/*
* Portions Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Sun designates this
* particular file as subject to the "Classpath" exception as provided
* by Sun in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/*
*
* (C) Copyright IBM Corp. 1999 All Rights Reserved.
* Copyright 1997 The Open Group Research Institute. All rights reserved.
*/
package sun.security.krb5.internal;
import sun.security.krb5.*;
import sun.security.krb5.internal.ccache.CredentialsCache;
import java.util.StringTokenizer;
import sun.security.krb5.internal.ktab.*;
import java.io.File;
import java.io.IOException;
import java.util.Date;
import java.util.Vector;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
/**
* This class is a utility that contains much of the TGS-Exchange
* protocol. It is used by ../Credentials.java for service ticket
* acquisition in both the normal and the x-realm case.
*/
public class CredentialsUtil {

    // Mirrors the package-wide debug switch. When true, the methods below
    // print protocol progress and (via Credentials.printDebug) credential
    // details to stdout. Not final: read once at class-initialization time.
    private static boolean DEBUG = sun.security.krb5.internal.Krb5.DEBUG;

    /**
     * Acquires credentials for a specified service using the client's
     * initial credential.
     * <p>
     * When the service lives in a different realm from the initial
     * credential, cross-realm authentication is performed: the realm path
     * between the local realm and the service realm is obtained from
     * {@link Realm#getRealmsList}, and cross-realm TGTs are requested hop by
     * hop along that path until a TGT for the service realm is held. That
     * TGT is then used to request the service credential.
     * <p>
     * Two safeguards apply while walking the path: a TGT for a realm that
     * is not on the computed path is never followed (the walk stops
     * instead), and if any TGT on the chain lacks OK-AS-DELEGATE the
     * delegate flag is reset on the returned credentials.
     *
     * @param service the service principal name, using the format
     *        {@code components@realm}; when the realm part is absent the
     *        local realm determined from {@code ccreds} is assumed.
     * @param ccreds the client's initial credential.
     * @return the service credentials, or {@code null} if no realm path
     *         between the local and the service realm could be determined.
     * @throws KrbException if a TGS exchange fails, or if no service
     *         credential could be obtained ({@code KRB_AP_ERR_GEN_CRED}).
     * @throws IOException on a transport failure while talking to a KDC.
     */
    public static Credentials acquireServiceCreds(
            String service, Credentials ccreds)
            throws KrbException, IOException {
        ServiceName sname = new ServiceName(service);
        String serviceRealm = sname.getRealmString();
        String localRealm = ccreds.getClient().getRealmString();
        String defaultRealm = Config.getInstance().getDefaultRealm();

        // Determine the local realm: the client principal's realm, else the
        // realm of the server principal in the initial credential, else the
        // configured default realm.
        if (localRealm == null) {
            PrincipalName temp = null;
            if ((temp = ccreds.getServer()) != null)
                localRealm = temp.getRealmString();
        }
        if (localRealm == null) {
            localRealm = defaultRealm;
        }
        // A service name given without a realm is taken to be local.
        if (serviceRealm == null) {
            serviceRealm = localRealm;
            sname.setRealm(serviceRealm);
        }

        // Same realm: a single TGS exchange with the initial credential.
        // Realm names are compared case-sensitively here.
        if (localRealm.equals(serviceRealm))
        {
            if (DEBUG)
                System.out.println(">>> Credentials acquireServiceCreds: same realm");
            return serviceCreds(sname, ccreds);
        }

        // Get a list of realms to traverse: the path from localRealm to
        // serviceRealm, as defined by Realm.getRealmsList.
        String[] realms = Realm.getRealmsList(localRealm, serviceRealm);
        // Cleared as soon as any TGT on the chain lacks OK-AS-DELEGATE; the
        // returned service credentials then get resetDelegate() (see below).
        boolean okAsDelegate = true;

        // NOTE: this failure returns null, whereas the failure at the end of
        // the method throws KrbApErrException.
        if (realms == null || realms.length == 0)
        {
            if (DEBUG)
                System.out.println(">>> Credentials acquireServiceCreds: no realms list");
            return null;
        }

        // i: index into realms of the realm whose TGT is currently held.
        // k: scan index for the backwards search and the path lookup below.
        int i = 0, k = 0;
        // cTgt: TGT used for the next request; newTgt: TGT just obtained;
        // theTgt: the TGT for the service realm, once found.
        Credentials cTgt = null, newTgt = null, theTgt = null;
        ServiceName tempService = null;
        // 'realm' is unused and 'theTgtRealm' is written but never read.
        String realm = null, newTgtRealm = null, theTgtRealm = null;

        // Walk the path. Each iteration asks the KDC of realms[i], using
        // cTgt, for a TGT towards the service realm; i is then advanced to
        // the realm of whatever TGT came back, so a referral from the KDC is
        // followed only as long as it stays on the computed path.
        for (cTgt = ccreds, i = 0; i < realms.length;)
        {
            // Presumably krbtgt/serviceRealm@realms[i] — confirm the argument
            // order against the ServiceName constructor.
            tempService = new ServiceName(PrincipalName.TGS_DEFAULT_SRV_NAME,
                                          serviceRealm, realms[i]);

            if (DEBUG)
            {
                System.out.println(">>> Credentials acquireServiceCreds: main loop: [" + i +"] tempService=" + tempService);
            }

            // Best effort: any exception from the exchange (including
            // RuntimeExceptions) is silently dropped and treated as "no TGT
            // from this hop"; the backwards search below then runs.
            try {
                newTgt = serviceCreds(tempService, cTgt);
            } catch (Exception exc) {
                newTgt = null;
            }

            if (newTgt == null)
            {
                if (DEBUG)
                {
                    System.out.println(">>> Credentials acquireServiceCreds: no tgt; searching backwards");
                }

