", #bytes=" + obuf.length);
} }
return ibuf; try (NetClient kdcClient = NetClient.getInstance(
} catch (PrivilegedActionException e) { proto, kdc, port, timeout)) {
Exception wrappedException = e.getException(); kdcClient.send(obuf);
if (wrappedException instanceof IOException) { ibuf = kdcClient.receive();
throw (IOException) wrappedException; break;
} else { } catch (SocketTimeoutException se) {
throw (KrbException) wrappedException;
}
}
}
private static class KdcCommunication
implements PrivilegedExceptionAction<byte[]> {
private String kdc;
private int port;
private boolean useTCP;
private int timeout;
private int retries;
private byte[] obuf;
public KdcCommunication(String kdc, int port, boolean useTCP,
int timeout, int retries, byte[] obuf) {
this.kdc = kdc;
this.port = port;
this.useTCP = useTCP;
this.timeout = timeout;
this.retries = retries;
this.obuf = obuf;
}
// The caller only casts IOException and KrbException so don't
// add any new ones!
public byte[] run() throws IOException, KrbException {
byte[] ibuf = null;
for (int i=1; i <= retries; i++) {
String proto = useTCP?"TCP":"UDP";
if (DEBUG != null) { if (DEBUG != null) {
DEBUG.println(">>> KDCCommunication: kdc=" + kdc DEBUG.println ("SocketTimeOutException with " +
+ " " + proto + ":" "attempt: " + i);
+ port + ", timeout="
+ timeout
+ ",Attempt =" + i
+ ", #bytes=" + obuf.length);
} }
try (NetClient kdcClient = NetClient.getInstance( if (i == retries) {
proto, kdc, port, timeout)) { ibuf = null;
kdcClient.send(obuf); throw se;
ibuf = kdcClient.receive();
break;
} catch (SocketTimeoutException se) {
if (DEBUG != null) {
DEBUG.println ("SocketTimeOutException with " +
"attempt: " + i);
}
if (i == retries) {
ibuf = null;
throw se;
}
} }
} }
return ibuf;
} }
if (DEBUG != null) {
DEBUG.println(">>> KrbKdcReq send: #bytes read="
+ (ibuf != null ? ibuf.length : 0));
}
return ibuf;
} }
/** /**

35
src/java.security.jgss/share/classes/sun/security/krb5/KrbServiceLocator.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2006, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2006, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -27,9 +27,6 @@ package sun.security.krb5;
import sun.security.krb5.internal.Krb5; import sun.security.krb5.internal.Krb5;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays; import java.util.Arrays;
import java.util.Hashtable; import java.util.Hashtable;
import java.util.Random; import java.util.Random;
@ -71,7 +68,6 @@ class KrbServiceLocator {
* @return An ordered list of hostports for the Kerberos service or null if * @return An ordered list of hostports for the Kerberos service or null if
* the service has not been located. * the service has not been located.
*/ */
@SuppressWarnings("removal")
static String[] getKerberosService(String realmName) { static String[] getKerberosService(String realmName) {
// search realm in SRV TXT records // search realm in SRV TXT records
@ -86,18 +82,8 @@ class KrbServiceLocator {
if (!(ctx instanceof DirContext)) { if (!(ctx instanceof DirContext)) {
return null; // cannot create a DNS context return null; // cannot create a DNS context
} }
Attributes attrs = null; Attributes attrs = ((DirContext)ctx).getAttributes(
try { dnsUrl, SRV_TXT_ATTR);
// both connect and accept are needed since DNS is thru UDP
attrs = AccessController.doPrivileged(
(PrivilegedExceptionAction<Attributes>)
() -> ((DirContext)ctx).getAttributes(
dnsUrl, SRV_TXT_ATTR),
null,
new java.net.SocketPermission("*", "connect,accept"));
} catch (PrivilegedActionException e) {
throw (NamingException)e.getCause();
}
Attribute attr; Attribute attr;
if (attrs != null && ((attr = attrs.get(SRV_TXT)) != null)) { if (attrs != null && ((attr = attrs.get(SRV_TXT)) != null)) {
@ -144,7 +130,6 @@ class KrbServiceLocator {
* @return An ordered list of hostports for the Kerberos service or null if * @return An ordered list of hostports for the Kerberos service or null if
* the service has not been located. * the service has not been located.
*/ */
@SuppressWarnings("removal")
static String[] getKerberosService(String realmName, String protocol) { static String[] getKerberosService(String realmName, String protocol) {
String dnsUrl = "dns:///_kerberos." + protocol + "." + realmName; String dnsUrl = "dns:///_kerberos." + protocol + "." + realmName;
@ -160,18 +145,8 @@ class KrbServiceLocator {
return null; // cannot create a DNS context return null; // cannot create a DNS context
} }
Attributes attrs = null; Attributes attrs = ((DirContext)ctx).getAttributes(
try { dnsUrl, SRV_RR_ATTR);
// both connect and accept are needed since DNS is thru UDP
attrs = AccessController.doPrivileged(
(PrivilegedExceptionAction<Attributes>)
() -> ((DirContext)ctx).getAttributes(
dnsUrl, SRV_RR_ATTR),
null,
new java.net.SocketPermission("*", "connect,accept"));
} catch (PrivilegedActionException e) {
throw (NamingException)e.getCause();
}
Attribute attr; Attribute attr;

