7089889: Krb5LoginModule.login() throws an exception if used without a keytab
authorweijun
Wed, 28 Sep 2011 14:21:10 +0800
changeset 10695 08c28770f82b
parent 10694 cf59e2badd14
child 10696 3811a12690ce
7089889: Krb5LoginModule.login() throws an exception if used without a keytab Reviewed-by: xuelei, valeriep
jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
jdk/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java
jdk/test/sun/security/krb5/auto/NoInitNoKeytab.java
--- a/jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Mon Sep 26 17:20:45 2011 -0700
+++ b/jdk/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Wed Sep 28 14:21:10 2011 +0800
@@ -725,7 +725,7 @@
                         cred = builder.action().getCreds();
                     }
                     if (storeKey) {
-                        encKeys = builder.getKeys();
+                        encKeys = builder.getKeys(isInitiator);
                         // When encKeys is empty, the login actually fails.
                         // For compatibility, exception is thrown in commit().
                     }
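Review bot: With `isInitiator` false the stored keys come from `builder.getKeys(false)`, which (per the KrbAsReqBuilder hunk in this same commit) only requires the builder to be in INIT state, so an acceptor-only login stores password-derived keys without an AS exchange having checked that password against the KDC. The existing comment on the following lines only covers the empty-key case; a second line such as `// For an acceptor (isInitiator=false) the keys are derived locally; a wrong password is not detected here, only later when a service ticket fails to decrypt.` would make that visible to maintainers. Whether the AS-REQ is skipped entirely for acceptors depends on the condition guarding `cred = builder.action().getCreds()`, which lies outside the hunk; the enclosing method also starts and ends outside it.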
--- a/jdk/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java	Mon Sep 26 17:20:45 2011 -0700
+++ b/jdk/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java	Wed Sep 28 14:21:10 2011 +0800
@@ -144,15 +144,18 @@
 
     /**
      * Retrieves an array of secret keys for the client. This is used when
-     * the client supplies password but need keys to act as an acceptor
-     * (in JAAS words, isInitiator=true and storeKey=true)
+     * the client supplies password but need keys to act as an acceptor. For
+     * an initiator, it must be called after AS-REQ is performed (state is OK).
+     * For an acceptor, it can be called when this KrbAsReqBuilder object is
+     * constructed (state is INIT).
+     * @param isInitiator if the caller is an initiator
      * @return generated keys from password. PA-DATA from server might be used.
      * All "default_tkt_enctypes" keys will be generated, Never null.
      * @throws IllegalStateException if not constructed from a password
      * @throws KrbException
      */
-    public EncryptionKey[] getKeys() throws KrbException {
-        checkState(State.REQ_OK, "Cannot get keys");
+    public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
+        checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
         if (password != null) {
             int[] eTypes = EType.getDefaults("default_tkt_enctypes");
             EncryptionKey[] result = new EncryptionKey[eTypes.length];
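Review bot: The new state check on the `checkState(...)` line lets an acceptor obtain keys before any AS-REQ, so the Javadoc sentence `PA-DATA from server might be used` can only hold for the initiator case; in INIT state no ETYPE-INFO or salt from the KDC is available and the keys are presumably derived with the default salt, which is worth stating in the parameter text, e.g. `@param isInitiator if the caller is an initiator; when false, keys are derived before any AS exchange, so no server-supplied salt or PA-DATA is applied`. The `@throws IllegalStateException` line should also mention the new state precondition, assuming `checkState` throws that type (its definition is outside the hunk). Stylistically the ternary reads better spaced: `checkState(isInitiator ? State.REQ_OK : State.INIT, "Cannot get keys");`. The method body continues past the end of the hunk.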
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/NoInitNoKeytab.java	Wed Sep 28 14:21:10 2011 +0800
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7089889
+ * @summary Krb5LoginModule.login() throws an exception if used without a keytab
+ * @compile -XDignore.symbol.file NoInitNoKeytab.java
+ * @run main/othervm NoInitNoKeytab
+ */
+
+import java.io.FileOutputStream;
+import sun.security.jgss.GSSUtil;
+
+// The basic krb5 test skeleton you can copy from
+public class NoInitNoKeytab {
+
+    public static void main(String[] args) throws Exception {
+
+        new OneKDC(null).writeJAASConf();
+        try (FileOutputStream fos =
+                new FileOutputStream(OneKDC.JAAS_CONF, true)) {
+            fos.write((
+                "noinit {\n" +
+                "    com.sun.security.auth.module.Krb5LoginModule required\n" +
+                "    principal=\"" + OneKDC.USER + "\"\n" +
+                "    useKeyTab=false\n" +
+                "    isInitiator=false\n" +
+                "    storeKey=true;\n};\n").getBytes());
+        }
+        Context c, s;
+        c = Context.fromJAAS("client");
+        s = Context.fromJAAS("noinit");
+
+        c.startAsClient(OneKDC.USER, GSSUtil.GSS_SPNEGO_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
+
+        Context.handshake(c, s);
+
+        Context.transmit("i say high --", c, s);
+        Context.transmit("   you say low", s, c);
+
+        s.dispose();
+        c.dispose();
+    }
+}
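Review bot: The class comment `// The basic krb5 test skeleton you can copy from` describes a template rather than this test; a comment naming the scenario, e.g. `// Regression test for 7089889: an acceptor-only login (isInitiator=false, storeKey=true, useKeyTab=false) must succeed with a password and no keytab`, would tell a reader what the `noinit` entry exercises. The appended JAAS text is written with `getBytes()`, which uses the platform charset; `getBytes(StandardCharsets.UTF_8)` together with `import java.nio.charset.StandardCharsets;` removes that dependency. `Context c, s;` followed by separate assignments could be collapsed into `Context c = Context.fromJAAS("client");` and `Context s = Context.fromJAAS("noinit");`.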