--- a/jdk/src/share/classes/com/sun/jmx/mbeanserver/MXBeanIntrospector.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/com/sun/jmx/mbeanserver/MXBeanIntrospector.java Thu Oct 23 21:55:13 2008 -0700
@@ -32,6 +32,7 @@
import java.lang.reflect.GenericArrayType;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
+import java.lang.reflect.ParameterizedType;
import java.lang.reflect.Type;
import java.util.Map;
import java.util.WeakHashMap;
@@ -390,7 +391,31 @@
if (type instanceof Class)
return ((Class) type).getName();
else
- return type.toString();
+ return genericTypeString(type);
+ }
+
+ private static String genericTypeString(Type type) {
+ if (type instanceof Class<?>) {
+ Class<?> c = (Class<?>) type;
+ if (c.isArray())
+ return genericTypeString(c.getComponentType()) + "[]";
+ else
+ return c.getName();
+ } else if (type instanceof GenericArrayType) {
+ GenericArrayType gat = (GenericArrayType) type;
+ return genericTypeString(gat.getGenericComponentType()) + "[]";
+ } else if (type instanceof ParameterizedType) {
+ ParameterizedType pt = (ParameterizedType) type;
+ StringBuilder sb = new StringBuilder();
+ sb.append(genericTypeString(pt.getRawType())).append("<");
+ String sep = "";
+ for (Type t : pt.getActualTypeArguments()) {
+ sb.append(sep).append(genericTypeString(t));
+ sep = ", ";
+ }
+ return sb.append(">").toString();
+ } else
+ return "???";
}
private final PerInterfaceMap<ConvertingMethod>
--- a/jdk/src/share/classes/java/nio/channels/SelectableChannel.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/java/nio/channels/SelectableChannel.java Thu Oct 23 21:55:13 2008 -0700
@@ -191,6 +191,9 @@
* @throws ClosedChannelException
* If this channel is closed
*
+ * @throws ClosedSelectorException
+ * If the selector is closed
+ *
* @throws IllegalBlockingModeException
* If this channel is in blocking mode
*
@@ -246,6 +249,9 @@
* @throws ClosedChannelException
* If this channel is closed
*
+ * @throws ClosedSelectorException
+ * If the selector is closed
+ *
* @throws IllegalBlockingModeException
* If this channel is in blocking mode
*
--- a/jdk/src/share/classes/java/nio/channels/spi/AbstractSelectableChannel.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/java/nio/channels/spi/AbstractSelectableChannel.java Thu Oct 23 21:55:13 2008 -0700
@@ -175,6 +175,16 @@
* the selector is invoked while holding the appropriate locks. The
* resulting key is added to this channel's key set before being returned.
* </p>
+ *
+ * @throws ClosedSelectorException {@inheritDoc}
+ *
+ * @throws IllegalBlockingModeException {@inheritDoc}
+ *
+ * @throws IllegalSelectorException {@inheritDoc}
+ *
+ * @throws CancelledKeyException {@inheritDoc}
+ *
+ * @throws IllegalArgumentException {@inheritDoc}
*/
public final SelectionKey register(Selector sel, int ops,
Object att)
--- a/jdk/src/share/classes/javax/management/event/EventClient.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/javax/management/event/EventClient.java Thu Oct 23 21:55:13 2008 -0700
@@ -265,12 +265,20 @@
public ScheduledThreadPoolExecutor createThreadPool(ThreadGroup group) {
ThreadFactory daemonThreadFactory = new DaemonThreadFactory(
"JMX EventClient lease renewer %d");
- ScheduledThreadPoolExecutor exec = new ScheduledThreadPoolExecutor(
- 20, daemonThreadFactory);
- exec.setKeepAliveTime(1, TimeUnit.SECONDS);
- exec.allowCoreThreadTimeOut(true);
- exec.setRemoveOnCancelPolicy(true);
- return exec;
+ ScheduledThreadPoolExecutor executor =
+ new ScheduledThreadPoolExecutor(20, daemonThreadFactory);
+ executor.setKeepAliveTime(1, TimeUnit.SECONDS);
+ executor.allowCoreThreadTimeOut(true);
+ executor.setRemoveOnCancelPolicy(true);
+ // By default, a ScheduledThreadPoolExecutor will keep jobs
+ // in its queue even after they have been cancelled. They
+ // will only be removed when their scheduled time arrives.
+ // Since the job references the LeaseRenewer which references
+ // this EventClient, this can lead to a moderately large number
+ // of objects remaining referenced until the renewal time
+ // arrives. Hence the above call, which removes the job from
+ // the queue as soon as it is cancelled.
+ return executor;
}
};
return leaseRenewerThreadPool.getThreadPoolExecutor(create);
@@ -381,7 +389,7 @@
listenerId =
eventClientDelegate.addListener(clientId, name, filter);
} catch (EventClientNotFoundException ecnfe) {
- final IOException ioe = new IOException();
+ final IOException ioe = new IOException(ecnfe.getMessage());
ioe.initCause(ecnfe);
throw ioe;
}
@@ -488,7 +496,7 @@
listenerId =
eventClientDelegate.addSubscriber(clientId, name, filter);
} catch (EventClientNotFoundException ecnfe) {
- final IOException ioe = new IOException();
+ final IOException ioe = new IOException(ecnfe.getMessage());
ioe.initCause(ecnfe);
throw ioe;
}
--- a/jdk/src/share/classes/javax/management/event/FetchingEventRelay.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/javax/management/event/FetchingEventRelay.java Thu Oct 23 21:55:13 2008 -0700
@@ -91,7 +91,7 @@
* the fetching.
*
* @param delegate The {@code EventClientDelegateMBean} to work with.
- * @param executor Used to do the fetching. A new thread is created if
+ * @param fetchExecutor Used to do the fetching. A new thread is created if
* {@code null}.
* @throws IOException If failed to work with the {@code delegate}.
* @throws MBeanException if unable to add a client to the remote
@@ -101,12 +101,12 @@
* @throws IllegalArgumentException If {@code delegate} is {@code null}.
*/
public FetchingEventRelay(EventClientDelegateMBean delegate,
- Executor executor) throws IOException, MBeanException {
+ Executor fetchExecutor) throws IOException, MBeanException {
this(delegate,
DEFAULT_BUFFER_SIZE,
DEFAULT_WAITING_TIMEOUT,
DEFAULT_MAX_NOTIFICATIONS,
- executor);
+ fetchExecutor);
}
/**
@@ -120,7 +120,7 @@
* @param timeout The waiting time in millseconds when fetching
* notifications from an {@code EventClientDelegateMBean}.
* @param maxNotifs The maximum notifications to fetch every time.
- * @param executor Used to do the fetching. A new thread is created if
+ * @param fetchExecutor Used to do the fetching. A new thread is created if
* {@code null}.
