author | dfuchs |
Fri, 02 Dec 2016 13:18:50 +0000 | |
changeset 42351 | 85ed90be0ae1 |
parent 32649 | 2ee9017c7597 |
child 44755 | e16b506a60b2 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
42351
85ed90be0ae1
8169495: Add a method to set an Authenticator on a HttpURLConnection.
dfuchs
parents:
32649
diff
changeset
|
2 |
* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.net.www.protocol.http; |
|
27 |
||
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
28 |
import java.net.URL; |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
29 |
import java.io.IOException; |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
30 |
import java.net.Authenticator.RequestorType; |
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
31 |
import java.util.Base64; |
2 | 32 |
import java.util.HashMap; |
33 |
import sun.net.www.HeaderParser; |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
34 |
import sun.util.logging.PlatformLogger; |
3859
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
35 |
import static sun.net.www.protocol.http.AuthScheme.NEGOTIATE; |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
36 |
import static sun.net.www.protocol.http.AuthScheme.KERBEROS; |
2 | 37 |
|
38 |
/** |
|
39 |
* NegotiateAuthentication: |
|
40 |
* |
|
41 |
* @author weijun.wang@sun.com |
|
42 |
* @since 1.6 |
|
43 |
*/ |
|
44 |
||
45 |
class NegotiateAuthentication extends AuthenticationInfo { |
|
46 |
||
47 |
private static final long serialVersionUID = 100L; |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
48 |
private static final PlatformLogger logger = HttpURLConnection.getHttpLogger(); |
2 | 49 |
|
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32227
diff
changeset
|
50 |
private final HttpCallerInfo hci; |
2 | 51 |
|
52 |
// These maps are used to manage the GSS availability for diffrent |
|
53 |
// hosts. The key for both maps is the host name. |
|
54 |
// <code>supported</code> is set when isSupported is checked, |
|
55 |
// if it's true, a cached Negotiator is put into <code>cache</code>. |
|
56 |
// the cache can be used only once, so after the first use, it's cleaned. |
|
57 |
static HashMap <String, Boolean> supported = null; |
|
58 |
static HashMap <String, Negotiator> cache = null; |
|
59 |
||
60 |
// The HTTP Negotiate Helper |
|
61 |
private Negotiator negotiator = null; |
|
62 |
||
63 |
/** |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
64 |
* Constructor used for both WWW and proxy entries. |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
65 |
* @param hci a schemed object. |
2 | 66 |
*/ |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
67 |
public NegotiateAuthentication(HttpCallerInfo hci) { |
3859
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
68 |
super(RequestorType.PROXY==hci.authType ? PROXY_AUTHENTICATION : SERVER_AUTHENTICATION, |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
69 |
hci.scheme.equalsIgnoreCase("Negotiate") ? NEGOTIATE : KERBEROS, |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
70 |
hci.url, |
42351
85ed90be0ae1
8169495: Add a method to set an Authenticator on a HttpURLConnection.
dfuchs
parents:
32649
diff
changeset
|
71 |
"", |
85ed90be0ae1
8169495: Add a method to set an Authenticator on a HttpURLConnection.
dfuchs
parents:
32649
diff
changeset
|
72 |
AuthenticatorKeys.getKey(hci.authenticator)); |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
73 |
this.hci = hci; |
2 | 74 |
} |
75 |
||
76 |
/** |
|
77 |
* @return true if this authentication supports preemptive authorization |
|
78 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
79 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
80 |
public boolean supportsPreemptiveAuthorization() { |
2 | 81 |
return false; |
82 |
} |
|
83 |
||
84 |
/** |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
85 |
* Find out if the HttpCallerInfo supports Negotiate protocol. |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
86 |
* @return true if supported |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
87 |
*/ |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
88 |
public static boolean isSupported(HttpCallerInfo hci) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
89 |
ClassLoader loader = null; |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
90 |
try { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
91 |
loader = Thread.currentThread().getContextClassLoader(); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
92 |
} catch (SecurityException se) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
93 |
if (logger.isLoggable(PlatformLogger.Level.FINER)) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
94 |
logger.finer("NegotiateAuthentication: " + |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
95 |
"Attempt to get the context class loader failed - " + se); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
96 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
97 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
98 |
|
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
99 |
if (loader != null) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
100 |
// Lock on the class loader instance to avoid the deadlock engaging |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
101 |
// the lock in "ClassLoader.loadClass(String, boolean)" method. |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
102 |
synchronized (loader) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
103 |
return isSupportedImpl(hci); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
104 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
105 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
106 |
return isSupportedImpl(hci); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
107 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
108 |
|
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
109 |
/** |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
110 |
* Find out if the HttpCallerInfo supports Negotiate protocol. In order to |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
111 |
