1 /* |
1 /* |
2 * Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
51 extends KerberosTicket |
51 extends KerberosTicket |
52 implements Krb5CredElement { |
52 implements Krb5CredElement { |
53 |
53 |
54 private static final long serialVersionUID = 7723415700837898232L; |
54 private static final long serialVersionUID = 7723415700837898232L; |
55 |
55 |
|
56 @SuppressWarnings("serial") // Not statically typed as Serializable |
56 private Krb5NameElement name; |
57 private Krb5NameElement name; |
|
58 @SuppressWarnings("serial") // Not statically typed as Serializable |
57 private Credentials krb5Credentials; |
59 private Credentials krb5Credentials; |
|
60 public KerberosTicket proxyTicket; |
58 |
61 |
59 private Krb5InitCredential(Krb5NameElement name, |
62 private Krb5InitCredential(Krb5NameElement name, |
60 byte[] asn1Encoding, |
63 byte[] asn1Encoding, |
61 KerberosPrincipal client, |
64 KerberosPrincipal client, |
|
65 KerberosPrincipal clientAlias, |
62 KerberosPrincipal server, |
66 KerberosPrincipal server, |
|
67 KerberosPrincipal serverAlias, |
63 byte[] sessionKey, |
68 byte[] sessionKey, |
64 int keyType, |
69 int keyType, |
65 boolean[] flags, |
70 boolean[] flags, |
66 Date authTime, |
71 Date authTime, |
67 Date startTime, |
72 Date startTime, |
78 authTime, |
83 authTime, |
79 startTime, |
84 startTime, |
80 endTime, |
85 endTime, |
81 renewTill, |
86 renewTill, |
82 clientAddresses); |
87 clientAddresses); |
83 |
88 KerberosSecrets.getJavaxSecurityAuthKerberosAccess() |
|
89 .kerberosTicketSetClientAlias(this, clientAlias); |
|
90 KerberosSecrets.getJavaxSecurityAuthKerberosAccess() |
|
91 .kerberosTicketSetServerAlias(this, serverAlias); |
84 this.name = name; |
92 this.name = name; |
85 |
93 |
86 try { |
94 try { |
87 // Cache this for later use by the sun.security.krb5 package. |
95 // Cache this for later use by the sun.security.krb5 package. |
88 krb5Credentials = new Credentials(asn1Encoding, |
96 krb5Credentials = new Credentials(asn1Encoding, |
89 client.getName(), |
97 client.getName(), |
|
98 (clientAlias != null ? |
|
99 clientAlias.getName() : null), |
90 server.getName(), |
100 server.getName(), |
|
101 (serverAlias != null ? |
|
102 serverAlias.getName() : null), |
91 sessionKey, |
103 sessionKey, |
92 keyType, |
104 keyType, |
93 flags, |
105 flags, |
94 authTime, |
106 authTime, |
95 startTime, |
107 startTime, |
108 |
120 |
109 private Krb5InitCredential(Krb5NameElement name, |
121 private Krb5InitCredential(Krb5NameElement name, |
110 Credentials delegatedCred, |
122 Credentials delegatedCred, |
111 byte[] asn1Encoding, |
123 byte[] asn1Encoding, |
112 KerberosPrincipal client, |
124 KerberosPrincipal client, |
|
125 KerberosPrincipal clientAlias, |
113 KerberosPrincipal server, |
126 KerberosPrincipal server, |
|
127 KerberosPrincipal serverAlias, |
114 byte[] sessionKey, |
128 byte[] sessionKey, |
115 int keyType, |
129 int keyType, |
116 boolean[] flags, |
130 boolean[] flags, |
117 Date authTime, |
131 Date authTime, |
118 Date startTime, |
132 Date startTime, |
151 String fullName = tgt.getClient().getName(); |
168 String fullName = tgt.getClient().getName(); |
152 name = Krb5NameElement.getInstance(fullName, |
169 name = Krb5NameElement.getInstance(fullName, |
153 Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); |
170 Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); |
154 } |
171 } |
155 |
172 |
156 return new Krb5InitCredential(name, |
173 KerberosPrincipal clientAlias = KerberosSecrets |
|
174 .getJavaxSecurityAuthKerberosAccess() |
|
175 .kerberosTicketGetClientAlias(tgt); |
|
176 KerberosPrincipal serverAlias = KerberosSecrets |
|
177 .getJavaxSecurityAuthKerberosAccess() |
|
178 .kerberosTicketGetServerAlias(tgt); |
|
179 Krb5InitCredential result = new Krb5InitCredential(name, |
157 tgt.getEncoded(), |
180 tgt.getEncoded(), |
158 tgt.getClient(), |
181 tgt.getClient(), |
|
182 clientAlias, |
159 tgt.getServer(), |
183 tgt.getServer(), |
|
184 serverAlias, |
160 tgt.getSessionKey().getEncoded(), |
185 tgt.getSessionKey().getEncoded(), |
161 tgt.getSessionKeyType(), |
186 tgt.getSessionKeyType(), |
162 tgt.getFlags(), |
187 tgt.getFlags(), |
163 tgt.getAuthTime(), |
188 tgt.getAuthTime(), |
164 tgt.getStartTime(), |
189 tgt.getStartTime(), |
165 tgt.getEndTime(), |
190 tgt.getEndTime(), |
