author | avstepan |
Tue, 18 Aug 2015 18:04:17 +0300 | |
changeset 32227 | 34721a47bc92 |
parent 25859 | 3317bb8137f4 |
child 32649 | 2ee9017c7597 |
permissions | -rw-r--r-- |
2 | 1 |
/* |
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
2 |
* Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. |
2 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
5506 | 7 |
* published by the Free Software Foundation. Oracle designates this |
2 | 8 |
* particular file as subject to the "Classpath" exception as provided |
5506 | 9 |
* by Oracle in the LICENSE file that accompanied this code. |
2 | 10 |
* |
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
5506 | 21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
2 | 24 |
*/ |
25 |
||
26 |
package sun.net.www.protocol.http; |
|
27 |
||
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
28 |
import java.net.URL; |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
29 |
import java.io.IOException; |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
30 |
import java.net.Authenticator.RequestorType; |
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
31 |
import java.util.Base64; |
2 | 32 |
import java.util.HashMap; |
33 |
import sun.net.www.HeaderParser; |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
34 |
import sun.util.logging.PlatformLogger; |
3859
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
35 |
import static sun.net.www.protocol.http.AuthScheme.NEGOTIATE; |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
36 |
import static sun.net.www.protocol.http.AuthScheme.KERBEROS; |
2 | 37 |
|
38 |
/** |
|
39 |
* NegotiateAuthentication: |
|
40 |
* |
|
41 |
* @author weijun.wang@sun.com |
|
42 |
* @since 1.6 |
|
43 |
*/ |
|
44 |
||
45 |
class NegotiateAuthentication extends AuthenticationInfo { |
|
46 |
||
47 |
private static final long serialVersionUID = 100L; |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
48 |
private static final PlatformLogger logger = HttpURLConnection.getHttpLogger(); |
2 | 49 |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
50 |
final private HttpCallerInfo hci; |
2 | 51 |
|
52 |
// These maps are used to manage the GSS availability for diffrent |
|
53 |
// hosts. The key for both maps is the host name. |
|
54 |
// <code>supported</code> is set when isSupported is checked, |
|
55 |
// if it's true, a cached Negotiator is put into <code>cache</code>. |
|
56 |
// the cache can be used only once, so after the first use, it's cleaned. |
|
57 |
static HashMap <String, Boolean> supported = null; |
|
58 |
static HashMap <String, Negotiator> cache = null; |
|
59 |
||
60 |
// The HTTP Negotiate Helper |
|
61 |
private Negotiator negotiator = null; |
|
62 |
||
63 |
/** |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
64 |
* Constructor used for both WWW and proxy entries. |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
65 |
* @param hci a schemed object. |
2 | 66 |
*/ |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
67 |
public NegotiateAuthentication(HttpCallerInfo hci) { |
3859
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
68 |
super(RequestorType.PROXY==hci.authType ? PROXY_AUTHENTICATION : SERVER_AUTHENTICATION, |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
69 |
hci.scheme.equalsIgnoreCase("Negotiate") ? NEGOTIATE : KERBEROS, |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
70 |
hci.url, |
8b82336dedb3
6882594: Remove static dependancy on NTLM authentication
chegar
parents:
2942
diff
changeset
|
71 |
""); |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
72 |
this.hci = hci; |
2 | 73 |
} |
74 |
||
75 |
/** |
|
76 |
* @return true if this authentication supports preemptive authorization |
|
77 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
78 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
79 |
public boolean supportsPreemptiveAuthorization() { |
2 | 80 |
return false; |
81 |
} |
|
82 |
||
83 |
/** |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
84 |
* Find out if the HttpCallerInfo supports Negotiate protocol. |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
85 |
* @return true if supported |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
86 |
*/ |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
87 |
public static boolean isSupported(HttpCallerInfo hci) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
88 |
ClassLoader loader = null; |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
89 |
try { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
90 |
loader = Thread.currentThread().getContextClassLoader(); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
91 |
} catch (SecurityException se) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
92 |
if (logger.isLoggable(PlatformLogger.Level.FINER)) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
93 |
logger.finer("NegotiateAuthentication: " + |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
94 |
"Attempt to get the context class loader failed - " + se); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
95 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
96 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
97 |
|
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
98 |
if (loader != null) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
99 |
// Lock on the class loader instance to avoid the deadlock engaging |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
100 |
// the lock in "ClassLoader.loadClass(String, boolean)" method. |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
101 |
synchronized (loader) { |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
102 |
return isSupportedImpl(hci); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
103 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
104 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
105 |
return isSupportedImpl(hci); |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
106 |
} |
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
107 |
|
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
108 |
/** |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
109 |
* Find out if the HttpCallerInfo supports Negotiate protocol. In order to |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
110 |
* find out yes or no, an initialization of a Negotiator object against it |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
111 |
