# HG changeset patch
# User weijun
# Date 1317190870 -28800
# Node ID 08c28770f82b8d6fa6ac60a9e73cf53b600ad8ab
# Parent cf59e2badd1417a11db261f2c03a65831bf67e0b
7089889: Krb5LoginModule.login() throws an exception if used without a keytab
Reviewed-by: xuelei, valeriep
diff -r cf59e2badd14 -r 08c28770f82b jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
--- a/jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Mon Sep 26 17:20:45 2011 -0700
+++ b/jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java Wed Sep 28 14:21:10 2011 +0800
@@ -725,7 +725,7 @@
 cred = builder.action().getCreds();
 }
 if (storeKey) {
- encKeys = builder.getKeys();
+ encKeys = builder.getKeys(isInitiator);
 // When encKeys is empty, the login actually fails.
 // For compatibility, exception is thrown in commit().
 }
diff -r cf59e2badd14 -r 08c28770f82b jdk/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java
--- a/jdk/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java Mon Sep 26 17:20:45 2011 -0700
+++ b/jdk/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java Wed Sep 28 14:21:10 2011 +0800
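Review bot: The comment kept after `encKeys = builder.getKeys(isInitiator);` in Krb5LoginModule.java does not cover the acceptor path this change enables. With `isInitiator=false` the builder is presumably still in its INIT state, so the keys would come from the supplied password alone and nothing at login time checks that password against the KDC; a wrong password would then surface only when the acceptor fails to decrypt a ticket. I would add a comment such as `// isInitiator=false: keys are derived from the password without an AS exchange, so the password is not verified here`. The enclosing method starts and ends outside the hunk, so the guard around `builder.action()` is inferred rather than seen.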
@@ -144,15 +144,18 @@
 /**
 * Retrieves an array of secret keys for the client. This is used when
- * the client supplies password but need keys to act as an acceptor
- * (in JAAS words, isInitiator=true and storeKey=true)
+ * the client supplies password but need keys to act as an acceptor. For
+ * an initiator, it must be called after AS-REQ is performed (state is OK).
+ * For an acceptor, it can be called when this KrbAsReqBuilder object is
+ * constructed (state is INIT).
+ * @param isInitiator if the caller is an initiator
 * @return generated keys from password. PA-DATA from server might be used.
 * All "default_tkt_enctypes" keys will be generated, Never null.
 * @throws IllegalStateException if not constructed from a password
 * @throws KrbException
 */
- public EncryptionKey[] getKeys() throws KrbException {
- checkState(State.REQ_OK, "Cannot get keys");
+ public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
+ checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
 if (password != null) {
 int[] eTypes = EType.getDefaults("default_tkt_enctypes");
 EncryptionKey[] result = new EncryptionKey[eTypes.length];
diff -r cf59e2badd14 -r 08c28770f82b jdk/test/sun/security/krb5/auto/NoInitNoKeytab.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/NoInitNoKeytab.java Wed Sep 28 14:21:10 2011 +0800
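Review bot: The `@return` text of `getKeys` in KrbAsReqBuilder.java still says "PA-DATA from server might be used", which cannot hold on the new acceptor path, where the call is allowed in state INIT before any AS-REQ. If the key derivation further down (outside this hunk) falls back to the default salt in that case, the Javadoc should say so, because a principal whose KDC entry uses a non-default salt or string-to-key parameters would get keys that never match its service tickets. Suggested addition: `For an acceptor no PA-DATA is available, so keys are derived with the default salt.` As a style point, the ternary reads better spaced: `checkState(isInitiator ? State.REQ_OK : State.INIT, "Cannot get keys");`.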
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7089889
+ * @summary Krb5LoginModule.login() throws an exception if used without a keytab
+ * @compile -XDignore.symbol.file NoInitNoKeytab.java
+ * @run main/othervm NoInitNoKeytab
+ */
+
+import java.io.FileOutputStream;
+import sun.security.jgss.GSSUtil;
+
+// The basic krb5 test skeleton you can copy from
+public class NoInitNoKeytab {
+
+ public static void main(String[] args) throws Exception {
+
+ new OneKDC(null).writeJAASConf();
+ try (FileOutputStream fos =
+ new FileOutputStream(OneKDC.JAAS_CONF, true)) {
+ fos.write((
+ "noinit {\n" +
+ " com.sun.security.auth.module.Krb5LoginModule required\n" +
+ " principal=\"" + OneKDC.USER + "\"\n" +
+ " useKeyTab=false\n" +
+ " isInitiator=false\n" +
+ " storeKey=true;\n};\n").getBytes());
+ }
+ Context c, s;
+ c = Context.fromJAAS("client");
+ s = Context.fromJAAS("noinit");
+
+ c.startAsClient(OneKDC.USER, GSSUtil.GSS_SPNEGO_MECH_OID);
+ s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
+
+ Context.handshake(c, s);
+
+ Context.transmit("i say high --", c, s);
+ Context.transmit(" you say low", s, c);
+
+ s.dispose();
+ c.dispose();
+ }
+}
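Review bot: NoInitNoKeytab.java exercises only the success path, so nothing pins down how a wrong acceptor password is reported now that login no longer needs a keytab or, presumably, an AS exchange. A second case in which the `noinit` side logs in with a different password and `Context.handshake(c, s)` is expected to throw would cover that; how the password reaches the login module is not visible in this hunk, so the shape of that case depends on the `Context` and `OneKDC` helpers. The class comment `// The basic krb5 test skeleton you can copy from` looks like a template leftover; `// Acceptor with a password but no keytab (isInitiator=false, storeKey=true) must be able to accept a context` would describe the test. The bare `.getBytes()` uses the platform default charset, which is harmless for this ASCII text but is better made explicit.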