2022-03-28 13:51:55 +00:00

277 lines
9.8 KiB
Java

/*
* Copyright (c) 2013, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/* @test
* @bug 8004502
* @library /test/lib
* @summary Sanity check that NTLM will not be selected by the http protocol
* handler when running on a profile that does not support NTLM
* @modules java.base/sun.net.www.protocol.http:open
* @run main/othervm -Dhttp.auth.digest.reEnabledAlgorithms=MD5 NoNTLM
* @run main/othervm -Dhttp.auth.digest.reEnabledAlgorithms=MD5
* -Djava.net.preferIPv6Addresses=true NoNTLM
*/
import java.io.IOException;
import java.lang.reflect.Field;
import java.net.Authenticator;
import java.net.HttpURLConnection;
import java.net.InetAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.URL;
import jdk.test.lib.net.HttpHeaderParser;
import jdk.test.lib.net.URIBuilder;
public class NoNTLM {
static final String CRLF = "\r\n";
static final String OKAY =
"HTTP/1.1 200" + CRLF +
"Content-Length: 0" + CRLF +
"Connection: close" + CRLF +
CRLF;
static class Client implements Runnable {
private final URL url;
private volatile IOException ioe;
private volatile int respCode;
Client(int port) throws IOException {
this.url = URIBuilder.newBuilder()
.scheme("http")
.loopback()
.port(port)
.path("/foo.html")
.toURLUnchecked();
System.out.println("Client URL: " + this.url);
}
public void run() {
try {
HttpURLConnection uc =
(HttpURLConnection)url.openConnection(Proxy.NO_PROXY);
try {
uc.getInputStream();
} catch (IOException x) {
respCode = uc.getResponseCode();
throw x;
}
uc.disconnect();
} catch (IOException x) {
if (respCode == 0)
respCode = -1;
ioe = x;
}
}
IOException ioException() {
return ioe;
}
int respCode() {
return respCode;
}
static void start(int port) throws IOException {
Client client = new Client(port);
new Thread(client).start();
}
}
/**
* Return the http response with WWW-Authenticate headers for the given
* authentication schemes.
*/
static String authReplyFor(String... schemes) {
// construct the server reply
String reply = "HTTP/1.1 401 Unauthorized" + CRLF +
"Content-Length: 0"+ CRLF +
"Connection: close" + CRLF;
for (String s: schemes) {
switch (s) {
case "Basic" :
reply += "WWW-Authenticate: Basic realm=\"wallyworld\"" + CRLF;
break;
case "Digest" :
reply += "WWW-Authenticate: Digest" +
" realm=\"wallyworld\"" +
" domain=/" +
" nonce=\"abcdefghijklmnopqrstuvwxyz\"" +
" qop=\"auth\"" + CRLF;
break;
case "NTLM" :
reply += "WWW-Authenticate: NTLM" + CRLF;
break;
default :
throw new RuntimeException("Should not get here");
}
}
reply += CRLF;
return reply;
}
/**
* Test the http protocol handler with the given authentication schemes
* in the WWW-Authenticate header.
*/
static void test(String... schemes) throws IOException {
// the authentication scheme that the client is expected to choose
String expected = null;
for (String s: schemes) {
if (expected == null) {
expected = s;
} else if (s.equals("Digest")) {
expected = s;
}
}
// server reply
String reply = authReplyFor(schemes);
System.out.println("====================================");
System.out.println("Expect client to choose: " + expected);
System.out.println(reply);
InetAddress loopback = InetAddress.getLoopbackAddress();
try (ServerSocket ss = new ServerSocket(0, 0, loopback)) {
Client.start(ss.getLocalPort());
// client ---- GET ---> server
// client <--- 401 ---- server
try (Socket s = ss.accept()) {
new HttpHeaderParser().parse(s.getInputStream());
s.getOutputStream().write(reply.getBytes("US-ASCII"));
}
// client ---- GET ---> server
// client <--- 200 ---- server
String auth;
try (Socket s = ss.accept()) {
HttpHeaderParser mh = new HttpHeaderParser();
mh.parse(s.getInputStream());
s.getOutputStream().write(OKAY.getBytes("US-ASCII"));
auth = mh.getHeaderValue("Authorization").get(0);
}
// check Authorization header
if (auth == null)
throw new RuntimeException("Authorization header not found");
System.out.println("Server received Authorization header: " + auth);
String[] values = auth.split(" ");
if (!values[0].equals(expected))
throw new RuntimeException("Unexpected value");
}
}
/**
* Test the http protocol handler with one WWW-Authenticate header with
* the value "NTLM".
*/
static void testNTLM() throws Exception {
// server reply
String reply = authReplyFor("NTLM");
System.out.println("====================================");
System.out.println("Expect client to fail with 401 Unauthorized");
System.out.println(reply);
InetAddress loopback = InetAddress.getLoopbackAddress();
try (ServerSocket ss = new ServerSocket(0, 0, loopback)) {
Client client = new Client(ss.getLocalPort());
Thread thr = new Thread(client);
thr.start();
// client ---- GET ---> server
// client <--- 401 ---- client
try (Socket s = ss.accept()) {
new HttpHeaderParser().parse(s.getInputStream());
s.getOutputStream().write(reply.getBytes("US-ASCII"));
}
// the client should fail with 401
System.out.println("Waiting for client to terminate");
thr.join();
IOException ioe = client.ioException();
if (ioe != null)
System.out.println("Client failed: " + ioe);
int respCode = client.respCode();
if (respCode != 0 && respCode != -1)
System.out.println("Client received HTTP response code: " + respCode);
if (respCode != HttpURLConnection.HTTP_UNAUTHORIZED)
throw new RuntimeException("Unexpected response code");
}
}
public static void main(String[] args) throws Exception {
boolean ntlmSupported = false;
try {
Class<?> ntlmProxyClass = Class.forName("sun.net.www.protocol.http.NTLMAuthenticationProxy", true, NoNTLM.class.getClassLoader());
Field ntlmSupportedField = ntlmProxyClass.getDeclaredField("supported");
ntlmSupportedField.setAccessible(true);
if (ntlmSupportedField.getBoolean(null)) {
System.out.println("NTLM is supported.");
ntlmSupported = true;
}
} catch (ClassNotFoundException okay) { }
// setup Authenticator
Authenticator.setDefault(new Authenticator() {
@Override
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("user", "pass".toCharArray());
}
});
// test combinations of authentication schemes
test("Basic");
test("Digest");
test("Basic", "Digest");
if (ntlmSupported) {
System.out.println("====================================");
System.out.println("NTLM is supported: client would select NTLM: skipping `test(\"Basic\", \"NTLM\")`..");
} else {
test("Basic", "NTLM");
}
test("Digest", "NTLM");
test("Basic", "Digest", "NTLM");
if (ntlmSupported) {
System.out.println("====================================");
System.out.println("NTLM is supported: client would select NTLM: skipping `testNTLM()`..");
} else {
// test NTLM only, this should fail with "401 Unauthorized"
testNTLM();
}
System.out.println();
System.out.println("TEST PASSED");
}
}