7
src/java.security.jgss/share/classes/sun/security/krb5/Realm.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -31,7 +31,6 @@
package sun.security.krb5; package sun.security.krb5;
import sun.security.action.GetBooleanAction;
import sun.security.krb5.internal.Krb5; import sun.security.krb5.internal.Krb5;
import sun.security.util.*; import sun.security.util.*;
import java.io.IOException; import java.io.IOException;
@ -48,8 +47,8 @@ import sun.security.krb5.internal.util.KerberosString;
*/ */
public class Realm implements Cloneable { public class Realm implements Cloneable {
public static final boolean AUTODEDUCEREALM = GetBooleanAction public static final boolean AUTODEDUCEREALM =
.privilegedGetProperty("sun.security.krb5.autodeducerealm"); Boolean.getBoolean("sun.security.krb5.autodeducerealm");
private final String realm; // not null nor empty private final String realm; // not null nor empty

21
src/java.security.jgss/share/classes/sun/security/krb5/SCDynamicStoreConfig.java
View File

@ -45,20 +45,19 @@ public class SCDynamicStoreConfig {
private static native List<String> getKerberosConfig(); private static native List<String> getKerberosConfig();
static { static {
@SuppressWarnings({"removal", "restricted"}) boolean isMac = loadLibrary();
boolean isMac = java.security.AccessController.doPrivileged(
new java.security.PrivilegedAction<Boolean>() {
public Boolean run() {
if (OperatingSystem.isMacOS()) {
System.loadLibrary("osxkrb5");
return true;
}
return false;
}
});
if (isMac) installNotificationCallback(); if (isMac) installNotificationCallback();
} }
@SuppressWarnings("restricted")
private static boolean loadLibrary() {
if (OperatingSystem.isMacOS()) {
System.loadLibrary("osxkrb5");
return true;
}
return false;
}
/** /**
* Calls down to JNI to get the raw Kerberos Config and maps the object * Calls down to JNI to get the raw Kerberos Config and maps the object
* graph to the one that Kerberos Config in Java expects * graph to the one that Kerberos Config in Java expects

5
src/java.security.jgss/share/classes/sun/security/krb5/internal/Krb5.java
View File

