From efc37c5e71f41bdb3f53e980a3ec5804acdf3fb9 Mon Sep 17 00:00:00 2001 From: Rob McKenna Date: Wed, 20 May 2015 18:06:31 +0100 Subject: [PATCH] 8077155: LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection Reviewed-by: michaelm --- .../www/protocol/http/HttpURLConnection.java | 8 +- .../krb5/auto/HttpNegotiateServer.java | 160 +++++++++++++++++- 2 files changed, 161 insertions(+), 7 deletions(-) diff --git a/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java index a012c3b6a1c..b9d594b0316 100644 --- a/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java +++ b/jdk/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java @@ -983,7 +983,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { SocketPermission p = URLtoSocketPermission(this.url); if (p != null) { try { - AccessController.doPrivileged( + AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<>() { public Void run() throws IOException { plainConnect0(); @@ -1244,7 +1244,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { if (p != null) { try { - return AccessController.doPrivileged( + return AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<>() { public OutputStream run() throws IOException { return getOutputStream0(); @@ -1422,7 +1422,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { if (p != null) { try { - return AccessController.doPrivileged( + return AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<>() { public InputStream run() throws IOException { return getInputStream0(); @@ -2565,7 +2565,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection { if (p != null) { try { - return AccessController.doPrivileged( + return AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<>() { public Boolean run() throws IOException { return followRedirect0(loc, stat, locUrl0); diff --git a/jdk/test/sun/security/krb5/auto/HttpNegotiateServer.java b/jdk/test/sun/security/krb5/auto/HttpNegotiateServer.java index fea76c829f9..9d3b44e0057 100644 --- a/jdk/test/sun/security/krb5/auto/HttpNegotiateServer.java +++ b/jdk/test/sun/security/krb5/auto/HttpNegotiateServer.java @@ -40,21 +40,34 @@ import java.io.BufferedReader; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; +import java.io.InputStream; import java.io.InputStreamReader; import java.net.HttpURLConnection; import java.net.InetSocketAddress; import java.net.PasswordAuthentication; import java.net.Proxy; import java.net.URL; -import java.security.PrivilegedExceptionAction; +import java.net.URLConnection; +import java.security.*; import java.util.HashMap; import java.util.Map; import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; +import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSManager; import sun.security.jgss.GSSUtil; import sun.security.krb5.Config; +import java.util.Base64; import sun.util.logging.PlatformLogger; import java.util.Base64; @@ -197,7 +210,7 @@ public class HttpNegotiateServer { proxyUrl = new URL("http://nosuchplace/a/b/c"); try { - Exception e1 = null, e2 = null; + Exception e1 = null, e2 = null, e3 = null; try { test6578647(); } catch (Exception e) { @@ -210,7 +223,14 @@ public class HttpNegotiateServer { e2 = e; e.printStackTrace(); } - if (e1 != null || e2 != null) { + try { + test8077155(); + } catch (Exception e) { + e3 = e; + e.printStackTrace(); + } + + if (e1 != null || e2 != null || e3 != null) { throw new RuntimeException("Test error"); } } finally { @@ -254,6 +274,121 @@ public class HttpNegotiateServer { } } + static void testConnect() { + InputStream inputStream = null; + try { + URL url = webUrl; + + URLConnection conn = url.openConnection(); + conn.connect(); + inputStream = conn.getInputStream(); + byte[] b = new byte[inputStream.available()]; + for (int j = 0; j < b.length; j++) { + b[j] = (byte) inputStream.read(); + } + String s = new String(b); + System.out.println("Length: " + s.length()); + System.out.println(s); + } catch (Exception ex) { + throw new RuntimeException(ex); + } finally { + if (inputStream != null) { + try { + inputStream.close(); + } catch (IOException e) { + e.printStackTrace(); + } + } + } + } + + static void test8077155() throws Exception { + final String username = WEB_USER; + final char[] password = WEB_PASS; + + SecurityManager security = new SecurityManager(); + Policy.setPolicy(new SecurityPolicy()); + System.setSecurityManager(security); + + CallbackHandler callback = new CallbackHandler() { + @Override + public void handle(Callback[] pCallbacks) throws IOException, UnsupportedCallbackException { + for (Callback cb : pCallbacks) { + if (cb instanceof NameCallback) { + NameCallback ncb = (NameCallback)cb; + ncb.setName(username); + + } else if (cb instanceof PasswordCallback) { + PasswordCallback pwdcb = (PasswordCallback) cb; + pwdcb.setPassword(password); + } + } + } + + }; + + final String jaasConfigName = "oracle.test.kerberos.login"; + final String krb5LoginModule = "com.sun.security.auth.module.Krb5LoginModule"; + + Configuration loginConfig = new Configuration() { + @Override + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + if (! jaasConfigName.equals(name)) { + return new AppConfigurationEntry[0]; + } + + Map options = new HashMap(); + options.put("useTicketCache", Boolean.FALSE.toString()); + options.put("useKeyTab", Boolean.FALSE.toString()); + + return new AppConfigurationEntry[] { + new AppConfigurationEntry(krb5LoginModule, + LoginModuleControlFlag.REQUIRED, + options) + }; + } + }; + + // oracle context/subject/login + LoginContext context = null; + try { + context = new LoginContext("oracle.test.kerberos.login", null, callback, loginConfig); + context.login(); + + } catch (LoginException ex) { + ex.printStackTrace(); + throw new RuntimeException(ex); + } + + + Subject subject = context.getSubject(); + + final PrivilegedExceptionAction test_action = new PrivilegedExceptionAction() { + public Object run() throws Exception { + testConnect(); + return null; + } + }; + + System.err.println("\n\nExpecting to succeed when executing with the the logged in subject."); + + try { + Subject.doAs(subject, test_action); + System.err.println("\n\nConnection succeed when executing with the the logged in subject."); + } catch (PrivilegedActionException e) { + System.err.println("\n\nFailure unexpected when executing with the the logged in subject."); + e.printStackTrace(); + throw new RuntimeException("Failed to login as subject"); + } + + try { + System.err.println("\n\nExpecting to fail when running with the current user's login."); + testConnect(); + } catch (Exception ex) { + System.err.println("\nConnect failed when running with the current user's login:\n" + ex.getMessage()); + } + } + /** * Creates and starts an HTTP or proxy server that requires * Negotiate authentication. @@ -366,3 +501,22 @@ public class HttpNegotiateServer { } } } + +class SecurityPolicy extends Policy { + + private static Permissions perms; + + public SecurityPolicy() { + super(); + if (perms == null) { + perms = new Permissions(); + perms.add(new AllPermission()); + } + } + + @Override + public PermissionCollection getPermissions(CodeSource codesource) { + return perms; + } + +}