* find out yes or no, an initialization of a Negotiator object against it |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
112 |
* is tried. The generated object will be cached under the name of ths |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
113 |
* hostname at a success try.<br> |
2 | 114 |
* |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
115 |
* If this method is called for the second time on an HttpCallerInfo with |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
116 |
* the same hostname, the answer is retrieved from cache. |
2 | 117 |
* |
118 |
* @return true if supported |
|
119 |
*/ |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
120 |
private static synchronized boolean isSupportedImpl(HttpCallerInfo hci) { |
2 | 121 |
if (supported == null) { |
122 |
supported = new HashMap <String, Boolean>(); |
|
123 |
cache = new HashMap <String, Negotiator>(); |
|
124 |
} |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
125 |
String hostname = hci.host; |
2 | 126 |
hostname = hostname.toLowerCase(); |
127 |
if (supported.containsKey(hostname)) { |
|
128 |
return supported.get(hostname); |
|
129 |
} |
|
130 |
||
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
131 |
Negotiator neg = Negotiator.getNegotiator(hci); |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
132 |
if (neg != null) { |
2 | 133 |
supported.put(hostname, true); |
134 |
// the only place cache.put is called. here we can make sure |
|
135 |
// the object is valid and the oneToken inside is not null |
|
136 |
cache.put(hostname, neg); |
|
137 |
return true; |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
138 |
} else { |
2 | 139 |
supported.put(hostname, false); |
140 |
return false; |
|
141 |
} |
|
142 |
} |
|
143 |
||
144 |
/** |
|
145 |
* Not supported. Must use the setHeaders() method |
|
146 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
147 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
148 |
public String getHeaderValue(URL url, String method) { |
2 | 149 |
throw new RuntimeException ("getHeaderValue not supported"); |
150 |
} |
|
151 |
||
152 |
/** |
|
153 |
* Check if the header indicates that the current auth. parameters are stale. |
|
154 |
* If so, then replace the relevant field with the new value |
|
155 |
* and return true. Otherwise return false. |
|
156 |
* returning true means the request can be retried with the same userid/password |
|
157 |
* returning false means we have to go back to the user to ask for a new |
|
158 |
* username password. |
|
159 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
160 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
161 |
public boolean isAuthorizationStale (String header) { |
2 | 162 |
return false; /* should not be called for Negotiate */ |
163 |
} |
|
164 |
||
165 |
/** |
|
166 |
* Set header(s) on the given connection. |
|
167 |
* @param conn The connection to apply the header(s) to |
|
168 |
* @param p A source of header values for this connection, not used because |
|
169 |
* HeaderParser converts the fields to lower case, use raw instead |
|
170 |
* @param raw The raw header field. |
|
171 |
* @return true if all goes well, false if no headers were set. |
|
172 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
173 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
174 |
public synchronized boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) { |
2 | 175 |
|
176 |
try { |
|
177 |
String response; |
|
178 |
byte[] incoming = null; |
|
179 |
String[] parts = raw.split("\\s+"); |
|
180 |
if (parts.length > 1) { |
|
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
181 |
incoming = Base64.getDecoder().decode(parts[1]); |
2 | 182 |
} |
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
183 |
response = hci.scheme + " " + Base64.getEncoder().encodeToString( |
2 | 184 |
incoming==null?firstToken():nextToken(incoming)); |
185 |
||
186 |
conn.setAuthenticationProperty(getHeaderName(), response); |
|
187 |
return true; |
|
188 |
} catch (IOException e) { |
|
189 |
return false; |
|
190 |
} |
|
191 |
} |
|
192 |
||
193 |
/** |
|
194 |
* return the first token. |
|
32227
34721a47bc92
8132478: [tidy] three new warnings from java docs (java.net, javax.annotation)
avstepan
parents:
25859
diff
changeset
|
195 |
* @return the token |
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
196 |
* @throws IOException if <code>Negotiator.getNegotiator()</code> or |
2 | 197 |
* <code>Negotiator.firstToken()</code> failed. |
198 |
*/ |
|
199 |
private byte[] firstToken() throws IOException { |
|
200 |
negotiator = null; |
|
201 |
if (cache != null) { |
|
202 |
synchronized(cache) { |
|
203 |
negotiator = cache.get(getHost()); |
|
204 |
if (negotiator != null) { |
|
205 |
cache.remove(getHost()); // so that it is only used once |
|
206 |
} |
|
207 |
} |
|
208 |
} |
|
209 |
if (negotiator == null) { |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
210 |
negotiator = Negotiator.getNegotiator(hci); |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
211 |
if (negotiator == null) { |
2 | 212 |
IOException ioe = new IOException("Cannot initialize Negotiator"); |
213 |
throw ioe; |
|
214 |
} |
|
215 |
} |
|
216 |
||
217 |
return negotiator.firstToken(); |
|
218 |
} |
|
219 |
||
220 |
/** |
|
221 |
* return more tokens |
|
222 |
* @param token the token to be fed into <code>negotiator.nextToken()</code> |
|
32227
34721a47bc92
8132478: [tidy] three new warnings from java docs (java.net, javax.annotation)
avstepan
parents:
25859
diff
changeset
|
223 |
* @return the token |
2 | 224 |
* @throws IOException if <code>negotiator.nextToken()</code> throws Exception. |
225 |
* May happen if the input token is invalid. |
|
226 |
*/ |
|
227 |
private byte[] nextToken(byte[] token) throws IOException { |
|
228 |
return negotiator.nextToken(token); |
|
229 |
} |
|
230 |
||
231 |
// MS will send a final WWW-Authenticate even if the status is already |
|
232 |
// 200 OK. The token can be fed into initSecContext() again to determine |
|
233 |
// if the server can be trusted. This is not the same concept as Digest's |
|
234 |
// Authentication-Info header. |
|
235 |
// |
|
236 |
// Currently we ignore this header. |
|
237 |
||
238 |
} |