* @throws IOException if failed to communicate with the {@code delegate}.
* @throws MBeanException if unable to add a client to the remote
@@ -133,12 +133,12 @@
int bufferSize,
long timeout,
int maxNotifs,
- Executor executor) throws IOException, MBeanException {
+ Executor fetchExecutor) throws IOException, MBeanException {
this(delegate,
bufferSize,
timeout,
maxNotifs,
- executor,
+ fetchExecutor,
FetchingEventForwarder.class.getName(),
new Object[] {bufferSize},
new String[] {int.class.getName()});
@@ -155,7 +155,7 @@
* @param timeout The waiting time in millseconds when fetching
* notifications from an {@code EventClientDelegateMBean}.
* @param maxNotifs The maximum notifications to fetch every time.
- * @param executor Used to do the fetching.
+ * @param fetchExecutor Used to do the fetching.
* @param forwarderName the class name of a user specific EventForwarder
* to create in server to forward notifications to this object. The class
* should be a subclass of the class {@link FetchingEventForwarder}.
@@ -174,7 +174,7 @@
int bufferSize,
long timeout,
int maxNotifs,
- Executor executor,
+ Executor fetchExecutor,
String forwarderName,
Object[] params,
String[] sig) throws IOException, MBeanException {
@@ -184,11 +184,11 @@
bufferSize+" "+
timeout+" "+
maxNotifs+" "+
- executor+" "+
+ fetchExecutor+" "+
forwarderName+" ");
}
- if(delegate == null) {
+ if (delegate == null) {
throw new NullPointerException("Null EventClientDelegateMBean!");
}
@@ -212,16 +212,16 @@
this.timeout = timeout;
this.maxNotifs = maxNotifs;
- if (executor == null) {
- ScheduledThreadPoolExecutor stpe = new ScheduledThreadPoolExecutor(1,
- daemonThreadFactory);
- stpe.setKeepAliveTime(1, TimeUnit.SECONDS);
- stpe.allowCoreThreadTimeOut(true);
- executor = stpe;
- this.defaultExecutor = stpe;
+ if (fetchExecutor == null) {
+ ScheduledThreadPoolExecutor executor =
+ new ScheduledThreadPoolExecutor(1, daemonThreadFactory);
+ executor.setKeepAliveTime(1, TimeUnit.SECONDS);
+ executor.allowCoreThreadTimeOut(true);
+ fetchExecutor = executor;
+ this.defaultExecutor = executor;
} else
this.defaultExecutor = null;
- this.executor = executor;
+ this.fetchExecutor = fetchExecutor;
startSequenceNumber = 0;
fetchingJob = new MyJob();
@@ -258,7 +258,7 @@
private class MyJob extends RepeatedSingletonJob {
public MyJob() {
- super(executor);
+ super(fetchExecutor);
}
public boolean isSuspended() {
@@ -368,7 +368,7 @@
private String clientId;
private boolean stopped = false;
- private final Executor executor;
+ private final Executor fetchExecutor;
private final ExecutorService defaultExecutor;
private final MyJob fetchingJob;
--- a/jdk/src/share/classes/javax/management/monitor/Monitor.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/javax/management/monitor/Monitor.java Thu Oct 23 21:55:13 2008 -0700
@@ -181,7 +181,7 @@
/**
* Executor Service.
*/
- private static final ExecutorService executor;
+ private static final ThreadPoolExecutor executor;
static {
final String maximumPoolSizeSysProp = "jmx.x.monitor.maximum.pool.size";
final String maximumPoolSizeStr = AccessController.doPrivileged(
@@ -218,7 +218,7 @@
TimeUnit.SECONDS,
new LinkedBlockingQueue<Runnable>(),
new DaemonThreadFactory("Executor"));
- ((ThreadPoolExecutor)executor).allowCoreThreadTimeOut(true);
+ executor.allowCoreThreadTimeOut(true);
}
/**
--- a/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java Thu Oct 23 21:55:13 2008 -0700
@@ -71,9 +71,8 @@
import java.util.Properties;
import java.util.Set;
import java.util.WeakHashMap;
-import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.Executor;
-import java.util.concurrent.LinkedBlockingDeque;
+import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
@@ -421,12 +420,12 @@
public ThreadPoolExecutor createThreadPool(ThreadGroup group) {
ThreadFactory daemonThreadFactory = new DaemonThreadFactory(
"JMX RMIConnector listener dispatch %d");
- ThreadPoolExecutor exec = new ThreadPoolExecutor(
+ ThreadPoolExecutor executor = new ThreadPoolExecutor(
1, 10, 1, TimeUnit.SECONDS,
- new LinkedBlockingDeque<Runnable>(),
+ new LinkedBlockingQueue<Runnable>(),
daemonThreadFactory);
- exec.allowCoreThreadTimeOut(true);
- return exec;
+ executor.allowCoreThreadTimeOut(true);
+ return executor;
}
};
return listenerDispatchThreadPool.getThreadPoolExecutor(create);
@@ -1503,7 +1502,7 @@
super(period);
}
- public void gotIOException (IOException ioe) throws IOException {
+ public void gotIOException(IOException ioe) throws IOException {
if (ioe instanceof NoSuchObjectException) {
// need to restart
super.gotIOException(ioe);
--- a/jdk/src/share/classes/sun/management/jmxremote/ConnectorBootstrap.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/sun/management/jmxremote/ConnectorBootstrap.java Thu Oct 23 21:55:13 2008 -0700
@@ -80,7 +80,7 @@
import static sun.management.AgentConfigurationError.*;
import sun.management.ConnectorAddressLink;
import sun.management.FileSystem;
-import sun.management.snmp.util.MibLogger;
+import com.sun.jmx.remote.util.ClassLogger;
import com.sun.jmx.remote.internal.RMIExporter;
import com.sun.jmx.remote.security.JMXPluggableAuthenticator;
@@ -99,6 +99,7 @@
public static final String PORT = "0";
public static final String CONFIG_FILE_NAME = "management.properties";
public static final String USE_SSL = "true";
+ public static final String USE_LOCAL_ONLY = "true";
public static final String USE_REGISTRY_SSL = "false";
public static final String USE_AUTHENTICATION = "true";
public static final String PASSWORD_FILE_NAME = "jmxremote.password";
@@ -115,6 +116,8 @@
"com.sun.management.jmxremote.port";
public static final String CONFIG_FILE_NAME =
"com.sun.management.config.file";
+ public static final String USE_LOCAL_ONLY =
+ "com.sun.management.jmxremote.local.only";
public static final String USE_SSL =
"com.sun.management.jmxremote.ssl";
public static final String USE_REGISTRY_SSL =
@@ -384,7 +387,7 @@
checkAccessFile(accessFileName);
}
- if (log.isDebugOn()) {
+ if (log.debugOn()) {
log.debug("initialize",
Agent.getText("jmxremote.ConnectorBootstrap.initialize") +
"\n\t" + PropertyNames.PORT + "=" + port +
@@ -477,6 +480,18 @@
MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
try {
JMXServiceURL url = new JMXServiceURL("rmi", localhost, 0);
+ // Do we accept connections from local interfaces only?
