--- a/jdk/test/sun/security/krb5/auto/KDC.java Tue Jun 05 10:16:22 2012 +0800
+++ b/jdk/test/sun/security/krb5/auto/KDC.java Tue Jun 05 17:11:26 2012 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -67,10 +67,6 @@
* <ul>
* <li>test.kdc.save.ccache
* </ul>
- * Support policies:
- * <ul>
- * <li>ok-as-delegate
- * </ul>
* Issues and TODOs:
* <ol>
* <li> Generates krb5.conf to be used on another machine, currently the kdc is
@@ -178,6 +174,10 @@
* Multiple ETYPE-INFO-ENTRY with same etype but different salt
*/
DUP_ETYPE,
+ /**
+ * What backend server can be delegated to
+ */
+ OK_AS_DELEGATE,
};
static {
@@ -232,7 +232,11 @@
* @param obj the value
*/
public void setOption(Option key, Object value) {
- options.put(key, value);
+ if (value == null) {
+ options.remove(key);
+ } else {
+ options.put(key, value);
+ }
}
/**
@@ -579,53 +583,6 @@
}
}
- private Map<String,String> policies = new HashMap<>();
-
- public void setPolicy(String rule, String value) {
- if (value == null) {
- policies.remove(rule);
- } else {
- policies.put(rule, value);
- }
- }
- /**
- * If the provided client/server pair matches a rule
- *
- * A system property named test.kdc.policy.RULE will be consulted.
- * If it's unset, returns false. If its value is "", any pair is
- * matched. Otherwise, it should contains the server name matched.
- *
- * TODO: client name is not used currently.
- *
- * @param c client name
- * @param s server name
- * @param rule rule name
- * @return if a match is found
- */
- private boolean configMatch(String c, String s, String rule) {
- String policy = policies.get(rule);
- boolean result = false;
- if (policy == null) {
- result = false;
- } else if (policy.length() == 0) {
- result = true;
- } else {
- String[] names = policy.split("\\s+");
- for (String name: names) {
- if (name.equals(s)) {
- result = true;
- break;
- }
- }
- }
- if (result) {
- System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n",
- c, s, rule, result);
- }
- return result;
- }
-
-
/**
* Processes an incoming request and generates a response.
* @param in the request
@@ -724,7 +681,10 @@
bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
}
- if (configMatch("", service.getNameString(), "ok-as-delegate")) {
+ String okAsDelegate = (String)options.get(Option.OK_AS_DELEGATE);
+ if (okAsDelegate != null && (
+ okAsDelegate.isEmpty() ||
+ okAsDelegate.contains(service.getNameString()))) {
bFlags[Krb5.TKT_OPTS_DELEGATE] = true;
}
bFlags[Krb5.TKT_OPTS_INITIAL] = true;
--- a/jdk/test/sun/security/krb5/auto/OkAsDelegate.java Tue Jun 05 10:16:22 2012 +0800
+++ b/jdk/test/sun/security/krb5/auto/OkAsDelegate.java Tue Jun 05 17:11:26 2012 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -21,6 +21,32 @@
* questions.
*/
+/*
+ * @test
+ * @bug 6853328 7172701
+ * @run main/othervm OkAsDelegate false true true false false false
+ * FORWARDABLE ticket not allowed, always fail
+ * @run main/othervm OkAsDelegate true false false false false false
+ * Service ticket no OK-AS-DELEGATE. Request nothing, gain nothing
+ * @run main/othervm OkAsDelegate true false true false false false
+ * Service ticket no OK-AS-DELEGATE. Request deleg policy, gain nothing
+ * @run main/othervm OkAsDelegate true true false true false true
+ * Service ticket no OK-AS-DELEGATE. Request deleg, granted
+ * @run main/othervm OkAsDelegate true true true true false true
+ * Service ticket no OK-AS-DELEGATE. Request deleg and deleg policy, granted, with info not by policy
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
+ * Service ticket has OK-AS-DELEGATE. Request deleg policy, granted
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
+ * Service ticket has OK-AS-DELEGATE. granted, with info by policy
+ * @run main/othervm -Dtest.spnego OkAsDelegate false true true false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true false false false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true false true false false false
+ * @run main/othervm -Dtest.spnego OkAsDelegate true true false true false true
+ * @run main/othervm -Dtest.spnego OkAsDelegate true true true true false true
+ * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true false true true true true
+ * @run main/othervm -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate true true true true true true
+ * @summary Support OK-AS-DELEGATE flag
+ */
import com.sun.security.jgss.ExtendedGSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
@@ -52,7 +78,7 @@
boolean delegated
) throws Exception {
OneKDC kdc = new OneKDC(null);
- kdc.setPolicy("ok-as-delegate",
+ kdc.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc.writeJAASConf();
if (!forwardable) {
--- a/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java Tue Jun 05 10:16:22 2012 +0800
+++ b/jdk/test/sun/security/krb5/auto/OkAsDelegateXRealm.java Tue Jun 05 17:11:26 2012 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -21,8 +21,19 @@
* questions.
*/
-import com.sun.security.jgss.ExtendedGSSContext;
-import java.io.File;
+/*
+ * @test
+ * @bug 6853328 7172701
+ * @run main/othervm OkAsDelegateXRealm false
+ * KDC no OK-AS-DELEGATE, fail
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true
+ * KDC set OK-AS-DELEGATE for all, succeed
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false
+ * KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
+ * @run main/othervm -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local,krbtgt/R2,krbtgt/R3 OkAsDelegateXRealm true
+ * KDC set OK-AS-DELEGATE for all three, succeed
+ * @summary Support OK-AS-DELEGATE flag
+ */
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.Security;
@@ -31,11 +42,7 @@
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
-import org.ietf.jgss.GSSContext;
-import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
-import org.ietf.jgss.GSSManager;
-import org.ietf.jgss.GSSName;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;
@@ -50,21 +57,21 @@
// Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
// R1 is trusted by R2, and R2 trusted by R3.