@ -31,7 +31,6 @@
package sun.security.krb5.internal; package sun.security.krb5.internal;
import sun.security.action.GetPropertyAction;
import sun.security.util.Debug; import sun.security.util.Debug;
import java.util.Hashtable; import java.util.Hashtable;
@ -317,8 +316,8 @@ public class Krb5 {
} }
// Warning: used by NativeCreds.c // Warning: used by NativeCreds.c
public static final Debug DEBUG = Debug.of("krb5", GetPropertyAction public static final Debug DEBUG = Debug.of("krb5",
.privilegedGetProperty("sun.security.krb5.debug")); System.getProperty("sun.security.krb5.debug"));
static { static {
errMsgList = new Hashtable<Integer,String> (); errMsgList = new Hashtable<Integer,String> ();

6
src/java.security.jgss/share/classes/sun/security/krb5/internal/ReplayCache.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -25,7 +25,6 @@
package sun.security.krb5.internal; package sun.security.krb5.internal;
import sun.security.action.GetPropertyAction;
import sun.security.krb5.internal.rcache.AuthTimeWithHash; import sun.security.krb5.internal.rcache.AuthTimeWithHash;
import sun.security.krb5.internal.rcache.MemoryCache; import sun.security.krb5.internal.rcache.MemoryCache;
import sun.security.krb5.internal.rcache.DflCache; import sun.security.krb5.internal.rcache.DflCache;
@ -54,8 +53,7 @@ public abstract class ReplayCache {
} }
} }
public static ReplayCache getInstance() { public static ReplayCache getInstance() {
String type = GetPropertyAction String type = System.getProperty("sun.security.krb5.rcache");
.privilegedGetProperty("sun.security.krb5.rcache");
return getInstance(type); return getInstance(type);
} }

46
src/java.security.jgss/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java
View File

@ -34,13 +34,11 @@
package sun.security.krb5.internal.ccache; package sun.security.krb5.internal.ccache;
import jdk.internal.util.OperatingSystem; import jdk.internal.util.OperatingSystem;
import sun.security.action.GetPropertyAction;
import sun.security.krb5.*; import sun.security.krb5.*;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import sun.security.util.SecurityProperties; import sun.security.util.SecurityProperties;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.PrivilegedAction;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
@ -452,17 +450,12 @@ public class FileCredentialsCache extends CredentialsCache
// The env var can start with TYPE:, we only support FILE: here. // The env var can start with TYPE:, we only support FILE: here.
// http://docs.oracle.com/cd/E19082-01/819-2252/6n4i8rtr3/index.html // http://docs.oracle.com/cd/E19082-01/819-2252/6n4i8rtr3/index.html
@SuppressWarnings("removal") String name = System.getenv("KRB5CCNAME");
String name = java.security.AccessController.doPrivileged( if (name != null &&
(PrivilegedAction<String>) () -> { (name.length() >= 5) &&
String cache = System.getenv("KRB5CCNAME"); name.regionMatches(true, 0, "FILE:", 0, 5)) {
if (cache != null && name = name.substring(5);
(cache.length() >= 5) && }
cache.regionMatches(true, 0, "FILE:", 0, 5)) {
cache = cache.substring(5);
}
return cache;
});
if (name != null) { if (name != null) {
if (DEBUG != null) { if (DEBUG != null) {
DEBUG.println(">>>KinitOptions cache name is " + name); DEBUG.println(">>>KinitOptions cache name is " + name);
@ -502,12 +495,12 @@ public class FileCredentialsCache extends CredentialsCache
// we did not get the uid; // we did not get the uid;
String user_name = GetPropertyAction.privilegedGetProperty("user.name"); String user_name = System.getProperty("user.name");
String user_home = GetPropertyAction.privilegedGetProperty("user.home"); String user_home = System.getProperty("user.home");
if (user_home == null) { if (user_home == null) {
user_home = GetPropertyAction.privilegedGetProperty("user.dir"); user_home = System.getProperty("user.dir");
} }
if (user_name != null) { if (user_name != null) {
@ -556,19 +549,14 @@ public class FileCredentialsCache extends CredentialsCache
} }
final String[] command = v.toArray(new String[0]); final String[] command = v.toArray(new String[0]);
try { try {
@SuppressWarnings("removal") Process p = null;
Process p = try {
java.security.AccessController.doPrivileged p = Runtime.getRuntime().exec(command);
((PrivilegedAction<Process>) () -> { } catch (IOException e) {
try { if (DEBUG != null) {
return (Runtime.getRuntime().exec(command)); e.printStackTrace(DEBUG.getPrintStream());
} catch (IOException e) { }
if (DEBUG != null) { }
e.printStackTrace(DEBUG.getPrintStream());
}
return null;
}
});
if (p == null) { if (p == null) {
// exception occurred during executing the command // exception occurred during executing the command
return null; return null;

