author | chegar |
Thu, 17 Oct 2019 20:54:25 +0100 | |
branch | datagramsocketimpl-branch |
changeset 58679 | 9c3209ff7550 |
parent 58678 | 9cf78a70fa4f |
parent 57487 | 643978a35f6e |
permissions | -rw-r--r-- |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
1 |
/* |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
2 |
* Copyright (c) 2019, Red Hat, Inc. |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
4 |
* |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
5 |
* This code is free software; you can redistribute it and/or modify it |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
7 |
* published by the Free Software Foundation. |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
8 |
* |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
9 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
10 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
11 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
12 |
* version 2 for more details (a copy is included in the LICENSE file that |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
13 |
* accompanied this code). |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
14 |
* |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
15 |
* You should have received a copy of the GNU General Public License version |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
16 |
* 2 along with this work; if not, write to the Free Software Foundation, |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
17 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
18 |
* |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
19 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
20 |
* or visit www.oracle.com if you need additional information or have any |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
21 |
* questions. |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
22 |
*/ |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
23 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
24 |
/* |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
25 |
* @test |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
26 |
* @bug 8215032 |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
27 |
* @library /test/lib |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
28 |
* @run main/othervm/timeout=120 -Dsun.security.krb5.debug=true ReferralsTest |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
29 |
* @summary Test Kerberos cross-realm referrals (RFC 6806) |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
30 |
*/ |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
31 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
32 |
import java.io.File; |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
33 |
import java.security.Principal; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
34 |
import java.util.Arrays; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
35 |
import java.util.HashMap; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
36 |
import java.util.List; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
37 |
import java.util.Map; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
38 |
import java.util.Set; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
39 |
import javax.security.auth.kerberos.KerberosTicket; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
40 |
import javax.security.auth.Subject; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
41 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
42 |
import org.ietf.jgss.GSSName; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
43 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
44 |
import sun.security.jgss.GSSUtil; |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
45 |
import sun.security.krb5.PrincipalName; |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
46 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
47 |
public class ReferralsTest { |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
48 |
private static final boolean DEBUG = true; |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
49 |
private static final String krbConfigName = "krb5-localkdc.conf"; |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
50 |
private static final String realmKDC1 = "RABBIT.HOLE"; |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
51 |
private static final String realmKDC2 = "DEV.RABBIT.HOLE"; |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
52 |
private static final char[] password = "123qwe@Z".toCharArray(); |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
53 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
54 |
// Names |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
55 |
private static final String clientName = "test"; |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
56 |
private static final String serviceName = "http" + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
57 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
58 |
"server.dev.rabbit.hole"; |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
59 |
|
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
60 |
// Alias |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
61 |
private static final String clientAlias = clientName + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
62 |
PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC1; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
63 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
64 |
// Names + realms |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
65 |
private static final String clientKDC1Name = clientAlias.replaceAll( |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
66 |
PrincipalName.NAME_REALM_SEPARATOR_STR, "\\\\" + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
67 |
PrincipalName.NAME_REALM_SEPARATOR_STR) + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
68 |
PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC1; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
69 |
private static final String clientKDC2Name = clientName + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
70 |
PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC2; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
71 |
private static final String serviceKDC2Name = serviceName + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
72 |
PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC2; |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
73 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
74 |
public static void main(String[] args) throws Exception { |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
75 |
try { |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
76 |
initializeKDCs(); |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
77 |
testSubjectCredentials(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
78 |
testDelegated(); |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
79 |
} finally { |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
80 |
cleanup(); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
81 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
82 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
83 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
84 |
private static void initializeKDCs() throws Exception { |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
85 |
KDC kdc1 = KDC.create(realmKDC1, "localhost", 0, true); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
86 |
kdc1.addPrincipalRandKey(PrincipalName.TGS_DEFAULT_SRV_NAME + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
