author | darcy |
Wed, 09 Oct 2019 10:17:50 -0700 | |
changeset 58520 | e036ee8bae56 |
parent 57956 | e0b8b019d2f5 |
child 58679 | 9c3209ff7550 |
child 59207 | 7a3218ad8e7c |
permissions | -rw-r--r-- |
2 | 1 |
/* |
57956
e0b8b019d2f5
8229997: Apply java.io.Serial annotations in java.base
darcy
parents:
47216
diff
changeset
|
2 |
* Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.net.www.protocol.http; |
|
27 |
||
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
28 |
import java.net.URL; |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
29 |
import java.io.IOException; |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
30 |
import java.net.Authenticator.RequestorType; |
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
31 |
import java.util.Base64; |
2 | 32 |
import java.util.HashMap; |
33 |
import sun.net.www.HeaderParser; |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
34 |
import sun.util.logging.PlatformLogger; |
3859
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
35 |
import static sun.net.www.protocol.http.AuthScheme.NEGOTIATE; |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
36 |
import static sun.net.www.protocol.http.AuthScheme.KERBEROS; |
44755 | 37 |
import sun.security.action.GetPropertyAction; |
2 | 38 |
|
39 |
/** |
|
40 |
* NegotiateAuthentication: |
|
41 |
* |
|
42 |
* @author weijun.wang@sun.com |
|
43 |
* @since 1.6 |
|
44 |
*/ |
|
45 |
||
46 |
class NegotiateAuthentication extends AuthenticationInfo { |
|
47 |
||
57956
e0b8b019d2f5
8229997: Apply java.io.Serial annotations in java.base
darcy
parents:
47216
diff
changeset
|
48 |
@java.io.Serial |
2 | 49 |
private static final long serialVersionUID = 100L; |
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
50 |
private static final PlatformLogger logger = HttpURLConnection.getHttpLogger(); |
2 | 51 |
|
58520
e036ee8bae56
8231202: Suppress warnings on non-serializable non-transient instance fields in serializable classes
darcy
parents:
57956
diff
changeset
|
52 |
@SuppressWarnings("serial") // Not statically typed as Serializable |
32649
2ee9017c7597
8136583: Core libraries should use blessed modifier order
martin
parents:
32227
diff
changeset
|
53 |
private final HttpCallerInfo hci; |
2 | 54 |
|
55 |
// These maps are used to manage the GSS availability for diffrent |
|
56 |
// hosts. The key for both maps is the host name. |
|
57 |
// <code>supported</code> is set when isSupported is checked, |
|
58 |
// if it's true, a cached Negotiator is put into <code>cache</code>. |
|
59 |
// the cache can be used only once, so after the first use, it's cleaned. |
|
60 |
static HashMap <String, Boolean> supported = null; |
|
44755 | 61 |
static ThreadLocal <HashMap <String, Negotiator>> cache = null; |
62 |
/* Whether cache is enabled for Negotiate/Kerberos */ |
|
63 |
private static final boolean cacheSPNEGO; |
|
64 |
static { |
|
65 |
String spnegoCacheProp = |
|
66 |
GetPropertyAction.privilegedGetProperty("jdk.spnego.cache", "true"); |
|
67 |
cacheSPNEGO = Boolean.parseBoolean(spnegoCacheProp); |
|
68 |
} |
|
2 | 69 |
|
70 |
// The HTTP Negotiate Helper |
|
58520
e036ee8bae56
8231202: Suppress warnings on non-serializable non-transient instance fields in serializable classes
darcy
parents:
57956
diff
changeset
|
71 |
@SuppressWarnings("serial") // Not statically typed as Serializable |
2 | 72 |
private Negotiator negotiator = null; |
73 |
||
74 |
/** |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
75 |
* Constructor used for both WWW and proxy entries. |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
76 |
* @param hci a schemed object. |
2 | 77 |
*/ |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
78 |
public NegotiateAuthentication(HttpCallerInfo hci) { |
3859
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
79 |
super(RequestorType.PROXY==hci.authType ? PROXY_AUTHENTICATION : SERVER_AUTHENTICATION, |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
80 |
hci.scheme.equalsIgnoreCase("Negotiate") ? NEGOTIATE : KERBEROS, |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
81 |
hci.url, |
42351
85ed90be0ae1
8169495: Add a method to set an Authenticator on a HttpURLConnection.
