6853328: Support OK-AS-DELEGATE flag
Reviewed-by: valeriep
This commit is contained in:
parent
547328d305
commit
6a6d0a3c7a
@ -99,4 +99,58 @@ public interface ExtendedGSSContext extends GSSContext {
|
|||||||
*/
|
*/
|
||||||
public Object inquireSecContext(InquireType type)
|
public Object inquireSecContext(InquireType type)
|
||||||
throws GSSException;
|
throws GSSException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Requests that the delegation policy be respected. When a true value is
|
||||||
|
* requested, the underlying context would use the delegation policy
|
||||||
|
* defined by the environment as a hint to determine whether credentials
|
||||||
|
* delegation should be performed. This request can only be made on the
|
||||||
|
* context initiator's side and it has to be done prior to the first
|
||||||
|
* call to <code>initSecContext</code>.
|
||||||
|
* <p>
|
||||||
|
* When this flag is false, delegation will only be tried when the
|
||||||
|
* {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
|
||||||
|
* is true.
|
||||||
|
* <p>
|
||||||
|
* When this flag is true but the
|
||||||
|
* {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
|
||||||
|
* is false, delegation will be only tried if the delegation policy permits
|
||||||
|
* delegation.
|
||||||
|
* <p>
|
||||||
|
* When both this flag and the
|
||||||
|
* {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag}
|
||||||
|
* are true, delegation will be always tried. However, if the delegation
|
||||||
|
* policy does not permit delegation, the value of
|
||||||
|
* {@link #getDelegPolicyState} will be false, even
|
||||||
|
* if delegation is performed successfully.
|
||||||
|
* <p>
|
||||||
|
* In any case, if the delegation is not successful, the value returned
|
||||||
|
* by {@link GSSContext#getCredDelegState()} is false, and the value
|
||||||
|
* returned by {@link #getDelegPolicyState()} is also false.
|
||||||
|
* <p>
|
||||||
|
* Not all mechanisms support delegation policy. Therefore, the
|
||||||
|
* application should check to see if the request was honored with the
|
||||||
|
* {@link #getDelegPolicyState() getDelegPolicyState} method. When
|
||||||
|
* delegation policy is not supported, <code>requestDelegPolicy</code>
|
||||||
|
* should return silently without throwing an exception.
|
||||||
|
* <p>
|
||||||
|
* Note: for the Kerberos 5 mechanism, the delegation policy is expressed
|
||||||
|
* through the OK-AS-DELEGATE flag in the service ticket. When it's true,
|
||||||
|
* the KDC permits delegation to the target server. In a cross-realm
|
||||||
|
* environment, in order for delegation be permitted, all cross-realm TGTs
|
||||||
|
* on the authentication path must also have the OK-AS-DELAGATE flags set.
|
||||||
|
* @param state true if the policy should be respected
|
||||||
|
* @throws GSSException containing the following
|
||||||
|
* major error codes:
|
||||||
|
* {@link GSSException#FAILURE GSSException.FAILURE}
|
||||||
|
*/
|
||||||
|
public void requestDelegPolicy(boolean state) throws GSSException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the delegation policy response. Called after a security context
|
||||||
|
* is established. This method can be only called on the initiator's side.
|
||||||
|
* See {@link ExtendedGSSContext#requestDelegPolicy}.
|
||||||
|
* @return the delegation policy response
|
||||||
|
*/
|
||||||
|
public boolean getDelegPolicyState();
|
||||||
}
|
}
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2000-2001 Sun Microsystems, Inc. All Rights Reserved.
|
* Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -678,7 +678,7 @@ public interface GSSContext {
|
|||||||
* are not definitive then the method will attempt to treat all
|
* are not definitive then the method will attempt to treat all
|
||||||
* available bytes as part of the token.<p>
|
* available bytes as part of the token.<p>
|
||||||
*
|
*
|
||||||
* Other than the possible blocking behaviour described above, this
|
* Other than the possible blocking behavior described above, this
|
||||||
* method is equivalent to the byte array based {@link #unwrap(byte[],
|
* method is equivalent to the byte array based {@link #unwrap(byte[],
|
||||||
* int, int, MessageProp) unwrap} method.<p>
|
* int, int, MessageProp) unwrap} method.<p>
|
||||||
*
|
*
|
||||||
@ -826,7 +826,7 @@ public interface GSSContext {
|
|||||||
* are not definitive then the method will attempt to treat all
|
* are not definitive then the method will attempt to treat all
|
||||||
* available bytes as part of the token.<p>
|
* available bytes as part of the token.<p>
|
||||||
*
|
*
|
||||||
* Other than the possible blocking behaviour described above, this
|
* Other than the possible blocking behavior described above, this
|
||||||
* method is equivalent to the byte array based {@link #verifyMIC(byte[],
|
* method is equivalent to the byte array based {@link #verifyMIC(byte[],
|
||||||
* int, int, byte[], int, int, MessageProp) verifyMIC} method.<p>
|
* int, int, byte[], int, int, MessageProp) verifyMIC} method.<p>
|
||||||
*
|
*
|
||||||
@ -917,7 +917,7 @@ public interface GSSContext {
|
|||||||
* getMutualAuthState} method.<p>
|
* getMutualAuthState} method.<p>
|
||||||
*
|
*
|
||||||
* @param state a boolean value indicating whether mutual
|
* @param state a boolean value indicating whether mutual
|
||||||
* authentication shouls be used or not.
|
* authentication should be used or not.
|
||||||
* @see #getMutualAuthState()
|
* @see #getMutualAuthState()
|
||||||
*
|
*
|
||||||
* @throws GSSException containing the following
|
* @throws GSSException containing the following
|
||||||
@ -928,7 +928,7 @@ public interface GSSContext {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Requests that replay detection be enabled for the
|
* Requests that replay detection be enabled for the
|
||||||
* per-message security services after context establishemnt. This
|
* per-message security services after context establishment. This
|
||||||
* request can only be made on the context initiator's side and it has
|
* request can only be made on the context initiator's side and it has
|
||||||
* to be done prior to the first call to
|
* to be done prior to the first call to
|
||||||
* <code>initSecContext</code>. During context establishment replay
|
* <code>initSecContext</code>. During context establishment replay
|
||||||
@ -958,7 +958,7 @@ public interface GSSContext {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Requests that sequence checking be enabled for the
|
* Requests that sequence checking be enabled for the
|
||||||
* per-message security services after context establishemnt. This
|
* per-message security services after context establishment. This
|
||||||
* request can only be made on the context initiator's side and it has
|
* request can only be made on the context initiator's side and it has
|
||||||
* to be done prior to the first call to
|
* to be done prior to the first call to
|
||||||
* <code>initSecContext</code>. During context establishment sequence
|
* <code>initSecContext</code>. During context establishment sequence
|
||||||
|
@ -25,6 +25,7 @@
|
|||||||
|
|
||||||
package sun.net.www.protocol.http.spnego;
|
package sun.net.www.protocol.http.spnego;
|
||||||
|
|
||||||
|
import com.sun.security.jgss.ExtendedGSSContext;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
||||||
import org.ietf.jgss.GSSContext;
|
import org.ietf.jgss.GSSContext;
|
||||||
@ -100,15 +101,10 @@ public class NegotiatorImpl extends Negotiator {
|
|||||||
null,
|
null,
|
||||||
GSSContext.DEFAULT_LIFETIME);
|
GSSContext.DEFAULT_LIFETIME);
|
||||||
|
|
||||||
// In order to support credential delegation in HTTP/SPNEGO,
|
// Always respect delegation policy in HTTP/SPNEGO.
|
||||||
// we always request it before initSecContext. The current
|
if (context instanceof ExtendedGSSContext) {
|
||||||
// implementation will check the OK-AS-DELEGATE flag inside
|
((ExtendedGSSContext)context).requestDelegPolicy(true);
|
||||||
// the service ticket of the web server, and only enable
|
}
|
||||||
// delegation when this flag is set. This check is only
|
|
||||||
// performed when the GSS caller is CALLER_HTTP_NEGOTIATE,
|
|
||||||
// so all other normal GSS-API calls are not affected.