87 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + realmKDC1); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
88 |
kdc1.addPrincipal(PrincipalName.TGS_DEFAULT_SRV_NAME + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
89 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + realmKDC1 + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
90 |
PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC2, |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
91 |
password); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
92 |
kdc1.addPrincipal(PrincipalName.TGS_DEFAULT_SRV_NAME + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
93 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + realmKDC2, |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
94 |
password); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
95 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
96 |
KDC kdc2 = KDC.create(realmKDC2, "localhost", 0, true); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
97 |
kdc2.addPrincipalRandKey(PrincipalName.TGS_DEFAULT_SRV_NAME + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
98 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + realmKDC2); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
99 |
kdc2.addPrincipal(clientKDC2Name, password); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
100 |
kdc2.addPrincipal(serviceName, password); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
101 |
kdc2.addPrincipal(PrincipalName.TGS_DEFAULT_SRV_NAME + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
102 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + realmKDC1, |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
103 |
password); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
104 |
kdc2.addPrincipal(PrincipalName.TGS_DEFAULT_SRV_NAME + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
105 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + realmKDC2 + |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
106 |
PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC1, |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
107 |
password); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
108 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
109 |
kdc1.registerAlias(clientAlias, kdc2); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
110 |
kdc1.registerAlias(serviceName, kdc2); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
111 |
kdc2.registerAlias(clientAlias, clientKDC2Name); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
112 |
|
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
113 |
Map<String,List<String>> mapKDC2 = new HashMap<>(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
114 |
mapKDC2.put(serviceName + "@" + realmKDC2, Arrays.asList( |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
115 |
new String[]{serviceName + "@" + realmKDC2})); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
116 |
kdc2.setOption(KDC.Option.ALLOW_S4U2PROXY, mapKDC2); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
117 |
|
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
118 |
KDC.saveConfig(krbConfigName, kdc1, kdc2, |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
119 |
"forwardable=true"); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
120 |
System.setProperty("java.security.krb5.conf", krbConfigName); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
121 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
122 |
|
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
123 |
private static void cleanup() { |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
124 |
File f = new File(krbConfigName); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
125 |
if (f.exists()) { |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
126 |
f.delete(); |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
127 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
128 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
129 |
|
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
130 |
/* |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
131 |
* The client subject (whose principal is |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
132 |
* test@RABBIT.HOLE@RABBIT.HOLE) will obtain a TGT after |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
133 |
* realm referral and name canonicalization (TGT cname |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
134 |
* will be test@DEV.RABBIT.HOLE). With this TGT, the client will request |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
135 |
* a TGS for service http/server.dev.rabbit.hole@RABBIT.HOLE. After |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
136 |
* realm referral, a http/server.dev.rabbit.hole@DEV.RABBIT.HOLE TGS |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
137 |
* will be obtained. |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
138 |
* |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
139 |
* Assert that we get the proper TGT and TGS tickets, and that they are |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
140 |
* associated to the client subject. |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
141 |
* |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
142 |
* Assert that if we request a TGS for the same service again (based on the |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
143 |
* original service name), we don't get a new one but the previous, |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
144 |
* already in the subject credentials. |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
145 |
*/ |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
146 |
private static void testSubjectCredentials() throws Exception { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
147 |
Subject clientSubject = new Subject(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
148 |
Context clientContext = Context.fromUserPass(clientSubject, |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
149 |
clientKDC1Name, password, false); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
150 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
151 |
Set<Principal> clientPrincipals = clientSubject.getPrincipals(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
152 |
if (clientPrincipals.size() != 1) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
153 |
throw new Exception("Only one client subject principal expected"); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
154 |
} |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
155 |
Principal clientPrincipal = clientPrincipals.iterator().next(); |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
156 |
if (DEBUG) { |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
157 |
System.out.println("Client subject principal: " + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
158 |
clientPrincipal.getName()); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
159 |
} |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
160 |
if (!clientPrincipal.getName().equals(clientKDC1Name)) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
161 |
throw new Exception("Unexpected client subject principal."); |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
162 |
} |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
163 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
164 |
clientContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
165 |
clientContext.take(new byte[0]); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
166 |