KDC kdc1 = KDC.create("R1");
- kdc1.setPolicy("ok-as-delegate",
+ kdc1.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc1.addPrincipal("dummy", "bogus".toCharArray());
kdc1.addPrincipalRandKey("krbtgt/R1");
kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
KDC kdc2 = KDC.create("R2");
- kdc2.setPolicy("ok-as-delegate",
+ kdc2.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc2.addPrincipalRandKey("krbtgt/R2");
kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
KDC kdc3 = KDC.create("R3");
- kdc3.setPolicy("ok-as-delegate",
+ kdc3.setOption(KDC.Option.OK_AS_DELEGATE,
System.getProperty("test.kdc.policy.ok-as-delegate"));
kdc3.addPrincipalRandKey("krbtgt/R3");
kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
--- a/jdk/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh Tue Jun 05 10:16:22 2012 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,79 +0,0 @@
-#
-# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# @test
-# @bug 6853328
-# @summary Support OK-AS-DELEGATE flag
-# @run shell/timeout=600 ok-as-delegate-xrealm.sh
-#
-
-if [ "${TESTSRC}" = "" ] ; then
- TESTSRC=`dirname $0`
-fi
-
-if [ "${TESTJAVA}" = "" ] ; then
- JAVAC_CMD=`which javac`
- TESTJAVA=`dirname $JAVAC_CMD`/..
-fi
-
-# set platform-dependent variables
-OS=`uname -s`
-case "$OS" in
- Windows_* )
- FS="\\"
- SEP=";"
- ;;
- CYGWIN* )
- FS="/"
- SEP=";"
- ;;
- * )
- FS="/"
- SEP=":"
- ;;
-esac
-
-${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
- ${TESTSRC}${FS}OkAsDelegateXRealm.java \
- ${TESTSRC}${FS}KDC.java \
- ${TESTSRC}${FS}OneKDC.java \
- ${TESTSRC}${FS}Action.java \
- ${TESTSRC}${FS}Context.java \
- || exit 10
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}."
-
-# KDC no OK-AS-DELEGATE, fail
-$J OkAsDelegateXRealm false || exit 1
-
-# KDC set OK-AS-DELEGATE for all, succeed
-$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2
-
-# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail
-$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3
-
-# KDC set OK-AS-DELEGATE for all, succeed
-$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4
-
-exit 0
--- a/jdk/test/sun/security/krb5/auto/ok-as-delegate.sh Tue Jun 05 10:16:22 2012 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,118 +0,0 @@
-#
-# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-#
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-#
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-#
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# @test
-# @bug 6853328
-# @summary Support OK-AS-DELEGATE flag
-# @run shell/timeout=600 ok-as-delegate.sh
-#
-
-if [ "${TESTSRC}" = "" ] ; then
- TESTSRC=`dirname $0`
-fi
-
-if [ "${TESTJAVA}" = "" ] ; then
- JAVAC_CMD=`which javac`
- TESTJAVA=`dirname $JAVAC_CMD`/..
-fi
-
-# set platform-dependent variables
-OS=`uname -s`
-case "$OS" in
- Windows_* )
- FS="\\"
- SEP=";"
- ;;
- CYGWIN* )
- FS="/"
- SEP=";"
- ;;
- * )
- FS="/"
- SEP=":"
- ;;
-esac
-
-${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \
- ${TESTSRC}${FS}OkAsDelegate.java \
- ${TESTSRC}${FS}KDC.java \
- ${TESTSRC}${FS}OneKDC.java \
- ${TESTSRC}${FS}Action.java \
- ${TESTSRC}${FS}Context.java \
- || exit 10
-
-# Testing Kerberos 5
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate"
-JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
-
-# FORWARDABLE ticket not allowed, always fail
-$J false true true false false false || exit 1
-
-# Service ticket no OK-AS-DELEGATE
-
-# Request nothing, gain nothing
-$J true false false false false false || exit 2
-# Request deleg policy, gain nothing
-$J true false true false false false || exit 3
-# Request deleg, granted
-$J true true false true false true || exit 4
-# Request deleg and deleg policy, granted, with info not by policy
-$J true true true true false true || exit 5
-
-# Service ticket has OK-AS-DELEGATE
-
-# Request deleg policy, granted
-$JOK true false true true true true || exit 6
-# Request deleg and deleg policy, granted, with info by policy
-$JOK true true true true true true || exit 7
-
-# Testing SPNEGO
-
-# Add $TESTSRC to classpath so that customized nameservice can be used
-J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate"
-JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate"
-
-# FORWARDABLE ticket not allowed, always fail
-$J false true true false false false || exit 11
-
-# Service ticket no OK-AS-DELEGATE
-
-# Request nothing, gain nothing
-$J true false false false false false || exit 12
-# Request deleg policy, gain nothing
-$J true false true false false false || exit 13
-# Request deleg, granted
-$J true true false true false true || exit 14
-# Request deleg and deleg policy, granted, with info not by policy
-$J true true true true false true || exit 15
-
-# Service ticket has OK-AS-DELEGATE
-
-# Request deleg policy, granted
-$JOK true false true true true true || exit 16
-# Request deleg and deleg policy, granted, with info by policy
-$JOK true true true true true true || exit 17
-
-exit 0