|
|
||||||
|
|
||||||
context.requestCredDeleg(true);
|
|
||||||
oneToken = context.initSecContext(new byte[0], 0, 0);
|
oneToken = context.initSecContext(new byte[0], 0, 0);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -89,7 +89,8 @@ import com.sun.security.jgss.*;
|
|||||||
*/
|
*/
|
||||||
class GSSContextImpl implements ExtendedGSSContext {
|
class GSSContextImpl implements ExtendedGSSContext {
|
||||||
|
|
||||||
private GSSManagerImpl gssManager = null;
|
private final GSSManagerImpl gssManager;
|
||||||
|
private final boolean initiator;
|
||||||
|
|
||||||
// private flags for the context state
|
// private flags for the context state
|
||||||
private static final int PRE_INIT = 1;
|
private static final int PRE_INIT = 1;
|
||||||
@ -99,14 +100,12 @@ class GSSContextImpl implements ExtendedGSSContext {
|
|||||||
|
|
||||||
// instance variables
|
// instance variables
|
||||||
private int currentState = PRE_INIT;
|
private int currentState = PRE_INIT;
|
||||||
private boolean initiator;
|
|
||||||
|
|
||||||
private GSSContextSpi mechCtxt = null;
|
private GSSContextSpi mechCtxt = null;
|
||||||
private Oid mechOid = null;
|
private Oid mechOid = null;
|
||||||
private ObjectIdentifier objId = null;
|
private ObjectIdentifier objId = null;
|
||||||
|
|
||||||
private GSSCredentialImpl myCred = null;
|
private GSSCredentialImpl myCred = null;
|
||||||
private GSSCredentialImpl delegCred = null;
|
|
||||||
|
|
||||||
private GSSNameImpl srcName = null;
|
private GSSNameImpl srcName = null;
|
||||||
private GSSNameImpl targName = null;
|
private GSSNameImpl targName = null;
|
||||||
@ -121,6 +120,7 @@ class GSSContextImpl implements ExtendedGSSContext {
|
|||||||
private boolean reqSequenceDetState = true;
|
private boolean reqSequenceDetState = true;
|
||||||
private boolean reqCredDelegState = false;
|
private boolean reqCredDelegState = false;
|
||||||
private boolean reqAnonState = false;
|
private boolean reqAnonState = false;
|
||||||
|
private boolean reqDelegPolicyState = false;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates a GSSContextImp on the context initiator's side.
|
* Creates a GSSContextImp on the context initiator's side.
|
||||||
@ -221,6 +221,7 @@ class GSSContextImpl implements ExtendedGSSContext {
|
|||||||
mechCtxt.requestSequenceDet(reqSequenceDetState);
|
mechCtxt.requestSequenceDet(reqSequenceDetState);
|
||||||
mechCtxt.requestAnonymity(reqAnonState);
|
mechCtxt.requestAnonymity(reqAnonState);
|
||||||
mechCtxt.setChannelBinding(channelBindings);
|
mechCtxt.setChannelBinding(channelBindings);
|
||||||
|
mechCtxt.requestDelegPolicy(reqDelegPolicyState);
|
||||||
|
|
||||||
objId = new ObjectIdentifier(mechOid.toString());
|
objId = new ObjectIdentifier(mechOid.toString());
|
||||||
|
|
||||||
@ -465,42 +466,42 @@ class GSSContextImpl implements ExtendedGSSContext {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public void requestMutualAuth(boolean state) throws GSSException {
|
public void requestMutualAuth(boolean state) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqMutualAuthState = state;
|
reqMutualAuthState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void requestReplayDet(boolean state) throws GSSException {
|
public void requestReplayDet(boolean state) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqReplayDetState = state;
|
reqReplayDetState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void requestSequenceDet(boolean state) throws GSSException {
|
public void requestSequenceDet(boolean state) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqSequenceDetState = state;
|
reqSequenceDetState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void requestCredDeleg(boolean state) throws GSSException {
|
public void requestCredDeleg(boolean state) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqCredDelegState = state;
|
reqCredDelegState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void requestAnonymity(boolean state) throws GSSException {
|
public void requestAnonymity(boolean state) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqAnonState = state;
|
reqAnonState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void requestConf(boolean state) throws GSSException {
|
public void requestConf(boolean state) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqConfState = state;
|
reqConfState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void requestInteg(boolean state) throws GSSException {
|
public void requestInteg(boolean state) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqIntegState = state;
|
reqIntegState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void requestLifetime(int lifetime) throws GSSException {
|
public void requestLifetime(int lifetime) throws GSSException {
|
||||||
if (mechCtxt == null)
|
if (mechCtxt == null && initiator)
|
||||||
reqLifetime = lifetime;
|
reqLifetime = lifetime;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -630,6 +631,8 @@ class GSSContextImpl implements ExtendedGSSContext {
|
|||||||
targName = null;
|
targName = null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// ExtendedGSSContext methods:
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public Object inquireSecContext(InquireType type) throws GSSException {
|
public Object inquireSecContext(InquireType type) throws GSSException {
|
||||||
SecurityManager security = System.getSecurityManager();
|
SecurityManager security = System.getSecurityManager();
|
||||||
@ -641,4 +644,18 @@ class GSSContextImpl implements ExtendedGSSContext {
|
|||||||
}
|
}
|
||||||
return mechCtxt.inquireSecContext(type);
|
return mechCtxt.inquireSecContext(type);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void requestDelegPolicy(boolean state) throws GSSException {
|
||||||
|
if (mechCtxt == null && initiator)
|
||||||
|
reqDelegPolicyState = state;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean getDelegPolicyState() {
|
||||||
|
if (mechCtxt != null)
|
||||||
|
return mechCtxt.getDelegPolicyState();
|
||||||
|
else
|
||||||
|
return reqDelegPolicyState;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -85,32 +85,39 @@ abstract class InitialToken extends Krb5Token {
|
|||||||
int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE +
|
int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE +
|
||||||
CHECKSUM_FLAGS_SIZE;
|
CHECKSUM_FLAGS_SIZE;
|
||||||
|
|
||||||
if (context.getCredDelegState()) {
|
if (!tgt.isForwardable()) {
|
||||||
if (context.getCaller() instanceof HttpCaller &&
|
context.setCredDelegState(false);
|
||||||
!serviceTicket.getFlags()[Krb5.TKT_OPTS_DELEGATE]) {
|
context.setDelegPolicyState(false);
|
||||||
// When the caller is HTTP/SPNEGO and OK-AS-DELEGATE
|
} else if (context.getCredDelegState()) {
|
||||||
// is not present in the service ticket, delegation
|
if (context.getDelegPolicyState()) {
|
||||||
// is disabled.
