--- a/src/java.base/share/conf/security/java.security Thu May 09 18:38:42 2019 -0700
+++ b/src/java.base/share/conf/security/java.security Fri May 10 09:39:49 2019 +0800
@@ -1161,6 +1161,23 @@
#jdk.includeInExceptions=hostInfo,jar
#
+# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
+#
+# Disabled mechanisms will not be negotiated by both SASL clients and servers.
+# These mechanisms will be ignored if they are specified in the mechanisms argument
+# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
+#
+# The value of this property is a comma-separated list of SASL mechanisms.
+# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# Example:
+# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
+jdk.sasl.disabledMechanisms=
+
+#
# Policies for distrusting Certificate Authorities (CAs).
#
# This is a comma separated value of one or more case-sensitive strings, each
--- a/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java Thu May 09 18:38:42 2019 -0700
+++ b/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java Fri May 10 09:39:49 2019 +0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -26,9 +26,12 @@
package javax.security.sasl;
import javax.security.auth.callback.CallbackHandler;
-
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
+import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.HashSet;
@@ -38,6 +41,8 @@
import java.security.Provider;
import java.security.Provider.Service;
import java.security.Security;
+import java.util.logging.Level;
+import java.util.logging.Logger;
/**
* A static class for creating SASL clients and servers.
@@ -65,6 +70,30 @@
* @author Rob Weltman
*/
public class Sasl {
+
+ private static List<String> disabledMechanisms = new ArrayList<>();
+
+ static {
+ String prop = AccessController.doPrivileged(
+ (PrivilegedAction<String>)
+ () -> Security.getProperty("jdk.sasl.disabledMechanisms"));
+
+ if (prop != null) {
+ for (String s : prop.split("\\s*,\\s*")) {
+ if (!s.isEmpty()) {
+ disabledMechanisms.add(s);
+ }
+ }
+ }
+ }
+
+ private static final String SASL_LOGGER_NAME = "javax.security.sasl";
+
+ /**
+ * Logger for debug messages
+ */
+ private static final Logger logger = Logger.getLogger(SASL_LOGGER_NAME);
+
// Cannot create one of these
private Sasl() {
}
@@ -318,6 +347,9 @@
* the preferred provider order for the specified algorithm. This
* may be different than the order of providers returned by
* {@link Security#getProviders() Security.getProviders()}.
+ * <p>
+ * If a mechanism is listed in the {@code jdk.sasl.disabledMechanisms}
+ * security property, it will be ignored and won't be negotiated.
*
* @param mechanisms The non-null list of mechanism names to try. Each is the
* IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
@@ -381,6 +413,10 @@
"Mechanism name cannot be null");
} else if (mechName.length() == 0) {
continue;
+ } else if (isDisabled(mechName)) {
+ logger.log(Level.FINE,
+ "Disabled " + mechName + " mechanism ignored");
+ continue;
}
String type = "SaslClientFactory";
Provider[] provs = Security.getProviders(type + "." + mechName);
@@ -468,6 +504,9 @@
* the preferred provider order for the specified algorithm. This
* may be different than the order of providers returned by
* {@link Security#getProviders() Security.getProviders()}.
+ * <p>
+ * If {@code mechanism} is listed in the {@code jdk.sasl.disabledMechanisms}
+ * security property, it will be ignored and this method returns {@code null}.
*
* @param mechanism The non-null mechanism name. It must be an
* IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
@@ -521,6 +560,10 @@
throw new NullPointerException("Mechanism name cannot be null");
} else if (mechanism.length() == 0) {
return null;
+ } else if (isDisabled(mechanism)) {
+ logger.log(Level.FINE,
+ "Disabled " + mechanism + " mechanism ignored");
+ return null;
}
String type = "SaslServerFactory";
@@ -616,4 +659,8 @@
}
return Collections.unmodifiableSet(result);
}
+
+ private static boolean isDisabled(String name) {
+ return disabledMechanisms.contains(name);
+ }
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/test/jdk/javax/security/sasl/Sasl/DisabledMechanisms.java Fri May 10 09:39:49 2019 +0800
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8200400
+ * @modules java.security.sasl
+ * @library /test/lib
+ * @run main/othervm DisabledMechanisms
+ * DIGEST-MD5 DIGEST-MD5
+ * @run main/othervm -DdisabledMechanisms= DisabledMechanisms
+ * DIGEST-MD5 DIGEST-MD5
+ * @run main/othervm -DdisabledMechanisms=DIGEST-MD5,NTLM DisabledMechanisms
+ * null null
+ * @run main/othervm -DdisabledMechanisms=DIGEST-MD5 DisabledMechanisms
+ * NTLM null
+ * @run main/othervm -DdisabledMechanisms=NTLM DisabledMechanisms
+ * DIGEST-MD5 DIGEST-MD5
+ */
+
+import java.security.Security;
+import java.util.Collections;
+import java.util.Map;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.sasl.Sasl;
+import javax.security.sasl.SaslClient;
+import javax.security.sasl.SaslServer;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+
+import jdk.test.lib.Asserts;
+
+public class DisabledMechanisms {
+
+ public static void main(String[] args) throws Exception {
+
+ String authorizationId = "username";
+ String protocol = "ldap";
+ String serverName = "server1";
+ Map props = Collections.emptyMap();
+
+ String disabled = System.getProperty("disabledMechanisms");
+ if (disabled != null) {
+ Security.setProperty("jdk.sasl.disabledMechanisms", disabled);
+ }
+
+ CallbackHandler callbackHandler = callbacks -> {
+ for (Callback cb : callbacks) {
+ if (cb instanceof PasswordCallback) {
+ ((PasswordCallback) cb).setPassword("password".toCharArray());
+ }
+ }
+ };
+
+ SaslClient client = Sasl.createSaslClient(
+ new String[]{"DIGEST-MD5", "NTLM"}, authorizationId,
+ protocol, serverName, props, callbackHandler);
+ Asserts.assertEQ(client == null ? null : client.getMechanismName(),
+ args[0].equals("null") ? null : args[0]);
+
+ SaslServer server = Sasl.createSaslServer(
+ "DIGEST-MD5", protocol, serverName, props, callbackHandler);
+ Asserts.assertEQ(server == null ? null : server.getMechanismName(),
+ args[1].equals("null") ? null : args[1]);
+ }
+}