8209094: Improve web server connections

Reviewed-by: chegar, dfuchs, mschoene, igerasim

make/lib/Lib-java.base.gmk

@@ -56,7 +56,7 @@ $(eval $(call SetupJdkLibrary, BUILD_LIBNET, \
     LIBS_solaris := -lnsl -lsocket $(LIBDL), \
     LIBS_aix := $(LIBDL),\
     LIBS_windows := ws2_32.lib jvm.lib secur32.lib iphlpapi.lib winhttp.lib \
-        delayimp.lib $(WIN_JAVA_LIB) advapi32.lib, \
+        urlmon.lib delayimp.lib $(WIN_JAVA_LIB) advapi32.lib, \
     LIBS_macosx := -framework CoreFoundation -framework CoreServices, \
 ))
 

src/java.base/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java

@@ -33,8 +33,7 @@ import java.net.URL;
  * credentials without prompting) should only be tried with trusted sites.
  */
 public abstract class NTLMAuthenticationCallback {
-    private static volatile NTLMAuthenticationCallback callback =
-            new DefaultNTLMAuthenticationCallback();
+    private static volatile NTLMAuthenticationCallback callback;
 
     public static void setNTLMAuthenticationCallback(
             NTLMAuthenticationCallback callback) {
@@ -50,10 +49,5 @@ public abstract class NTLMAuthenticationCallback {
      * transparent Authentication.
      */
     public abstract boolean isTrustedSite(URL url);
-
-    static class DefaultNTLMAuthenticationCallback extends NTLMAuthenticationCallback {
-        @Override
-        public boolean isTrustedSite(URL url) { return true; }
-    }
 }
 

src/java.base/share/conf/net.properties

@@ -1,5 +1,5 @@
 ############################################################
-#  	Default Networking Configuration File
+#       Default Networking Configuration File
 #
 # This file may contain default values for the networking system properties.
 # These values are only used when the system properties are not specified
@@ -110,3 +110,23 @@ jdk.http.auth.tunneling.disabledSchemes=Basic
 #
 # jdk.httpclient.allowRestrictedHeaders=host
 #
+#
+# Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
+# can be used for the NTLM scheme, where the security credentials based on the
+# currently logged in user's name and password can be obtained directly from the
+# operating system, without prompting the user. This property has three possible
+# values which regulate the behavior as shown below. Other unrecognized values
+# are handled the same as 'disabled'. Note, that NTLM is not considered to be a
+# strongly secure authentication scheme and care should be taken before enabling
+# this mechanism.
+#
+# Transparent authentication never used.
+#jdk.http.ntlm.transparentAuth=disabled
+#
+# Enabled for all hosts.
+#jdk.http.ntlm.transparentAuth=allHosts
+#
+# Enabled for hosts that are trusted in Windows Internet settings
+#jdk.http.ntlm.transparentAuth=trustedHosts
+#
+jdk.http.ntlm.transparentAuth=disabled

src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java

@@ -93,10 +93,13 @@ public class NTLMAuthentication extends AuthenticationInfo {
 
     /**
      * Returns true if the given site is trusted, i.e. we can try
-     * transparent Authentication.
+     * transparent Authentication. Shouldn't be called since
+     * capability not supported on Unix
      */
     public static boolean isTrustedSite(URL url) {
-        return NTLMAuthCallback.isTrustedSite(url);
+        if (NTLMAuthCallback != null)
+            return NTLMAuthCallback.isTrustedSite(url);
+        return false;
     }
 
     private void init0() {

src/java.base/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java

@@ -32,6 +32,7 @@ import java.net.UnknownHostException;
 import java.net.URL;
 import java.util.Objects;
 import java.util.Properties;
+import sun.net.NetProperties;
 import sun.net.www.HeaderParser;
 import sun.net.www.protocol.http.AuthenticationInfo;
 import sun.net.www.protocol.http.AuthScheme;
@@ -56,11 +57,33 @@ public class NTLMAuthentication extends AuthenticationInfo {
     private static final String defaultDomain;
     /* Whether cache is enabled for NTLM */
     private static final boolean ntlmCache;
+
+    enum TransparentAuth {
+        DISABLED,      // disable for all hosts (default)
+        TRUSTED_HOSTS, // use Windows trusted hosts settings
+        ALL_HOSTS      // attempt for all hosts
+    }
+
+    private static final TransparentAuth authMode;
+
     static {
         Properties props = GetPropertyAction.privilegedGetProperties();
         defaultDomain = props.getProperty("http.auth.ntlm.domain", "domain");
         String ntlmCacheProp = props.getProperty("jdk.ntlm.cache", "true");
         ntlmCache = Boolean.parseBoolean(ntlmCacheProp);
+        String modeProp = java.security.AccessController.doPrivileged(
+            new java.security.PrivilegedAction<String>() {
+                public String run() {
+                    return NetProperties.get("jdk.http.ntlm.transparentAuth");
+                }
+            });
+
+        if ("trustedHosts".equalsIgnoreCase(modeProp))
+            authMode = TransparentAuth.TRUSTED_HOSTS;
+        else if ("allHosts".equalsIgnoreCase(modeProp))
+            authMode = TransparentAuth.ALL_HOSTS;
+        else
+            authMode = TransparentAuth.DISABLED;
     }
 