|
if (!serviceTicket.checkDelegate()) {
|
||||||
context.setCredDelegState(false);
|
// delegation not permitted by server policy, mark it
|
||||||
} else if (!tgt.isForwardable()) {
|
context.setDelegPolicyState(false);
|
||||||
// XXX log this resetting of delegation state
|
|
||||||
context.setCredDelegState(false);
|
|
||||||
} else {
|
|
||||||
KrbCred krbCred = null;
|
|
||||||
CipherHelper cipherHelper =
|
|
||||||
context.getCipherHelper(serviceTicket.getSessionKey());
|
|
||||||
if (useNullKey(cipherHelper)) {
|
|
||||||
krbCred = new KrbCred(tgt, serviceTicket,
|
|
||||||
EncryptionKey.NULL_KEY);
|
|
||||||
} else {
|
|
||||||
krbCred = new KrbCred(tgt, serviceTicket,
|
|
||||||
serviceTicket.getSessionKey());
|
|
||||||
}
|
}
|
||||||
krbCredMessage = krbCred.getMessage();
|
|
||||||
size += CHECKSUM_DELEG_OPT_SIZE +
|
|
||||||
CHECKSUM_DELEG_LGTH_SIZE +
|
|
||||||
krbCredMessage.length;
|
|
||||||
}
|
}
|
||||||
|
} else if (context.getDelegPolicyState()) {
|
||||||
|
if (serviceTicket.checkDelegate()) {
|
||||||
|
context.setCredDelegState(true);
|
||||||
|
} else {
|
||||||
|
context.setDelegPolicyState(false);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (context.getCredDelegState()) {
|
||||||
|
KrbCred krbCred = null;
|
||||||
|
CipherHelper cipherHelper =
|
||||||
|
context.getCipherHelper(serviceTicket.getSessionKey());
|
||||||
|
if (useNullKey(cipherHelper)) {
|
||||||
|
krbCred = new KrbCred(tgt, serviceTicket,
|
||||||
|
EncryptionKey.NULL_KEY);
|
||||||
|
} else {
|
||||||
|
krbCred = new KrbCred(tgt, serviceTicket,
|
||||||
|
serviceTicket.getSessionKey());
|
||||||
|
}
|
||||||
|
krbCredMessage = krbCred.getMessage();
|
||||||
|
size += CHECKSUM_DELEG_OPT_SIZE +
|
||||||
|
CHECKSUM_DELEG_LGTH_SIZE +
|
||||||
|
krbCredMessage.length;
|
||||||
}
|
}
|
||||||
|
|
||||||
checksumBytes = new byte[size];
|
checksumBytes = new byte[size];
|
||||||
@ -296,6 +303,7 @@ abstract class InitialToken extends Krb5Token {
|
|||||||
return delegCreds;
|
return delegCreds;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Only called by acceptor
|
||||||
public void setContextFlags(Krb5Context context) {
|
public void setContextFlags(Krb5Context context) {
|
||||||
// default for cred delegation is false
|
// default for cred delegation is false
|
||||||
if ((flags & CHECKSUM_DELEG_FLAG) > 0)
|
if ((flags & CHECKSUM_DELEG_FLAG) > 0)
|
||||||
|
@ -78,6 +78,7 @@ class Krb5Context implements GSSContextSpi {
|
|||||||
private boolean sequenceDetState = true;
|
private boolean sequenceDetState = true;
|
||||||
private boolean confState = true;
|
private boolean confState = true;
|
||||||
private boolean integState = true;
|
private boolean integState = true;
|
||||||
|
private boolean delegPolicyState = false;
|
||||||
|
|
||||||
private int mySeqNumber;
|
private int mySeqNumber;
|
||||||
private int peerSeqNumber;
|
private int peerSeqNumber;
|
||||||
@ -299,6 +300,21 @@ class Krb5Context implements GSSContextSpi {
|
|||||||
return sequenceDetState || replayDetState;
|
return sequenceDetState || replayDetState;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Requests that the deleg policy be respected.
|
||||||
|
*/
|
||||||
|
public final void requestDelegPolicy(boolean value) {
|
||||||
|
if (state == STATE_NEW && isInitiator())
|
||||||
|
delegPolicyState = value;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Is deleg policy respected?
|
||||||
|
*/
|
||||||
|
public final boolean getDelegPolicyState() {
|
||||||
|
return delegPolicyState;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Anonymity is a little different in that after an application
|
* Anonymity is a little different in that after an application
|
||||||
* requests anonymity it will want to know whether the mechanism
|
* requests anonymity it will want to know whether the mechanism
|
||||||
@ -422,6 +438,10 @@ class Krb5Context implements GSSContextSpi {
|
|||||||
integState = state;
|
integState = state;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
final void setDelegPolicyState(boolean state) {
|
||||||
|
delegPolicyState = state;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Sets the channel bindings to be used during context
|
* Sets the channel bindings to be used during context
|
||||||
* establishment.
|
* establishment.
|
||||||
|
@ -124,6 +124,8 @@ public interface GSSContextSpi {
|
|||||||
|
|
||||||
public void requestInteg(boolean state) throws GSSException;
|
public void requestInteg(boolean state) throws GSSException;
|
||||||
|
|
||||||
|
public void requestDelegPolicy(boolean state) throws GSSException;
|
||||||
|
|
||||||
public void setChannelBinding(ChannelBinding cb) throws GSSException;
|
public void setChannelBinding(ChannelBinding cb) throws GSSException;
|
||||||
|
|
||||||
public boolean getCredDelegState();
|
public boolean getCredDelegState();
|
||||||
@ -136,6 +138,8 @@ public interface GSSContextSpi {
|
|||||||
|
|
||||||
public boolean getAnonymityState();
|
public boolean getAnonymityState();
|
||||||
|
|
||||||
|
public boolean getDelegPolicyState();
|
||||||
|
|
||||||
public boolean isTransferable() throws GSSException;
|
public boolean isTransferable() throws GSSException;
|
||||||
|
|
||||||
public boolean isProtReady();
|
public boolean isProtReady();
|
||||||
|
@ -63,6 +63,7 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
private boolean sequenceDetState = true;
|
private boolean sequenceDetState = true;
|
||||||
private boolean confState = true;
|
private boolean confState = true;
|
||||||
private boolean integState = true;
|
private boolean integState = true;
|
||||||
|
private boolean delegPolicyState = false;
|
||||||
|
|
||||||
private GSSNameSpi peerName = null;
|
private GSSNameSpi peerName = null;
|
||||||
private GSSNameSpi myName = null;
|
private GSSNameSpi myName = null;
|
||||||
@ -153,6 +154,14 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
integState = value;
|
integState = value;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Requests that deleg policy be respected.
|
||||||
|
*/
|
||||||
|
public final void requestDelegPolicy(boolean value) throws GSSException {
|
||||||
|
if (state == STATE_NEW && isInitiator())
|
||||||
|
delegPolicyState = value;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Is integrity available?
|
* Is integrity available?
|
||||||
*/
|
*/
|
||||||
@ -160,6 +169,19 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
return integState;
|
return integState;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Is deleg policy respected?
|
||||||
|
*/
|
||||||
|
public final boolean getDelegPolicyState() {
|
||||||
|
if (isInitiator() && mechContext != null &&
|
||||||
|
mechContext instanceof ExtendedGSSContext &&
|
||||||
|
(state == STATE_IN_PROCESS || state == STATE_DONE)) {
|
||||||
|
return ((ExtendedGSSContext)mechContext).getDelegPolicyState();
|
||||||
|
} else {
|
||||||
|
return delegPolicyState;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Requests that credential delegation be done during context
|
* Requests that credential delegation be done during context
|
||||||
* establishment.
|
* establishment.
|
||||||
@ -173,7 +195,7 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
* Is credential delegation enabled?
|
* Is credential delegation enabled?
|
||||||
*/
|
*/
|
||||||
public final boolean getCredDelegState() {
|
public final boolean getCredDelegState() {
|
||||||
if (mechContext != null &&
|
if (isInitiator() && mechContext != null &&
|
||||||
(state == STATE_IN_PROCESS || state == STATE_DONE)) {
|
(state == STATE_IN_PROCESS || state == STATE_DONE)) {
|
||||||
return mechContext.getCredDelegState();
|
return mechContext.getCredDelegState();
|
||||||
} else {
|
} else {
|
||||||
@ -201,30 +223,6 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
return mutualAuthState;
|
return mutualAuthState;
|
||||||
}
|
}
|
||||||
|
|
||||||
final void setCredDelegState(boolean state) {
|
|
||||||
credDelegState = state;
|
|
||||||
}
|
|
||||||
|
|
||||||
final void setMutualAuthState(boolean state) {
|
|
||||||
mutualAuthState = state;
|
|
||||||
}
|
|
||||||
|
|
||||||
final void setReplayDetState(boolean state) {
|
|
||||||
replayDetState = state;
|
|
||||||
}
|
|
||||||
|
|
||||||
final void setSequenceDetState(boolean state) {
|
|
||||||
sequenceDetState = state;
|
|
||||||
}
|
|
||||||
|
|
||||||
final void setConfState(boolean state) {
|
|
||||||
confState = state;
|
|
||||||
}
|
|
||||||
|
|
||||||
final void setIntegState(boolean state) {
|
|
||||||
integState = state;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the mechanism oid.
|
* Returns the mechanism oid.