166 tgt.getRenewTill(), |
191 tgt.getRenewTill(), |
167 tgt.getClientAddresses()); |
192 tgt.getClientAddresses()); |
|
193 result.proxyTicket = KerberosSecrets.getJavaxSecurityAuthKerberosAccess(). |
|
194 kerberosTicketGetProxy(tgt); |
|
195 return result; |
168 } |
196 } |
169 |
197 |
170 static Krb5InitCredential getInstance(Krb5NameElement name, |
198 static Krb5InitCredential getInstance(Krb5NameElement name, |
171 Credentials delegatedCred) |
199 Credentials delegatedCred) |
172 throws GSSException { |
200 throws GSSException { |
177 * all of the following data is optional in a KRB-CRED |
205 * all of the following data is optional in a KRB-CRED |
178 * messages. This check for each field. |
206 * messages. This check for each field. |
179 */ |
207 */ |
180 |
208 |
181 PrincipalName cPrinc = delegatedCred.getClient(); |
209 PrincipalName cPrinc = delegatedCred.getClient(); |
|
210 PrincipalName cAPrinc = delegatedCred.getClientAlias(); |
182 PrincipalName sPrinc = delegatedCred.getServer(); |
211 PrincipalName sPrinc = delegatedCred.getServer(); |
|
212 PrincipalName sAPrinc = delegatedCred.getServerAlias(); |
183 |
213 |
184 KerberosPrincipal client = null; |
214 KerberosPrincipal client = null; |
|
215 KerberosPrincipal clientAlias = null; |
185 KerberosPrincipal server = null; |
216 KerberosPrincipal server = null; |
|
217 KerberosPrincipal serverAlias = null; |
186 |
218 |
187 Krb5NameElement credName = null; |
219 Krb5NameElement credName = null; |
188 |
220 |
189 if (cPrinc != null) { |
221 if (cPrinc != null) { |
190 String fullName = cPrinc.getName(); |
222 String fullName = cPrinc.getName(); |
191 credName = Krb5NameElement.getInstance(fullName, |
223 credName = Krb5NameElement.getInstance(fullName, |
192 Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); |
224 Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL); |
193 client = new KerberosPrincipal(fullName); |
225 client = new KerberosPrincipal(fullName); |
194 } |
226 } |
195 |
227 |
|
228 if (cAPrinc != null) { |
|
229 clientAlias = new KerberosPrincipal(cAPrinc.getName()); |
|
230 } |
|
231 |
196 // XXX Compare name to credName |
232 // XXX Compare name to credName |
197 |
233 |
198 if (sPrinc != null) { |
234 if (sPrinc != null) { |
199 server = |
235 server = |
200 new KerberosPrincipal(sPrinc.getName(), |
236 new KerberosPrincipal(sPrinc.getName(), |
201 KerberosPrincipal.KRB_NT_SRV_INST); |
237 KerberosPrincipal.KRB_NT_SRV_INST); |
202 } |
238 } |
203 |
239 |
|
240 if (sAPrinc != null) { |
|
241 serverAlias = new KerberosPrincipal(sAPrinc.getName()); |
|
242 } |
|
243 |
204 return new Krb5InitCredential(credName, |
244 return new Krb5InitCredential(credName, |
205 delegatedCred, |
245 delegatedCred, |
206 delegatedCred.getEncoded(), |
246 delegatedCred.getEncoded(), |
207 client, |
247 client, |
|
248 clientAlias, |
208 server, |
249 server, |
|
250 serverAlias, |
209 sessionKey.getBytes(), |
251 sessionKey.getBytes(), |
210 sessionKey.getEType(), |
252 sessionKey.getEType(), |
211 delegatedCred.getFlags(), |
253 delegatedCred.getFlags(), |
212 delegatedCred.getAuthTime(), |
254 delegatedCred.getAuthTime(), |
213 delegatedCred.getStartTime(), |
255 delegatedCred.getStartTime(), |
331 return AccessController.doPrivileged( |
373 return AccessController.doPrivileged( |
332 new PrivilegedExceptionAction<KerberosTicket>() { |
374 new PrivilegedExceptionAction<KerberosTicket>() { |
333 public KerberosTicket run() throws Exception { |
375 public KerberosTicket run() throws Exception { |
334 // It's OK to use null as serverPrincipal. TGT is almost |
376 // It's OK to use null as serverPrincipal. TGT is almost |
335 // the first ticket for a principal and we use list. |
377 // the first ticket for a principal and we use list. |
336 return Krb5Util.getTicket( |
378 return Krb5Util.getInitialTicket( |
337 realCaller, |
379 realCaller, |
338 clientPrincipal, null, acc); |
380 clientPrincipal, acc); |
339 }}); |
381 }}); |
340 } catch (PrivilegedActionException e) { |
382 } catch (PrivilegedActionException e) { |
341 GSSException ge = |
383 GSSException ge = |
342 new GSSException(GSSException.NO_CRED, -1, |
384 new GSSException(GSSException.NO_CRED, -1, |
343 "Attempt to obtain new INITIATE credentials failed!" + |
385 "Attempt to obtain new INITIATE credentials failed!" + |