8209094: Improve web server connections
Reviewed-by: chegar, dfuchs, mschoene, igerasim
--- a/make/lib/Lib-java.base.gmk Wed Aug 22 15:55:04 2018 -0700
+++ b/make/lib/Lib-java.base.gmk Fri Oct 05 08:54:10 2018 +0100
@@ -56,7 +56,7 @@
LIBS_solaris := -lnsl -lsocket $(LIBDL), \
LIBS_aix := $(LIBDL),\
LIBS_windows := ws2_32.lib jvm.lib secur32.lib iphlpapi.lib winhttp.lib \
- delayimp.lib $(WIN_JAVA_LIB) advapi32.lib, \
+ urlmon.lib delayimp.lib $(WIN_JAVA_LIB) advapi32.lib, \
LIBS_macosx := -framework CoreFoundation -framework CoreServices, \
))
--- a/src/java.base/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java Wed Aug 22 15:55:04 2018 -0700
+++ b/src/java.base/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java Fri Oct 05 08:54:10 2018 +0100
@@ -33,8 +33,7 @@
* credentials without prompting) should only be tried with trusted sites.
*/
public abstract class NTLMAuthenticationCallback {
- private static volatile NTLMAuthenticationCallback callback =
- new DefaultNTLMAuthenticationCallback();
+ private static volatile NTLMAuthenticationCallback callback;
public static void setNTLMAuthenticationCallback(
NTLMAuthenticationCallback callback) {
@@ -50,10 +49,5 @@
* transparent Authentication.
*/
public abstract boolean isTrustedSite(URL url);
-
- static class DefaultNTLMAuthenticationCallback extends NTLMAuthenticationCallback {
- @Override
- public boolean isTrustedSite(URL url) { return true; }
- }
}
--- a/src/java.base/share/conf/net.properties Wed Aug 22 15:55:04 2018 -0700
+++ b/src/java.base/share/conf/net.properties Fri Oct 05 08:54:10 2018 +0100
@@ -1,5 +1,5 @@
############################################################
-# Default Networking Configuration File
+# Default Networking Configuration File
#
# This file may contain default values for the networking system properties.
# These values are only used when the system properties are not specified
@@ -110,3 +110,23 @@
#
# jdk.httpclient.allowRestrictedHeaders=host
#
+#
+# Transparent NTLM HTTP authentication mode on Windows. Transparent authentication
+# can be used for the NTLM scheme, where the security credentials based on the
+# currently logged in user's name and password can be obtained directly from the
+# operating system, without prompting the user. This property has three possible
+# values which regulate the behavior as shown below. Other unrecognized values
+# are handled the same as 'disabled'. Note, that NTLM is not considered to be a
+# strongly secure authentication scheme and care should be taken before enabling
+# this mechanism.
+#
+# Transparent authentication never used.
+#jdk.http.ntlm.transparentAuth=disabled
+#
+# Enabled for all hosts.
+#jdk.http.ntlm.transparentAuth=allHosts
+#
+# Enabled for hosts that are trusted in Windows Internet settings
+#jdk.http.ntlm.transparentAuth=trustedHosts
+#
+jdk.http.ntlm.transparentAuth=disabled
--- a/src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Wed Aug 22 15:55:04 2018 -0700
+++ b/src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Fri Oct 05 08:54:10 2018 +0100
@@ -93,10 +93,13 @@
/**
* Returns true if the given site is trusted, i.e. we can try
- * transparent Authentication.
+ * transparent Authentication. Shouldn't be called since
+ * capability not supported on Unix
*/
public static boolean isTrustedSite(URL url) {
- return NTLMAuthCallback.isTrustedSite(url);
+ if (NTLMAuthCallback != null)
+ return NTLMAuthCallback.isTrustedSite(url);
+ return false;
}
private void init0() {
--- a/src/java.base/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Wed Aug 22 15:55:04 2018 -0700
+++ b/src/java.base/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Fri Oct 05 08:54:10 2018 +0100
@@ -32,6 +32,7 @@
import java.net.URL;
import java.util.Objects;
import java.util.Properties;
+import sun.net.NetProperties;
import sun.net.www.HeaderParser;
import sun.net.www.protocol.http.AuthenticationInfo;
import sun.net.www.protocol.http.AuthScheme;
@@ -56,11 +57,33 @@
private static final String defaultDomain;
/* Whether cache is enabled for NTLM */
private static final boolean ntlmCache;
+
+ enum TransparentAuth {
+ DISABLED, // disable for all hosts (default)
+ TRUSTED_HOSTS, // use Windows trusted hosts settings
+ ALL_HOSTS // attempt for all hosts
+ }
+
+ private static final TransparentAuth authMode;
+
static {
Properties props = GetPropertyAction.privilegedGetProperties();
defaultDomain = props.getProperty("http.auth.ntlm.domain", "domain");
String ntlmCacheProp = props.getProperty("jdk.ntlm.cache", "true");
ntlmCache = Boolean.parseBoolean(ntlmCacheProp);
+ String modeProp = java.security.AccessController.doPrivileged(
+ new java.security.PrivilegedAction<String>() {
+ public String run() {
+ return NetProperties.get("jdk.http.ntlm.transparentAuth");
+ }
+ });
+
+ if ("trustedHosts".equalsIgnoreCase(modeProp))
+ authMode = TransparentAuth.TRUSTED_HOSTS;
+ else if ("allHosts".equalsIgnoreCase(modeProp))
+ authMode = TransparentAuth.ALL_HOSTS;
+ else
+ authMode = TransparentAuth.DISABLED;
}
private void init0() {
@@ -166,9 +189,21 @@
* transparent Authentication.