* is tried. The generated object will be cached under the name of ths |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
112 |
* hostname at a success try.<br> |
2 | 113 |
* |
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
114 |
* If this method is called for the second time on an HttpCallerInfo with |
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
115 |
* the same hostname, the answer is retrieved from cache. |
2 | 116 |
* |
117 |
* @return true if supported |
|
118 |
*/ |
|
24135
f273b57ed7e1
8032832: Applet/browser deadlocks, when IIS integrated authentication is used
alitvinov
parents:
23010
diff
changeset
|
119 |
private static synchronized boolean isSupportedImpl(HttpCallerInfo hci) { |
2 | 120 |
if (supported == null) { |
121 |
supported = new HashMap <String, Boolean>(); |
|
122 |
cache = new HashMap <String, Negotiator>(); |
|
123 |
} |
|
2942
37d9baeb7518
6578647: Undefined requesting URL in java.net.Authenticator.getPasswordAuthentication()
weijun
parents:
2
diff
changeset
|
124 |
String hostname = hci.host; |
2 | 125 |
hostname = hostname.toLowerCase(); |
126 |
if (supported.containsKey(hostname)) { |
|
127 |
return supported.get(hostname); |
|
128 |
} |
|
129 |
||
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
130 |
Negotiator neg = Negotiator.getNegotiator(hci); |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
131 |
if (neg != null) { |
2 | 132 |
supported.put(hostname, true); |
133 |
// the only place cache.put is called. here we can make sure |
|
134 |
// the object is valid and the oneToken inside is not null |
|
135 |
cache.put(hostname, neg); |
|
136 |
return true; |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
137 |
} else { |
2 | 138 |
supported.put(hostname, false); |
139 |
return false; |
|
140 |
} |
|
141 |
} |
|
142 |
||
143 |
/** |
|
144 |
* Not supported. Must use the setHeaders() method |
|
145 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
146 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
147 |
public String getHeaderValue(URL url, String method) { |
2 | 148 |
throw new RuntimeException ("getHeaderValue not supported"); |
149 |
} |
|
150 |
||
151 |
/** |
|
152 |
* Check if the header indicates that the current auth. parameters are stale. |
|
153 |
* If so, then replace the relevant field with the new value |
|
154 |
* and return true. Otherwise return false. |
|
155 |
* returning true means the request can be retried with the same userid/password |
|
156 |
* returning false means we have to go back to the user to ask for a new |
|
157 |
* username password. |
|
158 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
159 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
160 |
public boolean isAuthorizationStale (String header) { |
2 | 161 |
return false; /* should not be called for Negotiate */ |
162 |
} |
|
163 |
||
164 |
/** |
|
165 |
* Set header(s) on the given connection. |
|
166 |
* @param conn The connection to apply the header(s) to |
|
167 |
* @param p A source of header values for this connection, not used because |
|
168 |
* HeaderParser converts the fields to lower case, use raw instead |
|
169 |
* @param raw The raw header field. |
|
170 |
* @return true if all goes well, false if no headers were set. |
|
171 |
*/ |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
172 |
@Override |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
173 |
public synchronized boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) { |
2 | 174 |
|
175 |
try { |
|
176 |
String response; |
|
177 |
byte[] incoming = null; |
|
178 |
String[] parts = raw.split("\\s+"); |
|
179 |
if (parts.length > 1) { |
|
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
180 |
incoming = Base64.getDecoder().decode(parts[1]); |
2 | 181 |
} |
15258
dd5001103120
8006153: HTTP protocol handler authenication should use Base64 API
chegar
parents:
5506
diff
changeset
|
182 |
response = hci.scheme + " " + Base64.getEncoder().encodeToString( |
2 | 183 |
incoming==null?firstToken():nextToken(incoming)); |
184 |
||
185 |
conn.setAuthenticationProperty(getHeaderName(), response); |
|
186 |
return true; |
|
187 |
} catch (IOException e) { |
|
188 |
return false; |
|
189 |
} |
|
190 |
} |
|
191 |
||
192 |
/** |
|
193 |
* return the first token. |
|
32227
34721a47bc92
8132478: [tidy] three new warnings from java docs (java.net, javax.annotation)
avstepan
parents:
25859
diff
changeset
|
194 |
* @return the token |
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
195 |
* @throws IOException if <code>Negotiator.getNegotiator()</code> or |
2 | 196 |
* <code>Negotiator.firstToken()</code> failed. |
197 |
*/ |
|
198 |
private byte[] firstToken() throws IOException { |
|
199 |
negotiator = null; |
|
200 |
if (cache != null) { |
|
201 |
synchronized(cache) { |
|
202 |
negotiator = cache.get(getHost()); |
|
203 |
if (negotiator != null) { |
|
204 |
cache.remove(getHost()); // so that it is only used once |
|
205 |
} |
|
206 |
} |
|
207 |
} |
|
208 |
if (negotiator == null) { |
|
4157
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
209 |
negotiator = Negotiator.getNegotiator(hci); |
558590fb3b49
6893238: Move NTLM and SPNEGO implementations into separate packages
chegar
parents:
3952
diff
changeset
|
210 |
if (negotiator == null) { |
2 | 211 |
IOException ioe = new IOException("Cannot initialize Negotiator"); |
212 |
throw ioe; |
|
213 |
} |
|
214 |
} |
|
215 |
||
216 |
return negotiator.firstToken(); |
|
217 |
} |
|
218 |
||
219 |
/** |
|
220 |
* return more tokens |
|
221 |
* @param token the token to be fed into <code>negotiator.nextToken()</code> |
|
32227
34721a47bc92
8132478: [tidy] three new warnings from java docs (java.net, javax.annotation)
avstepan
parents:
25859
diff
changeset
|
222 |
* @return the token |
2 | 223 |
* @throws IOException if <code>negotiator.nextToken()</code> throws Exception. |
224 |
* May happen if the input token is invalid. |
|
225 |
*/ |
|
226 |
private byte[] nextToken(byte[] token) throws IOException { |
|
227 |
return negotiator.nextToken(token); |
|
228 |
} |
|
229 |
||
230 |
// MS will send a final WWW-Authenticate even if the status is already |
|
231 |
// 200 OK. The token can be fed into initSecContext() again to determine |
|
232 |
// if the server can be trusted. This is not the same concept as Digest's |
|
233 |
// Authentication-Info header. |
|
234 |
// |
|
235 |
// Currently we ignore this header. |
|
236 |
||
237 |
} |