|
||||||
*
|
*
|
||||||
@ -653,6 +651,10 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
throw gssException;
|
throw gssException;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (state == STATE_DONE) {
|
||||||
|
// now set the context flags for acceptor
|
||||||
|
setContextFlags();
|
||||||
|
}
|
||||||
return retVal;
|
return retVal;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -703,28 +705,31 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
return out;
|
return out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Only called on acceptor side. On the initiator side, most flags
|
||||||
|
// are already set at request. For those that might get chanegd,
|
||||||
|
// state from mech below is used.
|
||||||
private void setContextFlags() {
|
private void setContextFlags() {
|
||||||
|
|
||||||
if (mechContext != null) {
|
if (mechContext != null) {
|
||||||
// default for cred delegation is false
|
// default for cred delegation is false
|
||||||
if (mechContext.getCredDelegState()) {
|
if (mechContext.getCredDelegState()) {
|
||||||
setCredDelegState(true);
|
credDelegState = true;
|
||||||
}
|
}
|
||||||
// default for the following are true
|
// default for the following are true
|
||||||
if (!mechContext.getMutualAuthState()) {
|
if (!mechContext.getMutualAuthState()) {
|
||||||
setMutualAuthState(false);
|
mutualAuthState = false;
|
||||||
}
|
}
|
||||||
if (!mechContext.getReplayDetState()) {
|
if (!mechContext.getReplayDetState()) {
|
||||||
setReplayDetState(false);
|
replayDetState = false;
|
||||||
}
|
}
|
||||||
if (!mechContext.getSequenceDetState()) {
|
if (!mechContext.getSequenceDetState()) {
|
||||||
setSequenceDetState(false);
|
sequenceDetState = false;
|
||||||
}
|
}
|
||||||
if (!mechContext.getIntegState()) {
|
if (!mechContext.getIntegState()) {
|
||||||
setIntegState(false);
|
integState = false;
|
||||||
}
|
}
|
||||||
if (!mechContext.getConfState()) {
|
if (!mechContext.getConfState()) {
|
||||||
setConfState(false);
|
confState = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -837,6 +842,10 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
mechContext.requestMutualAuth(mutualAuthState);
|
mechContext.requestMutualAuth(mutualAuthState);
|
||||||
mechContext.requestReplayDet(replayDetState);
|
mechContext.requestReplayDet(replayDetState);
|
||||||
mechContext.requestSequenceDet(sequenceDetState);
|
mechContext.requestSequenceDet(sequenceDetState);
|
||||||
|
if (mechContext instanceof ExtendedGSSContext) {
|
||||||
|
((ExtendedGSSContext)mechContext).requestDelegPolicy(
|
||||||
|
delegPolicyState);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// pass token
|
// pass token
|
||||||
@ -1202,5 +1211,5 @@ public class SpNegoContext implements GSSContextSpi {
|
|||||||
"inquireSecContext not supported by underlying mech.");
|
"inquireSecContext not supported by underlying mech.");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -549,6 +549,9 @@ class NativeGSSContext implements GSSContextSpi {
|
|||||||
public void requestInteg(boolean state) throws GSSException {
|
public void requestInteg(boolean state) throws GSSException {
|
||||||
changeFlags(GSS_C_INTEG_FLAG, state);
|
changeFlags(GSS_C_INTEG_FLAG, state);
|
||||||
}
|
}
|
||||||
|
public void requestDelegPolicy(boolean state) throws GSSException {
|
||||||
|
// Not supported, ignore
|
||||||
|
}
|
||||||
public void requestLifetime(int lifetime) throws GSSException {
|
public void requestLifetime(int lifetime) throws GSSException {
|
||||||
if (isInitiator && pContext == 0) {
|
if (isInitiator && pContext == 0) {
|
||||||
this.lifetime = lifetime;
|
this.lifetime = lifetime;
|
||||||
@ -590,6 +593,9 @@ class NativeGSSContext implements GSSContextSpi {
|
|||||||
public boolean getIntegState() {
|
public boolean getIntegState() {
|
||||||
return checkFlags(GSS_C_INTEG_FLAG);
|
return checkFlags(GSS_C_INTEG_FLAG);
|
||||||
}
|
}
|
||||||
|
public boolean getDelegPolicyState() {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
public int getLifetime() {
|
public int getLifetime() {
|
||||||
return cStub.getContextTime(pContext);
|
return cStub.getContextTime(pContext);
|
||||||
}
|
}
|
||||||
|
@ -234,7 +234,19 @@ public class Credentials {
|
|||||||
* @return true if OK-AS_DELEGATE flag is set, otherwise, return false.
|
* @return true if OK-AS_DELEGATE flag is set, otherwise, return false.
|
||||||
*/
|
*/
|
||||||
public boolean checkDelegate() {
|
public boolean checkDelegate() {
|
||||||
return (flags.get(Krb5.TKT_OPTS_DELEGATE));
|
return flags.get(Krb5.TKT_OPTS_DELEGATE);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reset TKT_OPTS_DELEGATE to false, called at credentials acquirement
|
||||||
|
* when one of the cross-realm TGTs does not have the OK-AS-DELEGATE
|
||||||
|
* flag set. This info must be preservable and restorable through
|
||||||
|
* the Krb5Util.credsToTicket/ticketToCreds() methods so that even if
|
||||||
|
* the service ticket is cached it still remembers the cross-realm
|
||||||
|
* authentication result.
|
||||||
|
*/
|
||||||
|
public void resetDelegate() {
|
||||||
|
flags.set(Krb5.TKT_OPTS_DELEGATE, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
public Credentials renew() throws KrbException, IOException {
|
public Credentials renew() throws KrbException, IOException {
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Portions Copyright 2001-2004 Sun Microsystems, Inc. All Rights Reserved.
|
* Portions Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -117,6 +117,7 @@ rs.
|
|||||||
|
|
||||||
// Get a list of realms to traverse
|
// Get a list of realms to traverse
|
||||||
String[] realms = Realm.getRealmsList(localRealm, serviceRealm);
|
String[] realms = Realm.getRealmsList(localRealm, serviceRealm);
|
||||||
|
boolean okAsDelegate = true;
|
||||||
|
|
||||||
if (realms == null || realms.length == 0)
|
if (realms == null || realms.length == 0)
|
||||||
{
|
{
|
||||||
@ -194,6 +195,15 @@ rs.
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
newTgtRealm = newTgt.getServer().getInstanceComponent();
|
newTgtRealm = newTgt.getServer().getInstanceComponent();
|
||||||
|
if (okAsDelegate && !newTgt.checkDelegate()) {
|
||||||
|
if (DEBUG)
|
||||||
|
{
|
||||||
|
System.out.println(">>> Credentials acquireServiceCreds: " +
|
||||||
|
"global OK-AS-DELEGATE turned off at " +
|
||||||
|
newTgt.getServer());
|
||||||
|
}
|
||||||
|
okAsDelegate = false;
|
||||||
|
}
|
||||||
|
|
||||||
if (DEBUG)
|
if (DEBUG)
|
||||||
{
|
{
|
||||||
@ -283,6 +293,9 @@ rs.
|
|||||||
System.out.println(">>> Credentials acquireServiceCreds: returning creds:");
|
System.out.println(">>> Credentials acquireServiceCreds: returning creds:");
|
||||||
Credentials.printDebug(theCreds);
|
Credentials.printDebug(theCreds);
|
||||||
}
|
}
|
||||||
|
if (!okAsDelegate) {
|
||||||
|
theCreds.resetDelegate();
|
||||||
|
}
|
||||||
return theCreds;
|
return theCreds;
|
||||||
}
|
}
|
||||||
throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED,
|
throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED,
|
||||||
|
@ -72,7 +72,7 @@ import com.sun.security.jgss.AuthorizationDataEntry;
|
|||||||
public class Context {
|
public class Context {
|
||||||
|
|
||||||
private Subject s;
|
private Subject s;
|
||||||
private GSSContext x;
|
private ExtendedGSSContext x;
|
||||||
private boolean f; // context established?
|
private boolean f; // context established?
|
||||||
private String name;
|
private String name;
|
||||||
private GSSCredential cred; // see static method delegated().
|
private GSSCredential cred; // see static method delegated().