+ Properties props = Agent.getManagementProperties();
+ if (props == null) {
+ props = new Properties();
+ }
+ String useLocalOnlyStr = props.getProperty(
+ PropertyNames.USE_LOCAL_ONLY, DefaultValues.USE_LOCAL_ONLY);
+ boolean useLocalOnly = Boolean.valueOf(useLocalOnlyStr).booleanValue();
+ if (useLocalOnly) {
+ env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE,
+ new LocalRMIServerSocketFactory());
+ }
JMXConnectorServer server =
JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
server.start();
@@ -764,7 +779,7 @@
private ConnectorBootstrap() {
}
- // XXX Revisit: should probably clone this MibLogger....
- private static final MibLogger log =
- new MibLogger(ConnectorBootstrap.class);
+ private static final ClassLogger log =
+ new ClassLogger(ConnectorBootstrap.class.getPackage().getName(),
+ "ConnectorBootstrap");
}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/src/share/classes/sun/management/jmxremote/LocalRMIServerSocketFactory.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2007 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package sun.management.jmxremote;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.SocketException;
+import java.rmi.server.RMIServerSocketFactory;
+import java.util.Enumeration;
+
+/**
+ * This RMI server socket factory creates server sockets that
+ * will only accept connection requests from clients running
+ * on the host where the RMI remote objects have been exported.
+ */
+public final class LocalRMIServerSocketFactory implements RMIServerSocketFactory {
+ /**
+ * Creates a server socket that only accepts connection requests from
+ * clients running on the host where the RMI remote objects have been
+ * exported.
+ */
+ public ServerSocket createServerSocket(int port) throws IOException {
+ return new ServerSocket(port) {
+ @Override
+ public Socket accept() throws IOException {
+ Socket socket = super.accept();
+ InetAddress remoteAddr = socket.getInetAddress();
+ final String msg = "The server sockets created using the " +
+ "LocalRMIServerSocketFactory only accept connections " +
+ "from clients running on the host where the RMI " +
+ "remote objects have been exported.";
+ if (remoteAddr.isAnyLocalAddress()) {
+ // local address: accept the connection.
+ return socket;
+ }
+ // Retrieve all the network interfaces on this host.
+ Enumeration<NetworkInterface> nis;
+ try {
+ nis = NetworkInterface.getNetworkInterfaces();
+ } catch (SocketException e) {
+ try {
+ socket.close();
+ } catch (IOException ioe) {
+ // Ignore...
+ }
+ throw new IOException(msg, e);
+ }
+ // Walk through the network interfaces to see
+ // if any of them matches the client's address.
+ // If true, then the client's address is local.
+ while (nis.hasMoreElements()) {
+ NetworkInterface ni = nis.nextElement();
+ Enumeration<InetAddress> addrs = ni.getInetAddresses();
+ while (addrs.hasMoreElements()) {
+ InetAddress localAddr = addrs.nextElement();
+ if (localAddr.equals(remoteAddr)) {
+ return socket;
+ }
+ }
+ }
+ // The client's address is remote so refuse the connection.
+ try {
+ socket.close();
+ } catch (IOException ioe) {
+ // Ignore...
+ }
+ throw new IOException(msg);
+ }
+ };
+ }
+
+ /**
+ * Two LocalRMIServerSocketFactory objects
+ * are equal if they are of the same type.
+ */
+ @Override
+ public boolean equals(Object obj) {
+ return (obj instanceof LocalRMIServerSocketFactory);
+ }
+
+ /**
+ * Returns a hash code value for this LocalRMIServerSocketFactory.
+ */
+ @Override
+ public int hashCode() {
+ return getClass().hashCode();
+ }
+}
--- a/jdk/src/share/classes/sun/nio/ch/AbstractPollSelectorImpl.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/sun/nio/ch/AbstractPollSelectorImpl.java Thu Oct 23 21:55:13 2008 -0700
@@ -58,6 +58,9 @@
// True if this Selector has been closed
private boolean closed = false;
+ // Lock for close and cleanup
+ private Object closeLock = new Object();
+
AbstractPollSelectorImpl(SelectorProvider sp, int channels, int offset) {
super(sp);
this.totalChannels = channels;
@@ -65,7 +68,11 @@
}
void putEventOps(SelectionKeyImpl sk, int ops) {
- pollWrapper.putEventOps(sk.getIndex(), ops);
+ synchronized (closeLock) {
+ if (closed)
+ throw new ClosedSelectorException();
+ pollWrapper.putEventOps(sk.getIndex(), ops);
+ }
}
public Selector wakeup() {
@@ -76,7 +83,9 @@
protected abstract int doSelect(long timeout) throws IOException;
protected void implClose() throws IOException {
- if (!closed) {
+ synchronized (closeLock) {
+ if (closed)
+ return;
closed = true;
// Deregister channels
for(int i=channelOffset; i<totalChannels; i++) {
@@ -129,23 +138,28 @@
}
protected void implRegister(SelectionKeyImpl ski) {
- // Check to see if the array is large enough
- if (channelArray.length == totalChannels) {
- // Make a larger array
- int newSize = pollWrapper.totalChannels * 2;
- SelectionKeyImpl temp[] = new SelectionKeyImpl[newSize];
- // Copy over
- for (int i=channelOffset; i<totalChannels; i++)
- temp[i] = channelArray[i];
- channelArray = temp;
- // Grow the NativeObject poll array
- pollWrapper.grow(newSize);
+ synchronized (closeLock) {
+ if (closed)
+ throw new ClosedSelectorException();
+
+ // Check to see if the array is large enough
+ if (channelArray.length == totalChannels) {
+ // Make a larger array
+ int newSize = pollWrapper.totalChannels * 2;
+ SelectionKeyImpl temp[] = new SelectionKeyImpl[newSize];
+ // Copy over
+ for (int i=channelOffset; i<totalChannels; i++)
+ temp[i] = channelArray[i];
+ channelArray = temp;
+ // Grow the NativeObject poll array
+ pollWrapper.grow(newSize);
+ }
+ channelArray[totalChannels] = ski;
+ ski.setIndex(totalChannels);
+ pollWrapper.addEntry(ski.channel);
+ totalChannels++;
+ keys.add(ski);
}
- channelArray[totalChannels] = ski;
- ski.setIndex(totalChannels);
- pollWrapper.addEntry(ski.channel);
- totalChannels++;
- keys.add(ski);
}
protected void implDereg(SelectionKeyImpl ski) throws IOException {
--- a/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/classes/sun/security/provider/certpath/BasicChecker.java Thu Oct 23 21:55:13 2008 -0700
@@ -162,7 +162,7 @@
throw new CertPathValidatorException
(msg + " check failed", e, null, -1,
BasicReason.INVALID_SIGNATURE);
- } catch (GeneralSecurityException e) {
+ } catch (Exception e) {
throw new CertPathValidatorException(msg + " check failed", e);
}
--- a/jdk/src/share/lib/management/management.properties Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/share/lib/management/management.properties Thu Oct 23 21:55:13 2008 -0700