                /*
                 * No tgt found. Try to get one for a
                 * realm as close to the target as possible.
                 * That means traversing the realms list backwards:
                 * ask realms[i] for a TGT towards realms[k], k running from
                 * the end of the path down to i+1, stopping at the first
                 * success. Failures are swallowed exactly as above.
                 */

                for (newTgt = null, k = realms.length - 1;
                     newTgt == null && k > i; k--)
                {

                    tempService = new ServiceName(
                            PrincipalName.TGS_DEFAULT_SRV_NAME,
                            realms[k], realms[i]);
                    if (DEBUG)
                    {
                        System.out.println(">>> Credentials acquireServiceCreds: inner loop: [" + k +"] tempService=" + tempService);
                    }

                    try {
                        newTgt = serviceCreds(tempService, cTgt);
                    } catch (Exception exc) {
                        newTgt = null;
                    }
                }
            } // Ends 'if (newTgt == null)'

            // Neither the direct request nor the backwards search produced a
            // TGT: leave the loop with theTgt still null.
            if (newTgt == null)
            {
                if (DEBUG)
                {
                    System.out.println(">>> Credentials acquireServiceCreds: no tgt; cannot get creds");
                }
                break;
            }

            /*
             * We have a tgt. It may or may not be for the target.
             * If it's for the target realm, we're done looking for a tgt.
             * The instance component of the krbtgt server principal names
             * the realm the tgt is good for.
             */

            newTgtRealm = newTgt.getServer().getInstanceComponent();
            // Delegation is only honoured end-to-end if every TGT on the
            // chain carries OK-AS-DELEGATE (checkDelegate); the first hop
            // without it switches the flag off for the final credentials.
            if (okAsDelegate && !newTgt.checkDelegate()) {
                if (DEBUG)
                {
                    System.out.println(">>> Credentials acquireServiceCreds: " +
                            "global OK-AS-DELEGATE turned off at " +
                            newTgt.getServer());
                }
                okAsDelegate = false;
            }

            if (DEBUG)
            {
                System.out.println(">>> Credentials acquireServiceCreds: got tgt");
            }

            if (newTgtRealm.equals(serviceRealm))
            {
                /* We got the right tgt */
                theTgt = newTgt;
                theTgtRealm = newTgtRealm;
                break;
            }

            /*
             * The new tgt is not for the target realm.
             * See if the realm of the new tgt is in the list of realms
             * (beyond the current position) and continue looking from there.
             */

            for (k = i+1; k < realms.length; k++)
            {
                if (newTgtRealm.equals(realms[k]))
                {
                    break;
                }
            }

            if (k < realms.length)
            {
                /*
                 * (re)set the counter so we start looking
                 * from the realm we just obtained a tgt for,
                 * and use that tgt for the next request.
                 */
                i = k;
                cTgt = newTgt;

                if (DEBUG)
                {
                    System.out.println(">>> Credentials acquireServiceCreds: continuing with main loop counter reset to " + i);
                }

                continue;
            }
            else
            {
                /*
                 * The new tgt's realm is not in the hierarchy of realms.
                 * It's probably not safe to get a tgt from
                 * a tgs that is outside the known list of realms.
                 * Give up now: refusing to follow such a tgt keeps a KDC
                 * from steering the client to an arbitrary realm. theTgt
                 * stays null, so the method fails below.
                 */

                break;
            }
        } // Ends outermost/main 'for' loop

        // Either theTgt holds a tgt for serviceRealm, or the walk gave up
        // (no tgt at some hop, or an off-path referral) and theTgt is null.
        Credentials theCreds = null;

        if (theTgt != null)
        {
            /* We have the right tgt. Let's get the service creds */

            if (DEBUG)
            {
                System.out.println(">>> Credentials acquireServiceCreds: got right tgt");

                System.out.println(">>> Credentials acquireServiceCreds: obtaining service creds for " + sname);
            }

            // Failure here is swallowed as well (printed to stdout only when
            // DEBUG) and surfaces as the KrbApErrException below.
            try {
                theCreds = serviceCreds(sname, theTgt);
            } catch (Exception exc) {
                if (DEBUG)
                    System.out.println(exc);
                theCreds = null;
            }
        }

        if (theCreds != null)
        {
            if (DEBUG)
            {
                System.out.println(">>> Credentials acquireServiceCreds: returning creds:");
                Credentials.printDebug(theCreds);
            }
            // Some hop lacked OK-AS-DELEGATE: clear the flag on the result
            // as well, so the weakest link on the chain decides.
            if (!okAsDelegate) {
                theCreds.resetDelegate();
            }
            return theCreds;
        }
        // No tgt for the service realm, or the final TGS exchange failed.
        throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED,
                "No service creds");
    }

    /**
     * Performs a single TGS exchange: requests {@code service} from the KDC
     * using {@code ccreds} and returns the resulting credentials. No
     * cross-realm handling happens here; callers walk the realm path.
     *
     * @param service the principal to request a ticket for.
     * @param ccreds  the credentials used to make the request.
     * @return the credentials returned by the KDC.
     * @throws KrbException if the exchange fails.
     * @throws IOException  on a transport failure.
     */
    private static Credentials serviceCreds(
            ServiceName service, Credentials ccreds)
            throws KrbException, IOException {
        return new KrbTgsReq(ccreds, service).sendAndGetCreds();
    }
}