|
||||||
@ -147,8 +147,8 @@ public class Context {
|
|||||||
@Override
|
@Override
|
||||||
public byte[] run(Context me, byte[] dummy) throws Exception {
|
public byte[] run(Context me, byte[] dummy) throws Exception {
|
||||||
GSSManager m = GSSManager.getInstance();
|
GSSManager m = GSSManager.getInstance();
|
||||||
me.x = m.createContext(
|
me.x = (ExtendedGSSContext)m.createContext(
|
||||||
target.indexOf('@') < 0 ?
|
target.indexOf('@') < 0 ?
|
||||||
m.createName(target, null) :
|
m.createName(target, null) :
|
||||||
m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
|
m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
|
||||||
mech,
|
mech,
|
||||||
@ -170,7 +170,7 @@ public class Context {
|
|||||||
@Override
|
@Override
|
||||||
public byte[] run(Context me, byte[] dummy) throws Exception {
|
public byte[] run(Context me, byte[] dummy) throws Exception {
|
||||||
GSSManager m = GSSManager.getInstance();
|
GSSManager m = GSSManager.getInstance();
|
||||||
me.x = m.createContext(m.createCredential(
|
me.x = (ExtendedGSSContext)m.createContext(m.createCredential(
|
||||||
null,
|
null,
|
||||||
GSSCredential.INDEFINITE_LIFETIME,
|
GSSCredential.INDEFINITE_LIFETIME,
|
||||||
mech,
|
mech,
|
||||||
@ -193,7 +193,7 @@ public class Context {
|
|||||||
*
|
*
|
||||||
* @return the GSSContext object
|
* @return the GSSContext object
|
||||||
*/
|
*/
|
||||||
public GSSContext x() {
|
public ExtendedGSSContext x() {
|
||||||
return x;
|
return x;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -255,6 +255,11 @@ public class Context {
|
|||||||
if (x.getSequenceDetState()) {
|
if (x.getSequenceDetState()) {
|
||||||
sb.append("seq det, ");
|
sb.append("seq det, ");
|
||||||
}
|
}
|
||||||
|
if (x instanceof ExtendedGSSContext) {
|
||||||
|
if (((ExtendedGSSContext)x).getDelegPolicyState()) {
|
||||||
|
sb.append("deleg policy, ");
|
||||||
|
}
|
||||||
|
}
|
||||||
System.out.println("Context status of " + name + ": " + sb.toString());
|
System.out.println("Context status of " + name + ": " + sb.toString());
|
||||||
System.out.println(x.getSrcName() + " -> " + x.getTargName());
|
System.out.println(x.getSrcName() + " -> " + x.getTargName());
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
|
@ -63,6 +63,14 @@ import sun.security.util.DerValue;
|
|||||||
* settings after calling a KDC method, call <code>Config.refresh()</code> to
|
* settings after calling a KDC method, call <code>Config.refresh()</code> to
|
||||||
* make sure your changes are reflected in the <code>Config</code> object.
|
* make sure your changes are reflected in the <code>Config</code> object.
|
||||||
* </ol>
|
* </ol>
|
||||||
|
* System properties recognized:
|
||||||
|
* <ul>
|
||||||
|
* <li>test.kdc.save.ccache
|
||||||
|
* </ul>
|
||||||
|
* Support policies:
|
||||||
|
* <ul>
|
||||||
|
* <li>ok-as-delegate
|
||||||
|
* </ul>
|
||||||
* Issues and TODOs:
|
* Issues and TODOs:
|
||||||
* <ol>
|
* <ol>
|
||||||
* <li> Generates krb5.conf to be used on another machine, currently the kdc is
|
* <li> Generates krb5.conf to be used on another machine, currently the kdc is
|
||||||
@ -151,7 +159,7 @@ public class KDC {
|
|||||||
* A standalone KDC server.
|
* A standalone KDC server.
|
||||||
*/
|
*/
|
||||||
public static void main(String[] args) throws Exception {
|
public static void main(String[] args) throws Exception {
|
||||||
KDC kdc = create("RABBIT.HOLE", "kdc.rabbit,hole", 0, false);
|
KDC kdc = create("RABBIT.HOLE", "kdc.rabbit.hole", 0, false);
|
||||||
kdc.addPrincipal("dummy", "bogus".toCharArray());
|
kdc.addPrincipal("dummy", "bogus".toCharArray());
|
||||||
kdc.addPrincipal("foo", "bar".toCharArray());
|
kdc.addPrincipal("foo", "bar".toCharArray());
|
||||||
kdc.addPrincipalRandKey("krbtgt/RABBIT.HOLE");
|
kdc.addPrincipalRandKey("krbtgt/RABBIT.HOLE");
|
||||||
@ -426,14 +434,17 @@ public class KDC {
|
|||||||
* @throws sun.security.krb5.KrbException when the principal is not inside
|
* @throws sun.security.krb5.KrbException when the principal is not inside
|
||||||
* the database.
|
* the database.
|
||||||
*/
|
*/
|
||||||
private char[] getPassword(PrincipalName p) throws KrbException {
|
private char[] getPassword(PrincipalName p, boolean server)
|
||||||
|
throws KrbException {
|
||||||
String pn = p.toString();
|
String pn = p.toString();
|
||||||
if (p.getRealmString() == null) {
|
if (p.getRealmString() == null) {
|
||||||
pn = pn + "@" + getRealm();
|
pn = pn + "@" + getRealm();
|
||||||
}
|
}
|
||||||
char[] pass = passwords.get(pn);
|
char[] pass = passwords.get(pn);
|
||||||
if (pass == null) {
|
if (pass == null) {
|
||||||
throw new KrbException(Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN);
|
throw new KrbException(server?
|
||||||
|
Krb5.KDC_ERR_S_PRINCIPAL_UNKNOWN:
|
||||||
|
Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN);
|
||||||
}
|
}
|
||||||
return pass;
|
return pass;
|
||||||
}
|
}
|
||||||
@ -457,10 +468,12 @@ public class KDC {
|
|||||||
* Returns the key for a given principal of the given encryption type
|
* Returns the key for a given principal of the given encryption type
|
||||||
* @param p the principal
|
* @param p the principal
|
||||||
* @param etype the encryption type
|
* @param etype the encryption type
|
||||||
|
* @param server looking for a server principal?
|
||||||
* @return the key
|
* @return the key
|
||||||
* @throws sun.security.krb5.KrbException for unknown/unsupported etype
|
* @throws sun.security.krb5.KrbException for unknown/unsupported etype
|
||||||
*/
|
*/
|
||||||
private EncryptionKey keyForUser(PrincipalName p, int etype) throws KrbException {
|
private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server)
|
||||||
|
throws KrbException {
|
||||||
try {
|
try {
|
||||||
// Do not call EncryptionKey.acquireSecretKeys(), otherwise
|
// Do not call EncryptionKey.acquireSecretKeys(), otherwise
|
||||||
// the krb5.conf config file would be loaded.
|
// the krb5.conf config file would be loaded.
|
||||||
@ -469,22 +482,71 @@ public class KDC {
|
|||||||
Integer kvno = null;
|
Integer kvno = null;
|
||||||
// For service whose password ending with a number, use it as kvno
|
// For service whose password ending with a number, use it as kvno
|
||||||
if (p.toString().indexOf('/') >= 0) {
|
if (p.toString().indexOf('/') >= 0) {
|
||||||
char[] pass = getPassword(p);
|
char[] pass = getPassword(p, server);
|
||||||
if (Character.isDigit(pass[pass.length-1])) {
|
if (Character.isDigit(pass[pass.length-1])) {
|
||||||
kvno = pass[pass.length-1] - '0';
|
kvno = pass[pass.length-1] - '0';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return new EncryptionKey((byte[]) stringToKey.invoke(
|
return new EncryptionKey((byte[]) stringToKey.invoke(
|
||||||
null, getPassword(p), getSalt(p), null, etype),
|
null, getPassword(p, server), getSalt(p), null, etype),
|
||||||
etype, kvno);
|
etype, kvno);
|
||||||
} catch (InvocationTargetException ex) {
|
} catch (InvocationTargetException ex) {
|
||||||
KrbException ke = (KrbException)ex.getCause();
|
KrbException ke = (KrbException)ex.getCause();
|
||||||
throw ke;
|
throw ke;
|
||||||
|
} catch (KrbException ke) {
|
||||||
|
throw ke;
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
throw new RuntimeException(e); // should not happen
|
throw new RuntimeException(e); // should not happen
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Map<String,String> policies = new HashMap<String,String>();
|
||||||
|
|
||||||
|
public void setPolicy(String rule, String value) {
|
||||||
|
if (value == null) {
|
||||||
|
policies.remove(rule);
|
||||||
|
} else {
|
||||||
|
policies.put(rule, value);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/**
|
||||||
|
* If the provided client/server pair matches a rule
|
||||||
|
*
|
||||||
|
* A system property named test.kdc.policy.RULE will be consulted.
