--- a/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java Mon Oct 02 11:04:01 2017 -0700
+++ b/src/java.security.jgss/share/classes/sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java Wed Oct 18 10:43:58 2017 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import sun.net.www.protocol.http.HttpCallerInfo;
+import sun.security.jgss.LoginConfigImpl;
/**
* @since 1.6
@@ -61,19 +62,28 @@
private void getAnswer() {
if (!answered) {
answered = true;
- PasswordAuthentication passAuth =
- Authenticator.requestPasswordAuthentication(
- hci.authenticator,
- hci.host, hci.addr, hci.port, hci.protocol,
- hci.prompt, hci.scheme, hci.url, hci.authType);
- /**
- * To be compatible with existing callback handler implementations,
- * when the underlying Authenticator is canceled, username and
- * password are assigned null. No exception is thrown.
- */
- if (passAuth != null) {
- username = passAuth.getUserName();
- password = passAuth.getPassword();
+ Authenticator auth;
+ if (hci.authenticator != null) {
+ auth = hci.authenticator;
+ } else {
+ auth = LoginConfigImpl.HTTP_USE_GLOBAL_CREDS ?
+ Authenticator.getDefault() : null;
+ }
+
+ if (auth != null) {
+ PasswordAuthentication passAuth =
+ auth.requestPasswordAuthenticationInstance(
+ hci.host, hci.addr, hci.port, hci.protocol,
+ hci.prompt, hci.scheme, hci.url, hci.authType);
+ /**
+ * To be compatible with existing callback handler implementations,
+ * when the underlying Authenticator is canceled, username and
+ * password are assigned null. No exception is thrown.
+ */
+ if (passAuth != null) {
+ username = passAuth.getUserName();
+ password = passAuth.getPassword();
+ }
}
}
}
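Review bot: The fallback at `auth = LoginConfigImpl.HTTP_USE_GLOBAL_CREDS ? Authenticator.getDefault() : null;` has no comment saying why the process-wide Authenticator is consulted only conditionally. When `auth` ends up null the method returns with `answered = true` and both fields null, which a caller cannot tell apart from a cancelled prompt. I would add above `if (hci.authenticator != null)` the comment `// Prefer the per-connection Authenticator; use the process-wide default only when http.use.global.creds is not "false".` and reword the compatibility comment so it also covers the `auth == null` case. That comment is written as `/** ... */` inside a method body, where Javadoc tooling ignores it; a plain `/* ... */` is the usual form.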
--- a/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java Mon Oct 02 11:04:01 2017 -0700
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/GSSUtil.java Wed Oct 18 10:43:58 2017 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -270,24 +270,17 @@
*/
public static boolean useSubjectCredsOnly(GSSCaller caller) {
- // HTTP/SPNEGO doesn't use the standard JAAS framework. Instead, it
- // uses the java.net.Authenticator style, therefore always return
- // false here.
+ String propValue = GetPropertyAction.privilegedGetProperty(
+ "javax.security.auth.useSubjectCredsOnly");
+
+ // Invalid values should be ignored and the default assumed.
if (caller instanceof HttpCaller) {
- return false;
+ // Default for HTTP/SPNEGO is false.
+ return "true".equalsIgnoreCase(propValue);
+ } else {
+ // Default for JGSS is true.
+ return !("false".equalsIgnoreCase(propValue));
}
- /*
- * Don't use GetBooleanAction because the default value in the JRE
- * (when this is unset) has to treated as true.
- */
- String propValue = AccessController.doPrivileged(
- new GetPropertyAction("javax.security.auth.useSubjectCredsOnly",
- "true"));
- /*
- * This property has to be explicitly set to "false". Invalid
- * values should be ignored and the default "true" assumed.
- */
- return (!propValue.equalsIgnoreCase("false"));
}
/**
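Review bot: For an `HttpCaller` this method no longer returns a fixed `false`, and nothing in the visible lines documents the consequence. An explicit `javax.security.auth.useSubjectCredsOnly=true`, which a deployment may have set for its JGSS code, now also restricts HTTP/SPNEGO to Subject credentials. The Javadoc begins above the hunk, so I cannot tell whether it covers this; if not, it should state both defaults, e.g. `@return true if only Subject credentials may be used; defaults to false for HTTP/SPNEGO callers and true otherwise`. The comment `// Invalid values should be ignored and the default assumed.` would be clearer inside each branch, since the default it refers to differs between them.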
--- a/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java Mon Oct 02 11:04:01 2017 -0700
+++ b/src/java.security.jgss/share/classes/sun/security/jgss/LoginConfigImpl.java Wed Oct 18 10:43:58 2017 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.ietf.jgss.Oid;
+import sun.security.action.GetPropertyAction;
/**
* A Configuration implementation especially designed for JGSS.
@@ -44,6 +45,16 @@
private static final sun.security.util.Debug debug =
sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]");
+ public static final boolean HTTP_USE_GLOBAL_CREDS;
+
+ static {
+ String prop = GetPropertyAction
+ .privilegedGetProperty("http.use.global.creds");
+ //HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
+ HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
+ }
+
+
/**
* A new instance of LoginConfigImpl must be created for each login request
* since it's only used by a single (caller, mech) pair
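Review bot: The line `//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false` is a commented-out alternative left beside the live assignment and should be deleted so the chosen default is unambiguous. The constant is `public` and assigned once in the static initializer, so later changes to `http.use.global.creds` are not observed. Its default of true leaves the process-wide Authenticator and ticket cache available to HTTP/SPNEGO unless the operator opts out, and neither fact is documented. A short Javadoc on the field would cover both, e.g. `/** Whether HTTP/SPNEGO may use process-wide credentials (default Authenticator, ticket cache); read once from http.use.global.creds, default true. */`. The second blank line after the initializer can go as well.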
@@ -178,7 +189,11 @@
options.put("principal", "*");
options.put("isInitiator", "false");
} else {
- options.put("useTicketCache", "true");
+ if (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) {
+ options.put("useTicketCache", "false");
+ } else {
+ options.put("useTicketCache", "true");
+ }
options.put("doNotPrompt", "false");
}
return new AppConfigurationEntry[] {
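Review bot: The added branch does not say why `useTicketCache` is switched off for HTTP callers, and its two arms differ only in the literal. I would collapse it to `options.put("useTicketCache", (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) ? "false" : "true");` with the comment `// The ticket cache is a process-wide credential; skip it for HTTP/SPNEGO when global creds are disabled.` above it. With the cache off and `doNotPrompt` still `"false"`, the login presumably depends on the callback handler supplying a name and password. It is worth confirming that a test covers the case where no per-connection Authenticator is set. The enclosing method starts and ends outside the hunk.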