8344248: Remove Security Manager dependencies from java.security.jgss and jdk.security.jgss modules
Reviewed-by: ascarpino
parent
395e404666
commit
6113fa7503
@ -320,8 +320,7 @@ module java.base {
|
||||
java.rmi,
|
||||
java.sql.rowset;
|
||||
exports sun.security.action to
|
||||
java.desktop,
|
||||
java.security.jgss;
|
||||
java.desktop;
|
||||
exports sun.security.internal.interfaces to
|
||||
jdk.crypto.cryptoki;
|
||||
exports sun.security.internal.spec to
|
||||
|
@ -176,19 +176,6 @@ public final class KerberosPrincipal
|
||||
throw new IllegalArgumentException(e.getMessage());
|
||||
}
|
||||
|
||||
if (krb5Principal.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
try {
|
||||
sm.checkPermission(new ServicePermission(
|
||||
"@" + krb5Principal.getRealmAsString(), "-"));
|
||||
} catch (SecurityException se) {
|
||||
// Swallow the actual exception to hide info
|
||||
throw new SecurityException("Cannot read realm info");
|
||||
}
|
||||
}
|
||||
}
|
||||
this.nameType = nameType;
|
||||
fullName = krb5Principal.toString();
|
||||
realm = krb5Principal.getRealmString();
|
||||
|
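Review bot: With the realm-deduction block removed, this constructor no longer throws `SecurityException("Cannot read realm info")`, so any `@throws SecurityException` clause or `ServicePermission` wording in its Javadoc is now stale and should be removed in the same change. The Javadoc and the constructor signature lie outside this hunk, so this is inferred rather than visible. If `Realm` was imported only for the `Realm.AUTODEDUCEREALM` test, that import can be dropped as well.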
@ -26,7 +26,6 @@
|
||||
package javax.security.auth.kerberos;
|
||||
|
||||
import java.io.File;
|
||||
import java.security.AccessControlException;
|
||||
import java.util.Objects;
|
||||
import sun.security.krb5.EncryptionKey;
|
||||
import sun.security.krb5.KerberosSecrets;
|
||||
@ -210,20 +209,7 @@ public final class KeyTab {
|
||||
// Takes a snapshot of the keytab content. This method is called by
|
||||
// JavaxSecurityAuthKerberosAccessImpl so no more private
|
||||
sun.security.krb5.internal.ktab.KeyTab takeSnapshot() {
|
||||
try {
|
||||
return sun.security.krb5.internal.ktab.KeyTab.getInstance(file);
|
||||
} catch (@SuppressWarnings("removal") AccessControlException ace) {
|
||||
if (file != null) {
|
||||
// It's OK to show the name if caller specified it
|
||||
throw ace;
|
||||
} else {
|
||||
@SuppressWarnings("removal")
|
||||
AccessControlException ace2 = new AccessControlException(
|
||||
"Access to default keytab denied (modified exception)");
|
||||
ace2.setStackTrace(ace.getStackTrace());
|
||||
throw ace2;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -35,7 +35,6 @@ import org.ietf.jgss.Oid;
|
||||
|
||||
import sun.net.www.protocol.http.HttpCallerInfo;
|
||||
import sun.net.www.protocol.http.Negotiator;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.jgss.GSSManagerImpl;
|
||||
import sun.security.jgss.GSSContextImpl;
|
||||
import sun.security.jgss.GSSUtil;
|
||||
@ -74,8 +73,7 @@ public class NegotiatorImpl extends Negotiator {
|
||||
// we can only use Kerberos mech when the scheme is kerberos
|
||||
oid = GSSUtil.GSS_KRB5_MECH_OID;
|
||||
} else {
|
||||
String pref = GetPropertyAction
|
||||
.privilegedGetProperty("http.auth.preference", "spnego");
|
||||
String pref = System.getProperty("http.auth.preference", "spnego");
|
||||
if (pref.equalsIgnoreCase("kerberos")) {
|
||||
oid = GSSUtil.GSS_KRB5_MECH_OID;
|
||||
} else {
|
||||
|
@ -26,7 +26,6 @@
|
||||
package sun.security.jgss;
|
||||
|
||||
import org.ietf.jgss.*;
|
||||
import sun.security.action.GetBooleanAction;
|
||||
import sun.security.jgss.spi.*;
|
||||
import java.security.Provider;
|
||||
|
||||
@ -37,8 +36,8 @@ import java.security.Provider;
|
||||
public class GSSManagerImpl extends GSSManager {
|
||||
|
||||
// Undocumented property
|
||||
private static final Boolean USE_NATIVE = GetBooleanAction
|
||||
.privilegedGetProperty("sun.security.jgss.native");
|
||||
private static final Boolean USE_NATIVE =
|
||||
Boolean.getBoolean("sun.security.jgss.native");
|
||||
|
||||
private final ProviderList list;
|
||||
|
||||
|
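Review bot: `USE_NATIVE` is still declared as a boxed `Boolean` although `Boolean.getBoolean` returns a primitive, so the new initialiser autoboxes for no benefit. Unless code outside this hunk depends on the wrapper type, declare it as `private static final boolean USE_NATIVE = Boolean.getBoolean("sun.security.jgss.native");`. The `// Undocumented property` comment could also say in one line what the flag selects.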
@ -32,16 +32,12 @@ import javax.security.auth.kerberos.KerberosKey;
|
||||
import org.ietf.jgss.*;
|
||||
import sun.security.jgss.spi.GSSNameSpi;
|
||||
import sun.security.jgss.spi.GSSCredentialSpi;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.jgss.krb5.Krb5NameElement;
|
||||
import sun.security.jgss.spnego.SpNegoCredElement;
|
||||
import java.util.Set;
|
||||
import java.util.HashSet;
|
||||
import java.util.Vector;
|
||||
import java.util.Iterator;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.security.PrivilegedActionException;
|
||||
import javax.security.auth.callback.CallbackHandler;
|
||||
import javax.security.auth.login.LoginContext;
|
||||
import javax.security.auth.login.LoginException;
|
||||
@ -67,8 +63,8 @@ public class GSSUtil {
|
||||
public static final Oid NT_GSS_KRB5_PRINCIPAL =
|
||||
GSSUtil.createOid("1.2.840.113554.1.2.2.1");
|
||||
|
||||
static final Debug DEBUG = Debug.of("jgss", GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.jgss.debug"));
|
||||
static final Debug DEBUG = Debug.of("jgss",
|
||||
System.getProperty("sun.security.jgss.debug"));
|
||||
|
||||
static void debug(String message) {
|
||||
assert(message != null);
|
||||
@ -268,8 +264,8 @@ public class GSSUtil {
|
||||
*/
|
||||
public static boolean useSubjectCredsOnly(GSSCaller caller) {
|
||||
|
||||
String propValue = GetPropertyAction
|
||||
.privilegedGetProperty("javax.security.auth.useSubjectCredsOnly");
|
||||
String propValue =
|
||||
System.getProperty("javax.security.auth.useSubjectCredsOnly");
|
||||
|
||||
// Invalid values should be ignored and the default assumed.
|
||||
if (caller instanceof HttpCaller) {
|
||||
@ -290,11 +286,11 @@ public class GSSUtil {
|
||||
*/
|
||||
public static boolean useMSInterop() {
|
||||
/*
|
||||
* Don't use GetBooleanAction because the default value in the JRE
|
||||
* Don't use Boolean.getBoolean() because the default value in the JRE
|
||||
* (when this is unset) has to treated as true.
|
||||
*/
|
||||
String propValue = GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.spnego.msinterop", "true");
|
||||
String propValue =
|
||||
System.getProperty("sun.security.spnego.msinterop", "true");
|
||||
/*
|
||||
* This property has to be explicitly set to "false". Invalid
|
||||
* values should be ignored and the default "true" assumed.
|
||||
@ -320,15 +316,10 @@ public class GSSUtil {
|
||||
(name == null ? "<<DEF>>" : name.toString()) + ", " +
|
||||
credCls.getName() + ")");
|
||||
}
|
||||
try {
|
||||
@SuppressWarnings("removal")
|
||||
Vector<T> creds =
|
||||
AccessController.doPrivilegedWithCombiner
|
||||
((PrivilegedExceptionAction<Vector<T>>) () -> {
|
||||
Vector<T> creds = null;
|
||||
Subject currSubj = Subject.current();
|
||||
Vector<T> result = null;
|
||||
if (currSubj != null) {
|
||||
result = new Vector<>();
|
||||
creds = new Vector<>();
|
||||
Iterator<GSSCredentialImpl> iterator =
|
||||
currSubj.getPrivateCredentials
|
||||
(GSSCredentialImpl.class).iterator();
|
||||
@ -338,15 +329,14 @@ public class GSSUtil {
|
||||
debug("...Found cred" + cred);
|
||||
}
|
||||
try {
|
||||
GSSCredentialSpi ce =
|
||||
cred.getElement(mech, initiate);
|
||||
GSSCredentialSpi ce = cred.getElement(mech, initiate);
|
||||
if (DEBUG != null) {
|
||||
debug("......Found element: " + ce);
|
||||
}
|
||||
if (ce.getClass().equals(credCls) &&
|
||||
(name == null ||
|
||||
name.equals((Object) ce.getName()))) {
|
||||
result.add(credCls.cast(ce));
|
||||
creds.add(credCls.cast(ce));
|
||||
} else {
|
||||
if (DEBUG != null) {
|
||||
debug("......Discard element");
|
||||
@ -361,15 +351,6 @@ public class GSSUtil {
|
||||
} else if (DEBUG != null) {
|
||||
debug("No Subject");
|
||||
}
|
||||
return result;
|
||||
});
|
||||
return creds;
|
||||
} catch (PrivilegedActionException pae) {
|
||||
if (DEBUG != null) {
|
||||
debug("Unexpected exception when searching Subject:");
|
||||
pae.printStackTrace();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
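Review bot: The comment in `useMSInterop()` was edited to name `Boolean.getBoolean()`, but its second line still reads "has to treated as true". Fix it while the comment is being touched: `* (when this is unset) has to be treated as true.` The method body continues outside the hunk.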
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -25,12 +25,10 @@
|
||||
|
||||
package sun.security.jgss;
|
||||
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.HashMap;
|
||||
import javax.security.auth.login.AppConfigurationEntry;
|
||||
import javax.security.auth.login.Configuration;
|
||||
import org.ietf.jgss.Oid;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
|
||||
/**
|
||||
* A Configuration implementation especially designed for JGSS.
|
||||
@ -49,8 +47,7 @@ public class LoginConfigImpl extends Configuration {
|
||||
public static final boolean HTTP_USE_GLOBAL_CREDS;
|
||||
|
||||
static {
|
||||
String prop = GetPropertyAction
|
||||
.privilegedGetProperty("http.use.global.creds");
|
||||
String prop = System.getProperty("http.use.global.creds");
|
||||
//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
|
||||
HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
|
||||
}
|
||||
@ -62,7 +59,6 @@ public class LoginConfigImpl extends Configuration {
|
||||
* @param caller defined in GSSUtil as CALLER_XXX final fields
|
||||
* @param mech defined in GSSUtil as XXX_MECH_OID final fields
|
||||
*/
|
||||
@SuppressWarnings("removal")
|
||||
public LoginConfigImpl(GSSCaller caller, Oid mech) {
|
||||
|
||||
this.caller = caller;
|
||||
@ -72,8 +68,7 @@ public class LoginConfigImpl extends Configuration {
|
||||
} else {
|
||||
throw new IllegalArgumentException(mech.toString() + " not supported");
|
||||
}
|
||||
config = java.security.AccessController.doPrivileged
|
||||
((PrivilegedAction<Configuration>) Configuration::getConfiguration);
|
||||
config = Configuration.getConfiguration();
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -38,7 +38,6 @@ import java.util.Objects;
|
||||
import sun.security.jgss.spi.*;
|
||||
import sun.security.jgss.wrapper.NativeGSSFactory;
|
||||
import sun.security.jgss.wrapper.SunNativeProvider;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
|
||||
/**
|
||||
* This class stores the list of providers that this
|
||||
@ -102,8 +101,7 @@ public final class ProviderList {
|
||||
* with a valid OID value
|
||||
*/
|
||||
Oid defOid = null;
|
||||
String defaultOidStr = GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.jgss.mechanism");
|
||||
String defaultOidStr = System.getProperty("sun.security.jgss.mechanism");
|
||||
if (defaultOidStr != null) {
|
||||
defOid = GSSUtil.createOid(defaultOidStr);
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -27,8 +27,6 @@ package sun.security.jgss;
|
||||
|
||||
import java.io.Serial;
|
||||
import java.security.Provider;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.InvalidParameterException;
|
||||
import java.security.ProviderException;
|
||||
@ -100,20 +98,16 @@ public final class SunProvider extends Provider {
|
||||
}
|
||||
}
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
public SunProvider() {
|
||||
/* We are the Sun JGSS provider */
|
||||
super("SunJGSS", PROVIDER_VER, INFO);
|
||||
|
||||
final Provider p = this;
|
||||
AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
|
||||
putService(new ProviderService(p, "GssApiMechanism",
|
||||
"1.2.840.113554.1.2.2",
|
||||
"sun.security.jgss.krb5.Krb5MechFactory"));
|
||||
putService(new ProviderService(p, "GssApiMechanism",
|
||||
"1.3.6.1.5.5.2",
|
||||
"sun.security.jgss.spnego.SpNegoMechFactory"));
|
||||
return null;
|
||||
});
|
||||
}
|
||||
}
|
||||
|
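Review bot: `final Provider p = this;` is kept in the constructor, but it appears to have existed only for the privileged action that this commit removes. With `putService` now called directly, pass `this` and drop the local: `putService(new ProviderService(this, "GssApiMechanism", "1.2.840.113554.1.2.2", "sun.security.jgss.krb5.Krb5MechFactory"));`, and likewise for the SPNEGO entry.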
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -29,7 +29,6 @@ import org.ietf.jgss.*;
|
||||
import java.io.InputStream;
|
||||
import java.io.IOException;
|
||||
|
||||
import sun.security.action.GetBooleanAction;
|
||||
import sun.security.krb5.*;
|
||||
|
||||
class AcceptSecContextToken extends InitialToken {
|
||||
@ -44,8 +43,8 @@ class AcceptSecContextToken extends InitialToken {
|
||||
KrbApReq apReq)
|
||||
throws KrbException, IOException, GSSException {
|
||||
|
||||
boolean useSubkey = GetBooleanAction
|
||||
.privilegedGetProperty("sun.security.krb5.acceptor.subkey");
|
||||
boolean useSubkey = Boolean.getBoolean(
|
||||
"sun.security.krb5.acceptor.subkey");
|
||||
|
||||
boolean useSequenceNumber = true;
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -29,7 +29,6 @@ import org.ietf.jgss.*;
|
||||
import java.io.InputStream;
|
||||
import java.io.IOException;
|
||||
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.krb5.*;
|
||||
import java.net.InetAddress;
|
||||
import sun.security.krb5.internal.AuthorizationData;
|
||||
@ -53,7 +52,7 @@ class InitSecContextToken extends InitialToken {
|
||||
// property "sun.security.krb5.acceptor.sequence.number.nonmutual",
|
||||
// which can be set to "initiator", "zero" or "0".
|
||||
String propName = "sun.security.krb5.acceptor.sequence.number.nonmutual";
|
||||
String s = GetPropertyAction.privilegedGetProperty(propName, "initiator");
|
||||
String s = System.getProperty(propName, "initiator");
|
||||
if (s.equals("initiator")) {
|
||||
ACCEPTOR_USE_INITIATOR_SEQNUM = true;
|
||||
} else if (s.equals("zero") || s.equals("0")) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -26,7 +26,6 @@
|
||||
package sun.security.jgss.krb5;
|
||||
|
||||
import org.ietf.jgss.*;
|
||||
import javax.security.auth.kerberos.DelegationPermission;
|
||||
import java.io.IOException;
|
||||
import java.net.InetAddress;
|
||||
import java.net.Inet4Address;
|
||||
@ -171,14 +170,6 @@ abstract class InitialToken extends Krb5Token {
|
||||
String realm = delegateTo.getRealmAsString();
|
||||
sb.append(" \"krbtgt/").append(realm).append('@');
|
||||
sb.append(realm).append('\"');
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
DelegationPermission perm =
|
||||
new DelegationPermission(sb.toString());
|
||||
sm.checkPermission(perm);
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
* Write 1 in little endian but in two bytes
|
||||
|
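Review bot: The `StringBuilder` that assembles the `krbtgt/<realm>@<realm>` target string is still filled in the lines just above the removed check, yet its only consumer visible here was `new DelegationPermission(sb.toString())`. If nothing below the hunk reads `sb`, remove the builder and the `realm` local too, so that no leftover permission-string code sits on the delegation path. The enclosing block extends past both ends of the hunk, so this needs checking against the full method. If the string is kept deliberately, add a comment saying what it is for.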
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -29,10 +29,8 @@ import org.ietf.jgss.*;
|
||||
import sun.security.jgss.GSSCaller;
|
||||
import sun.security.jgss.spi.*;
|
||||
import sun.security.krb5.*;
|
||||
import java.security.PrivilegedActionException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.security.AccessController;
|
||||
import javax.security.auth.DestroyFailedException;
|
||||
import javax.security.auth.login.LoginException;
|
||||
|
||||
/**
|
||||
* Implements the krb5 acceptor credential element.
|
||||
@ -57,27 +55,22 @@ public class Krb5AcceptCredential
|
||||
this.screds = creds;
|
||||
}
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
static Krb5AcceptCredential getInstance(final GSSCaller caller, Krb5NameElement name)
|
||||
throws GSSException {
|
||||
|
||||
final String serverPrinc = (name == null? null:
|
||||
name.getKrb5PrincipalName().getName());
|
||||
|
||||
ServiceCreds creds;
|
||||
ServiceCreds creds = null;
|
||||
try {
|
||||
creds = AccessController.doPrivilegedWithCombiner(
|
||||
new PrivilegedExceptionAction<ServiceCreds>() {
|
||||
public ServiceCreds run() throws Exception {
|
||||
return Krb5Util.getServiceCreds(
|
||||
creds = Krb5Util.getServiceCreds(
|
||||
caller == GSSCaller.CALLER_UNKNOWN ? GSSCaller.CALLER_ACCEPT: caller,
|
||||
serverPrinc);
|
||||
}});
|
||||
} catch (PrivilegedActionException e) {
|
||||
} catch (LoginException e) {
|
||||
GSSException ge =
|
||||
new GSSException(GSSException.NO_CRED, -1,
|
||||
"Attempt to obtain new ACCEPT credentials failed!");
|
||||
ge.initCause(e.getException());
|
||||
ge.initCause(e);
|
||||
throw ge;
|
||||
}
|
||||
|
||||
|
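Review bot: `ServiceCreds creds = null;` adds an initialiser the code does not need. The only `catch` branch rethrows a `GSSException`, so `creds` is definitely assigned after the `try`, and the original `ServiceCreds creds;` lets the compiler keep enforcing that. The `final` modifiers on `caller` and `serverPrinc` served the anonymous `PrivilegedExceptionAction` and can go as well. The method continues below the hunk.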
@ -39,7 +39,6 @@ import java.io.ObjectInputStream;
|
||||
import java.io.OutputStream;
|
||||
import java.security.*;
|
||||
import javax.security.auth.Subject;
|
||||
import javax.security.auth.kerberos.ServicePermission;
|
||||
import javax.security.auth.kerberos.KerberosCredMessage;
|
||||
import javax.security.auth.kerberos.KerberosPrincipal;
|
||||
import javax.security.auth.kerberos.KerberosTicket;
|
||||
@ -631,8 +630,6 @@ class Krb5Context implements GSSContextSpi {
|
||||
tgt = proxyCreds.self.getKrb5Credentials();
|
||||
}
|
||||
|
||||
checkPermission(peerName.getKrb5PrincipalName().getName(),
|
||||
"initiate");
|
||||
/*
|
||||
* If useSubjectCredsonly is true then
|
||||
* we check whether we already have the ticket
|
||||
@ -641,18 +638,13 @@ class Krb5Context implements GSSContextSpi {
|
||||
|
||||
if (GSSUtil.useSubjectCredsOnly(caller)) {
|
||||
KerberosTicket kerbTicket = null;
|
||||
try {
|
||||
// get service ticket from caller's subject
|
||||
@SuppressWarnings("removal")
|
||||
var tmp = AccessController.doPrivilegedWithCombiner(
|
||||
new PrivilegedExceptionAction<KerberosTicket>() {
|
||||
public KerberosTicket run() throws Exception {
|
||||
// XXX to be cleaned
|
||||
// highly consider just calling:
|
||||
// Subject.getSubject
|
||||
// SubjectComber.find
|
||||
// instead of Krb5Util.getServiceTicket
|
||||
return Krb5Util.getServiceTicket(
|
||||
kerbTicket = Krb5Util.getServiceTicket(
|
||||
GSSCaller.CALLER_UNKNOWN,
|
||||
// since it's useSubjectCredsOnly here,
|
||||
// don't worry about the null
|
||||
@ -660,14 +652,7 @@ class Krb5Context implements GSSContextSpi {
|
||||
myName.getKrb5PrincipalName().getName():
|
||||
proxyCreds.getName().getKrb5PrincipalName().getName(),
|
||||
peerName.getKrb5PrincipalName().getName());
|
||||
}});
|
||||
kerbTicket = tmp;
|
||||
} catch (PrivilegedActionException e) {
|
||||
if (DEBUG != null) {
|
||||
DEBUG.println("Attempt to obtain service"
|
||||
+ " ticket from the subject failed!");
|
||||
}
|
||||
}
|
||||
|
||||
if (kerbTicket != null) {
|
||||
if (DEBUG != null) {
|
||||
DEBUG.println("Found service ticket in " +
|
||||
@ -701,10 +686,7 @@ class Krb5Context implements GSSContextSpi {
|
||||
tgt);
|
||||
}
|
||||
if (GSSUtil.useSubjectCredsOnly(caller)) {
|
||||
@SuppressWarnings("removal")
|
||||
final Subject subject =
|
||||
AccessController.doPrivilegedWithCombiner(
|
||||
(PrivilegedAction<Subject>) Subject::current);
|
||||
Subject subject = Subject.current();
|
||||
if (subject != null &&
|
||||
!subject.isReadOnly()) {
|
||||
/*
|
||||
@ -714,14 +696,9 @@ class Krb5Context implements GSSContextSpi {
|
||||
* successfully established; however it is easier
|
||||
* to do it here and there is no harm.
|
||||
*/
|
||||
final KerberosTicket kt =
|
||||
KerberosTicket kt =
|
||||
Krb5Util.credsToTicket(serviceCreds);
|
||||
@SuppressWarnings("removal")
|
||||
var dummy = AccessController.doPrivileged (
|
||||
(PrivilegedAction<Void>) () -> {
|
||||
subject.getPrivateCredentials().add(kt);
|
||||
return null;
|
||||
});
|
||||
} else {
|
||||
// log it for debugging purpose
|
||||
if (DEBUG != null) {
|
||||
@ -816,11 +793,6 @@ class Krb5Context implements GSSContextSpi {
|
||||
}
|
||||
myName = (Krb5NameElement) myCred.getName();
|
||||
|
||||
// If there is already a bound name, check now
|
||||
if (myName != null) {
|
||||
Krb5MechFactory.checkAcceptCredPermission(myName, myName);
|
||||
}
|
||||
|
||||
InitSecContextToken token = new InitSecContextToken(this,
|
||||
(Krb5AcceptCredential) myCred, is);
|
||||
PrincipalName clientName = token.getKrbApReq().getClient();
|
||||
@ -830,7 +802,6 @@ class Krb5Context implements GSSContextSpi {
|
||||
if (myName == null) {
|
||||
myName = Krb5NameElement.getInstance(
|
||||
token.getKrbApReq().getCreds().getServer());
|
||||
Krb5MechFactory.checkAcceptCredPermission(myName, myName);
|
||||
}
|
||||
|
||||
if (getMutualAuthState()) {
|
||||
@ -1322,16 +1293,6 @@ class Krb5Context implements GSSContextSpi {
|
||||
}
|
||||
}
|
||||
|
||||
private void checkPermission(String principal, String action) {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
ServicePermission perm =
|
||||
new ServicePermission(principal, action);
|
||||
sm.checkPermission(perm);
|
||||
}
|
||||
}
|
||||
|
||||
private static String getHexBytes(byte[] bytes, int pos, int len) {
|
||||
|
||||
StringBuilder sb = new StringBuilder();
|
||||
|
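Review bot: In the `useSubjectCredsOnly` branch, `kerbTicket` is declared as `null` and then assigned a few lines later, and the hunk's line counts indicate the `try` between them was removed, so the split is a leftover of the old wrapper. Fold it into one statement, `KerberosTicket kerbTicket = Krb5Util.getServiceTicket(`, keeping the arguments as they are. The `XXX to be cleaned` comment between the two still points at `Subject.getSubject`; update or drop it in the same pass. The enclosing method starts and ends outside these hunks.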
@ -37,9 +37,7 @@ import java.io.InvalidObjectException;
|
||||
import java.io.IOException;
|
||||
import java.io.ObjectInputStream;
|
||||
import java.util.Date;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.security.PrivilegedActionException;
|
||||
import javax.security.auth.login.LoginException;
|
||||
|
||||
/**
|
||||
* Implements the krb5 initiator credential element.
|
||||
@ -348,7 +346,6 @@ public class Krb5InitCredential
|
||||
// XXX call to this.destroy() should destroy the locally cached copy
|
||||
// of krb5Credentials and then call super.destroy().
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
private static KerberosTicket getTgt(GSSCaller caller, Krb5NameElement name,
|
||||
int initLifetime)
|
||||
throws GSSException {
|
||||
@ -366,23 +363,18 @@ public class Krb5InitCredential
|
||||
}
|
||||
|
||||
try {
|
||||
final GSSCaller realCaller = (caller == GSSCaller.CALLER_UNKNOWN)
|
||||
GSSCaller realCaller = (caller == GSSCaller.CALLER_UNKNOWN)
|
||||
? GSSCaller.CALLER_INITIATE
|
||||
: caller;
|
||||
return AccessController.doPrivilegedWithCombiner(
|
||||
new PrivilegedExceptionAction<KerberosTicket>() {
|
||||
public KerberosTicket run() throws Exception {
|
||||
// It's OK to use null as serverPrincipal. TGT is almost
|
||||
// the first ticket for a principal and we use list.
|
||||
return Krb5Util.getInitialTicket(
|
||||
realCaller, clientPrincipal);
|
||||
}});
|
||||
} catch (PrivilegedActionException e) {
|
||||
return Krb5Util.getInitialTicket(realCaller, clientPrincipal);
|
||||
} catch (LoginException e) {
|
||||
GSSException ge =
|
||||
new GSSException(GSSException.NO_CRED, -1,
|
||||
"Attempt to obtain new INITIATE credentials failed!" +
|
||||
" (" + e.getMessage() + ")");
|
||||
ge.initCause(e.getException());
|
||||
ge.initCause(e);
|
||||
throw ge;
|
||||
}
|
||||
}
|
||||
|
@ -29,12 +29,9 @@ import org.ietf.jgss.*;
|
||||
import sun.security.jgss.GSSUtil;
|
||||
import sun.security.jgss.GSSCaller;
|
||||
import sun.security.jgss.spi.*;
|
||||
import javax.security.auth.kerberos.ServicePermission;
|
||||
import java.security.Provider;
|
||||
import java.util.Vector;
|
||||
|
||||
import static sun.security.krb5.internal.Krb5.DEBUG;
|
||||
|
||||
/**
|
||||
* Krb5 Mechanism plug in for JGSS
|
||||
* This is the properties object required by the JGSS framework.
|
||||
@ -71,19 +68,8 @@ public final class Krb5MechFactory implements MechanismFactory {
|
||||
Krb5InitCredential.class :
|
||||
Krb5AcceptCredential.class));
|
||||
|
||||
Krb5CredElement result = ((creds == null || creds.isEmpty()) ?
|
||||
return ((creds == null || creds.isEmpty()) ?
|
||||
null : creds.firstElement());
|
||||
|
||||
// Force permission check before returning the cred to caller
|
||||
if (result != null) {
|
||||
if (initiate) {
|
||||
checkInitCredPermission((Krb5NameElement) result.getName());
|
||||
} else {
|
||||
checkAcceptCredPermission
|
||||
((Krb5NameElement) result.getName(), name);
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
public Krb5MechFactory() {
|
||||
@ -126,14 +112,10 @@ public final class Krb5MechFactory implements MechanismFactory {
|
||||
(caller, (Krb5NameElement) name, initLifetime);
|
||||
credElement = Krb5ProxyCredential.tryImpersonation(
|
||||
caller, (Krb5InitCredential)credElement);
|
||||
checkInitCredPermission
|
||||
((Krb5NameElement) credElement.getName());
|
||||
} else if (usage == GSSCredential.ACCEPT_ONLY) {
|
||||
credElement =
|
||||
Krb5AcceptCredential.getInstance(caller,
|
||||
(Krb5NameElement) name);
|
||||
checkAcceptCredPermission
|
||||
((Krb5NameElement) credElement.getName(), name);
|
||||
} else
|
||||
throw new GSSException(GSSException.FAILURE, -1,
|
||||
"Unknown usage mode requested");
|
||||
@ -141,47 +123,6 @@ public final class Krb5MechFactory implements MechanismFactory {
|
||||
return credElement;
|
||||
}
|
||||
|
||||
public static void checkInitCredPermission(Krb5NameElement name) {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
String realm = (name.getKrb5PrincipalName()).getRealmAsString();
|
||||
String tgsPrincipal = "krbtgt/" + realm + '@' + realm;
|
||||
ServicePermission perm =
|
||||
new ServicePermission(tgsPrincipal, "initiate");
|
||||
try {
|
||||
sm.checkPermission(perm);
|
||||
} catch (SecurityException e) {
|
||||
if (DEBUG != null) {
|
||||
DEBUG.println("Permission to initiate " +
|
||||
"kerberos init credential" + e.getMessage());
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public static void checkAcceptCredPermission(Krb5NameElement name,
|
||||
GSSNameSpi originalName) {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null && name != null) {
|
||||
ServicePermission perm = new ServicePermission
|
||||
(name.getKrb5PrincipalName().getName(), "accept");
|
||||
try {
|
||||
sm.checkPermission(perm);
|
||||
} catch (SecurityException e) {
|
||||
if (originalName == null) {
|
||||
// Don't disclose the name of the principal
|
||||
e = new SecurityException("No permission to acquire "
|
||||
+ "Kerberos accept credential");
|
||||
// Don't call e.initCause() with caught exception
|
||||
}
|
||||
throw e;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public GSSContextSpi getMechanismContext(GSSNameSpi peer,
|
||||
GSSCredentialSpi myInitiatorCred, int lifetime)
|
||||
throws GSSException {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -28,10 +28,8 @@ package sun.security.jgss.krb5;
|
||||
import org.ietf.jgss.*;
|
||||
import sun.security.jgss.spi.*;
|
||||
import sun.security.krb5.PrincipalName;
|
||||
import sun.security.krb5.Realm;
|
||||
import sun.security.krb5.KrbException;
|
||||
|
||||
import javax.security.auth.kerberos.ServicePermission;
|
||||
import java.net.InetAddress;
|
||||
import java.net.UnknownHostException;
|
||||
import java.security.Provider;
|
||||
@ -127,19 +125,6 @@ public class Krb5NameElement
|
||||
throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
|
||||
}
|
||||
|
||||
if (principalName.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
try {
|
||||
sm.checkPermission(new ServicePermission(
|
||||
"@" + principalName.getRealmAsString(), "-"));
|
||||
} catch (SecurityException se) {
|
||||
// Do not chain the actual exception to hide info
|
||||
throw new GSSException(GSSException.FAILURE);
|
||||
}
|
||||
}
|
||||
}
|
||||
return new Krb5NameElement(principalName, gssNameStr, gssNameType);
|
||||
}
|
||||
|
||||
|
@ -59,7 +59,6 @@ public class Krb5Util {
|
||||
static KerberosTicket getServiceTicket(GSSCaller caller,
|
||||
String clientPrincipal, String serverPrincipal) {
|
||||
// Try to get ticket from current Subject
|
||||
@SuppressWarnings("removal")
|
||||
Subject currSubj = Subject.current();
|
||||
KerberosTicket ticket =
|
||||
SubjectComber.find(currSubj, serverPrincipal, clientPrincipal,
|
||||
|
@ -30,8 +30,6 @@ import java.security.Provider;
|
||||
import java.util.Objects;
|
||||
|
||||
import org.ietf.jgss.*;
|
||||
import sun.security.action.GetBooleanAction;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.jgss.*;
|
||||
import sun.security.jgss.spi.*;
|
||||
import sun.security.util.*;
|
||||
@ -85,8 +83,8 @@ public class SpNegoContext implements GSSContextSpi {
|
||||
private final SpNegoMechFactory factory;
|
||||
|
||||
// debug property
|
||||
static final Debug DEBUG = Debug.of("spnego", GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.spnego.debug"));
|
||||
static final Debug DEBUG = Debug.of("spnego",
|
||||
System.getProperty("sun.security.spnego.debug"));
|
||||
|
||||
/**
|
||||
* Constructor for SpNegoContext to be called on the context initiator's
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -28,10 +28,6 @@ package sun.security.jgss.spnego;
|
||||
import org.ietf.jgss.*;
|
||||
import sun.security.jgss.*;
|
||||
import sun.security.jgss.spi.*;
|
||||
import sun.security.jgss.krb5.Krb5MechFactory;
|
||||
import sun.security.jgss.krb5.Krb5InitCredential;
|
||||
import sun.security.jgss.krb5.Krb5AcceptCredential;
|
||||
import sun.security.jgss.krb5.Krb5NameElement;
|
||||
import java.security.Provider;
|
||||
import java.util.Vector;
|
||||
|
||||
@ -75,25 +71,8 @@ public final class SpNegoMechFactory implements MechanismFactory {
|
||||
GSSUtil.searchSubject(name, GSS_SPNEGO_MECH_OID,
|
||||
initiate, SpNegoCredElement.class);
|
||||
|
||||
SpNegoCredElement result = ((creds == null || creds.isEmpty()) ?
|
||||
return ((creds == null || creds.isEmpty()) ?
|
||||
null : creds.firstElement());
|
||||
|
||||
// Force permission check before returning the cred to caller
|
||||
if (result != null) {
|
||||
GSSCredentialSpi cred = result.getInternalCred();
|
||||
if (GSSUtil.isKerberosMech(cred.getMechanism())) {
|
||||
if (initiate) {
|
||||
Krb5InitCredential krbCred = (Krb5InitCredential) cred;
|
||||
Krb5MechFactory.checkInitCredPermission
|
||||
((Krb5NameElement) krbCred.getName());
|
||||
} else {
|
||||
Krb5AcceptCredential krbCred = (Krb5AcceptCredential) cred;
|
||||
Krb5MechFactory.checkAcceptCredPermission
|
||||
((Krb5NameElement) krbCred.getName(), name);
|
||||
}
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
public SpNegoMechFactory() {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -27,7 +27,6 @@ package sun.security.jgss.wrapper;
|
||||
import org.ietf.jgss.*;
|
||||
import java.lang.ref.Cleaner;
|
||||
import java.security.Provider;
|
||||
import sun.security.jgss.GSSUtil;
|
||||
import sun.security.jgss.spi.GSSCredentialSpi;
|
||||
import sun.security.jgss.spi.GSSNameSpi;
|
||||
|
||||
@ -45,24 +44,6 @@ public class GSSCredElement implements GSSCredentialSpi {
|
||||
private GSSNameElement name;
|
||||
private final GSSLibStub cStub;
|
||||
|
||||
// Perform the necessary ServicePermission check on this cred
|
||||
@SuppressWarnings("removal")
|
||||
void doServicePermCheck() throws GSSException {
|
||||
if (GSSUtil.isKerberosMech(cStub.getMech())) {
|
||||
if (System.getSecurityManager() != null) {
|
||||
if (isInitiatorCredential()) {
|
||||
String tgsName = Krb5Util.getTGSName(name);
|
||||
Krb5Util.checkServicePermission(tgsName, "initiate");
|
||||
}
|
||||
if (isAcceptorCredential() &&
|
||||
name != GSSNameElement.DEF_ACCEPTOR) {
|
||||
String krbName = name.getKrbName();
|
||||
Krb5Util.checkServicePermission(krbName, "accept");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Construct delegation cred using the actual context mech and srcName
|
||||
// Warning: called by NativeUtil.c
|
||||
GSSCredElement(long pCredentials, GSSNameElement srcName, Oid mech)
|
||||
@ -81,12 +62,10 @@ public class GSSCredElement implements GSSCredentialSpi {
|
||||
|
||||
if (name != null) { // Could be GSSNameElement.DEF_ACCEPTOR
|
||||
this.name = name;
|
||||
doServicePermCheck();
|
||||
pCred = cStub.acquireCred(this.name.pName, lifetime, usage);
|
||||
} else {
|
||||
pCred = cStub.acquireCred(0, lifetime, usage);
|
||||
this.name = new GSSNameElement(cStub.getCredName(pCred), cStub);
|
||||
doServicePermCheck();
|
||||
}
|
||||
|
||||
cleanable = Krb5Util.cleaner.register(this, disposerFor(cStub, pCred));
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -36,7 +36,6 @@ import sun.security.util.DerInputStream;
|
||||
import sun.security.util.DerOutputStream;
|
||||
import sun.security.util.ObjectIdentifier;
|
||||
|
||||
import javax.security.auth.kerberos.ServicePermission;
|
||||
import java.io.IOException;
|
||||
import java.lang.ref.Cleaner;
|
||||
import java.security.Provider;
|
||||
@ -168,29 +167,6 @@ public class GSSNameElement implements GSSNameSpi {
|
||||
|
||||
setPrintables();
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null && !Realm.AUTODEDUCEREALM) {
|
||||
String krbName = getKrbName();
|
||||
int atPos = krbName.lastIndexOf('@');
|
||||
if (atPos != -1) {
|
||||
String atRealm = krbName.substring(atPos);
|
||||
// getNativeNameType() can modify NT_GSS_KRB5_PRINCIPAL to null
|
||||
if ((nameType == null
|
||||
|| nameType.equals(GSSUtil.NT_GSS_KRB5_PRINCIPAL))
|
||||
&& new String(nameBytes).endsWith(atRealm)) {
|
||||
// Created from Kerberos name with realm, no need to check
|
||||
} else {
|
||||
try {
|
||||
sm.checkPermission(new ServicePermission(atRealm, "-"));
|
||||
} catch (SecurityException se) {
|
||||
// Do not chain the actual exception to hide info
|
||||
throw new GSSException(GSSException.FAILURE);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (SunNativeProvider.DEBUG) {
|
||||
SunNativeProvider.debug("Imported " + printableName + " w/ type " +
|
||||
printableType);
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -26,7 +26,6 @@ package sun.security.jgss.wrapper;
|
||||
|
||||
import org.ietf.jgss.*;
|
||||
import java.lang.ref.Cleaner;
|
||||
import javax.security.auth.kerberos.ServicePermission;
|
||||
|
||||
/**
|
||||
* This class is a utility class for Kerberos related stuff.
|
||||
@ -46,20 +45,4 @@ class Krb5Util {
|
||||
String realm = krbPrinc.substring(atIndex + 1);
|
||||
return "krbtgt/" + realm + '@' + realm;
|
||||
}
|
||||
|
||||
// Perform the Service Permission check using the specified
|
||||
// <code>target</code> and <code>action</code>
|
||||
static void checkServicePermission(String target, String action) {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
if (SunNativeProvider.DEBUG) {
|
||||
SunNativeProvider.debug("Checking ServicePermission(" +
|
||||
target + ", " + action + ")");
|
||||
}
|
||||
ServicePermission perm =
|
||||
new ServicePermission(target, action);
|
||||
sm.checkPermission(perm);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -36,7 +36,6 @@ import sun.security.util.DerValue;
|
||||
import sun.security.util.ObjectIdentifier;
|
||||
import sun.security.jgss.spnego.NegTokenInit;
|
||||
import sun.security.jgss.spnego.NegTokenTarg;
|
||||
import javax.security.auth.kerberos.DelegationPermission;
|
||||
import java.io.*;
|
||||
|
||||
|
||||
@ -79,9 +78,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
private GSSCredElement disposeDelegatedCred;
|
||||
private final GSSLibStub cStub;
|
||||
|
||||
private boolean skipDelegPermCheck;
|
||||
private boolean skipServicePermCheck;
|
||||
|
||||
// Retrieve the (preferred) mech out of SPNEGO tokens, i.e.
|
||||
// NegTokenInit & NegTokenTarg
|
||||
private static Oid getMechFromSpNegoToken(byte[] token,
|
||||
@ -112,53 +108,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
return mech;
|
||||
}
|
||||
|
||||
// Perform the Service permission check
|
||||
@SuppressWarnings("removal")
|
||||
private void doServicePermCheck() throws GSSException {
|
||||
if (System.getSecurityManager() != null) {
|
||||
String action = (isInitiator? "initiate" : "accept");
|
||||
// Need to check Service permission for accessing
|
||||
// initiator cred for SPNEGO during context establishment
|
||||
if (GSSUtil.isSpNegoMech(cStub.getMech()) && isInitiator
|
||||
&& !isEstablished) {
|
||||
if (srcName == null) {
|
||||
// Check by creating default initiator KRB5 cred
|
||||
GSSCredElement tempCred =
|
||||
new GSSCredElement(null, lifetime,
|
||||
GSSCredential.INITIATE_ONLY,
|
||||
GSSLibStub.getInstance(GSSUtil.GSS_KRB5_MECH_OID));
|
||||
tempCred.dispose();
|
||||
} else {
|
||||
String tgsName = Krb5Util.getTGSName(srcName);
|
||||
Krb5Util.checkServicePermission(tgsName, action);
|
||||
}
|
||||
}
|
||||
String targetStr = targetName.getKrbName();
|
||||
Krb5Util.checkServicePermission(targetStr, action);
|
||||
skipServicePermCheck = true;
|
||||
}
|
||||
}
|
||||
|
||||
// Perform the Delegation permission check
|
||||
private void doDelegPermCheck() throws GSSException {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager sm = System.getSecurityManager();
|
||||
if (sm != null) {
|
||||
String targetStr = targetName.getKrbName();
|
||||
String tgsStr = Krb5Util.getTGSName(targetName);
|
||||
String krbPrincPair = "\"" + targetStr + "\" \"" +
|
||||
tgsStr + '\"';
|
||||
if (SunNativeProvider.DEBUG) {
|
||||
SunNativeProvider.debug("Checking DelegationPermission (" +
|
||||
krbPrincPair + ")");
|
||||
}
|
||||
DelegationPermission perm =
|
||||
new DelegationPermission(krbPrincPair);
|
||||
sm.checkPermission(perm);
|
||||
skipDelegPermCheck = true;
|
||||
}
|
||||
}
|
||||
|
||||
private byte[] retrieveToken(InputStream is, int mechTokenLen)
|
||||
throws GSSException {
|
||||
try {
|
||||
@ -210,7 +159,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
lifetime = time;
|
||||
|
||||
if (GSSUtil.isKerberosMech(cStub.getMech())) {
|
||||
doServicePermCheck();
|
||||
if (cred == null) {
|
||||
disposeCred = cred =
|
||||
new GSSCredElement(null, lifetime,
|
||||
@ -230,11 +178,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
if (cred != null) targetName = cred.getName();
|
||||
|
||||
isInitiator = false;
|
||||
// Defer Service permission check for default acceptor cred
|
||||
// to acceptSecContext()
|
||||
if (GSSUtil.isKerberosMech(cStub.getMech()) && targetName != null) {
|
||||
doServicePermCheck();
|
||||
}
|
||||
|
||||
// srcName and potentially targetName (when myCred is null)
|
||||
// will be set in GSSLibStub.acceptContext(...)
|
||||
@ -258,13 +201,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
isEstablished = (info[3] != 0);
|
||||
flags = (int) info[4];
|
||||
lifetime = (int) info[5];
|
||||
|
||||
// Do Service Permission check when importing SPNEGO context
|
||||
// just to be safe
|
||||
Oid mech = cStub.getMech();
|
||||
if (GSSUtil.isSpNegoMech(mech) || GSSUtil.isKerberosMech(mech)) {
|
||||
doServicePermCheck();
|
||||
}
|
||||
}
|
||||
|
||||
public Provider getProvider() {
|
||||
@ -285,12 +221,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
}
|
||||
}
|
||||
|
||||
if (!getCredDelegState()) skipDelegPermCheck = true;
|
||||
|
||||
if (GSSUtil.isKerberosMech(cStub.getMech()) && !skipDelegPermCheck) {
|
||||
doDelegPermCheck();
|
||||
}
|
||||
|
||||
long pCred = (cred == null? 0 : cred.pCred);
|
||||
outToken = cStub.initContext(pCred, targetName.pName,
|
||||
cb, inToken, this);
|
||||
@ -304,11 +234,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
if (GSSUtil.isSpNegoMech(cStub.getMech()) && outToken != null) {
|
||||
// WORKAROUND for SEAM bug#6287358
|
||||
actualMech = getMechFromSpNegoToken(outToken, true);
|
||||
|
||||
if (GSSUtil.isKerberosMech(actualMech)) {
|
||||
if (!skipServicePermCheck) doServicePermCheck();
|
||||
if (!skipDelegPermCheck) doDelegPermCheck();
|
||||
}
|
||||
}
|
||||
|
||||
if (isEstablished) {
|
||||
@ -355,16 +280,6 @@ class NativeGSSContext implements GSSContextSpi {
|
||||
new GSSCredElement(targetName, lifetime,
|
||||
GSSCredential.ACCEPT_ONLY, cStub);
|
||||
}
|
||||
|
||||
// Only inspect token when the permission check has not
|
||||
// been performed
|
||||
if (GSSUtil.isSpNegoMech(cStub.getMech()) &&
|
||||
(outToken != null) && !skipServicePermCheck) {
|
||||
if (GSSUtil.isKerberosMech(getMechFromSpNegoToken
|
||||
(outToken, false))) {
|
||||
doServicePermCheck();
|
||||
}
|
||||
}
|
||||
}
|
||||
return outToken;
|
||||
}
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2005, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -65,13 +65,8 @@ public final class NativeGSSFactory implements MechanismFactory {
|
||||
}
|
||||
}
|
||||
|
||||
GSSCredElement result = ((creds == null || creds.isEmpty()) ?
|
||||
return ((creds == null || creds.isEmpty()) ?
|
||||
null : creds.firstElement());
|
||||
// Force permission check before returning the cred to caller
|
||||
if (result != null) {
|
||||
result.doServicePermCheck();
|
||||
}
|
||||
return result;
|
||||
}
|
||||
|
||||
public NativeGSSFactory(GSSCaller caller) {
|
||||
|
@ -28,14 +28,10 @@ package sun.security.jgss.wrapper;
|
||||
import java.io.Serial;
|
||||
import java.util.HashMap;
|
||||
import java.security.Provider;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
|
||||
import jdk.internal.util.OperatingSystem;
|
||||
import jdk.internal.util.StaticProperty;
|
||||
import org.ietf.jgss.Oid;
|
||||
import sun.security.action.GetBooleanAction;
|
||||
import sun.security.action.PutAllAction;
|
||||
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||
|
||||
/**
|
||||
@ -59,7 +55,7 @@ public final class SunNativeProvider extends Provider {
|
||||
"sun.security.jgss.wrapper.NativeGSSFactory";
|
||||
|
||||
static final boolean DEBUG =
|
||||
GetBooleanAction.privilegedGetProperty("sun.security.nativegss.debug");
|
||||
Boolean.getBoolean("sun.security.nativegss.debug");
|
||||
|
||||
static void debug(String message) {
|
||||
if (message == null) {
|
||||
@ -68,11 +64,10 @@ public final class SunNativeProvider extends Provider {
|
||||
System.err.println(NAME + ": " + message);
|
||||
}
|
||||
|
||||
@SuppressWarnings({"removal", "restricted"})
|
||||
private static final HashMap<String, String> MECH_MAP =
|
||||
AccessController.doPrivileged(
|
||||
new PrivilegedAction<>() {
|
||||
public HashMap<String, String> run() {
|
||||
private static final HashMap<String, String> MECH_MAP = constructMechMap();
|
||||
|
||||
@SuppressWarnings("restricted")
|
||||
private static HashMap<String, String> constructMechMap() {
|
||||
try {
|
||||
// Ensure the InetAddress class is loaded before
|
||||
// loading j2gss. The library will access this class
|
||||
@ -87,8 +82,7 @@ public final class SunNativeProvider extends Provider {
|
||||
return null;
|
||||
}
|
||||
String[] gssLibs;
|
||||
String defaultLib
|
||||
= System.getProperty("sun.security.jgss.lib");
|
||||
String defaultLib = System.getProperty("sun.security.jgss.lib");
|
||||
if (defaultLib == null || defaultLib.trim().equals("")) {
|
||||
gssLibs = switch (OperatingSystem.current()) {
|
||||
case LINUX -> new String[]{
|
||||
@ -123,26 +117,23 @@ public final class SunNativeProvider extends Provider {
|
||||
if (DEBUG) {
|
||||
debug("Native MF for " + mechs[i]);
|
||||
}
|
||||
map.put("GssApiMechanism." + mechs[i],
|
||||
MF_CLASS);
|
||||
map.put("GssApiMechanism." + mechs[i], MF_CLASS);
|
||||
}
|
||||
return map;
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
|
||||
// initialize INSTANCE after MECH_MAP is constructed
|
||||
static final Provider INSTANCE = new SunNativeProvider();
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
public SunNativeProvider() {
|
||||
/* We are the Sun NativeGSS provider */
|
||||
super(NAME, PROVIDER_VER, INFO);
|
||||
|
||||
if (MECH_MAP != null) {
|
||||
AccessController.doPrivileged(new PutAllAction(this, MECH_MAP));
|
||||
putAll(MECH_MAP);
|
||||
}
|
||||
}
|
||||
}
|
||||
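Review bot: The new `constructMechMap()` has no doc comment, although its result decides whether the provider registers anything: both hunks show a `return null;` path, and the constructor only calls `putAll(MECH_MAP)` when the map is non-null. I would add a short Javadoc such as `/** Builds the "GssApiMechanism.<oid>" to factory-class map; returns null when no native mechanisms can be registered. */`. It is also worth stating there that `sun.security.jgss.lib` selects the native library to load (presumably in the part of the method outside these hunks), so the property has to come from trusted launch configuration. The method body continues between the hunks, so the exact failure conditions should be confirmed against the full file.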
|
@ -34,19 +34,15 @@ import java.io.*;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Paths;
|
||||
import java.nio.file.Path;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.*;
|
||||
import java.net.InetAddress;
|
||||
import java.net.UnknownHostException;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import jdk.internal.util.OperatingSystem;
|
||||
import sun.net.dns.ResolverConfiguration;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.krb5.internal.crypto.EType;
|
||||
import sun.security.krb5.internal.Krb5;
|
||||
import sun.security.util.SecurityProperties;
|
||||
@ -164,7 +160,7 @@ public class Config {
|
||||
return false;
|
||||
}
|
||||
|
||||
String osVersion = GetPropertyAction.privilegedGetProperty("os.version");
|
||||
String osVersion = System.getProperty("os.version");
|
||||
String[] fragments = osVersion.split("\\.");
|
||||
if (fragments.length < 2) return false;
|
||||
|
||||
@ -188,16 +184,14 @@ public class Config {
|
||||
/*
|
||||
* If either one system property is specified, we throw exception.
|
||||
*/
|
||||
String tmp = GetPropertyAction
|
||||
.privilegedGetProperty("java.security.krb5.kdc");
|
||||
String tmp = System.getProperty("java.security.krb5.kdc");
|
||||
if (tmp != null) {
|
||||
// The user can specify a list of kdc hosts separated by ":"
|
||||
defaultKDC = tmp.replace(':', ' ');
|
||||
} else {
|
||||
defaultKDC = null;
|
||||
}
|
||||
defaultRealm = GetPropertyAction
|
||||
.privilegedGetProperty("java.security.krb5.realm");
|
||||
defaultRealm = System.getProperty("java.security.krb5.realm");
|
||||
if ((defaultKDC == null && defaultRealm != null) ||
|
||||
(defaultRealm == null && defaultKDC != null)) {
|
||||
throw new KrbException
|
||||
@ -666,7 +660,6 @@ public class Config {
|
||||
* @param fileName the configuration file
|
||||
* @return normalized lines
|
||||
*/
|
||||
@SuppressWarnings("removal")
|
||||
private List<String> loadConfigFile(final String fileName)
|
||||
throws IOException, KrbException {
|
||||
|
||||
@ -677,32 +670,15 @@ public class Config {
|
||||
List<String> raw = new ArrayList<>();
|
||||
Set<Path> dupsCheck = new HashSet<>();
|
||||
|
||||
try {
|
||||
Path fullp = AccessController.doPrivileged((PrivilegedAction<Path>)
|
||||
() -> Paths.get(fileName).toAbsolutePath(),
|
||||
null,
|
||||
new PropertyPermission("user.dir", "read"));
|
||||
AccessController.doPrivileged(
|
||||
new PrivilegedExceptionAction<Void>() {
|
||||
@Override
|
||||
public Void run() throws IOException {
|
||||
Path fullp = Paths.get(fileName).toAbsolutePath();
|
||||
Path path = Paths.get(fileName);
|
||||
if (!Files.exists(path)) {
|
||||
// This is OK. There are other ways to get
|
||||
// Kerberos 5 settings
|
||||
return null;
|
||||
} else {
|
||||
return readConfigFileLines(
|
||||
fullp, raw, dupsCheck);
|
||||
}
|
||||
}
|
||||
},
|
||||
null,
|
||||
// include/includedir can go anywhere
|
||||
new FilePermission("<<ALL FILES>>", "read"));
|
||||
} catch (java.security.PrivilegedActionException pe) {
|
||||
throw (IOException)pe.getException();
|
||||
readConfigFileLines(fullp, raw, dupsCheck);
|
||||
}
|
||||
|
||||
String previous = null;
|
||||
for (String line: raw) {
|
||||
if (line.startsWith("[")) {
|
||||
@ -862,10 +838,9 @@ public class Config {
|
||||
* The method returns null if it cannot find a Java config file.
|
||||
*/
|
||||
private String getJavaFileName() {
|
||||
String name = GetPropertyAction
|
||||
.privilegedGetProperty("java.security.krb5.conf");
|
||||
String name = System.getProperty("java.security.krb5.conf");
|
||||
if (name == null) {
|
||||
name = GetPropertyAction.privilegedGetProperty("java.home")
|
||||
name = System.getProperty("java.home")
|
||||
+ File.separator + "conf" + File.separator + "security"
|
||||
+ File.separator + "krb5.conf";
|
||||
if (!fileExists(name)) {
|
||||
@ -942,7 +917,7 @@ public class Config {
|
||||
}
|
||||
|
||||
private String findMacosConfigFile() {
|
||||
String userHome = GetPropertyAction.privilegedGetProperty("user.home");
|
||||
String userHome = System.getProperty("user.home");
|
||||
final String PREF_FILE = "/Library/Preferences/edu.mit.Kerberos";
|
||||
String userPrefs = userHome + PREF_FILE;
|
||||
|
||||
@ -1185,7 +1160,6 @@ public class Config {
|
||||
* @throws KrbException where no realm can be located
|
||||
* @return the default realm, always non null
|
||||
*/
|
||||
@SuppressWarnings("removal")
|
||||
public String getDefaultRealm() throws KrbException {
|
||||
if (defaultRealm != null) {
|
||||
return defaultRealm;
|
||||
@ -1201,16 +1175,9 @@ public class Config {
|
||||
}
|
||||
}
|
||||
if (realm == null) {
|
||||
realm = java.security.AccessController.doPrivileged(
|
||||
new java.security.PrivilegedAction<String>() {
|
||||
@Override
|
||||
public String run() {
|
||||
if (OperatingSystem.isWindows()) {
|
||||
return System.getenv("USERDNSDOMAIN");
|
||||
realm = System.getenv("USERDNSDOMAIN");
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
if (realm == null) {
|
||||
KrbException ke = new KrbException("Cannot locate default realm");
|
||||
@ -1229,7 +1196,6 @@ public class Config {
|
||||
* @throws KrbException if there's no way to find KDC for the realm
|
||||
* @return the list of KDCs separated by a space, always non null
|
||||
*/
|
||||
@SuppressWarnings("removal")
|
||||
public String getKDCList(String realm) throws KrbException {
|
||||
if (realm == null) {
|
||||
realm = getDefaultRealm();
|
||||
@ -1248,21 +1214,14 @@ public class Config {
|
||||
}
|
||||
}
|
||||
if (kdcs == null) {
|
||||
kdcs = java.security.AccessController.doPrivileged(
|
||||
new java.security.PrivilegedAction<String>() {
|
||||
@Override
|
||||
public String run() {
|
||||
if (OperatingSystem.isWindows()) {
|
||||
String logonServer = System.getenv("LOGONSERVER");
|
||||
if (logonServer != null
|
||||
&& logonServer.startsWith("\\\\")) {
|
||||
logonServer = logonServer.substring(2);
|
||||
}
|
||||
return logonServer;
|
||||
kdcs = logonServer;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
if (kdcs == null) {
|
||||
if (defaultKDC != null) {
|
||||
@ -1381,24 +1340,8 @@ public class Config {
|
||||
return kdcs;
|
||||
}
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
private boolean fileExists(String name) {
|
||||
return java.security.AccessController.doPrivileged(
|
||||
new FileExistsAction(name));
|
||||
}
|
||||
|
||||
static class FileExistsAction
|
||||
implements java.security.PrivilegedAction<Boolean> {
|
||||
|
||||
private String fileName;
|
||||
|
||||
public FileExistsAction(String fileName) {
|
||||
this.fileName = fileName;
|
||||
}
|
||||
|
||||
public Boolean run() {
|
||||
return new File(fileName).exists();
|
||||
}
|
||||
return new File(name).exists();
|
||||
}
|
||||
|
||||
// Shows the content of the Config object for debug purpose.
|
||||
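Review bot: In `loadConfigFile`, the missing-file branch still ends in `return null;`, which looks carried over from the removed `PrivilegedExceptionAction<Void>.run()`, where it only ended the action. At method level it would return null from a method documented as returning "normalized lines", instead of falling through with an empty `raw` list as before. The +/- markers are lost on this page and the end of the method and its callers are outside the hunk, so this needs confirming against the full file. If it holds, `if (Files.exists(path)) { readConfigFileLines(fullp, raw, dupsCheck); }` keeps the previous result for a missing krb5.conf and avoids handing null to whatever parses the returned list.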
|
@ -524,19 +524,13 @@ public class Credentials {
|
||||
}
|
||||
|
||||
|
||||
@SuppressWarnings({"removal", "restricted"})
|
||||
@SuppressWarnings("restricted")
|
||||
static void ensureLoaded() {
|
||||
java.security.AccessController.doPrivileged(
|
||||
new java.security.PrivilegedAction<Void> () {
|
||||
public Void run() {
|
||||
if (OperatingSystem.isMacOS()) {
|
||||
System.loadLibrary("osxkrb5");
|
||||
} else {
|
||||
System.loadLibrary("w2k_lsa_auth");
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
alreadyLoaded = true;
|
||||
}
|
||||
|
||||
|
@ -31,7 +31,6 @@
|
||||
|
||||
package sun.security.krb5;
|
||||
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.Security;
|
||||
import java.util.Locale;
|
||||
import sun.security.krb5.internal.Krb5;
|
||||
@ -39,9 +38,6 @@ import sun.security.krb5.internal.NetClient;
|
||||
import java.io.IOException;
|
||||
import java.net.SocketTimeoutException;
|
||||
import java.util.StringTokenizer;
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.security.PrivilegedActionException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
@ -98,13 +94,7 @@ public final class KdcComm {
|
||||
* Read global settings
|
||||
*/
|
||||
public static void initStatic() {
|
||||
@SuppressWarnings("removal")
|
||||
String value = AccessController.doPrivileged(
|
||||
new PrivilegedAction<String>() {
|
||||
public String run() {
|
||||
return Security.getProperty("krb5.kdc.bad.policy");
|
||||
}
|
||||
});
|
||||
String value = Security.getProperty("krb5.kdc.bad.policy");
|
||||
if (value != null) {
|
||||
value = value.toLowerCase(Locale.ENGLISH);
|
||||
String[] ss = value.split(":");
|
||||
@ -349,51 +339,6 @@ public final class KdcComm {
|
||||
+ ", #bytes=" + obuf.length);
|
||||
}
|
||||
|
||||
KdcCommunication kdcCommunication =
|
||||
new KdcCommunication(kdc, port, useTCP, timeout, retries, obuf);
|
||||
try {
|
||||
@SuppressWarnings("removal")
|
||||
byte[] ibuf = AccessController.doPrivileged(kdcCommunication);
|
||||
if (DEBUG != null) {
|
||||
DEBUG.println(">>> KrbKdcReq send: #bytes read="
|
||||
+ (ibuf != null ? ibuf.length : 0));
|
||||
}
|
||||
return ibuf;
|
||||
} catch (PrivilegedActionException e) {
|
||||
Exception wrappedException = e.getException();
|
||||
if (wrappedException instanceof IOException) {
|
||||
throw (IOException) wrappedException;
|
||||
} else {
|
||||
throw (KrbException) wrappedException;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private static class KdcCommunication
|
||||
implements PrivilegedExceptionAction<byte[]> {
|
||||
|
||||
private String kdc;
|
||||
private int port;
|
||||
private boolean useTCP;
|
||||
private int timeout;
|
||||
private int retries;
|
||||
private byte[] obuf;
|
||||
|
||||
public KdcCommunication(String kdc, int port, boolean useTCP,
|
||||
int timeout, int retries, byte[] obuf) {
|
||||
this.kdc = kdc;
|
||||
this.port = port;
|
||||
this.useTCP = useTCP;
|
||||
this.timeout = timeout;
|
||||
this.retries = retries;
|
||||
this.obuf = obuf;
|
||||
}
|
||||
|
||||
// The caller only casts IOException and KrbException so don't
|
||||
// add any new ones!
|
||||
|
||||
public byte[] run() throws IOException, KrbException {
|
||||
|
||||
byte[] ibuf = null;
|
||||
|
||||
for (int i=1; i <= retries; i++) {
|
||||
@ -422,8 +367,11 @@ public final class KdcComm {
|
||||
}
|
||||
}
|
||||
}
|
||||
return ibuf;
|
||||
if (DEBUG != null) {
|
||||
DEBUG.println(">>> KrbKdcReq send: #bytes read="
|
||||
+ (ibuf != null ? ibuf.length : 0));
|
||||
}
|
||||
return ibuf;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2006, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2006, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -27,9 +27,6 @@ package sun.security.krb5;
|
||||
|
||||
import sun.security.krb5.internal.Krb5;
|
||||
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedActionException;
|
||||
import java.security.PrivilegedExceptionAction;
|
||||
import java.util.Arrays;
|
||||
import java.util.Hashtable;
|
||||
import java.util.Random;
|
||||
@ -71,7 +68,6 @@ class KrbServiceLocator {
|
||||
* @return An ordered list of hostports for the Kerberos service or null if
|
||||
* the service has not been located.
|
||||
*/
|
||||
@SuppressWarnings("removal")
|
||||
static String[] getKerberosService(String realmName) {
|
||||
|
||||
// search realm in SRV TXT records
|
||||
@ -86,18 +82,8 @@ class KrbServiceLocator {
|
||||
if (!(ctx instanceof DirContext)) {
|
||||
return null; // cannot create a DNS context
|
||||
}
|
||||
Attributes attrs = null;
|
||||
try {
|
||||
// both connect and accept are needed since DNS is thru UDP
|
||||
attrs = AccessController.doPrivileged(
|
||||
(PrivilegedExceptionAction<Attributes>)
|
||||
() -> ((DirContext)ctx).getAttributes(
|
||||
dnsUrl, SRV_TXT_ATTR),
|
||||
null,
|
||||
new java.net.SocketPermission("*", "connect,accept"));
|
||||
} catch (PrivilegedActionException e) {
|
||||
throw (NamingException)e.getCause();
|
||||
}
|
||||
Attributes attrs = ((DirContext)ctx).getAttributes(
|
||||
dnsUrl, SRV_TXT_ATTR);
|
||||
Attribute attr;
|
||||
|
||||
if (attrs != null && ((attr = attrs.get(SRV_TXT)) != null)) {
|
||||
@ -144,7 +130,6 @@ class KrbServiceLocator {
|
||||
* @return An ordered list of hostports for the Kerberos service or null if
|
||||
* the service has not been located.
|
||||
*/
|
||||
@SuppressWarnings("removal")
|
||||
static String[] getKerberosService(String realmName, String protocol) {
|
||||
|
||||
String dnsUrl = "dns:///_kerberos." + protocol + "." + realmName;
|
||||
@ -160,18 +145,8 @@ class KrbServiceLocator {
|
||||
return null; // cannot create a DNS context
|
||||
}
|
||||
|
||||
Attributes attrs = null;
|
||||
try {
|
||||
// both connect and accept are needed since DNS is thru UDP
|
||||
attrs = AccessController.doPrivileged(
|
||||
(PrivilegedExceptionAction<Attributes>)
|
||||
() -> ((DirContext)ctx).getAttributes(
|
||||
dnsUrl, SRV_RR_ATTR),
|
||||
null,
|
||||
new java.net.SocketPermission("*", "connect,accept"));
|
||||
} catch (PrivilegedActionException e) {
|
||||
throw (NamingException)e.getCause();
|
||||
}
|
||||
Attributes attrs = ((DirContext)ctx).getAttributes(
|
||||
dnsUrl, SRV_RR_ATTR);
|
||||
|
||||
Attribute attr;
|
||||
|
||||
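Review bot: Now that the `doPrivileged` lambda is gone, the `ctx instanceof DirContext` guard followed by a `(DirContext)ctx` cast in both `getKerberosService` overloads can use a pattern variable. For the first overload that is `if (!(ctx instanceof DirContext dirCtx)) { return null; }` followed by `Attributes attrs = dirCtx.getAttributes(dnsUrl, SRV_TXT_ATTR);`, and the same with `SRV_RR_ATTR` in the second. This is style only; behaviour is unchanged. Both methods start and end outside the hunks, so the declaration of `ctx` is not visible here.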
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -31,7 +31,6 @@
|
||||
|
||||
package sun.security.krb5;
|
||||
|
||||
import sun.security.action.GetBooleanAction;
|
||||
import sun.security.krb5.internal.Krb5;
|
||||
import sun.security.util.*;
|
||||
import java.io.IOException;
|
||||
@ -48,8 +47,8 @@ import sun.security.krb5.internal.util.KerberosString;
|
||||
*/
|
||||
public class Realm implements Cloneable {
|
||||
|
||||
public static final boolean AUTODEDUCEREALM = GetBooleanAction
|
||||
.privilegedGetProperty("sun.security.krb5.autodeducerealm");
|
||||
public static final boolean AUTODEDUCEREALM =
|
||||
Boolean.getBoolean("sun.security.krb5.autodeducerealm");
|
||||
|
||||
private final String realm; // not null nor empty
|
||||
|
||||
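Review bot: `AUTODEDUCEREALM` has no reader left among the code visible on this page: the checks in `GSSNameElement` and `KerberosPrincipal` that consulted it sit inside the Security Manager blocks this commit deletes. If no other reader remains elsewhere in the tree (not verifiable from here), the public constant and the `sun.security.krb5.autodeducerealm` property should be removed rather than switched to `Boolean.getBoolean`. Otherwise a one-line comment naming what still depends on the flag would keep it from looking like dead configuration.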
|
@ -45,19 +45,18 @@ public class SCDynamicStoreConfig {
|
||||
private static native List<String> getKerberosConfig();
|
||||
|
||||
static {
|
||||
@SuppressWarnings({"removal", "restricted"})
|
||||
boolean isMac = java.security.AccessController.doPrivileged(
|
||||
new java.security.PrivilegedAction<Boolean>() {
|
||||
public Boolean run() {
|
||||
boolean isMac = loadLibrary();
|
||||
if (isMac) installNotificationCallback();
|
||||
}
|
||||
|
||||
@SuppressWarnings("restricted")
|
||||
private static boolean loadLibrary() {
|
||||
if (OperatingSystem.isMacOS()) {
|
||||
System.loadLibrary("osxkrb5");
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
});
|
||||
if (isMac) installNotificationCallback();
|
||||
}
|
||||
|
||||
/**
|
||||
* Calls down to JNI to get the raw Kerberos Config and maps the object
|
||||
|
@ -31,7 +31,6 @@
|
||||
|
||||
package sun.security.krb5.internal;
|
||||
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.util.Debug;
|
||||
|
||||
import java.util.Hashtable;
|
||||
@ -317,8 +316,8 @@ public class Krb5 {
|
||||
}
|
||||
|
||||
// Warning: used by NativeCreds.c
|
||||
public static final Debug DEBUG = Debug.of("krb5", GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.krb5.debug"));
|
||||
public static final Debug DEBUG = Debug.of("krb5",
|
||||
System.getProperty("sun.security.krb5.debug"));
|
||||
|
||||
static {
|
||||
errMsgList = new Hashtable<Integer,String> ();
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -25,7 +25,6 @@
|
||||
|
||||
package sun.security.krb5.internal;
|
||||
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.krb5.internal.rcache.AuthTimeWithHash;
|
||||
import sun.security.krb5.internal.rcache.MemoryCache;
|
||||
import sun.security.krb5.internal.rcache.DflCache;
|
||||
@ -54,8 +53,7 @@ public abstract class ReplayCache {
|
||||
}
|
||||
}
|
||||
public static ReplayCache getInstance() {
|
||||
String type = GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.krb5.rcache");
|
||||
String type = System.getProperty("sun.security.krb5.rcache");
|
||||
return getInstance(type);
|
||||
}
|
||||
|
||||
|
@ -34,13 +34,11 @@
|
||||
package sun.security.krb5.internal.ccache;
|
||||
|
||||
import jdk.internal.util.OperatingSystem;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.krb5.*;
|
||||
import sun.security.krb5.internal.*;
|
||||
import sun.security.util.SecurityProperties;
|
||||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
@ -452,17 +450,12 @@ public class FileCredentialsCache extends CredentialsCache
|
||||
|
||||
// The env var can start with TYPE:, we only support FILE: here.
|
||||
// http://docs.oracle.com/cd/E19082-01/819-2252/6n4i8rtr3/index.html
|
||||
@SuppressWarnings("removal")
|
||||
String name = java.security.AccessController.doPrivileged(
|
||||
(PrivilegedAction<String>) () -> {
|
||||
String cache = System.getenv("KRB5CCNAME");
|
||||
if (cache != null &&
|
||||
(cache.length() >= 5) &&
|
||||
cache.regionMatches(true, 0, "FILE:", 0, 5)) {
|
||||
cache = cache.substring(5);
|
||||
String name = System.getenv("KRB5CCNAME");
|
||||
if (name != null &&
|
||||
(name.length() >= 5) &&
|
||||
name.regionMatches(true, 0, "FILE:", 0, 5)) {
|
||||
name = name.substring(5);
|
||||
}
|
||||
return cache;
|
||||
});
|
||||
if (name != null) {
|
||||
if (DEBUG != null) {
|
||||
DEBUG.println(">>>KinitOptions cache name is " + name);
|
||||
@ -502,12 +495,12 @@ public class FileCredentialsCache extends CredentialsCache
|
||||
|
||||
// we did not get the uid;
|
||||
|
||||
String user_name = GetPropertyAction.privilegedGetProperty("user.name");
|
||||
String user_name = System.getProperty("user.name");
|
||||
|
||||
String user_home = GetPropertyAction.privilegedGetProperty("user.home");
|
||||
String user_home = System.getProperty("user.home");
|
||||
|
||||
if (user_home == null) {
|
||||
user_home = GetPropertyAction.privilegedGetProperty("user.dir");
|
||||
user_home = System.getProperty("user.dir");
|
||||
}
|
||||
|
||||
if (user_name != null) {
|
||||
@ -556,19 +549,14 @@ public class FileCredentialsCache extends CredentialsCache
|
||||
}
|
||||
final String[] command = v.toArray(new String[0]);
|
||||
try {
|
||||
@SuppressWarnings("removal")
|
||||
Process p =
|
||||
java.security.AccessController.doPrivileged
|
||||
((PrivilegedAction<Process>) () -> {
|
||||
Process p = null;
|
||||
try {
|
||||
return (Runtime.getRuntime().exec(command));
|
||||
p = Runtime.getRuntime().exec(command);
|
||||
} catch (IOException e) {
|
||||
if (DEBUG != null) {
|
||||
e.printStackTrace(DEBUG.getPrintStream());
|
||||
}
|
||||
return null;
|
||||
}
|
||||
});
|
||||
if (p == null) {
|
||||
// exception occurred during executing the command
|
||||
return null;
|
||||
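Review bot: The `if (p == null)` block after the inner `try` in the last hunk looks unreachable on the new side. `p` is assigned from `Runtime.getRuntime().exec(command)` and the `IOException` handler already returns null, so the comment about an exception during execution describes a path that can no longer be taken. Declaring `final Process p;` before the inner `try` and deleting the null check would make that explicit. The outer `try` and the rest of the method lie outside the hunk, so how the child process's streams are consumed and closed cannot be checked from here. The added and removed sides are inferred from the rendered page, which has lost its `+`/`-` markers.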
|
@ -38,7 +38,6 @@ import java.security.GeneralSecurityException;
|
||||
import javax.crypto.spec.IvParameterSpec;
|
||||
import sun.security.krb5.KrbCryptoException;
|
||||
import java.util.Arrays;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
|
||||
public final class Des {
|
||||
|
||||
@ -53,8 +52,8 @@ public final class Des {
|
||||
// string-to-key encoding. When set, the specified charset
|
||||
// name is used. Otherwise, the system default charset.
|
||||
|
||||
private static final String CHARSET = GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.krb5.msinterop.des.s2kcharset");
|
||||
private static final String CHARSET =
|
||||
System.getProperty("sun.security.krb5.msinterop.des.s2kcharset");
|
||||
|
||||
private static final long[] bad_keys = {
|
||||
0x0101010101010101L, 0xfefefefefefefefeL,
|
||||
|
@ -31,7 +31,6 @@
|
||||
|
||||
package sun.security.krb5.internal.ktab;
|
||||
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.krb5.*;
|
||||
import sun.security.krb5.internal.*;
|
||||
import sun.security.krb5.internal.crypto.*;
|
||||
@ -211,12 +210,10 @@ public class KeyTab implements KeyTabConstants {
|
||||
}
|
||||
|
||||
if (kname == null) {
|
||||
String user_home = GetPropertyAction
|
||||
.privilegedGetProperty("user.home");
|
||||
String user_home = System.getProperty("user.home");
|
||||
|
||||
if (user_home == null) {
|
||||
user_home = GetPropertyAction
|
||||
.privilegedGetProperty("user.dir");
|
||||
user_home = System.getProperty("user.dir");
|
||||
}
|
||||
|
||||
kname = user_home + File.separator + "krb5.keytab";
|
||||
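Review bot: `kname = user_home + File.separator + "krb5.keytab"` has no guard for `user_home` still being null after the `user.dir` fallback. In that case the default keytab name would begin with the literal text `null` and resolve relative to the working directory. Both properties are normally set by the JVM, so this is an edge case, but the keytab location decides which keys are loaded and is worth pinning down. At minimum a comment such as `// user.dir is expected to be non-null; otherwise no default keytab should be derived` would document the assumption. What the enclosing method should return in that case is not visible, since it starts and ends outside the hunk.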
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -25,8 +25,6 @@
|
||||
|
||||
package sun.security.krb5.internal.rcache;
|
||||
|
||||
import sun.security.action.GetBooleanAction;
|
||||
|
||||
import java.util.Objects;
|
||||
|
||||
/**
|
||||
@ -40,7 +38,7 @@ public class AuthTimeWithHash extends AuthTime
|
||||
public static final String DEFAULT_HASH_ALG;
|
||||
|
||||
static {
|
||||
if (GetBooleanAction.privilegedGetProperty("jdk.krb5.rcache.useMD5")) {
|
||||
if (Boolean.getBoolean("jdk.krb5.rcache.useMD5")) {
|
||||
DEFAULT_HASH_ALG = "HASH";
|
||||
} else {
|
||||
DEFAULT_HASH_ALG = "SHA256";
|
||||
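Review bot: The branch that sets `DEFAULT_HASH_ALG = "HASH"` has no comment saying what it selects, and it is the branch a security reader most needs explained. It is taken when `jdk.krb5.rcache.useMD5` is true, so "HASH" presumably denotes the legacy MD5-based replay-cache record format. A line such as `// legacy MD5 records, opt-in for compatibility only; SHA256 is the default` above the assignment would record that. Because the value lands in a `static final` field set during class initialisation, the comment could also state that the choice is fixed for the life of the JVM. The static block's closing lines are outside the hunk.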
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2013, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -38,7 +38,6 @@ import java.nio.file.StandardOpenOption;
|
||||
import java.nio.file.attribute.PosixFilePermission;
|
||||
import java.util.*;
|
||||
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.krb5.internal.KerberosTime;
|
||||
import sun.security.krb5.internal.Krb5;
|
||||
import sun.security.krb5.internal.KrbApErrException;
|
||||
@ -116,7 +115,7 @@ public class DflCache extends ReplayCache {
|
||||
}
|
||||
|
||||
private static String defaultPath() {
|
||||
return GetPropertyAction.privilegedGetProperty("java.io.tmpdir");
|
||||
return System.getProperty("java.io.tmpdir");
|
||||
}
|
||||
|
||||
private static String defaultFile(String server) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2009, 2019, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2009, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -26,7 +26,6 @@
|
||||
package sun.security.krb5.internal.util;
|
||||
|
||||
import java.io.IOException;
|
||||
import sun.security.action.GetPropertyAction;
|
||||
import sun.security.util.DerValue;
|
||||
|
||||
import static java.nio.charset.StandardCharsets.US_ASCII;
|
||||
@ -58,8 +57,8 @@ public final class KerberosString {
|
||||
public static final boolean MSNAME;
|
||||
|
||||
static {
|
||||
String prop = GetPropertyAction
|
||||
.privilegedGetProperty("sun.security.krb5.msinterop.kstring", "true");
|
||||
String prop =
|
||||
System.getProperty("sun.security.krb5.msinterop.kstring", "true");
|
||||
MSNAME = Boolean.parseBoolean(prop);
|
||||
}
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2016, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -41,12 +41,6 @@ class ExtendedGSSContextImpl extends GSSContextImpl
|
||||
|
||||
@Override
|
||||
public Object inquireSecContext(InquireType type) throws GSSException {
|
||||
@SuppressWarnings("removal")
|
||||
SecurityManager security = System.getSecurityManager();
|
||||
if (security != null) {
|
||||
security.checkPermission(
|
||||
new InquireSecContextPermission(type.toString()));
|
||||
}
|
||||
Object output = super.inquireSecContext(type.name());
|
||||
if (output != null) {
|
||||
if (type == InquireType.KRB5_GET_AUTHZ_DATA) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
@ -24,8 +24,6 @@
|
||||
*/
|
||||
package com.sun.security.sasl.gsskerb;
|
||||
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedAction;
|
||||
import java.security.Provider;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.InvalidParameterException;
|
||||
@ -74,19 +72,13 @@ public final class JdkSASL extends Provider {
|
||||
}
|
||||
}
|
||||
|
||||
@SuppressWarnings("removal")
|
||||
public JdkSASL() {
|
||||
super("JdkSASL", PROVIDER_VER, info);
|
||||
|
||||
final Provider p = this;
|
||||
AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
||||
public Void run() {
|
||||
putService(new ProviderService(p, "SaslClientFactory",
|
||||
"GSSAPI", "com.sun.security.sasl.gsskerb.FactoryImpl"));
|
||||
putService(new ProviderService(p, "SaslServerFactory",
|
||||
"GSSAPI", "com.sun.security.sasl.gsskerb.FactoryImpl"));
|
||||
return null;
|
||||
}
|
||||
});
|
||||
}
|
||||
}
|
||||
|