|
||||||
|
* If it's unset, returns false. If its value is "", any pair is
|
||||||
|
* matched. Otherwise, it should contains the server name matched.
|
||||||
|
*
|
||||||
|
* TODO: client name is not used currently.
|
||||||
|
*
|
||||||
|
* @param c client name
|
||||||
|
* @param s server name
|
||||||
|
* @param rule rule name
|
||||||
|
* @return if a match is found
|
||||||
|
*/
|
||||||
|
private boolean configMatch(String c, String s, String rule) {
|
||||||
|
String policy = policies.get(rule);
|
||||||
|
boolean result = false;
|
||||||
|
if (policy == null) {
|
||||||
|
result = false;
|
||||||
|
} else if (policy.length() == 0) {
|
||||||
|
result = true;
|
||||||
|
} else {
|
||||||
|
String[] names = policy.split("\\s+");
|
||||||
|
for (String name: names) {
|
||||||
|
if (name.equals(s)) {
|
||||||
|
result = true;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if (result) {
|
||||||
|
System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n",
|
||||||
|
c, s, rule, result);
|
||||||
|
}
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Processes an incoming request and generates a response.
|
* Processes an incoming request and generates a response.
|
||||||
* @param in the request
|
* @param in the request
|
||||||
@ -530,7 +592,7 @@ public class KDC {
|
|||||||
tkt = apReq.ticket;
|
tkt = apReq.ticket;
|
||||||
etype = tkt.encPart.getEType();
|
etype = tkt.encPart.getEType();
|
||||||
tkt.sname.setRealm(tkt.realm);
|
tkt.sname.setRealm(tkt.realm);
|
||||||
EncryptionKey kkey = keyForUser(tkt.sname, etype);
|
EncryptionKey kkey = keyForUser(tkt.sname, etype, true);
|
||||||
byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET);
|
byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET);
|
||||||
DerInputStream derIn = new DerInputStream(bb);
|
DerInputStream derIn = new DerInputStream(bb);
|
||||||
DerValue der = derIn.getDerValue();
|
DerValue der = derIn.getDerValue();
|
||||||
@ -541,7 +603,7 @@ public class KDC {
|
|||||||
throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
|
throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
EncryptionKey skey = keyForUser(body.sname, etype);
|
EncryptionKey skey = keyForUser(body.sname, etype, true);
|
||||||
if (skey == null) {
|
if (skey == null) {
|
||||||
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
|
throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
|
||||||
}
|
}
|
||||||
@ -581,6 +643,10 @@ public class KDC {
|
|||||||
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
|
if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
|
||||||
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
|
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (configMatch("", body.sname.getNameString(), "ok-as-delegate")) {
|
||||||
|
bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
|
||||||
|
}
|
||||||
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
|
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
|
||||||
|
|
||||||
TicketFlags tFlags = new TicketFlags(bFlags);
|
TicketFlags tFlags = new TicketFlags(bFlags);
|
||||||
@ -671,8 +737,8 @@ public class KDC {
|
|||||||
eTypes = (int[])f.get(body);
|
eTypes = (int[])f.get(body);
|
||||||
int eType = eTypes[0];
|
int eType = eTypes[0];
|
||||||
|
|
||||||
EncryptionKey ckey = keyForUser(body.cname, eType);
|
EncryptionKey ckey = keyForUser(body.cname, eType, false);
|
||||||
EncryptionKey skey = keyForUser(body.sname, eType);
|
EncryptionKey skey = keyForUser(body.sname, eType, true);
|
||||||
if (ckey == null) {
|
if (ckey == null) {
|
||||||
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
|
throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
|
||||||
}
|
}
|
||||||
|
104
jdk/test/sun/security/krb5/auto/OkAsDelegate.java
Normal file
104
jdk/test/sun/security/krb5/auto/OkAsDelegate.java
Normal file
@ -0,0 +1,104 @@
|
|||||||
|
/*
|
||||||
|
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||||
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
*
|
||||||
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License version 2 only, as
|
||||||
|
* published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
* accompanied this code).
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License version
|
||||||
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
*
|
||||||
|
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
||||||
|
* CA 95054 USA or visit www.sun.com if you need additional information or
|
||||||
|
* have any questions.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import com.sun.security.jgss.ExtendedGSSContext;
|
||||||
|
import org.ietf.jgss.GSSCredential;
|
||||||
|
import org.ietf.jgss.GSSException;
|
||||||
|
import org.ietf.jgss.Oid;
|
||||||
|
import sun.security.jgss.GSSUtil;
|
||||||
|
import sun.security.krb5.Config;
|
||||||
|
|
||||||
|
public class OkAsDelegate {
|
||||||
|
|
||||||
|
public static void main(String[] args)
|
||||||
|
throws Exception {
|
||||||
|
OkAsDelegate ok = new OkAsDelegate();
|
||||||
|
ok.go(
|
||||||
|
Boolean.valueOf(args[0]), // FORWARDABLE in krb5.conf on?
|
||||||
|
Boolean.valueOf(args[1]), // requestDelegState
|
||||||
|
Boolean.valueOf(args[2]), // requestDelegPolicyState
|
||||||
|
Boolean.valueOf(args[3]), // DelegState in response
|
||||||
|
Boolean.valueOf(args[4]), // DelegPolicyState in response
|
||||||
|
Boolean.valueOf(args[5]) // getDelegCred OK?
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
void go(
|
||||||
|
boolean forwardable,
|
||||||
|
boolean requestDelegState,
|
||||||
|
boolean requestDelegPolicyState,
|
||||||
|
boolean delegState,
|
||||||
|
boolean delegPolicyState,
|
||||||
|
boolean delegated
|
||||||
|
) throws Exception {
|
||||||
|
OneKDC kdc = new OneKDC(null);
|
||||||
|
kdc.setPolicy("ok-as-delegate",
|
||||||
|
System.getProperty("test.kdc.policy.ok-as-delegate"));
|
||||||
|
kdc.writeJAASConf();
|
||||||
|
if (!forwardable) {
|
||||||
|
// The default OneKDC always includes "forwardable = true"
|
||||||
|
// in krb5.conf, override it.
|
||||||
|
KDC.saveConfig(OneKDC.KRB5_CONF, kdc,
|
||||||
|
"default_keytab_name = " + OneKDC.KTAB);
|
||||||
|
Config.refresh();
|
||||||
|
}
|
||||||
|
|
||||||
|
Context c, s;
|
||||||
|
c = Context.fromJAAS("client");
|
||||||
|
s = Context.fromJAAS("server");
|
||||||
|
|
||||||
|
Oid mech = GSSUtil.GSS_KRB5_MECH_OID;
|
||||||
|
if (System.getProperty("test.spnego") != null) {
|
||||||
|
mech = GSSUtil.GSS_SPNEGO_MECH_OID;
|
||||||
|
}
|
||||||
|
c.startAsClient(OneKDC.SERVER, mech);
|
||||||
|
ExtendedGSSContext cx = (ExtendedGSSContext)c.x();
|
||||||
|
cx.requestCredDeleg(requestDelegState);
|
||||||
|
cx.requestDelegPolicy(requestDelegPolicyState);
|
||||||
|
s.startAsServer(mech);
|
||||||
|
ExtendedGSSContext sx = (ExtendedGSSContext)s.x();
|
||||||
|
|
||||||
|
Context.handshake(c, s);
|
||||||
|
|
||||||
|
if (cx.getCredDelegState() != delegState) {
|
||||||
|
throw new Exception("Initiator cred state error");
|
||||||
|
}
|
||||||
|
if (sx.getCredDelegState() != delegState) {
|
||||||
|
throw new Exception("Acceptor cred state error");
|
||||||
|
}
|
||||||
|
if (cx.getDelegPolicyState() != delegPolicyState) {
|
||||||
|
throw new Exception("Initiator cred policy state error");
|
||||||
|
}
|
||||||
|
|
||||||
|
GSSCredential cred = null;
|
||||||
|
try {
|
||||||
|
cred = s.x().getDelegCred();
|
||||||
|
} catch (GSSException e) {
|
||||||
|
// leave cred as null
|
||||||
|
}
|
||||||
|
|
||||||
|
if (delegated != (cred != null)) {
|
||||||
|
throw new Exception("get cred error");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
156
jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java
Normal file
156
jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java
Normal file
@ -0,0 +1,156 @@
|
|||||||
|
/*
|
||||||
|
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||||
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
*
|
||||||
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
|
* under the terms of the GNU General Public License version 2 only, as
|
||||||
|
* published by the Free Software Foundation.