*/
public static boolean isTrustedSite(URL url) {
- return NTLMAuthCallback.isTrustedSite(url);
+ if (NTLMAuthCallback != null)
+ return NTLMAuthCallback.isTrustedSite(url);
+
+ switch (authMode) {
+ case TRUSTED_HOSTS:
+ return isTrustedSite(url.toString());
+ case ALL_HOSTS:
+ return true;
+ default:
+ return false;
+ }
}
+ static native boolean isTrustedSite(String url);
+
/**
* Not supported. Must use the setHeaders() method
*/
@@ -218,5 +253,4 @@
return false;
}
}
-
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/java.base/windows/native/libnet/NTLMAuthentication.c Fri Oct 05 08:54:10 2018 +0100
@@ -0,0 +1,106 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#include <jni.h>
+#include <windows.h>
+#include "jni_util.h"
+#include <urlmon.h>
+
+JNIEXPORT jboolean JNICALL Java_sun_net_www_protocol_http_ntlm_NTLMAuthentication_isTrustedSite(JNIEnv *env, jclass clazz, jstring url )
+{
+
+ HRESULT hr;
+ DWORD dwZone;
+ DWORD pPolicy = 0;
+ IInternetSecurityManager *spSecurityManager;
+ jboolean ret;
+
+ // Create IInternetSecurityManager
+ hr = CoInternetCreateSecurityManager(NULL, &spSecurityManager, (DWORD)0);
+ if (FAILED(hr)) {
+ return JNI_FALSE;
+ }
+
+ const LPCWSTR bstrURL = (LPCWSTR)((*env)->GetStringChars(env, url, NULL));
+ if (bstrURL == NULL) {
+ if (!(*env)->ExceptionCheck(env))
+ JNU_ThrowOutOfMemoryError(env, NULL);
+ spSecurityManager->lpVtbl->Release(spSecurityManager);
+ return JNI_FALSE;
+ }
+
+ // Determines the policy for the URLACTION_CREDENTIALS_USE action and display
+ // a user interface, if the policy indicates that the user should be queried
+ hr = spSecurityManager->lpVtbl->ProcessUrlAction(
+ spSecurityManager,
+ bstrURL,
+ URLACTION_CREDENTIALS_USE,
+ (LPBYTE)&pPolicy,
+ sizeof(DWORD), 0, 0, 0, 0);
+
+ if (FAILED(hr)) {
+ ret = JNI_FALSE;
+ goto cleanupAndReturn;
+ }
+
+ // If these two User Authentication Logon options is selected
+ // Anonymous logon
+ // Prompt for user name and password
+ if (pPolicy == URLPOLICY_CREDENTIALS_ANONYMOUS_ONLY ||
+ pPolicy == URLPOLICY_CREDENTIALS_MUST_PROMPT_USER) {
+ ret = JNI_FALSE;
+ goto cleanupAndReturn;
+ }
+
+ // Option "Automatic logon with current user name and password" is selected
+ if (pPolicy == URLPOLICY_CREDENTIALS_SILENT_LOGON_OK) {
+ ret = JNI_TRUE;
+ goto cleanupAndReturn;
+ }
+
+ // Option "Automatic logon only in intranet zone" is selected
+ if (pPolicy == URLPOLICY_CREDENTIALS_CONDITIONAL_PROMPT) {
+
+ // Gets the zone index from the specified URL
+ hr = spSecurityManager->lpVtbl->MapUrlToZone(
+ spSecurityManager, bstrURL, &dwZone, 0);
+ if (FAILED(hr)) {
+ ret = JNI_FALSE;
+ goto cleanupAndReturn;
+ }
+
+ // Check if the URL is in Local or Intranet zone
+ if (dwZone == URLZONE_INTRANET || dwZone == URLZONE_LOCAL_MACHINE) {
+ ret = JNI_TRUE;
+ goto cleanupAndReturn;
+ }
+ }
+ ret = JNI_FALSE;
+
+cleanupAndReturn:
+ (*env)->ReleaseStringChars(env, url, bstrURL);
+ spSecurityManager->lpVtbl->Release(spSecurityManager);
+ return ret;
+}