|
1 /* |
|
2 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. |
|
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
|
4 * |
|
5 * This code is free software; you can redistribute it and/or modify it |
|
6 * under the terms of the GNU General Public License version 2 only, as |
|
7 * published by the Free Software Foundation. |
|
8 * |
|
9 * This code is distributed in the hope that it will be useful, but WITHOUT |
|
10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
12 * version 2 for more details (a copy is included in the LICENSE file that |
|
13 * accompanied this code). |
|
14 * |
|
15 * You should have received a copy of the GNU General Public License version |
|
16 * 2 along with this work; if not, write to the Free Software Foundation, |
|
17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
18 * |
|
19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
20 * or visit www.oracle.com if you need additional information or have any |
|
21 * questions. |
|
22 */ |
|
23 |
|
24 import java.nio.file.Files; |
|
25 import java.nio.file.Paths; |
|
26 import java.time.Instant; |
|
27 import java.util.Arrays; |
|
28 import java.util.HashMap; |
|
29 import java.util.Map; |
|
30 import java.util.Set; |
|
31 import javax.security.auth.RefreshFailedException; |
|
32 import javax.security.auth.Subject; |
|
33 import javax.security.auth.kerberos.KerberosTicket; |
|
34 import javax.security.auth.login.LoginContext; |
|
35 |
|
36 /* |
|
37 * @test |
|
38 * @bug 6857795 8075299 |
|
39 * @summary Checks Kerberos ticket properties |
|
40 * @run main/othervm KrbTicket |
|
41 */ |
|
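public class KrbTicket {

    private static final String REALM = "TEST.REALM";
    private static final String HOST = "localhost";
    private static final String USER = "TESTER";
    private static final String USER_PRINCIPAL = USER + "@" + REALM;
    private static final String PASSWORD = "password";
    private static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
    private static final String KRB5_CONF_FILENAME = "krb5.conf";
    private static final String JAAS_CONF = "jaas.conf";
    // Minimum ticket lifetime the test expects, in milliseconds.
    private static final long TICKET_LIFETIME = 5 * 60 * 1000; // 5 mins

    /**
     * Starts a local KDC, performs a JAAS login through {@code Krb5LoginModule}
     * and checks the properties of the resulting {@link KerberosTicket}:
     * the forwardable/proxiable flags requested in krb5.conf, that the ticket is
     * current and not renewable, that {@link KerberosTicket#refresh()} fails for
     * a non-renewable ticket, the minimum lifetime, and that the ticket can be
     * destroyed.
     *
     * @param args ignored
     * @throws Exception if the KDC cannot be started, the JAAS config cannot be
     *         written, or the login fails; a {@link RuntimeException} is thrown
     *         for any failed check
     */
    public static void main(String[] args) throws Exception {
        // define principals: the user has a password, the TGS principal gets
        // a KDC-generated key
        Map<String, String> principals = new HashMap<>();
        principals.put(USER_PRINCIPAL, PASSWORD);
        principals.put(KRBTGT_PRINCIPAL, null);

        System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);

        // start a local KDC instance and write a krb5.conf pointing at it;
        // the libdefaults below are what the flag checks further down rely on
        KDC kdc = KDC.startKDC(HOST, null, REALM, principals, null, null);
        KDC.saveConfig(KRB5_CONF_FILENAME, kdc,
                "forwardable = true", "proxiable = true");

        // create JAAS config
        Files.write(Paths.get(JAAS_CONF), Arrays.asList(
                "Client {",
                "    com.sun.security.auth.module.Krb5LoginModule required;",
                "};"
        ));
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // whole seconds only, so this is at most one second earlier than the
        // real start; checkTime() tolerates that by using >=
        long startTime = Instant.now().getEpochSecond() * 1000;

        LoginContext lc = new LoginContext("Client",
                new Helper.UserPasswordHandler(USER, PASSWORD));
        lc.login();

        Subject subject = lc.getSubject();
        System.out.println("subject: " + subject);

        // typed view: getPrivateCredentials(Class) only returns instances of
        // KerberosTicket, so no instanceof/cast is needed below
        Set<KerberosTicket> creds = subject.getPrivateCredentials(
                KerberosTicket.class);

        // fail with a clear diagnostic instead of NoSuchElementException
        // if the login produced no ticket at all
        if (creds.isEmpty()) {
            throw new RuntimeException("No KerberosTicket found in subject");
        }
        if (creds.size() > 1) {
            throw new RuntimeException("Multiple credintials found");
        }

        KerberosTicket krbTkt = creds.iterator().next();

        System.out.println("forwardable = " + krbTkt.isForwardable());
        System.out.println("proxiable = " + krbTkt.isProxiable());
        System.out.println("renewable = " + krbTkt.isRenewable());
        System.out.println("current = " + krbTkt.isCurrent());

        if (!krbTkt.isForwardable()) {
            throw new RuntimeException("Forwardable ticket expected");
        }

        if (!krbTkt.isProxiable()) {
            throw new RuntimeException("Proxiable ticket expected");
        }

        if (!krbTkt.isCurrent()) {
            throw new RuntimeException("Ticket is not current");
        }

        if (krbTkt.isRenewable()) {
            throw new RuntimeException("Not renewable ticket expected");
        }

        // a non-renewable ticket must not be refreshable
        try {
            krbTkt.refresh();
            throw new RuntimeException(
                    "Expected RefreshFailedException not thrown");
        } catch (RefreshFailedException e) {
            System.out.println("Expected exception: " + e);
        }

        if (!checkTime(krbTkt, startTime)) {
            throw new RuntimeException("Wrong ticket life time");
        }

        krbTkt.destroy();
        if (!krbTkt.isDestroyed()) {
            throw new RuntimeException("Ticket not destroyed");
        }

        System.out.println("Test passed");
    }

    /**
     * Checks that the ticket lives at least {@link #TICKET_LIFETIME} from
     * {@code startTime}.
     *
     * @param krbTkt    the ticket to inspect
     * @param startTime test start, epoch milliseconds (truncated to whole
     *                  seconds by the caller)
     * @return {@code true} if the ticket's end time minus {@code startTime}
     *         is at least {@link #TICKET_LIFETIME}
     */
    private static boolean checkTime(KerberosTicket krbTkt, long startTime) {
        long ticketEndTime = krbTkt.getEndTime().getTime();
        long roughLifeTime = ticketEndTime - startTime;
        System.out.println("start time = " + startTime);
        System.out.println("end time = " + ticketEndTime);
        System.out.println("rough life time = " + roughLifeTime);
        return roughLifeTime >= TICKET_LIFETIME;
    }
}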