From bb586d9974f584ad0c5d3a354630406a4ebedc7d Mon Sep 17 00:00:00 2001
From: Weijun Wang
Date: Wed, 18 Oct 2017 10:43:58 +0800
Subject: [PATCH] 8186600: Improve property negotiations

Reviewed-by: valeriep, ahgross, mullan
---
 .../http/spnego/NegotiateCallbackHandler.java | 38 ++++++++++++-------
 .../classes/sun/security/jgss/GSSUtil.java | 27 +++++--------
 .../sun/security/jgss/LoginConfigImpl.java | 19 +++++++++-
 3 files changed, 51 insertions(+), 33 deletions(-)

diff --git a/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java b/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java
index 43003bfb811..202af32656e 100644
--- a/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java
+++ b/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@ import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import sun.net.www.protocol.http.HttpCallerInfo;
+import sun.security.jgss.LoginConfigImpl;
 
 /**
  * @since 1.6
@@ -61,19 +62,28 @@ public class NegotiateCallbackHandler implements CallbackHandler {
     private void getAnswer() {
         if (!answered) {
             answered = true;
-            PasswordAuthentication passAuth =
-                Authenticator.requestPasswordAuthentication(
-                    hci.authenticator,
-                    hci.host, hci.addr, hci.port, hci.protocol,
-                    hci.prompt, hci.scheme, hci.url, hci.authType);
-            /**
-             * To be compatible with existing callback handler implementations,
-             * when the underlying Authenticator is canceled, username and
-             * password are assigned null. No exception is thrown.
-             */
-            if (passAuth != null) {
-                username = passAuth.getUserName();
-                password = passAuth.getPassword();
+            Authenticator auth;
+            if (hci.authenticator != null) {
+                auth = hci.authenticator;
+            } else {
+                auth = LoginConfigImpl.HTTP_USE_GLOBAL_CREDS ?
+                        Authenticator.getDefault() : null;
+            }
+
+            if (auth != null) {
+                PasswordAuthentication passAuth =
+                    auth.requestPasswordAuthenticationInstance(
+                        hci.host, hci.addr, hci.port, hci.protocol,
+                        hci.prompt, hci.scheme, hci.url, hci.authType);
+                /**
+                 * To be compatible with existing callback handler implementations,
+                 * when the underlying Authenticator is canceled, username and
+                 * password are assigned null. No exception is thrown.
+                 */
+                if (passAuth != null) {
+                    username = passAuth.getUserName();
+                    password = passAuth.getPassword();
+                }
             }
         }
     }
diff --git a/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java b/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java
index abcacf024a4..646a8c633cb 100644
--- a/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java
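Review bot: The new `auth == null` path — no per-request authenticator and `LoginConfigImpl.HTTP_USE_GLOBAL_CREDS` false — deliberately leaves `username` and `password` unset, but the only comment in the method still explains the cancelled-Authenticator case, so the next reader may take the silent fallback for an oversight. A comment on the `else` branch would pin the intent: `// No per-request Authenticator: consult the JVM-wide default only when http.use.global.creds allows it; otherwise leave the credentials null rather than borrow the global Authenticator's.` Since `HTTP_USE_GLOBAL_CREDS` is a static final initialised once (see the LoginConfigImpl hunk), it is worth saying there that the property must be set before that class loads. As a matter of style the selection could be a single expression, `Authenticator auth = hci.authenticator != null ? hci.authenticator : (LoginConfigImpl.HTTP_USE_GLOBAL_CREDS ? Authenticator.getDefault() : null);`.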
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -270,24 +270,17 @@ public class GSSUtil {
      */
     public static boolean useSubjectCredsOnly(GSSCaller caller) {
 
-        // HTTP/SPNEGO doesn't use the standard JAAS framework. Instead, it
-        // uses the java.net.Authenticator style, therefore always return
-        // false here.
+        String propValue = GetPropertyAction.privilegedGetProperty(
+                "javax.security.auth.useSubjectCredsOnly");
+
+        // Invalid values should be ignored and the default assumed.
         if (caller instanceof HttpCaller) {
-            return false;
+            // Default for HTTP/SPNEGO is false.
+            return "true".equalsIgnoreCase(propValue);
+        } else {
+            // Default for JGSS is true.
+            return !("false".equalsIgnoreCase(propValue));
         }
-        /*
-         * Don't use GetBooleanAction because the default value in the JRE
-         * (when this is unset) has to treated as true.
-         */
-        String propValue = AccessController.doPrivileged(
-                new GetPropertyAction("javax.security.auth.useSubjectCredsOnly",
-                "true"));
-        /*
-         * This property has to be explicitly set to "false". Invalid
-         * values should be ignored and the default "true" assumed.
-         */
-        return (!propValue.equalsIgnoreCase("false"));
     }
 
     /**
diff --git a/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java b/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java
index 26181f7b720..eab531d8dba 100644
--- a/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java
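Review bot: `propValue` can now be null, because `privilegedGetProperty` is called without the `"true"` default the removed code passed, and both branches rely on `"true".equalsIgnoreCase(null)` and `"false".equalsIgnoreCase(null)` being false to fall through to the per-caller default; that is correct, but it breaks the moment someone flips the operands back to `propValue.equalsIgnoreCase(...)`, which is exactly the shape the old code had. Suggest stating it next to the lookup: `// propValue is null when the property is unset; the constant-on-the-left comparisons below then yield each caller's default.` The HTTP/SPNEGO branch is also an observable behaviour change — the property is honoured (opt-in `true`) where it was previously ignored — and the method's javadoc, which ends at the ` */` context line at the top of this hunk, is not touched by the commit; if it still describes HTTP callers as always returning false it should be updated in the same change. Whether `AccessController` is still used elsewhere in the file is not visible here; if this was its only use, its import is now dead.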
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.util.HashMap;
 import javax.security.auth.login.AppConfigurationEntry;
 import javax.security.auth.login.Configuration;
 import org.ietf.jgss.Oid;
+import sun.security.action.GetPropertyAction;
 
 /**
  * A Configuration implementation especially designed for JGSS.
@@ -44,6 +45,16 @@ public class LoginConfigImpl extends Configuration {
     private static final sun.security.util.Debug debug =
         sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]");
 
+    public static final boolean HTTP_USE_GLOBAL_CREDS;
+
+    static {
+        String prop = GetPropertyAction
+                .privilegedGetProperty("http.use.global.creds");
+        //HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
+        HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
+    }
+
+
     /**
      * A new instance of LoginConfigImpl must be created for each login request
      * since it's only used by a single (caller, mech) pair
@@ -178,7 +189,11 @@ public class LoginConfigImpl extends Configuration {
             options.put("principal", "*");
             options.put("isInitiator", "false");
         } else {
-            options.put("useTicketCache", "true");
+            if (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) {
+                options.put("useTicketCache", "false");
+            } else {
+                options.put("useTicketCache", "true");
+            }
             options.put("doNotPrompt", "false");
         }
         return new AppConfigurationEntry[] {
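Review bot: The static initializer in the `@@ -44,6 +45,16 @@` hunk keeps a commented-out alternative, `//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false`, which is dead code and reads as an undecided choice; either delete it or replace it with a sentence on why the default is true (compatibility with existing HTTP/SPNEGO callers that expect the global Authenticator and ticket cache to be used). `HTTP_USE_GLOBAL_CREDS` is public and consumed from another package by NegotiateCallbackHandler, yet carries no javadoc; suggest `/** Whether HTTP/SPNEGO may use JVM-wide credentials (the default {@code Authenticator} and the Kerberos ticket cache). Read once from the {@code http.use.global.creds} system property at class initialization; any value other than "false" (ignoring case) enables it. */`. Because it is computed in a `static` block, setting the property after this class has loaded has no effect, which the javadoc should make explicit.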
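Review bot: The new `useTicketCache` branch in the `@@ -178,7 +189,11 @@` hunk gives no reason why an `HttpCaller` is singled out, and the enclosing method starts before this hunk, so the property behind the decision is only discoverable through the constant. A one-line comment such as `// HTTP/SPNEGO must not silently pick up the user's ticket cache unless http.use.global.creds permits it` would make the intent clear to the next maintainer. `doNotPrompt` stays `"false"` on both paths, so with the cache disabled the login module presumably falls back to prompting through the callback handler; if that is the intended behaviour it is worth stating in the same comment.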