dfuchs
parents:
32649
diff
changeset
|
82 |
"", |
85ed90be0ae1
8169495: Add a method to set an Authenticator on a HttpURLConnection.
dfuchs
parents:
32649
diff
changeset
|
83 |
AuthenticatorKeys.getKey(hci.authenticator)); |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
84 |
this.hci = hci; |
2 | 85 |
} |
86 |
||
87 |
/** |
|
88 |
* @return true if this authentication supports preemptive authorization |
|
89 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
90 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
91 |
public boolean supportsPreemptiveAuthorization() { |
2 | 92 |
return false; |
93 |
} |
|
94 |
||
95 |
/** |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
96 |
* Find out if the HttpCallerInfo supports Negotiate protocol. |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
97 |
* @return true if supported |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
98 |
*/ |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
99 |
public static boolean isSupported(HttpCallerInfo hci) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
100 |
ClassLoader loader = null; |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
101 |
try { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
102 |
loader = Thread.currentThread().getContextClassLoader(); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
103 |
} catch (SecurityException se) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
104 |
if (logger.isLoggable(PlatformLogger.Level.FINER)) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
105 |
logger.finer("NegotiateAuthentication: " + |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
106 |
"Attempt to get the context class loader failed - " + se); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
107 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
108 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
109 |
|
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
110 |
if (loader != null) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
111 |
// Lock on the class loader instance to avoid the deadlock engaging |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
112 |
// the lock in "ClassLoader.loadClass(String, boolean)" method. |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
113 |
synchronized (loader) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
114 |
return isSupportedImpl(hci); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
115 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
116 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
117 |
return isSupportedImpl(hci); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
118 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
119 |
|
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
120 |
/** |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
121 |
* Find out if the HttpCallerInfo supports Negotiate protocol. In order to |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
122 |
* find out yes or no, an initialization of a Negotiator object against it |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
123 |
* is tried. The generated object will be cached under the name of ths |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
124 |
* hostname at a success try.<br> |
2 | 125 |
* |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
126 |
* If this method is called for the second time on an HttpCallerInfo with |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
127 |
* the same hostname, the answer is retrieved from cache. |
2 | 128 |
* |
129 |
* @return true if supported |
|
130 |
*/ |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
131 |
private static synchronized boolean isSupportedImpl(HttpCallerInfo hci) { |
2 | 132 |
if (supported == null) { |
44755 | 133 |
supported = new HashMap<>(); |
2 | 134 |
} |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
135 |
String hostname = hci.host; |
2 | 136 |
hostname = hostname.toLowerCase(); |
137 |
if (supported.containsKey(hostname)) { |
|
138 |
return supported.get(hostname); |
|
139 |
} |
|
140 |
||
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
141 |
Negotiator neg = Negotiator.getNegotiator(hci); |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
142 |
if (neg != null) { |
2 | 143 |
supported.put(hostname, true); |
144 |
// the only place cache.put is called. here we can make sure |
|
145 |
// the object is valid and the oneToken inside is not null |
|
44755 | 146 |
if (cache == null) { |
147 |
cache = new ThreadLocal<>() { |
|
148 |
@Override |
|
149 |
protected HashMap<String, Negotiator> initialValue() { |
|
150 |
return new HashMap<>(); |
|
151 |
} |
|
152 |
}; |
|
153 |
} |
|
154 |
cache.get().put(hostname, neg); |
|
2 | 155 |
return true; |
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
156 |
} else { |
2 | 157 |
supported.put(hostname, false); |