Set<KerberosTicket> clientTickets = |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
167 |
clientSubject.getPrivateCredentials(KerberosTicket.class); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
168 |
boolean tgtFound = false; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
169 |
boolean tgsFound = false; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
170 |
for (KerberosTicket clientTicket : clientTickets) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
171 |
String cname = clientTicket.getClient().getName(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
172 |
String sname = clientTicket.getServer().getName(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
173 |
if (cname.equals(clientKDC2Name)) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
174 |
if (sname.equals(PrincipalName.TGS_DEFAULT_SRV_NAME + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
175 |
PrincipalName.NAME_COMPONENT_SEPARATOR_STR + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
176 |
realmKDC2 + PrincipalName.NAME_REALM_SEPARATOR_STR + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
177 |
realmKDC2)) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
178 |
tgtFound = true; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
179 |
} else if (sname.equals(serviceKDC2Name)) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
180 |
tgsFound = true; |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
181 |
} |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
182 |
} |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
183 |
if (DEBUG) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
184 |
System.out.println("Client subject KerberosTicket:"); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
185 |
System.out.println(clientTicket); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
186 |
} |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
187 |
} |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
188 |
if (!tgtFound || !tgsFound) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
189 |
throw new Exception("client subject tickets (TGT/TGS) not found."); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
190 |
} |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
191 |
int numOfTickets = clientTickets.size(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
192 |
clientContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
193 |
clientContext.take(new byte[0]); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
194 |
clientContext.status(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
195 |
int newNumOfTickets = |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
196 |
clientSubject.getPrivateCredentials(KerberosTicket.class).size(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
197 |
if (DEBUG) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
198 |
System.out.println("client subject number of tickets: " + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
199 |
numOfTickets); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
200 |
System.out.println("client subject new number of tickets: " + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
201 |
newNumOfTickets); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
202 |
} |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
203 |
if (numOfTickets != newNumOfTickets) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
204 |
throw new Exception("Useless client subject TGS request because" + |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
205 |
" TGS was not found in private credentials."); |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
206 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
207 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
208 |
|
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
209 |
/* |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
210 |
* The server (http/server.dev.rabbit.hole@DEV.RABBIT.HOLE) |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
211 |
* will authenticate on itself on behalf of the client |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
212 |
* (test@DEV.RABBIT.HOLE). Cross-realm referrals will occur |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
213 |
* when requesting different TGTs and TGSs (including the |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
214 |
* request for delegated credentials). |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
215 |
*/ |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
216 |
private static void testDelegated() throws Exception { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
217 |
Context c = Context.fromUserPass(clientKDC2Name, |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
218 |
password, false); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
219 |
c.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
220 |
Context s = Context.fromUserPass(serviceKDC2Name, |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
221 |
password, true); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
222 |
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
223 |
Context.handshake(c, s); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
224 |
Context delegatedContext = s.delegated(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
225 |
delegatedContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
226 |
delegatedContext.x().requestMutualAuth(false); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
227 |
Context s2 = Context.fromUserPass(serviceKDC2Name, |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
228 |
password, true); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
229 |
s2.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
230 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
231 |
// Test authentication |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
232 |
Context.handshake(delegatedContext, s2); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
233 |
if (!delegatedContext.x().isEstablished() || !s2.x().isEstablished()) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
234 |
throw new Exception("Delegated authentication failed"); |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
235 |
} |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
236 |
|
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
237 |
// Test identities |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
238 |
GSSName contextInitiatorName = delegatedContext.x().getSrcName(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
239 |
GSSName contextAcceptorName = delegatedContext.x().getTargName(); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
240 |
if (DEBUG) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
241 |
System.out.println("Context initiator: " + contextInitiatorName); |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
242 |
System.out.println("Context acceptor: " + contextAcceptorName); |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
243 |
} |
57487
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
244 |
if (!contextInitiatorName.toString().equals(clientKDC2Name) || |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
245 |
!contextAcceptorName.toString().equals(serviceName)) { |
643978a35f6e
8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents:
55258
diff
changeset
|
246 |
throw new Exception("Unexpected initiator or acceptor names"); |
55258
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
247 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
248 |
} |
d65d3c37232c
8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff
changeset
|
249 |
} |