@@ -82,7 +82,7 @@
#
# com.sun.management.snmp.interface=<InetAddress>
# Specifies the local interface on which the SNMP agent will bind.
-# This is usefull when running on machines which have several
+# This is useful when running on machines which have several
# interfaces defined. It makes it possible to listen to a specific
# subnet accessible through that interface.
# Default for this property is "localhost".
@@ -144,6 +144,26 @@
#
#
+# ########## RMI connector settings for local management ##########
+#
+# com.sun.management.jmxremote.local.only=true|false
+# Default for this property is true. (Case for true/false ignored)
+# If this property is specified as true then the local JMX RMI connector
+# server will only accept connection requests from clients running on
+# the host where the out-of-the-box JMX management agent is running.
+# In order to ensure backwards compatibility this property could be
+# set to false. However, deploying the local management agent in this
+# way is discouraged because the local JMX RMI connector server will
+# accept connection requests from any client either local or remote.
+# For remote management the remote JMX RMI connector server should
+# be used instead with authentication and SSL/TLS encryption enabled.
+#
+
+# For allowing the local management agent accept local
+# and remote connection requests use the following line
+# com.sun.management.jmxremote.local.only=false
+
+#
# ###################### RMI SSL #############################
#
# com.sun.management.jmxremote.ssl=true|false
--- a/jdk/src/solaris/classes/sun/nio/ch/DevPollSelectorImpl.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/solaris/classes/sun/nio/ch/DevPollSelectorImpl.java Thu Oct 23 21:55:13 2008 -0700
@@ -46,15 +46,15 @@
// The poll object
DevPollArrayWrapper pollWrapper;
- // The number of valid channels in this Selector's poll array
- private int totalChannels;
-
// Maps from file descriptors to keys
private Map<Integer,SelectionKeyImpl> fdToKey;
// True if this Selector has been closed
private boolean closed = false;
+ // Lock for close/cleanup
+ private Object closeLock = new Object();
+
// Lock for interrupt triggering and clearing
private Object interruptLock = new Object();
private boolean interruptTriggered = false;
@@ -72,7 +72,6 @@
pollWrapper = new DevPollArrayWrapper();
pollWrapper.initInterrupt(fd0, fd1);
fdToKey = new HashMap<Integer,SelectionKeyImpl>();
- totalChannels = 1;
}
protected int doSelect(long timeout)
@@ -131,45 +130,39 @@
}
protected void implClose() throws IOException {
- if (!closed) {
- closed = true;
-
- // prevent further wakeup
- synchronized (interruptLock) {
- interruptTriggered = true;
- }
+ if (closed)
+ return;
+ closed = true;
- FileDispatcher.closeIntFD(fd0);
- FileDispatcher.closeIntFD(fd1);
- if (pollWrapper != null) {
+ // prevent further wakeup
+ synchronized (interruptLock) {
+ interruptTriggered = true;
+ }
- pollWrapper.release(fd0);
- pollWrapper.closeDevPollFD();
- pollWrapper = null;
- selectedKeys = null;
+ FileDispatcher.closeIntFD(fd0);
+ FileDispatcher.closeIntFD(fd1);
- // Deregister channels
- Iterator i = keys.iterator();
- while (i.hasNext()) {
- SelectionKeyImpl ski = (SelectionKeyImpl)i.next();
- deregister(ski);
- SelectableChannel selch = ski.channel();
- if (!selch.isOpen() && !selch.isRegistered())
- ((SelChImpl)selch).kill();
- i.remove();
- }
- totalChannels = 0;
+ pollWrapper.release(fd0);
+ pollWrapper.closeDevPollFD();
+ selectedKeys = null;
- }
- fd0 = -1;
- fd1 = -1;
+ // Deregister channels
+ Iterator i = keys.iterator();
+ while (i.hasNext()) {
+ SelectionKeyImpl ski = (SelectionKeyImpl)i.next();
+ deregister(ski);
+ SelectableChannel selch = ski.channel();
+ if (!selch.isOpen() && !selch.isRegistered())
+ ((SelChImpl)selch).kill();
+ i.remove();
}
+ fd0 = -1;
+ fd1 = -1;
}
protected void implRegister(SelectionKeyImpl ski) {
int fd = IOUtil.fdVal(ski.channel.getFD());
fdToKey.put(Integer.valueOf(fd), ski);
- totalChannels++;
keys.add(ski);
}
@@ -179,7 +172,6 @@
int fd = ski.channel.getFDVal();
fdToKey.remove(Integer.valueOf(fd));
pollWrapper.release(fd);
- totalChannels--;
ski.setIndex(-1);
keys.remove(ski);
selectedKeys.remove(ski);
@@ -190,6 +182,8 @@
}
void putEventOps(SelectionKeyImpl sk, int ops) {
+ if (closed)
+ throw new ClosedSelectorException();
int fd = IOUtil.fdVal(sk.channel.getFD());
pollWrapper.setInterest(fd, ops);
}
--- a/jdk/src/solaris/classes/sun/nio/ch/EPollSelectorImpl.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/solaris/classes/sun/nio/ch/EPollSelectorImpl.java Thu Oct 23 21:55:13 2008 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright 2005-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2005-2007 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -31,7 +31,6 @@
import java.util.*;
import sun.misc.*;
-
/**
* An implementation of Selector for Linux 2.6+ kernels that uses
* the epoll event notification facility.
