jdk-sandbox: comparison test/jdk/sun/security/krb5/auto/ReferralsTest.java

equal deleted inserted replaced

-:347804d623fc
+:643978a35f6e
 * @run main/othervm/timeout=120 -Dsun.security.krb5.debug=true ReferralsTest
 * @summary Test Kerberos cross-realm referrals (RFC 6806)
 */
 import java.io.File;
-import sun.security.krb5.Credentials;
+import java.security.Principal;
-import sun.security.krb5.internal.CredentialsUtil;
+import java.util.Arrays;
-import sun.security.krb5.KrbAsReqBuilder;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.Subject;
+import org.ietf.jgss.GSSName;
+import sun.security.jgss.GSSUtil;
 import sun.security.krb5.PrincipalName;
 public class ReferralsTest {
 private static final boolean DEBUG = true;
 private static final String krbConfigName = "krb5-localkdc.conf";
 private static final String realmKDC1 = "RABBIT.HOLE";
 private static final String realmKDC2 = "DEV.RABBIT.HOLE";
 private static final char[] password = "123qwe@Z".toCharArray();
+// Names
 private static final String clientName = "test";
+private static final String serviceName = "http" +
+PrincipalName.NAME_COMPONENT_SEPARATOR_STR +
+"server.dev.rabbit.hole";
+// Alias
 private static final String clientAlias = clientName +
 PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC1;
-private static final String clientKDC1QueryName = clientAlias.replaceAll(
+// Names + realms
+private static final String clientKDC1Name = clientAlias.replaceAll(
 PrincipalName.NAME_REALM_SEPARATOR_STR, "\\\\" +
 PrincipalName.NAME_REALM_SEPARATOR_STR) +
 PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC1;
-private static PrincipalName clientKDC1QueryPrincipal = null;
-static {
-try {
-clientKDC1QueryPrincipal = new PrincipalName(
-clientKDC1QueryName, PrincipalName.KRB_NT_ENTERPRISE,
-null);
-} catch (Throwable t) {}
-}
 private static final String clientKDC2Name = clientName +
 PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC2;
+private static final String serviceKDC2Name = serviceName +
-private static final String serviceName = "http" +
+PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC2;
-PrincipalName.NAME_COMPONENT_SEPARATOR_STR +
-"server.dev.rabbit.hole";
-private static Credentials tgt;
-private static Credentials tgs;
 public static void main(String[] args) throws Exception {
 try {
 initializeKDCs();
-getTGT();
+testSubjectCredentials();
-getTGS();
+testDelegated();
 } finally {
 cleanup();
 }
 }
 kdc1.registerAlias(clientAlias, kdc2);
 kdc1.registerAlias(serviceName, kdc2);
 kdc2.registerAlias(clientAlias, clientKDC2Name);
+Map<String,List<String>> mapKDC2 = new HashMap<>();
+mapKDC2.put(serviceName + "@" + realmKDC2, Arrays.asList(
+new String[]{serviceName + "@" + realmKDC2}));
+kdc2.setOption(KDC.Option.ALLOW_S4U2PROXY, mapKDC2);
 KDC.saveConfig(krbConfigName, kdc1, kdc2,
 "forwardable=true");
 System.setProperty("java.security.krb5.conf", krbConfigName);
 }
 if (f.exists()) {
 f.delete();
 }
 }
-private static void getTGT() throws Exception {
+/*
-KrbAsReqBuilder builder = new KrbAsReqBuilder(clientKDC1QueryPrincipal,
+* The client subject (whose principal is
-password);
+* test@RABBIT.HOLE@RABBIT.HOLE) will obtain a TGT after
-tgt = builder.action().getCreds();
+* realm referral and name canonicalization (TGT cname
-builder.destroy();
+* will be test@DEV.RABBIT.HOLE). With this TGT, the client will request
+* a TGS for service http/server.dev.rabbit.hole@RABBIT.HOLE. After
+* realm referral, a http/server.dev.rabbit.hole@DEV.RABBIT.HOLE TGS
+* will be obtained.
+*
+* Assert that we get the proper TGT and TGS tickets, and that they are
+* associated to the client subject.
+*
+* Assert that if we request a TGS for the same service again (based on the
+* original service name), we don't get a new one but the previous,
+* already in the subject credentials.
+*/
+private static void testSubjectCredentials() throws Exception {
+Subject clientSubject = new Subject();
+Context clientContext = Context.fromUserPass(clientSubject,
+clientKDC1Name, password, false);
+Set<Principal> clientPrincipals = clientSubject.getPrincipals();
+if (clientPrincipals.size() != 1) {
+throw new Exception("Only one client subject principal expected");
+}
+Principal clientPrincipal = clientPrincipals.iterator().next();
 if (DEBUG) {
-System.out.println("TGT");
+System.out.println("Client subject principal: " +
-System.out.println("----------------------");
+clientPrincipal.getName());
-System.out.println(tgt);
+}
