test/jdk/sun/security/krb5/auto/ReferralsTest.java
author chegar
Thu, 17 Oct 2019 20:54:25 +0100
branchdatagramsocketimpl-branch
changeset 58679 9c3209ff7550
parent 58678 9cf78a70fa4f
parent 57487 643978a35f6e
permissions -rw-r--r--
datagramsocketimpl-branch: merge with default
/*
 * Copyright (c) 2019, Red Hat, Inc.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
/*
 * @test
 * @bug 8215032
 * @library /test/lib
 * @run main/othervm/timeout=120 -Dsun.security.krb5.debug=true ReferralsTest
 * @summary Test Kerberos cross-realm referrals (RFC 6806)
 */
import java.io.File;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSName;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.PrincipalName;
public class ReferralsTest {
    // When true, the test prints principal names and ticket details to stdout.
    private static final boolean DEBUG = true;

    // Kerberos configuration file written by initializeKDCs() and deleted by
    // cleanup().
    private static final String krbConfigName = "krb5-localkdc.conf";

    // Realms served by the two KDCs that initializeKDCs() creates.
    private static final String realmKDC1 = "RABBIT.HOLE";
    private static final String realmKDC2 = "DEV.RABBIT.HOLE";

    // Fixed fixture password used for the principals registered on the test
    // KDCs. It only guards throwaway test principals and must not be reused
    // for any real account.
    private static final char[] password = "123qwe@Z".toCharArray();

    // Names
    private static final String clientName = "test";
    private static final String serviceName = String.join(
            PrincipalName.NAME_COMPONENT_SEPARATOR_STR,
            "http", "server.dev.rabbit.hole");

    // Alias
    private static final String clientAlias = String.join(
            PrincipalName.NAME_REALM_SEPARATOR_STR, clientName, realmKDC1);

    // Names + realms
    // The realm separator inside the alias is escaped with a backslash so that
    // the whole alias forms the name part, and realmKDC1 is appended as the
    // realm. NOTE(review): this is a literal replacement and relies on the
    // separator containing no regex metacharacters (the "@" seen in this
    // file's principal names) -- confirm.
    private static final String clientKDC1Name =
            clientAlias.replace(
                    PrincipalName.NAME_REALM_SEPARATOR_STR,
                    "\\" + PrincipalName.NAME_REALM_SEPARATOR_STR)
            + PrincipalName.NAME_REALM_SEPARATOR_STR
            + realmKDC1;
    private static final String clientKDC2Name = String.join(
            PrincipalName.NAME_REALM_SEPARATOR_STR, clientName, realmKDC2);
    private static final String serviceKDC2Name = String.join(
            PrincipalName.NAME_REALM_SEPARATOR_STR, serviceName, realmKDC2);
    /**
     * Test entry point: sets up the two KDCs, runs the test scenarios and
     * always removes the generated Kerberos configuration file afterwards.
     *
     * @param args command-line arguments (not read)
     * @throws Exception if KDC set-up or any scenario fails
     */
    public static void main(String[] args) throws Exception {
        try {
            // Both scenarios depend on the KDCs and krb5 configuration
            // created here.
            initializeKDCs();

            testSubjectCredentials();
            testDelegated();
        } finally {
            // Runs on success and on failure so that the configuration file
            // is not left behind.
            cleanup();
        }
    }
    /**
     * Creates one KDC per realm on localhost, registers the principals and
     * aliases that the scenarios use, and writes the Kerberos configuration
     * file that the rest of the test reads.
     *
     * @throws Exception if a KDC cannot be created or configured
     */
    private static void initializeKDCs() throws Exception {
        // Shared pieces of the ticket-granting-service principal names.
        final String tgsPrefix = PrincipalName.TGS_DEFAULT_SRV_NAME
                + PrincipalName.NAME_COMPONENT_SEPARATOR_STR;
        final String realmSep = PrincipalName.NAME_REALM_SEPARATOR_STR;

        // NOTE(review): port 0 presumably lets the test KDC pick a free
        // port -- confirm against the KDC helper.
        KDC kdc1 = KDC.create(realmKDC1, "localhost", 0, true);
        kdc1.addPrincipalRandKey(tgsPrefix + realmKDC1);
        // The TGS principals naming the other realm use the fixed fixture
        // password instead of a random key; presumably both KDCs must derive
        // the same cross-realm key -- confirm.
        kdc1.addPrincipal(tgsPrefix + realmKDC1 + realmSep + realmKDC2,
                password);
        kdc1.addPrincipal(tgsPrefix + realmKDC2, password);

        KDC kdc2 = KDC.create(realmKDC2, "localhost", 0, true);
        kdc2.addPrincipalRandKey(tgsPrefix + realmKDC2);
        kdc2.addPrincipal(clientKDC2Name, password);
        kdc2.addPrincipal(serviceName, password);
        kdc2.addPrincipal(tgsPrefix + realmKDC1, password);
        kdc2.addPrincipal(tgsPrefix + realmKDC2 + realmSep + realmKDC1,
                password);

        // kdc1 maps the client alias and the service name to kdc2; kdc2 maps
        // the client alias to the client's name in its own realm.
        kdc1.registerAlias(clientAlias, kdc2);
        kdc1.registerAlias(serviceName, kdc2);
        kdc2.registerAlias(clientAlias, clientKDC2Name);

        // S4U2proxy allow-list on kdc2: the only entry maps the service to
        // itself, so nothing else is listed as a delegation target.
        final String s4uService = serviceName + "@" + realmKDC2;
        Map<String,List<String>> mapKDC2 = new HashMap<>();
        mapKDC2.put(s4uService, Arrays.asList(s4uService));
        kdc2.setOption(KDC.Option.ALLOW_S4U2PROXY, mapKDC2);

        KDC.saveConfig(krbConfigName, kdc1, kdc2, "forwardable=true");
        // Point the JDK Kerberos implementation at the file just written.
        System.setProperty("java.security.krb5.conf", krbConfigName);
    }
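    /**
     * Deletes the Kerberos configuration file written by initializeKDCs(),
     * if it exists.
     *
     * Deletion stays best-effort: a failure is reported on stdout instead of
     * being thrown, so that an exception raised by the test itself is not
     * replaced by a clean-up error in the caller's finally block.
     */
    private static void cleanup() {
        File f = new File(krbConfigName);
        // File.delete() signals failure only through its return value, so
        // check it rather than silently leaving the file behind.
        if (f.exists() && !f.delete()) {
            System.out.println("Warning: could not delete " +
                    f.getAbsolutePath());
        }
    }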
    /*
     * The client subject (whose principal is
     * test@RABBIT.HOLE@RABBIT.HOLE) will obtain a TGT after
     * realm referral and name canonicalization (TGT cname
     * will be test@DEV.RABBIT.HOLE). With this TGT, the client will request
     * a TGS for service http/server.dev.rabbit.hole@RABBIT.HOLE. After
     * realm referral, a http/server.dev.rabbit.hole@DEV.RABBIT.HOLE TGS
     * will be obtained.
     *
     * Assert that we get the proper TGT and TGS tickets, and that they are
     * associated with the client subject.
     *
     * Assert that if we request a TGS for the same service again (based on the
     * original service name), we don't get a new one but the previous,
     * already in the subject credentials.
     */
    private static void testSubjectCredentials() throws Exception {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   147
        Subject clientSubject = new Subject();
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   148
        Context clientContext = Context.fromUserPass(clientSubject,
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   149
                clientKDC1Name, password, false);
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   150
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   151
        Set<Principal> clientPrincipals = clientSubject.getPrincipals();
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   152
        if (clientPrincipals.size() != 1) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   153
            throw new Exception("Only one client subject principal expected");
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   154
        }
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   155
        Principal clientPrincipal = clientPrincipals.iterator().next();
55258
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff changeset
   156
        if (DEBUG) {
57487
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   157
            System.out.println("Client subject principal: " +
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   158
                    clientPrincipal.getName());
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   159
        }
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   160
        if (!clientPrincipal.getName().equals(clientKDC1Name)) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   161
            throw new Exception("Unexpected client subject principal.");
55258
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff changeset
   162
        }
57487
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   163
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   164
        clientContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   165
        clientContext.take(new byte[0]);
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   166
        Set<KerberosTicket> clientTickets =
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   167
                clientSubject.getPrivateCredentials(KerberosTicket.class);
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   168
        boolean tgtFound = false;
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   169
        boolean tgsFound = false;
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   170
        for (KerberosTicket clientTicket : clientTickets) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   171
            String cname = clientTicket.getClient().getName();
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   172
            String sname = clientTicket.getServer().getName();
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   173
            if (cname.equals(clientKDC2Name)) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   174
                if (sname.equals(PrincipalName.TGS_DEFAULT_SRV_NAME +
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   175
                        PrincipalName.NAME_COMPONENT_SEPARATOR_STR +
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   176
                        realmKDC2 + PrincipalName.NAME_REALM_SEPARATOR_STR +
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   177
                        realmKDC2)) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   178
                    tgtFound = true;
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   179
                } else if (sname.equals(serviceKDC2Name)) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   180
                    tgsFound = true;
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   181
                }
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   182
            }
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   183
            if (DEBUG) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   184
                System.out.println("Client subject KerberosTicket:");
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   185
                System.out.println(clientTicket);
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   186
            }
55258
d65d3c37232c 8215032: Support Kerberos cross-realm referrals (RFC 6806)
mbalao
parents:
diff changeset
   187
        }
57487
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   188
        if (!tgtFound || !tgsFound) {
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   189
            throw new Exception("client subject tickets (TGT/TGS) not found.");
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   190
        }
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   191
        int numOfTickets = clientTickets.size();
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   192
        clientContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   193
        clientContext.take(new byte[0]);
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   194
        clientContext.status();
643978a35f6e 8227437: S4U2proxy cannot continue because server's TGT cannot be found
mbalao
parents: 55258
diff changeset
   195
        int newNumOfTickets =
                clientSubject.getPrivateCredentials(KerberosTicket.class).size();
        if (DEBUG) {
            System.out.println("client subject number of tickets: " +
                    numOfTickets);
            System.out.println("client subject new number of tickets: " +
                    newNumOfTickets);
        }
        if (numOfTickets != newNumOfTickets) {
            throw new Exception("Useless client subject TGS request because" +
                    " TGS was not found in private credentials.");
        }
    }
    /*
     * The server (http/server.dev.rabbit.hole@DEV.RABBIT.HOLE)
     * will authenticate to itself on behalf of the client
     * (test@DEV.RABBIT.HOLE). Cross-realm referrals will occur
     * when requesting different TGTs and TGSs (including the
     * request for delegated credentials).
     */
    private static void testDelegated() throws Exception {
        // First hop: the client principal and the service principal complete
        // an ordinary initiator/acceptor handshake.
        // NOTE(review): the boolean passed to fromUserPass differs between the
        // client (false) and the service (true); its meaning is defined by the
        // Context helper, which is not visible here -- confirm.
        Context client = Context.fromUserPass(clientKDC2Name,
                password, false);
        client.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
        Context firstAcceptor = Context.fromUserPass(serviceKDC2Name,
                password, true);
        firstAcceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
        Context.handshake(client, firstAcceptor);

        // Second hop: the acceptor of the first hop becomes the initiator,
        // using whatever credentials delegated() hands back, and targets the
        // same service name again. Mutual authentication is switched off on
        // this context before the handshake.
        Context delegated = firstAcceptor.delegated();
        delegated.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
        delegated.x().requestMutualAuth(false);
        Context secondAcceptor = Context.fromUserPass(serviceKDC2Name,
                password, true);
        secondAcceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);

        // Authentication: both ends of the second hop must report an
        // established context.
        Context.handshake(delegated, secondAcceptor);
        boolean bothEstablished = delegated.x().isEstablished()
                && secondAcceptor.x().isEstablished();
        if (!bothEstablished) {
            throw new Exception("Delegated authentication failed");
        }

        // Identities: the initiator of the second hop must be the original
        // client and the acceptor must be the service. Both names are read
        // from the initiator-side context only; the acceptor-side view of the
        // peer (secondAcceptor) is not compared here.
        GSSName initiator = delegated.x().getSrcName();
        GSSName acceptor = delegated.x().getTargName();
        if (DEBUG) {
            System.out.println("Context initiator: " + initiator);
            System.out.println("Context acceptor: " + acceptor);
        }
        boolean namesAsExpected = initiator.toString().equals(clientKDC2Name)
                && acceptor.toString().equals(serviceName);
        if (!namesAsExpected) {
            throw new Exception("Unexpected initiator or acceptor names");
        }
    }
}