@@ -51,7 +50,7 @@
private Map<Integer,SelectionKeyImpl> fdToKey;
// True if this Selector has been closed
- private boolean closed = false;
+ private volatile boolean closed = false;
// Lock for interrupt triggering and clearing
private Object interruptLock = new Object();
@@ -128,40 +127,41 @@
}
protected void implClose() throws IOException {
- if (!closed) {
- closed = true;
+ if (closed)
+ return;
+ closed = true;
- // prevent further wakeup
- synchronized (interruptLock) {
- interruptTriggered = true;
- }
+ // prevent further wakeup
+ synchronized (interruptLock) {
+ interruptTriggered = true;
+ }
- FileDispatcher.closeIntFD(fd0);
- FileDispatcher.closeIntFD(fd1);
- if (pollWrapper != null) {
+ FileDispatcher.closeIntFD(fd0);
+ FileDispatcher.closeIntFD(fd1);
- pollWrapper.release(fd0);
- pollWrapper.closeEPollFD();
- pollWrapper = null;
- selectedKeys = null;
+ pollWrapper.release(fd0);
+ pollWrapper.closeEPollFD();
+ // it is possible
+ selectedKeys = null;
- // Deregister channels
- Iterator i = keys.iterator();
- while (i.hasNext()) {
- SelectionKeyImpl ski = (SelectionKeyImpl)i.next();
- deregister(ski);
- SelectableChannel selch = ski.channel();
- if (!selch.isOpen() && !selch.isRegistered())
- ((SelChImpl)selch).kill();
- i.remove();
- }
- }
- fd0 = -1;
- fd1 = -1;
+ // Deregister channels
+ Iterator i = keys.iterator();
+ while (i.hasNext()) {
+ SelectionKeyImpl ski = (SelectionKeyImpl)i.next();
+ deregister(ski);
+ SelectableChannel selch = ski.channel();
+ if (!selch.isOpen() && !selch.isRegistered())
+ ((SelChImpl)selch).kill();
+ i.remove();
}
+
+ fd0 = -1;
+ fd1 = -1;
}
protected void implRegister(SelectionKeyImpl ski) {
+ if (closed)
+ throw new ClosedSelectorException();
int fd = IOUtil.fdVal(ski.channel.getFD());
fdToKey.put(Integer.valueOf(fd), ski);
pollWrapper.add(fd);
@@ -183,6 +183,8 @@
}
void putEventOps(SelectionKeyImpl sk, int ops) {
+ if (closed)
+ throw new ClosedSelectorException();
int fd = IOUtil.fdVal(sk.channel.getFD());
pollWrapper.setInterest(fd, ops);
}
--- a/jdk/src/windows/classes/sun/nio/ch/WindowsSelectorImpl.java Thu Oct 23 10:13:13 2008 -0700
+++ b/jdk/src/windows/classes/sun/nio/ch/WindowsSelectorImpl.java Thu Oct 23 21:55:13 2008 -0700
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2002-2007 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -80,6 +80,9 @@
// File descriptors corresponding to source and sink
private final int wakeupSourceFd, wakeupSinkFd;
+ // Lock for close cleanup
+ private Object closeLock = new Object();
+
// Maps file descriptors to their indices in pollArray
private final static class FdMap extends HashMap<Integer, MapEntry> {
static final long serialVersionUID = 0L;
@@ -473,42 +476,48 @@
}
protected void implClose() throws IOException {
- if (channelArray != null) {
- if (pollWrapper != null) {
- // prevent further wakeup
- synchronized (interruptLock) {
- interruptTriggered = true;
- }
- wakeupPipe.sink().close();
- wakeupPipe.source().close();
- for(int i = 1; i < totalChannels; i++) { // Deregister channels
- if (i % MAX_SELECTABLE_FDS != 0) { // skip wakeupEvent
- deregister(channelArray[i]);
- SelectableChannel selch = channelArray[i].channel();
- if (!selch.isOpen() && !selch.isRegistered())
- ((SelChImpl)selch).kill();
+ synchronized (closeLock) {
+ if (channelArray != null) {
+ if (pollWrapper != null) {
+ // prevent further wakeup
+ synchronized (interruptLock) {
+ interruptTriggered = true;
}
- }
- pollWrapper.free();
- pollWrapper = null;
- selectedKeys = null;
- channelArray = null;
- threads.clear();
- // Call startThreads. All remaining helper threads now exit,
- // since threads.size() = 0;
- startLock.startThreads();
+ wakeupPipe.sink().close();
+ wakeupPipe.source().close();
+ for(int i = 1; i < totalChannels; i++) { // Deregister channels
+ if (i % MAX_SELECTABLE_FDS != 0) { // skip wakeupEvent
+ deregister(channelArray[i]);
+ SelectableChannel selch = channelArray[i].channel();
+ if (!selch.isOpen() && !selch.isRegistered())
+ ((SelChImpl)selch).kill();
+ }
+ }
+ pollWrapper.free();
+ pollWrapper = null;
+ selectedKeys = null;
+ channelArray = null;
+ threads.clear();
+ // Call startThreads. All remaining helper threads now exit,
+ // since threads.size() = 0;
+ startLock.startThreads();
+ }
}
}
}
protected void implRegister(SelectionKeyImpl ski) {
- growIfNeeded();
- channelArray[totalChannels] = ski;
- ski.setIndex(totalChannels);
- fdMap.put(ski);
- keys.add(ski);
- pollWrapper.addEntry(totalChannels, ski);
- totalChannels++;
+ synchronized (closeLock) {
+ if (pollWrapper == null)
+ throw new ClosedSelectorException();
+ growIfNeeded();
+ channelArray[totalChannels] = ski;
+ ski.setIndex(totalChannels);
+ fdMap.put(ski);
+ keys.add(ski);
+ pollWrapper.addEntry(totalChannels, ski);
+ totalChannels++;
+ }
}
private void growIfNeeded() {
@@ -554,7 +563,11 @@
}
void putEventOps(SelectionKeyImpl sk, int ops) {
- pollWrapper.putEventOps(sk.getIndex(), ops);
+ synchronized (closeLock) {
+ if (pollWrapper == null)
+ throw new ClosedSelectorException();
+ pollWrapper.putEventOps(sk.getIndex(), ops);
+ }
}
public Selector wakeup() {
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/nio/channels/Selector/CloseThenRegister.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/* @test
+ * @bug 5025260
+ * @summary ClosedSelectorException is expected when register after close
+ */
+
+import java.net.*;
+import java.nio.channels.*;
+
+public class CloseThenRegister {
+
+ public static void main (String [] args) throws Exception {
+ try {
+ Selector s = Selector.open();
+ s.close();
+ ServerSocketChannel c = ServerSocketChannel.open();
+ c.socket().bind(new InetSocketAddress(40000));
+ c.configureBlocking(false);
+ c.register(s, SelectionKey.OP_ACCEPT);
+ } catch (ClosedSelectorException cse) {
+ return;
+ }
+ throw new RuntimeException("register after close does not cause CSE!");
+ }
+
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/javax/management/mxbean/TypeNameTest.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6757225
+ * @summary Test that type names in MXBeans match their spec.