5
src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/Des.java
View File

@ -38,7 +38,6 @@ import java.security.GeneralSecurityException;
import javax.crypto.spec.IvParameterSpec; import javax.crypto.spec.IvParameterSpec;
import sun.security.krb5.KrbCryptoException; import sun.security.krb5.KrbCryptoException;
import java.util.Arrays; import java.util.Arrays;
import sun.security.action.GetPropertyAction;
public final class Des { public final class Des {
@ -53,8 +52,8 @@ public final class Des {
// string-to-key encoding. When set, the specified charset // string-to-key encoding. When set, the specified charset
// name is used. Otherwise, the system default charset. // name is used. Otherwise, the system default charset.
private static final String CHARSET = GetPropertyAction private static final String CHARSET =
.privilegedGetProperty("sun.security.krb5.msinterop.des.s2kcharset"); System.getProperty("sun.security.krb5.msinterop.des.s2kcharset");
private static final long[] bad_keys = { private static final long[] bad_keys = {
0x0101010101010101L, 0xfefefefefefefefeL, 0x0101010101010101L, 0xfefefefefefefefeL,

7
src/java.security.jgss/share/classes/sun/security/krb5/internal/ktab/KeyTab.java
View File

@ -31,7 +31,6 @@
package sun.security.krb5.internal.ktab; package sun.security.krb5.internal.ktab;
import sun.security.action.GetPropertyAction;
import sun.security.krb5.*; import sun.security.krb5.*;
import sun.security.krb5.internal.*; import sun.security.krb5.internal.*;
import sun.security.krb5.internal.crypto.*; import sun.security.krb5.internal.crypto.*;
@ -211,12 +210,10 @@ public class KeyTab implements KeyTabConstants {
} }
if (kname == null) { if (kname == null) {
String user_home = GetPropertyAction String user_home = System.getProperty("user.home");
.privilegedGetProperty("user.home");
if (user_home == null) { if (user_home == null) {
user_home = GetPropertyAction user_home = System.getProperty("user.dir");
.privilegedGetProperty("user.dir");
} }
kname = user_home + File.separator + "krb5.keytab"; kname = user_home + File.separator + "krb5.keytab";

6
src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/AuthTimeWithHash.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -25,8 +25,6 @@
package sun.security.krb5.internal.rcache; package sun.security.krb5.internal.rcache;
import sun.security.action.GetBooleanAction;
import java.util.Objects; import java.util.Objects;
/** /**
@ -40,7 +38,7 @@ public class AuthTimeWithHash extends AuthTime
public static final String DEFAULT_HASH_ALG; public static final String DEFAULT_HASH_ALG;
static { static {
if (GetBooleanAction.privilegedGetProperty("jdk.krb5.rcache.useMD5")) { if (Boolean.getBoolean("jdk.krb5.rcache.useMD5")) {
DEFAULT_HASH_ALG = "HASH"; DEFAULT_HASH_ALG = "HASH";
} else { } else {
DEFAULT_HASH_ALG = "SHA256"; DEFAULT_HASH_ALG = "SHA256";