-System.out.println("----------------------");
+if (!clientPrincipal.getName().equals(clientKDC1Name)) {
-}
+throw new Exception("Unexpected client subject principal.");
-if (tgt == null) {
+}
-throw new Exception("TGT is null");
-}
+clientContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
-if (!tgt.getClient().getName().equals(clientKDC2Name)) {
+clientContext.take(new byte[0]);
-throw new Exception("Unexpected TGT client");
+Set<KerberosTicket> clientTickets =
-}
+clientSubject.getPrivateCredentials(KerberosTicket.class);
-String[] tgtServerNames = tgt.getServer().getNameStrings();
+boolean tgtFound = false;
-if (tgtServerNames.length != 2 || !tgtServerNames[0].equals(
+boolean tgsFound = false;
-PrincipalName.TGS_DEFAULT_SRV_NAME) ||
+for (KerberosTicket clientTicket : clientTickets) {
-!tgtServerNames[1].equals(realmKDC2) ||
+String cname = clientTicket.getClient().getName();
-!tgt.getServer().getRealmString().equals(realmKDC2)) {
+String sname = clientTicket.getServer().getName();
-throw new Exception("Unexpected TGT server");
+if (cname.equals(clientKDC2Name)) {
-}
+if (sname.equals(PrincipalName.TGS_DEFAULT_SRV_NAME +
-}
+PrincipalName.NAME_COMPONENT_SEPARATOR_STR +
+realmKDC2 + PrincipalName.NAME_REALM_SEPARATOR_STR +
-private static void getTGS() throws Exception {
+realmKDC2)) {
-tgs = CredentialsUtil.acquireServiceCreds(serviceName +
+tgtFound = true;
-PrincipalName.NAME_REALM_SEPARATOR_STR + realmKDC1, tgt);
+} else if (sname.equals(serviceKDC2Name)) {
+tgsFound = true;
+}
+}
+if (DEBUG) {
+System.out.println("Client subject KerberosTicket:");
+System.out.println(clientTicket);
+}
+}
+if (!tgtFound || !tgsFound) {
+throw new Exception("client subject tickets (TGT/TGS) not found.");
+}
+int numOfTickets = clientTickets.size();
+clientContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
+clientContext.take(new byte[0]);
+clientContext.status();
+int newNumOfTickets =
+clientSubject.getPrivateCredentials(KerberosTicket.class).size();
 if (DEBUG) {
-System.out.println("TGS");
+System.out.println("client subject number of tickets: " +
-System.out.println("----------------------");
+numOfTickets);
-System.out.println(tgs);
+System.out.println("client subject new number of tickets: " +
-System.out.println("----------------------");
+newNumOfTickets);
 }
-if (tgs == null) {
+if (numOfTickets != newNumOfTickets) {
-throw new Exception("TGS is null");
+throw new Exception("Useless client subject TGS request because" +
-}
+" TGS was not found in private credentials.");
-if (!tgs.getClient().getName().equals(clientKDC2Name)) {
+}
-throw new Exception("Unexpected TGS client");
+}
-}
-if (!tgs.getServer().getNameString().equals(serviceName) ||
+/*
-!tgs.getServer().getRealmString().equals(realmKDC2)) {
+* The server (http/server.dev.rabbit.hole@DEV.RABBIT.HOLE)
-throw new Exception("Unexpected TGS server");
+* will authenticate on itself on behalf of the client
+* (test@DEV.RABBIT.HOLE). Cross-realm referrals will occur
+* when requesting different TGTs and TGSs (including the
+* request for delegated credentials).
+*/
+private static void testDelegated() throws Exception {
+Context c = Context.fromUserPass(clientKDC2Name,
+password, false);
+c.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
+Context s = Context.fromUserPass(serviceKDC2Name,
+password, true);
+s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+Context.handshake(c, s);
+Context delegatedContext = s.delegated();
+delegatedContext.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
+delegatedContext.x().requestMutualAuth(false);
+Context s2 = Context.fromUserPass(serviceKDC2Name,
+password, true);
+s2.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+// Test authentication
+Context.handshake(delegatedContext, s2);
+if (!delegatedContext.x().isEstablished() || !s2.x().isEstablished()) {
+throw new Exception("Delegated authentication failed");
+}
+// Test identities
+GSSName contextInitiatorName = delegatedContext.x().getSrcName();
+GSSName contextAcceptorName = delegatedContext.x().getTargName();
+if (DEBUG) {
+System.out.println("Context initiator: " + contextInitiatorName);
+System.out.println("Context acceptor: " + contextAcceptorName);
+}
+if (!contextInitiatorName.toString().equals(clientKDC2Name) ||
+!contextAcceptorName.toString().equals(serviceName)) {
+throw new Exception("Unexpected initiator or acceptor names");
 }
 }
 }

changeset 57487	643978a35f6e
parent 55258	d65d3c37232c
child 58679	9c3209ff7550