     private void init0() {
@@ -166,9 +189,21 @@ public class NTLMAuthentication extends AuthenticationInfo {
      * transparent Authentication.
      */
     public static boolean isTrustedSite(URL url) {
-        return NTLMAuthCallback.isTrustedSite(url);
+        if (NTLMAuthCallback != null)
+            return NTLMAuthCallback.isTrustedSite(url);
+
+        switch (authMode) {
+            case TRUSTED_HOSTS:
+                return isTrustedSite(url.toString());
+            case ALL_HOSTS:
+                return true;
+            default:
+                return false;
+        }
     }
 
+    static native boolean isTrustedSite(String url);
+
     /**
      * Not supported. Must use the setHeaders() method
      */
@@ -218,5 +253,4 @@ public class NTLMAuthentication extends AuthenticationInfo {
             return false;
         }
     }
-
 }

src/java.base/windows/native/libnet/NTLMAuthentication.c

@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <jni.h>
+#include <windows.h>
+#include "jni_util.h"
+#include <urlmon.h>
+
+JNIEXPORT jboolean JNICALL Java_sun_net_www_protocol_http_ntlm_NTLMAuthentication_isTrustedSite(JNIEnv *env, jclass clazz, jstring url )
+{
+
+    HRESULT hr;
+    DWORD dwZone;
+    DWORD  pPolicy = 0;
+    IInternetSecurityManager *spSecurityManager;
+    jboolean ret;
+
+    // Create IInternetSecurityManager
+    hr = CoInternetCreateSecurityManager(NULL, &spSecurityManager, (DWORD)0);
+    if (FAILED(hr)) {
+        return JNI_FALSE;
+    }
+
+    const LPCWSTR bstrURL = (LPCWSTR)((*env)->GetStringChars(env, url, NULL));
+    if (bstrURL == NULL) {
+        if (!(*env)->ExceptionCheck(env))
+            JNU_ThrowOutOfMemoryError(env, NULL);
+        spSecurityManager->lpVtbl->Release(spSecurityManager);
+        return JNI_FALSE;
+    }
+
+    // Determines the policy for the URLACTION_CREDENTIALS_USE action and display
+    // a user interface, if the policy indicates that the user should be queried
+    hr = spSecurityManager->lpVtbl->ProcessUrlAction(
+        spSecurityManager,
+        bstrURL,
+        URLACTION_CREDENTIALS_USE,
+        (LPBYTE)&pPolicy,
+        sizeof(DWORD), 0, 0, 0, 0);
+
+    if (FAILED(hr)) {
+        ret = JNI_FALSE;
+        goto cleanupAndReturn;
+    }
+
+    // If these two User Authentication Logon options is selected
+    // Anonymous logon
+    // Prompt for user name and password
+    if (pPolicy == URLPOLICY_CREDENTIALS_ANONYMOUS_ONLY ||
+        pPolicy == URLPOLICY_CREDENTIALS_MUST_PROMPT_USER) {
+        ret = JNI_FALSE;
+        goto cleanupAndReturn;
+    }
+
+    // Option "Automatic logon with current user name and password" is selected
+    if (pPolicy == URLPOLICY_CREDENTIALS_SILENT_LOGON_OK) {
+        ret = JNI_TRUE;
+        goto cleanupAndReturn;
+    }
+
+    // Option "Automatic logon only in intranet zone" is selected
+    if (pPolicy == URLPOLICY_CREDENTIALS_CONDITIONAL_PROMPT) {
+
+        // Gets the zone index from the specified URL
+        hr = spSecurityManager->lpVtbl->MapUrlToZone(
+                spSecurityManager, bstrURL, &dwZone, 0);
+        if (FAILED(hr)) {
+            ret = JNI_FALSE;
+            goto cleanupAndReturn;
+        }
+
+        // Check if the URL is in Local or Intranet zone
+        if (dwZone == URLZONE_INTRANET || dwZone == URLZONE_LOCAL_MACHINE) {
+            ret = JNI_TRUE;
+            goto cleanupAndReturn;
+        }
+    }
+    ret = JNI_FALSE;
+
+cleanupAndReturn:
+    (*env)->ReleaseStringChars(env, url, bstrURL);
+    spSecurityManager->lpVtbl->Release(spSecurityManager);
+    return ret;
+}