5
src/java.security.jgss/share/classes/sun/security/krb5/internal/rcache/DflCache.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -38,7 +38,6 @@ import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission; import java.nio.file.attribute.PosixFilePermission;
import java.util.*; import java.util.*;
import sun.security.action.GetPropertyAction;
import sun.security.krb5.internal.KerberosTime; import sun.security.krb5.internal.KerberosTime;
import sun.security.krb5.internal.Krb5; import sun.security.krb5.internal.Krb5;
import sun.security.krb5.internal.KrbApErrException; import sun.security.krb5.internal.KrbApErrException;
@ -116,7 +115,7 @@ public class DflCache extends ReplayCache {
} }
private static String defaultPath() { private static String defaultPath() {
return GetPropertyAction.privilegedGetProperty("java.io.tmpdir"); return System.getProperty("java.io.tmpdir");
} }
private static String defaultFile(String server) { private static String defaultFile(String server) {

7
src/java.security.jgss/share/classes/sun/security/krb5/internal/util/KerberosString.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2009, 2019, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2009, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -26,7 +26,6 @@
package sun.security.krb5.internal.util; package sun.security.krb5.internal.util;
import java.io.IOException; import java.io.IOException;
import sun.security.action.GetPropertyAction;
import sun.security.util.DerValue; import sun.security.util.DerValue;
import static java.nio.charset.StandardCharsets.US_ASCII; import static java.nio.charset.StandardCharsets.US_ASCII;
@ -58,8 +57,8 @@ public final class KerberosString {
public static final boolean MSNAME; public static final boolean MSNAME;
static { static {
String prop = GetPropertyAction String prop =
.privilegedGetProperty("sun.security.krb5.msinterop.kstring", "true"); System.getProperty("sun.security.krb5.msinterop.kstring", "true");
MSNAME = Boolean.parseBoolean(prop); MSNAME = Boolean.parseBoolean(prop);
} }

8
src/jdk.security.jgss/share/classes/com/sun/security/jgss/ExtendedGSSContextImpl.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2016, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -41,12 +41,6 @@ class ExtendedGSSContextImpl extends GSSContextImpl
@Override @Override
public Object inquireSecContext(InquireType type) throws GSSException { public Object inquireSecContext(InquireType type) throws GSSException {
@SuppressWarnings("removal")
SecurityManager security = System.getSecurityManager();
if (security != null) {
security.checkPermission(
new InquireSecContextPermission(type.toString()));
}
Object output = super.inquireSecContext(type.name()); Object output = super.inquireSecContext(type.name());
if (output != null) { if (output != null) {
if (type == InquireType.KRB5_GET_AUTHZ_DATA) { if (type == InquireType.KRB5_GET_AUTHZ_DATA) {

18
src/jdk.security.jgss/share/classes/com/sun/security/sasl/gsskerb/JdkSASL.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -24,8 +24,6 @@
*/ */
package com.sun.security.sasl.gsskerb; package com.sun.security.sasl.gsskerb;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Provider; import java.security.Provider;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.InvalidParameterException; import java.security.InvalidParameterException;
@ -74,19 +72,13 @@ public final class JdkSASL extends Provider {
} }
} }
@SuppressWarnings("removal")
public JdkSASL() { public JdkSASL() {
super("JdkSASL", PROVIDER_VER, info); super("JdkSASL", PROVIDER_VER, info);
final Provider p = this; final Provider p = this;
AccessController.doPrivileged(new PrivilegedAction<Void>() { putService(new ProviderService(p, "SaslClientFactory",
public Void run() { "GSSAPI", "com.sun.security.sasl.gsskerb.FactoryImpl"));
putService(new ProviderService(p, "SaslClientFactory", putService(new ProviderService(p, "SaslServerFactory",
"GSSAPI", "com.sun.security.sasl.gsskerb.FactoryImpl")); "GSSAPI", "com.sun.security.sasl.gsskerb.FactoryImpl"));
putService(new ProviderService(p, "SaslServerFactory",
"GSSAPI", "com.sun.security.sasl.gsskerb.FactoryImpl"));
return null;
}
});
} }
} }