|
||||||
|
*
|
||||||
|
* This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
* version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
* accompanied this code).
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU General Public License version
|
||||||
|
* 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
*
|
||||||
|
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
||||||
|
* CA 95054 USA or visit www.sun.com if you need additional information or
|
||||||
|
* have any questions.
|
||||||
|
*/
|
||||||
|
|
||||||
|
import com.sun.security.jgss.ExtendedGSSContext;
|
||||||
|
import java.io.File;
|
||||||
|
import java.io.FileOutputStream;
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.security.Security;
|
||||||
|
import javax.security.auth.callback.Callback;
|
||||||
|
import javax.security.auth.callback.CallbackHandler;
|
||||||
|
import javax.security.auth.callback.NameCallback;
|
||||||
|
import javax.security.auth.callback.PasswordCallback;
|
||||||
|
import javax.security.auth.callback.UnsupportedCallbackException;
|
||||||
|
import org.ietf.jgss.GSSContext;
|
||||||
|
import org.ietf.jgss.GSSCredential;
|
||||||
|
import org.ietf.jgss.GSSException;
|
||||||
|
import org.ietf.jgss.GSSManager;
|
||||||
|
import org.ietf.jgss.GSSName;
|
||||||
|
import sun.security.jgss.GSSUtil;
|
||||||
|
import sun.security.krb5.Config;
|
||||||
|
|
||||||
|
public class OkAsDelegateXRealm implements CallbackHandler {
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param args boolean if the program should succeed
|
||||||
|
*/
|
||||||
|
public static void main(String[] args)
|
||||||
|
throws Exception {
|
||||||
|
|
||||||
|
// Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
|
||||||
|
// R1 is trusted by R2, and R2 trusted by R3.
|
||||||
|
KDC kdc1 = KDC.create("R1");
|
||||||
|
kdc1.setPolicy("ok-as-delegate",
|
||||||
|
System.getProperty("test.kdc.policy.ok-as-delegate"));
|
||||||
|
kdc1.addPrincipal("dummy", "bogus".toCharArray());
|
||||||
|
kdc1.addPrincipalRandKey("krbtgt/R1");
|
||||||
|
kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
|
||||||
|
|
||||||
|
KDC kdc2 = KDC.create("R2");
|
||||||
|
kdc2.setPolicy("ok-as-delegate",
|
||||||
|
System.getProperty("test.kdc.policy.ok-as-delegate"));
|
||||||
|
kdc2.addPrincipalRandKey("krbtgt/R2");
|
||||||
|
kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
|
||||||
|
kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
|
||||||
|
|
||||||
|
KDC kdc3 = KDC.create("R3");
|
||||||
|
kdc3.setPolicy("ok-as-delegate",
|
||||||
|
System.getProperty("test.kdc.policy.ok-as-delegate"));
|
||||||
|
kdc3.addPrincipalRandKey("krbtgt/R3");
|
||||||
|
kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
|
||||||
|
kdc3.addPrincipalRandKey("host/host.r3.local");
|
||||||
|
|
||||||
|
KDC.saveConfig("krb5-localkdc.conf", kdc1, kdc2, kdc3,
|
||||||
|
"forwardable=true",
|
||||||
|
"[capaths]",
|
||||||
|
"R1 = {",
|
||||||
|
" R2 = .",
|
||||||
|
" R3 = R2",
|
||||||
|
"}",
|
||||||
|
"[domain_realm]",
|
||||||
|
".r3.local=R3"
|
||||||
|
);
|
||||||
|
|
||||||
|
System.setProperty("java.security.krb5.conf", "krb5-localkdc.conf");
|
||||||
|
kdc3.writeKtab("localkdc.ktab");
|
||||||
|
|
||||||
|
FileOutputStream fos = new FileOutputStream("jaas-localkdc.conf");
|
||||||
|
|
||||||
|
// Defines the client and server on R1 and R3 respectively.
|
||||||
|
fos.write(("com.sun.security.jgss.krb5.initiate {\n" +
|
||||||
|
" com.sun.security.auth.module.Krb5LoginModule\n" +
|
||||||
|
" required\n" +
|
||||||
|
" principal=dummy\n" +
|
||||||
|
" doNotPrompt=false\n" +
|
||||||
|
" useTicketCache=false\n" +
|
||||||
|
" ;\n};\n" +
|
||||||
|
"com.sun.security.jgss.krb5.accept {\n" +
|
||||||
|
" com.sun.security.auth.module.Krb5LoginModule required\n" +
|
||||||
|
" principal=\"host/host.r3.local@R3\"\n" +
|
||||||
|
" useKeyTab=true\n" +
|
||||||
|
" keyTab=localkdc.ktab\n" +
|
||||||
|
" isInitiator=false\n" +
|
||||||
|
" storeKey=true;\n};\n" +
|
||||||
|
"\n").getBytes());
|
||||||
|
fos.close();
|
||||||
|
|
||||||
|
Security.setProperty("auth.login.defaultCallbackHandler",
|
||||||
|
"OkAsDelegateXRealm");
|
||||||
|
|
||||||
|
System.setProperty("java.security.auth.login.config", "jaas-localkdc.conf");
|
||||||
|
|
||||||
|
new File("krb5-localkdc.conf").deleteOnExit();
|
||||||
|
new File("localkdc.ktab").deleteOnExit();
|
||||||
|
new File("jaas-localkdc.conf").deleteOnExit();
|
||||||
|
Config.refresh();
|
||||||
|
|
||||||
|
Context c = Context.fromJAAS("com.sun.security.jgss.krb5.initiate");
|
||||||
|
Context s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
|
||||||
|
|
||||||
|
// Test twice. The frist time the whole cross realm process is tried,
|
||||||
|
// the second time the cached service ticket is used. This is to make sure
|
||||||
|
// the behaviors are the same, especailly for the case when one of the
|
||||||
|
// cross-realm TGTs does not have OK-AS-DELEGATE on.
