jdk-sandbox: comparison jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java

equal deleted inserted replaced

-:c59964385a5f
+:f3115698a012
 /*
-* Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 // the authentication status
 private boolean succeeded = false;
 private boolean commitSucceeded = false;
 private String username;
+// Encryption keys calculated from password. Assigned when storekey == true
+// and useKeyTab == false (or true but not found)
 private EncryptionKey[] encKeys = null;
+KeyTab ktab = null;
 private Credentials cred = null;
 private PrincipalName principal = null;
 private KerberosPrincipal kerbClientPrinc = null;
 private KerberosTicket kerbTicket = null;
 promptForName(getPasswdFromSharedState);
 principal = new PrincipalName
 (krb5PrincName.toString(),
 PrincipalName.KRB_NT_PRINCIPAL);
 }
+/*
+* Before dynamic KeyTab support (6894072), here we check if
+* the keytab contains keys for the principal. If no, keytab
+* will not be used and password is prompted for.
+*
+* After 6894072, we normally don't check it, and expect the
+* keys can be populated until a real connection is made. The
+* check is still done when isInitiator == true, where the keys
+* will be used right now.
+*
+* Probably tricky relations:
+*
+* useKeyTab is config flag, but when it's true but the ktab
+* does not contains keys for principal, we would use password
+* and keep the flag unchanged (for reuse?). In this method,
+* we use (ktab != null) to check whether keytab is used.
+* After this method (and when storeKey == true), we use
+* (encKeys == null) to check.
+*/
 if (useKeyTab) {
-encKeys =
+ktab = (keyTabName == null)
-EncryptionKey.acquireSecretKeys(principal, keyTabName);
+? KeyTab.getInstance()
+: KeyTab.getInstance(new File(keyTabName));
-if (debug) {
+if (isInitiator) {
-if (encKeys != null)
+if (Krb5Util.keysFromJavaxKeyTab(ktab, principal).length
-System.out.println
+== 0) {
-("principal's key obtained from the keytab");
+ktab = null;
-else
+if (debug) {
 System.out.println
 ("Key for the principal " +
 principal  +
 " not available in " +
 ((keyTabName == null) ?
 "default key tab" : keyTabName));
+}
+}
 }
 }
 KrbAsReqBuilder builder;
-// We can't get the key from the keytab so prompt
-if (encKeys == null) {
+if (ktab == null) {
 promptForPass(getPasswdFromSharedState);
 builder = new KrbAsReqBuilder(principal, password);
 if (isInitiator) {
 // XXX Even if isInitiator=false, it might be
 // better to do an AS-REQ so that keys can be
 // updated with PA info
 cred = builder.action().getCreds();
 }
-encKeys = builder.getKeys();
+if (storeKey) {
+encKeys = builder.getKeys();
+// When encKeys is empty, the login actually fails.
+// For compatibility, exception is thrown in commit().
+}
 } else {
-builder = new KrbAsReqBuilder(principal, encKeys);
+builder = new KrbAsReqBuilder(principal, ktab);
 if (isInitiator) {
 cred = builder.action().getCreds();
 }
 }
 builder.destroy();
 if (debug) {
 System.out.println("principal is " + principal);
 HexDumpEncoder hd = new HexDumpEncoder();
-for (int i = 0; i < encKeys.length; i++) {
+if (ktab != null) {
-System.out.println("EncryptionKey: keyType=" +
+System.out.println("Will use keytab");
-encKeys[i].getEType() + " keyBytes (hex dump)=" +
+} else if (storeKey) {
-hd.encodeBuffer(encKeys[i].getBytes()));
+for (int i = 0; i < encKeys.length; i++) {
+System.out.println("EncryptionKey: keyType=" +
+encKeys[i].getEType() +
+" keyBytes (hex dump)=" +
+hd.encodeBuffer(encKeys[i].getBytes()));
+}
 }
 }
 // we should hava a non-null cred
 if (isInitiator && (cred == null)) {
 // create Kerberos Ticket
 if (isInitiator) {
 kerbTicket = Krb5Util.credsToTicket(cred);
 }
-if (storeKey) {
+if (storeKey && encKeys != null) {
-if (encKeys == null || encKeys.length <= 0) {
+if (encKeys.length == 0) {
 succeeded = false;
 throw new LoginException("Null Server Key ");
 }
 kerbKeys = new KerberosKey[encKeys.length];
 (temp == null?
 0: temp.intValue()));
 }
 }
-// Let us add the kerbClientPrinc,kerbTicket and kerbKey (if
+// Let us add the kerbClientPrinc,kerbTicket and KeyTab/KerbKey (if
 // storeKey is true)
-if (!princSet.contains(kerbClientPrinc))
+if (!princSet.contains(kerbClientPrinc)) {
 princSet.add(kerbClientPrinc);
+}
 // add the TGT
 if (kerbTicket != null) {
 if (!privCredSet.contains(kerbTicket))
 privCredSet.add(kerbTicket);
 }
 if (storeKey) {
-for (int i = 0; i < kerbKeys.length; i++) {
+if (encKeys == null) {
-if (!privCredSet.contains(kerbKeys[i])) {
+if (!privCredSet.contains(ktab)) {
-privCredSet.add(kerbKeys[i]);
+privCredSet.add(ktab);
+// Compatibility; also add keys to privCredSet
+for (KerberosKey key: ktab.getKeys(kerbClientPrinc)) {
+privCredSet.add(new Krb5Util.KeysFromKeyTab(key));
+}
 }
-encKeys[i].destroy();
+} else {
-encKeys[i] = null;
+for (int i = 0; i < kerbKeys.length; i ++) {
-if (debug) {
+if (!privCredSet.contains(kerbKeys[i])) {
-System.out.println("Added server's key"
+privCredSet.add(kerbKeys[i]);
-+ kerbKeys[i]);
+}
-System.out.println("\t\t[Krb5LoginModule] " +
+encKeys[i].destroy();
-"added Krb5Principal  " +
+encKeys[i] = null;
-kerbClientPrinc.toString()
+if (debug) {
-+ " to Subject");
+System.out.println("Added server's key"
++ kerbKeys[i]);
+System.out.println("\t\t[Krb5LoginModule] " +
+"added Krb5Principal  " +
+kerbClientPrinc.toString()
++ " to Subject");
+}
 }
 }
 }
 }
 commitSucceeded = true;
 // Let us remove all Kerberos credentials stored in the Subject
 Iterator<Object> it = subject.getPrivateCredentials().iterator();
 while (it.hasNext()) {
 Object o = it.next();
 if (o instanceof KerberosTicket ||
-o instanceof KerberosKey) {
+o instanceof KerberosKey ||
+o instanceof KeyTab) {
 it.remove();
 }
 }
 // clean the kerberos ticket and keys
 cleanKerberosCred();
 sharedState.put(PWD, password);
 }
 } else {
 // remove temp results for the next try
 encKeys = null;
+ktab = null;
 principal = null;
 }
 username = null;
 password = null;
 if (krb5PrincName != null && krb5PrincName.length() != 0)

changeset 9499	f3115698a012
parent 7183	d8ccc1c73358
child 10336	0bb1999251f8