Mercurial Mercurial > jdk-sandbox / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
jdk/test/sun/security/krb5/auto/SSL.java
changeset 17189 9f2ae085280b
parent 14342 8435a30053c1
child 20499 4aa3d51ec41b 
--- a/jdk/test/sun/security/krb5/auto/SSL.java	Fri Apr 26 16:09:53 2013 -0700
+++ b/jdk/test/sun/security/krb5/auto/SSL.java	Sat Apr 27 18:25:16 2013 +0800
@@ -23,10 +23,11 @@
 
 /*
  * @test
- * @bug 6894643 6913636
+ * @bug 6894643 6913636 8005523
  * @summary Test JSSE Kerberos ciphersuite
+
  * @run main/othervm SSL TLS_KRB5_WITH_RC4_128_SHA
- * @run main/othervm SSL TLS_KRB5_WITH_RC4_128_MD5
+ * @run main/othervm SSL TLS_KRB5_WITH_RC4_128_SHA unbound
  * @run main/othervm SSL TLS_KRB5_WITH_3DES_EDE_CBC_SHA
  * @run main/othervm SSL TLS_KRB5_WITH_3DES_EDE_CBC_MD5
  * @run main/othervm SSL TLS_KRB5_WITH_DES_CBC_SHA
@@ -38,14 +39,17 @@
  */
 import java.io.*;
 import java.net.InetAddress;
+import java.security.AccessControlException;
+import java.security.Permission;
 import javax.net.ssl.*;
 import java.security.Principal;
 import java.util.Date;
+import javax.security.auth.kerberos.ServicePermission;
 import sun.security.jgss.GSSUtil;
 import sun.security.krb5.PrincipalName;
 import sun.security.krb5.internal.ktab.KeyTab;
 
-public class SSL {
+public class SSL extends SecurityManager {
 
     private static String krb5Cipher;
     private static final int LOOP_LIMIT = 3;
@@ -53,13 +57,32 @@
     private static volatile String server;
     private static volatile int port;
 
+    private static String permChecks = "";
+
     // 0-Not started, 1-Start OK, 2-Failure
     private static volatile int serverState = 0;
 
+    @Override
+    public void checkPermission(Permission perm, Object context) {
+        checkPermission(perm);
+    }
+
+    public void checkPermission(Permission perm) {
+        if (!(perm instanceof ServicePermission)) {
+            return;
+        }
+        ServicePermission p = (ServicePermission)perm;
+        permChecks = permChecks + p.getActions().toUpperCase().charAt(0);
+    }
+
     public static void main(String[] args) throws Exception {
 
         krb5Cipher = args[0];
 
+        boolean unbound = args.length > 1;
+
+        System.setSecurityManager(new SSL());
+
         KDC kdc = KDC.create(OneKDC.REALM);
         // Run this after KDC, so our own DNS service can be started
         try {
@@ -85,6 +108,7 @@
         // and use the middle one as the real key
         kdc.addPrincipal("host/" + server, "pass2".toCharArray());
 
+
         // JAAS config entry name ssl
         System.setProperty("java.security.auth.login.config", OneKDC.JAAS_CONF);
         File f = new File(OneKDC.JAAS_CONF);
@@ -92,7 +116,9 @@
         fos.write((
                 "ssl {\n" +
                 "    com.sun.security.auth.module.Krb5LoginModule required\n" +
-                "    principal=\"host/" + server + "\"\n" +
+                (unbound ?
+                    "    principal=*\n" :
+                    "    principal=\"host/" + server + "\"\n") +
                 "    useKeyTab=true\n" +
                 "    keyTab=" + OneKDC.KTAB + "\n" +
                 "    isInitiator=false\n" +
@@ -103,7 +129,6 @@
         Context c;
         final Context s = Context.fromJAAS("ssl");
 
-        // There's no keytab file when server starts.
         s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
 
         Thread server = new Thread(new Runnable() {
@@ -127,21 +152,6 @@
             throw new Exception("Server already failed");
         }
 
-        // Now create the keytab
-
-        /*
-        // Add 3 versions of keys into keytab
-        KeyTab ktab = KeyTab.create(OneKDC.KTAB);
-        PrincipalName service = new PrincipalName(
-                "host/" + server, PrincipalName.KRB_NT_SRV_HST);
-        ktab.addEntry(service, "pass1".toCharArray(), 1);
-        ktab.addEntry(service, "pass2".toCharArray(), 2);
-        ktab.addEntry(service, "pass3".toCharArray(), 3);
-        ktab.save();
-
-        // and use the middle one as the  real key
-        kdc.addPrincipal("host/" + server, "pass2".toCharArray());
-         */
         c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
         c.startAsClient("host/" + server, GSSUtil.GSS_KRB5_MECH_OID);
         c.doAs(new JsseClientAction(), null);
@@ -157,20 +167,22 @@
         c.startAsClient("host/" + server, GSSUtil.GSS_KRB5_MECH_OID);
         c.doAs(new JsseClientAction(), null);
 
-        // Revoke the old key
-        /*Thread.sleep(2000);
-        ktab = KeyTab.create(OneKDC.KTAB);
-        ktab.addEntry(service, "pass5".toCharArray(), 5, false);
-        ktab.save();
-
-        c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
-        c.startAsClient("host/" + server, GSSUtil.GSS_KRB5_MECH_OID);
-        try {
-            c.doAs(new JsseClientAction(), null);
-            throw new Exception("Should fail this time.");
-        } catch (SSLException e) {
-            // Correct behavior.
-        }*/
+        // Permission checking check. Please note this is highly
+        // implementation related.
+        if (unbound) {
+            // For unbound, server does not know what name to check.
+            // Client checks "initiate", then server gets the name
+            // and checks "accept". Second connection resume.
+            if (!permChecks.equals("IA")) {
+                throw new Exception();
+            }
+        } else {
+            // For bound, JAAS checks "accept" once. Server checks again,
+            // client then checks "initiate". Second connection resume.
+            if (!permChecks.equals("AAI")) {
+                throw new Exception();
+            }
+        }
     }
 
     // Following codes copied from
jdk-sandbox