|
||||||
|
|
||||||
|
for (int i=0; i<2; i++) {
|
||||||
|
c.startAsClient("host@host.r3.local", GSSUtil.GSS_KRB5_MECH_OID);
|
||||||
|
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
|
||||||
|
c.x().requestDelegPolicy(true);
|
||||||
|
|
||||||
|
Context.handshake(c, s);
|
||||||
|
boolean succeed = true;
|
||||||
|
try {
|
||||||
|
s.x().getDelegCred();
|
||||||
|
} catch (GSSException gsse) {
|
||||||
|
succeed = false;
|
||||||
|
}
|
||||||
|
if (succeed != Boolean.parseBoolean(args[0])) {
|
||||||
|
throw new Exception("Test fail at round #" + i);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void handle(Callback[] callbacks)
|
||||||
|
throws IOException, UnsupportedCallbackException {
|
||||||
|
for (Callback callback : callbacks) {
|
||||||
|
if (callback instanceof NameCallback) {
|
||||||
|
((NameCallback) callback).setName("dummy");
|
||||||
|
}
|
||||||
|
if (callback instanceof PasswordCallback) {
|
||||||
|
((PasswordCallback) callback).setPassword("bogus".toCharArray());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
79
jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh
Normal file
79
jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
#
|
||||||
|
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||||
|
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
#
|
||||||
|
# This code is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU General Public License version 2 only, as
|
||||||
|
# published by the Free Software Foundation.
|
||||||
|
#
|
||||||
|
# This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
# version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
# accompanied this code).
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License version
|
||||||
|
# 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
#
|
||||||
|
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
||||||
|
# CA 95054 USA or visit www.sun.com if you need additional information or
|
||||||
|
# have any questions.
|
||||||
|
#
|
||||||
|
|
||||||
|
# @test
|
||||||
|
# @bug 6853328
|
||||||
|
# @summary Support OK-AS-DELEGATE flag
|
||||||
|
# @run shell/timeout=600 ok-as-delegate-xrealm.sh
|
||||||
|
#
|
||||||
|
|
||||||
|
if [ "${TESTSRC}" = "" ] ; then
|
||||||
|
TESTSRC=`dirname $0`
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${TESTJAVA}" = "" ] ; then
|
||||||
|
JAVAC_CMD=`which javac`
|
||||||
|
TESTJAVA=`dirname $JAVAC_CMD`/..
|
||||||
|
fi
|
||||||
|
|
||||||
|
# set platform-dependent variables
|
||||||
|
OS=`uname -s`
|
||||||
|
case "$OS" in
|
||||||
|
Windows_* )
|
||||||
|
FS="\\"
|
||||||
|
SEP=";"
|
||||||
|
;;
|
||||||
|
CYGWIN* )
|
||||||
|
FS="/"
|
||||||
|
SEP=";"
|
||||||
|
;;
|
||||||
|
* )
|
||||||
|
FS="/"
|
||||||
|
SEP=":"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
|
||||||
|
${TESTSRC}${FS}OkAsDelegateXRealm.java \
|
||||||
|
${TESTSRC}${FS}KDC.java \
|
||||||
|
${TESTSRC}${FS}OneKDC.java \
|
||||||
|
${TESTSRC}${FS}Action.java \
|
||||||
|
${TESTSRC}${FS}Context.java \
|
||||||
|
|| exit 10
|
||||||
|
|
||||||
|
# Add $TESTSRC to classpath so that customized nameservice can be used
|
||||||
|
J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}."
|
||||||
|
|
||||||
|
# KDC no OK-AS-DELEGATE, fail
|
||||||
|
$J OkAsDelegateXRealm false || exit 1
|
||||||
|
|
||||||
|
# KDC set OK-AS-DELEGATE for all, succeed
|
||||||
|
$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2
|
||||||
|
|
||||||
|
# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
|
||||||
|
$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3
|
||||||
|
|
||||||
|
# KDC set OK-AS-DELEGATE for all, succeed
|
||||||
|
$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4
|
||||||
|
|
||||||
|
exit 0
|
118
jdk/test/sun/security/krb5/auto/ok-as-delegate.sh
Normal file
118
jdk/test/sun/security/krb5/auto/ok-as-delegate.sh
Normal file
@ -0,0 +1,118 @@
|
|||||||
|
#
|
||||||
|
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
|
||||||
|
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
|
#
|
||||||
|
# This code is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU General Public License version 2 only, as
|
||||||
|
# published by the Free Software Foundation.
|
||||||
|
#
|
||||||
|
# This code is distributed in the hope that it will be useful, but WITHOUT
|
||||||
|
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||||
|
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||||
|
# version 2 for more details (a copy is included in the LICENSE file that
|
||||||
|
# accompanied this code).
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License version
|
||||||
|
# 2 along with this work; if not, write to the Free Software Foundation,
|
||||||
|
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
#
|
||||||
|
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
|
||||||
|
# CA 95054 USA or visit www.sun.com if you need additional information or
|
||||||
|
# have any questions.
|
||||||
|
#
|
||||||
|
|
||||||
|
# @test
|
||||||
|
# @bug 6853328
|
||||||
|
# @summary Support OK-AS-DELEGATE flag
|
||||||
|
# @run shell/timeout=600 ok-as-delegate.sh
|
||||||
|
#
|
||||||
|
|
||||||
|
if [ "${TESTSRC}" = "" ] ; then
|
||||||
|
TESTSRC=`dirname $0`
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "${TESTJAVA}" = "" ] ; then
|
||||||
|
JAVAC_CMD=`which javac`
|
||||||
|
TESTJAVA=`dirname $JAVAC_CMD`/..
|
||||||
|
fi
|
||||||
|
|
||||||
|
# set platform-dependent variables
|
||||||
|
OS=`uname -s`
|
||||||
|
case "$OS" in
|
||||||
|
Windows_* )
|
||||||
|
FS="\\"
|
||||||
|
SEP=";"
|
||||||
|
;;
|
||||||
|
CYGWIN* )
|
||||||
|
FS="/"
|
||||||
|
SEP=";"
|
||||||
|
;;
|
||||||
|
* )
|
||||||
|
FS="/"
|
||||||
|
SEP=":"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
|
||||||
|
${TESTSRC}${FS}OkAsDelegate.java \
|
||||||
|
${TESTSRC}${FS}KDC.java \
|
||||||
|
${TESTSRC}${FS}OneKDC.java \
|
||||||
|
${TESTSRC}${FS}Action.java \
|
||||||
|
${TESTSRC}${FS}Context.java \
|
||||||
|
|| exit 10
|
||||||
|
|
||||||
|
# Testing Kerberos 5
|
||||||
|
|
||||||
|
# Add $TESTSRC to classpath so that customized nameservice can be used
|
||||||
|
J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate"
|
||||||
|
JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
|
||||||
|
|
||||||
|
# FORWARDABLE ticket not allowed, always fail
|
||||||
|
$J false true true false false false || exit 1
|
||||||
|
|
||||||
|
# Service ticket no OK-AS-DELEGATE
|
||||||
|
|
||||||
|
# Request nothing, gain nothing
|
||||||
|
$J true false false false false false || exit 2
|
||||||
|
# Request deleg policy, gain nothing
|
||||||
|
$J true false true false false false || exit 3
|
||||||
|
# Request deleg, granted
|
||||||
|
$J true true false true false true || exit 4
|
||||||
|
# Request deleg and deleg policy, granted, with info not by policy
|
||||||
|
$J true true true true false true || exit 5
|
||||||
|
|
||||||
|
# Service ticket has OK-AS-DELEGATE
|
||||||
|
|
||||||
|
# Request deleg policy, granted
|
||||||
|
$JOK true false true true true true || exit 6
|
||||||
|
# Request deleg and deleg policy, granted, with info by policy
|
||||||
|
$JOK true true true true true true || exit 7
|
||||||
|
|
||||||
|
# Testing SPNEGO
|
||||||
|
|
||||||
|
# Add $TESTSRC to classpath so that customized nameservice can be used
|
||||||
|
J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate"
|
||||||
|
JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
|
||||||
|
|
||||||
|
# FORWARDABLE ticket not allowed, always fail
|
||||||
|
$J false true true false false false || exit 11
|
||||||
|
|
||||||
|
# Service ticket no OK-AS-DELEGATE
|
||||||
|
|
||||||
|
# Request nothing, gain nothing
|
||||||
|
$J true false false false false false || exit 12
|
||||||
|
# Request deleg policy, gain nothing
|
||||||
|
$J true false true false false false || exit 13
|
||||||
|
# Request deleg, granted
|
||||||
|
$J true true false true false true || exit 14
|
||||||
|
# Request deleg and deleg policy, granted, with info not by policy
|
||||||
|
$J true true true true false true || exit 15
|
||||||
|
|
||||||
|
# Service ticket has OK-AS-DELEGATE
|
||||||
|
|
||||||
|
# Request deleg policy, granted
|
||||||
|
$JOK true false true true true true || exit 16
|
||||||
|
# Request deleg and deleg policy, granted, with info by policy
|
||||||
|
$JOK true true true true true true || exit 17
|
||||||
|
|
||||||
|
exit 0
|
Loading…
Reference in New Issue
Block a user