+ * @author Eamonn McManus
+ */
+
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationHandler;
+import java.lang.reflect.Method;
+import java.lang.reflect.Proxy;
+import java.util.List;
+import java.util.Map;
+import javax.management.MBeanAttributeInfo;
+import javax.management.MBeanInfo;
+import javax.management.MBeanServer;
+import javax.management.MBeanServerFactory;
+import javax.management.ObjectName;
+import javax.management.StandardMBean;
+
+public class TypeNameTest {
+ public static interface TestMXBean {
+ public int getInt();
+ public String IntName = "int";
+
+ public Map<String, Integer> getMapSI();
+ public String MapSIName = "java.util.Map<java.lang.String, java.lang.Integer>";
+
+ public Map<String, int[]> getMapSInts();
+ public String MapSIntsName = "java.util.Map<java.lang.String, int[]>";
+
+ public List<List<int[]>> getListListInts();
+ public String ListListIntsName = "java.util.List<java.util.List<int[]>>";
+ }
+
+ private static InvocationHandler nullIH = new InvocationHandler() {
+ public Object invoke(Object proxy, Method method, Object[] args)
+ throws Throwable {
+ return null;
+ }
+ };
+
+ static String failure;
+
+ public static void main(String[] args) throws Exception {
+ TestMXBean testImpl = (TestMXBean) Proxy.newProxyInstance(
+ TestMXBean.class.getClassLoader(), new Class<?>[] {TestMXBean.class}, nullIH);
+ Object mxbean = new StandardMBean(testImpl, TestMXBean.class, true);
+ MBeanServer mbs = MBeanServerFactory.newMBeanServer();
+ ObjectName name = new ObjectName("a:b=c");
+ mbs.registerMBean(mxbean, name);
+ MBeanInfo mbi = mbs.getMBeanInfo(name);
+ MBeanAttributeInfo[] mbais = mbi.getAttributes();
+ for (MBeanAttributeInfo mbai : mbais) {
+ String attrName = mbai.getName();
+ String attrTypeName = (String) mbai.getDescriptor().getFieldValue("originalType");
+ String fieldName = attrName + "Name";
+ Field nameField = TestMXBean.class.getField(fieldName);
+ String expectedTypeName = (String) nameField.get(null);
+ if (expectedTypeName.equals(attrTypeName)) {
+ System.out.println("OK: " + attrName + ": " + attrTypeName);
+ } else {
+ failure = "For attribute " + attrName + " expected type name \"" +
+ expectedTypeName + "\", found type name \"" + attrTypeName +
+ "\"";
+ System.out.println("FAIL: " + failure);
+ }
+ }
+ if (failure == null)
+ System.out.println("TEST PASSED");
+ else
+ throw new Exception("TEST FAILED: " + failure);
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/Action.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/**
+ * Action used in Context.doAs
+ */
+public interface Action {
+ /**
+ * This method always reads a byte block and emits another one
+ */
+ byte[] run(Context s, byte[] input) throws Exception;
+}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/BasicKrb5Test.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6706974
+ * @summary Add krb5 test infrastructure
+ */
+
+import org.ietf.jgss.GSSName;
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.Config;
+import sun.security.krb5.internal.crypto.EType;
+
+/**
+ * Basic JGSS/krb5 test with 3 parties: client, server, backend server. Each
+ * party uses JAAS login to get subjects and executes JGSS calls using
+ * Subject.doAs.
+ */
+public class BasicKrb5Test {
+
+ /**
+ * @param args empty or etype
+ */
+ public static void main(String[] args)
+ throws Exception {
+
+ String etype = null;
+ if (args.length > 0) {
+ etype = args[0];
+ }
+
+ // Creates and starts the KDC. This line must be put ahead of etype check
+ // since the check needs a krb5.conf.
+ new OneKDC(etype).writeJAASConf();
+
+ System.out.println("Testing etype " + etype);
+ if (etype != null && !EType.isSupported(Config.getInstance().getType(etype))) {
+ System.out.println("Not supported.");
+ System.exit(0);
+ }
+
+ new BasicKrb5Test().go(OneKDC.SERVER, OneKDC.BACKEND);
+ }
+
+ void go(final String server, final String backend) throws Exception {
+ Context c, s, s2, b;
+ c = Context.fromJAAS("client");
+ s = Context.fromJAAS("server");
+ b = Context.fromJAAS("backend");
+
+ c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
+ c.x().requestCredDeleg(true);
+ s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+ c.status();
+ s.status();
+
+ Context.handshake(c, s);
+ GSSName client = c.x().getSrcName();
+
+ c.status();
+ s.status();
+
+ Context.transmit("i say high --", c, s);
+ Context.transmit(" you say low", s, c);
+
+ s2 = s.delegated();
+ s.dispose();
+ s = null;
+
+ s2.startAsClient(backend, GSSUtil.GSS_KRB5_MECH_OID);
+ b.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+ s2.status();
+ b.status();
+
+ Context.handshake(s2, b);
+ GSSName client2 = b.x().getSrcName();
+
+ if (!client.equals(client2)) {
+ throw new Exception("Delegation failed");
+ }
+
+ s2.status();
+ b.status();
+
+ Context.transmit("you say hello --", s2, b);
+ Context.transmit(" i say goodbye", b, s2);
+
+ s2.dispose();
+ b.dispose();
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/CleanState.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6716534
+ * @summary Krb5LoginModule has not cleaned temp info between authentication attempts
+ */
+import com.sun.security.auth.module.Krb5LoginModule;
+import java.util.HashMap;
+import java.util.Map;
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+
+public class CleanState {
+ public static void main(String[] args) throws Exception {
+ CleanState x = new CleanState();
+ new OneKDC(null);
+ x.go();
+ }
+
+ void go() throws Exception {
+ Krb5LoginModule krb5 = new Krb5LoginModule();
+
+ final String name = OneKDC.USER;
+ final char[] password = OneKDC.PASS;
+ char[] badpassword = "hellokitty".toCharArray();
+
+ Map<String,String> map = new HashMap<String,String>();
+ map.put("useTicketCache", "false");
+ map.put("doNotPrompt", "false");
+ map.put("tryFirstPass", "true");
+ Map<String,Object> shared = new HashMap<String,Object>();
+ shared.put("javax.security.auth.login.name", name);
+ shared.put("javax.security.auth.login.password", badpassword);
+
+ krb5.initialize(new Subject(), new CallbackHandler() {
+ @Override
+ public void handle(Callback[] callbacks) {
+ for(Callback callback: callbacks) {
+ if (callback instanceof NameCallback) {
+ ((NameCallback)callback).setName(name);
+ }
+ if (callback instanceof PasswordCallback) {
+ ((PasswordCallback)callback).setPassword(password);
+ }
+ }
+ }
+ }, shared, map);
+ krb5.login();
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/Context.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,386 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+import com.sun.security.auth.module.Krb5LoginModule;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosTicket;
+import javax.security.auth.login.LoginContext;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSCredential;
+import org.ietf.jgss.GSSException;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import org.ietf.jgss.MessageProp;
+import org.ietf.jgss.Oid;
+
+/**
+ * Context of a JGSS subject, encapsulating Subject and GSSContext.
