8186600: Improve property negotiations
Reviewed-by: valeriep, ahgross, mullan
This commit is contained in:
Weijun Wang
parent
1eda3a24d5
commit
bb586d9974
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -35,6 +35,7 @@ import javax.security.auth.callback.NameCallback;
|
|||||||
import javax.security.auth.callback.PasswordCallback;
|
import javax.security.auth.callback.PasswordCallback;
|
||||||
import javax.security.auth.callback.UnsupportedCallbackException;
|
import javax.security.auth.callback.UnsupportedCallbackException;
|
||||||
import sun.net.www.protocol.http.HttpCallerInfo;
|
import sun.net.www.protocol.http.HttpCallerInfo;
|
||||||
|
import sun.security.jgss.LoginConfigImpl;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @since 1.6
|
* @since 1.6
|
||||||
@ -61,19 +62,28 @@ public class NegotiateCallbackHandler implements CallbackHandler {
|
|||||||
private void getAnswer() {
|
private void getAnswer() {
|
||||||
if (!answered) {
|
if (!answered) {
|
||||||
answered = true;
|
answered = true;
|
||||||
PasswordAuthentication passAuth =
|
Authenticator auth;
|
||||||
Authenticator.requestPasswordAuthentication(
|
if (hci.authenticator != null) {
|
||||||
hci.authenticator,
|
auth = hci.authenticator;
|
||||||
hci.host, hci.addr, hci.port, hci.protocol,
|
} else {
|
||||||
hci.prompt, hci.scheme, hci.url, hci.authType);
|
auth = LoginConfigImpl.HTTP_USE_GLOBAL_CREDS ?
|
||||||
/**
|
Authenticator.getDefault() : null;
|
||||||
* To be compatible with existing callback handler implementations,
|
}
|
||||||
* when the underlying Authenticator is canceled, username and
|
|
||||||
* password are assigned null. No exception is thrown.
|
if (auth != null) {
|
||||||
*/
|
PasswordAuthentication passAuth =
|
||||||
if (passAuth != null) {
|
auth.requestPasswordAuthenticationInstance(
|
||||||
username = passAuth.getUserName();
|
hci.host, hci.addr, hci.port, hci.protocol,
|
||||||
password = passAuth.getPassword();
|
hci.prompt, hci.scheme, hci.url, hci.authType);
|
||||||
|
/**
|
||||||
|
* To be compatible with existing callback handler implementations,
|
||||||
|
* when the underlying Authenticator is canceled, username and
|
||||||
|
* password are assigned null. No exception is thrown.
|
||||||
|
*/
|
||||||
|
if (passAuth != null) {
|
||||||
|
username = passAuth.getUserName();
|
||||||
|
password = passAuth.getPassword();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -270,24 +270,17 @@ public class GSSUtil {
|
|||||||
*/
|
*/
|
||||||
public static boolean useSubjectCredsOnly(GSSCaller caller) {
|
public static boolean useSubjectCredsOnly(GSSCaller caller) {
|
||||||
|
|
||||||
// HTTP/SPNEGO doesn't use the standard JAAS framework. Instead, it
|
String propValue = GetPropertyAction.privilegedGetProperty(
|
||||||
// uses the java.net.Authenticator style, therefore always return
|
"javax.security.auth.useSubjectCredsOnly");
|
||||||
// false here.
|
|
||||||
|
// Invalid values should be ignored and the default assumed.
|
||||||
if (caller instanceof HttpCaller) {
|
if (caller instanceof HttpCaller) {
|
||||||
return false;
|
// Default for HTTP/SPNEGO is false.
|
||||||
|
return "true".equalsIgnoreCase(propValue);
|
||||||
|
} else {
|
||||||
|
// Default for JGSS is true.
|
||||||
|
return !("false".equalsIgnoreCase(propValue));
|
||||||
}
|
}
|
||||||
/*
|
|
||||||
* Don't use GetBooleanAction because the default value in the JRE
|
|
||||||
* (when this is unset) has to treated as true.
|
|
||||||
*/
|
|
||||||
String propValue = AccessController.doPrivileged(
|
|
||||||
new GetPropertyAction("javax.security.auth.useSubjectCredsOnly",
|
|
||||||
"true"));
|
|
||||||
/*
|
|
||||||
* This property has to be explicitly set to "false". Invalid
|
|
||||||
* values should be ignored and the default "true" assumed.
|
|
||||||
*/
|
|
||||||
return (!propValue.equalsIgnoreCase("false"));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
|
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
|
||||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||||
*
|
*
|
||||||
* This code is free software; you can redistribute it and/or modify it
|
* This code is free software; you can redistribute it and/or modify it
|
||||||
@ -29,6 +29,7 @@ import java.util.HashMap;
|
|||||||
import javax.security.auth.login.AppConfigurationEntry;
|
import javax.security.auth.login.AppConfigurationEntry;
|
||||||
import javax.security.auth.login.Configuration;
|
import javax.security.auth.login.Configuration;
|
||||||
import org.ietf.jgss.Oid;
|
import org.ietf.jgss.Oid;
|
||||||
|
import sun.security.action.GetPropertyAction;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A Configuration implementation especially designed for JGSS.
|
* A Configuration implementation especially designed for JGSS.
|
||||||
@ -44,6 +45,16 @@ public class LoginConfigImpl extends Configuration {
|
|||||||
private static final sun.security.util.Debug debug =
|
private static final sun.security.util.Debug debug =
|
||||||
sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]");
|
sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]");
|
||||||
|
|
||||||
|
public static final boolean HTTP_USE_GLOBAL_CREDS;
|
||||||
|
|
||||||
|
static {
|
||||||
|
String prop = GetPropertyAction
|
||||||
|
.privilegedGetProperty("http.use.global.creds");
|
||||||
|
//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
|
||||||
|
HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A new instance of LoginConfigImpl must be created for each login request
|
* A new instance of LoginConfigImpl must be created for each login request
|
||||||
* since it's only used by a single (caller, mech) pair
|
* since it's only used by a single (caller, mech) pair
|
||||||
@ -178,7 +189,11 @@ public class LoginConfigImpl extends Configuration {
|
|||||||
options.put("principal", "*");
|
options.put("principal", "*");
|
||||||
options.put("isInitiator", "false");
|
options.put("isInitiator", "false");
|
||||||
} else {
|
} else {
|
||||||
options.put("useTicketCache", "true");
|
if (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) {
|
||||||
|
options.put("useTicketCache", "false");
|
||||||
|
} else {
|
||||||
|
options.put("useTicketCache", "true");
|
||||||
|
}
|
||||||
options.put("doNotPrompt", "false");
|
options.put("doNotPrompt", "false");
|
||||||
}
|
}
|
||||||
return new AppConfigurationEntry[] {
|
return new AppConfigurationEntry[] {
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user