158 |
return false; |
|
159 |
} |
|
160 |
} |
|
161 |
||
44755 | 162 |
private static synchronized HashMap<String, Negotiator> getCache() { |
163 |
if (cache == null) return null; |
|
164 |
return cache.get(); |
|
165 |
} |
|
166 |
||
167 |
@Override |
|
168 |
protected boolean useAuthCache() { |
|
169 |
return super.useAuthCache() && cacheSPNEGO; |
|
170 |
} |
|
171 |
||
2 | 172 |
/** |
173 |
* Not supported. Must use the setHeaders() method |
|
174 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
175 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
176 |
public String getHeaderValue(URL url, String method) { |
2 | 177 |
throw new RuntimeException ("getHeaderValue not supported"); |
178 |
} |
|
179 |
||
180 |
/** |
|
181 |
* Check if the header indicates that the current auth. parameters are stale. |
|
182 |
* If so, then replace the relevant field with the new value |
|
183 |
* and return true. Otherwise return false. |
|
184 |
* returning true means the request can be retried with the same userid/password |
|
185 |
* returning false means we have to go back to the user to ask for a new |
|
186 |
* username password. |
|
187 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
188 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
189 |
public boolean isAuthorizationStale (String header) { |
2 | 190 |
return false; /* should not be called for Negotiate */ |
191 |
} |
|
192 |
||
193 |
/** |
|
194 |
* Set header(s) on the given connection. |
|
195 |
* @param conn The connection to apply the header(s) to |
|
196 |
* @param p A source of header values for this connection, not used because |
|
197 |
* HeaderParser converts the fields to lower case, use raw instead |
|
198 |
* @param raw The raw header field. |
|
199 |
* @return true if all goes well, false if no headers were set. |
|
200 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
201 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
202 |
public synchronized boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) { |
2 | 203 |
|
204 |
try { |
|
205 |
String response; |
|
206 |
byte[] incoming = null; |
|
207 |
String[] parts = raw.split("\\s+"); |
|
208 |
if (parts.length > 1) { |
|
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
209 |
incoming = Base64.getDecoder().decode(parts[1]); |
2 | 210 |
} |
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
211 |
response = hci.scheme + " " + Base64.getEncoder().encodeToString( |
2 | 212 |
incoming==null?firstToken():nextToken(incoming)); |
213 |
||
214 |
conn.setAuthenticationProperty(getHeaderName(), response); |
|
215 |
return true; |
|
216 |
} catch (IOException e) { |
|
217 |
return false; |
|
218 |
} |
|
219 |
} |
|
220 |
||
221 |
/** |
|
222 |
* return the first token. |
|
32227
34721a47bc92
8132478: [tidy] three new warnings from java docs (java.net, javax.annotation)
avstepan
parents:
25859
diff
changeset
|
223 |
* @return the token |
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
224 |
* @throws IOException if <code>Negotiator.getNegotiator()</code> or |
2 | 225 |
* <code>Negotiator.firstToken()</code> failed. |
226 |
*/ |
|
227 |
private byte[] firstToken() throws IOException { |
|
228 |
negotiator = null; |
|
44755 | 229 |
HashMap <String, Negotiator> cachedMap = getCache(); |
230 |
if (cachedMap != null) { |
|
231 |
negotiator = cachedMap.get(getHost()); |
|
232 |
if (negotiator != null) { |
|
233 |
cachedMap.remove(getHost()); // so that it is only used once |
|
2 | 234 |
} |
235 |
} |
|
236 |
if (negotiator == null) { |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
237 |
negotiator = Negotiator.getNegotiator(hci); |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
238 |
if (negotiator == null) { |
2 | 239 |
IOException ioe = new IOException("Cannot initialize Negotiator"); |
240 |
throw ioe; |
|
241 |
} |
|
242 |
} |
|
243 |
||
244 |
return negotiator.firstToken(); |
|
245 |
} |
|
246 |
||
247 |
/** |
|
248 |
* return more tokens |
|
249 |
* @param token the token to be fed into <code>negotiator.nextToken()</code> |
|
32227
34721a47bc92
8132478: [tidy] three new warnings from java docs (java.net, javax.annotation)
avstepan
parents:
25859
diff
changeset
|
250 |
* @return the token |
2 | 251 |
* @throws IOException if <code>negotiator.nextToken()</code> throws Exception. |
252 |
* May happen if the input token is invalid. |
|
253 |
*/ |
|
254 |
private byte[] nextToken(byte[] token) throws IOException { |
|
255 |
return negotiator.nextToken(token); |
|
256 |
} |
|
257 |
||
258 |
// MS will send a final WWW-Authenticate even if the status is already |
|
259 |
// 200 OK. The token can be fed into initSecContext() again to determine |
|
260 |
// if the server can be trusted. This is not the same concept as Digest's |
|
261 |
// Authentication-Info header. |
|
262 |
// |
|
263 |
// Currently we ignore this header. |
|
264 |
||
265 |
} |