+ *
+ * Three "constructors", which acquire the (private) credentials and fill
+ * it into the Subject:
+ *
+ * 1. static fromJAAS(): Creates a Context using a JAAS login config entry
+ * 2. static fromUserPass(): Creates a Context using a username and a password
+ * 3. delegated(): A new context which uses the delegated credentials from a
+ * previously established acceptor Context
+ *
+ * Two context initiators, which create the GSSContext object inside:
+ *
+ * 1. startAsClient()
+ * 2. startAsServer()
+ *
+ * Privileged action:
+ * doAs(): Performs an action in the name of the Subject
+ *
+ * Handshake process:
+ * static handShake(initiator, acceptor)
+ *
+ * A four-phase typical data communication which includes all four GSS
+ * actions (wrap, unwrap, getMic and veryfyMiC):
+ * static transmit(message, from, to)
+ */
+public class Context {
+
+ private Subject s;
+ private GSSContext x;
+ private boolean f; // context established?
+ private String name;
+ private GSSCredential cred; // see static method delegated().
+
+ private Context() {}
+
+ /**
+ * Using the delegated credentials from a previous acceptor
+ * @param c
+ */
+ public Context delegated() throws Exception {
+ Context out = new Context();
+ out.s = s;
+ out.cred = x.getDelegCred();
+ out.name = name + " as " + out.cred.getName().toString();
+ return out;
+ }
+
+ /**
+ * Logins with a JAAS login config entry name
+ */
+ public static Context fromJAAS(final String name) throws Exception {
+ Context out = new Context();
+ out.name = name;
+ LoginContext lc = new LoginContext(name);
+ lc.login();
+ out.s = lc.getSubject();
+ return out;
+ }
+
+ /**
+ * Logins with a username and a password, using Krb5LoginModule directly
+ * @param storeKey true if key should be saved, used on acceptor side
+ */
+ public static Context fromUserPass(String user, char[] pass, boolean storeKey) throws Exception {
+ Context out = new Context();
+ out.name = user;
+ out.s = new Subject();
+ Krb5LoginModule krb5 = new Krb5LoginModule();
+ Map<String, String> map = new HashMap<String, String>();
+ map.put("tryFirstPass", "true");
+ if (storeKey) {
+ map.put("storeKey", "true");
+ }
+ Map<String, Object> shared = new HashMap<String, Object>();
+ shared.put("javax.security.auth.login.name", user);
+ shared.put("javax.security.auth.login.password", pass);
+
+ krb5.initialize(out.s, null, shared, map);
+ krb5.login();
+ krb5.commit();
+ return out;
+ }
+
+ /**
+ * Starts as a client
+ * @param target communication peer
+ * @param mech GSS mech
+ * @throws java.lang.Exception
+ */
+ public void startAsClient(final String target, final Oid mech) throws Exception {
+ doAs(new Action() {
+ @Override
+ public byte[] run(Context me, byte[] dummy) throws Exception {
+ GSSManager m = GSSManager.getInstance();
+ me.x = m.createContext(
+ target.indexOf('@') < 0 ?
+ m.createName(target, null) :
+ m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
+ mech,
+ cred,
+ GSSContext.DEFAULT_LIFETIME);
+ return null;
+ }
+ }, null);
+ f = false;
+ }
+
+ /**
+ * Starts as a server
+ * @param mech GSS mech
+ * @throws java.lang.Exception
+ */
+ public void startAsServer(final Oid mech) throws Exception {
+ doAs(new Action() {
+ @Override
+ public byte[] run(Context me, byte[] dummy) throws Exception {
+ GSSManager m = GSSManager.getInstance();
+ me.x = m.createContext(m.createCredential(
+ null,
+ GSSCredential.INDEFINITE_LIFETIME,
+ mech,
+ GSSCredential.ACCEPT_ONLY));
+ return null;
+ }
+ }, null);
+ f = false;
+ }
+
+ /**
+ * Accesses the internal GSSContext object. Currently it's used for --
+ *
+ * 1. calling requestXXX() before handshake
+ * 2. accessing source name
+ *
+ * Note: If the application needs to do any privileged call on this
+ * object, please use doAs(). Otherwise, it can be done directly. The
+ * methods listed above are all non-privileged calls.
+ *
+ * @return the GSSContext object
+ */
+ public GSSContext x() {
+ return x;
+ }
+
+ /**
+ * Disposes the GSSContext within
+ * @throws org.ietf.jgss.GSSException
+ */
+ public void dispose() throws GSSException {
+ x.dispose();
+ }
+
+ /**
+ * Does something using the Subject inside
+ * @param action the action
+ * @param in the input byte
+ * @return the output byte
+ * @throws java.lang.Exception
+ */
+ public byte[] doAs(final Action action, final byte[] in) throws Exception {
+ try {
+ return Subject.doAs(s, new PrivilegedExceptionAction<byte[]>() {
+
+ @Override
+ public byte[] run() throws Exception {
+ return action.run(Context.this, in);
+ }
+ });
+ } catch (PrivilegedActionException pae) {
+ throw pae.getException();
+ }
+ }
+
+ /**
+ * Prints status of GSSContext and Subject
+ * @throws java.lang.Exception
+ */
+ public void status() throws Exception {
+ System.out.println("STATUS OF " + name.toUpperCase());
+ try {
+ StringBuffer sb = new StringBuffer();
+ if (x.getAnonymityState()) {
+ sb.append("anon, ");
+ }
+ if (x.getConfState()) {
+ sb.append("conf, ");
+ }
+ if (x.getCredDelegState()) {
+ sb.append("deleg, ");
+ }
+ if (x.getIntegState()) {
+ sb.append("integ, ");
+ }
+ if (x.getMutualAuthState()) {
+ sb.append("mutual, ");
+ }
+ if (x.getReplayDetState()) {
+ sb.append("rep det, ");
+ }
+ if (x.getSequenceDetState()) {
+ sb.append("seq det, ");
+ }
+ System.out.println("Context status of " + name + ": " + sb.toString());
+ System.out.println(x.getSrcName() + " -> " + x.getTargName());
+ } catch (Exception e) {
+ ;// Don't care
+ }
+ System.out.println("=====================================");
+ for (Object o : s.getPrivateCredentials()) {
+ System.out.println(" " + o.getClass());
+ if (o instanceof KerberosTicket) {
+ KerberosTicket kt = (KerberosTicket) o;
+ System.out.println(" " + kt.getServer() + " for " + kt.getClient());
+ } else if (o instanceof KerberosKey) {
+ KerberosKey kk = (KerberosKey) o;
+ System.out.print(" " + kk.getKeyType() + " " + kk.getVersionNumber() + " " + kk.getAlgorithm() + " ");
+ for (byte b : kk.getEncoded()) {
+ System.out.printf("%02X", b & 0xff);
+ }
+ System.out.println();
+ } else if (o instanceof Map) {
+ Map map = (Map) o;
+ for (Object k : map.keySet()) {
+ System.out.println(" " + k + ": " + map.get(k));
+ }
+ }
+ }
+ }
+
+ /**
+ * Transmits a message from one Context to another. The sender wraps the
+ * message and sends it to the receiver. The receiver unwraps it, creates
+ * a MIC of the clear text and sends it back to the sender. The sender
+ * verifies the MIC against the message sent earlier.
+ * @param message the message
+ * @param s1 the sender
+ * @param s2 the receiver
+ * @throws java.lang.Exception If anything goes wrong
+ */
+ static public void transmit(final String message, final Context s1,
+ final Context s2) throws Exception {
+ final byte[] messageBytes = message.getBytes();
+ System.out.printf("-------------------- TRANSMIT from %s to %s------------------------\n",
+ s1.name, s2.name);
+
+ byte[] t = s1.doAs(new Action() {
+ @Override
+ public byte[] run(Context me, byte[] dummy) throws Exception {
+ System.out.println("wrap");
+ MessageProp p1 = new MessageProp(0, true);
+ byte[] out = me.x.wrap(messageBytes, 0, messageBytes.length, p1);
+ System.out.println(printProp(p1));
+ return out;
+ }
+ }, null);
+
+ t = s2.doAs(new Action() {
+ @Override
+ public byte[] run(Context me, byte[] input) throws Exception {
+ MessageProp p1 = new MessageProp(0, true);
+ byte[] bytes = me.x.unwrap(input, 0, input.length, p1);
+ if (!Arrays.equals(messageBytes, bytes))
+ throw new Exception("wrap/unwrap mismatch");
+ System.out.println("unwrap");
+ System.out.println(printProp(p1));
+ p1 = new MessageProp(0, true);
+ System.out.println("getMIC");
+ bytes = me.x.getMIC(bytes, 0, bytes.length, p1);
+ System.out.println(printProp(p1));
+ return bytes;
+ }
+ }, t);
+ // Re-unwrap should make p2.isDuplicateToken() returns true
+ s1.doAs(new Action() {
+ @Override
+ public byte[] run(Context me, byte[] input) throws Exception {
+ MessageProp p1 = new MessageProp(0, true);
+ System.out.println("verifyMIC");
+ me.x.verifyMIC(input, 0, input.length,
+ messageBytes, 0, messageBytes.length,
+ p1);
+ System.out.println(printProp(p1));
+ return null;
+ }
+ }, t);
+ }
+
+ /**
+ * Returns a string description of a MessageProp object
+ * @param prop the object
+ * @return the description
+ */
+ static public String printProp(MessageProp prop) {
+ StringBuffer sb = new StringBuffer();
+ sb.append("MessagePop: ");
+ sb.append("QOP="+ prop.getQOP() + ", ");
+ sb.append(prop.getPrivacy()?"privacy, ":"");
+ sb.append(prop.isDuplicateToken()?"dup, ":"");
+ sb.append(prop.isGapToken()?"gap, ":"");
+ sb.append(prop.isOldToken()?"old, ":"");
+ sb.append(prop.isUnseqToken()?"unseq, ":"");
+ sb.append(prop.getMinorString()+ "(" + prop.getMinorStatus()+")");
+ return sb.toString();
+ }
+
+ /**
+ * Handshake (security context establishment process) between two Contexts
+ * @param c the initiator
+ * @param s the acceptor
+ * @throws java.lang.Exception
+ */
+ static public void handshake(final Context c, final Context s) throws Exception {
+ byte[] t = new byte[0];
+ while (!c.f || !s.f) {
+ t = c.doAs(new Action() {
+ @Override
+ public byte[] run(Context me, byte[] input) throws Exception {
+ if (me.x.isEstablished()) {
+ me.f = true;
+ System.out.println(c.name + " side established");
+ return null;
+ } else {
+ System.out.println(c.name + " call initSecContext");
+ return me.x.initSecContext(input, 0, input.length);
+ }
+ }
+ }, t);
+
+ t = s.doAs(new Action() {
+ @Override
+ public byte[] run(Context me, byte[] input) throws Exception {
+ if (me.x.isEstablished()) {
+ me.f = true;
+ System.out.println(s.name + " side established");
+ return null;
+ } else {
+ System.out.println(s.name + " called acceptSecContext");
+ return me.x.acceptSecContext(input, 0, input.length);
+ }
+ }
+ }, t);
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/CrossRealm.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,101 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6706974
+ * @summary Add krb5 test infrastructure
+ */
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.security.Security;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import org.ietf.jgss.GSSContext;
+import org.ietf.jgss.GSSManager;
+import org.ietf.jgss.GSSName;
+import sun.security.jgss.GSSUtil;
+
+public class CrossRealm implements CallbackHandler {
+ public static void main(String[] args) throws Exception {
+ startKDCs();
+ xRealmAuth();
+ }
+
+ static void startKDCs() throws Exception {
+ // Create and start the KDC
+ KDC kdc1 = KDC.create("RABBIT.HOLE");
+ kdc1.addPrincipal("dummy", "bogus".toCharArray());
+ kdc1.addPrincipalRandKey("krbtgt/RABBIT.HOLE");
+ kdc1.addPrincipal("krbtgt/SNAKE.HOLE", "sharedsec".toCharArray());
+
+ KDC kdc2 = KDC.create("SNAKE.HOLE");
+ kdc2.addPrincipalRandKey("krbtgt/SNAKE.HOLE");
+ kdc2.addPrincipal("krbtgt/RABBIT.HOLE", "sharedsec".toCharArray());
+ kdc2.addPrincipalRandKey("host/www.snake.hole");
+
+ KDC.saveConfig("krb5-localkdc.conf", kdc1, kdc2,
+ "forwardable=true",
+ "[domain_realm]",
+ ".snake.hole=SNAKE.HOLE");
+ System.setProperty("java.security.krb5.conf", "krb5-localkdc.conf");
+ }
+
+ static void xRealmAuth() throws Exception {
+ Security.setProperty("auth.login.defaultCallbackHandler", "CrossRealm");
+ System.setProperty("java.security.auth.login.config", "jaas-localkdc.conf");
+ System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
+ FileOutputStream fos = new FileOutputStream("jaas-localkdc.conf");
+ fos.write(("com.sun.security.jgss.krb5.initiate {\n" +
+ " com.sun.security.auth.module.Krb5LoginModule\n" +
+ " required\n" +
+ " principal=dummy\n" +
+ " doNotPrompt=false\n" +
+ " useTicketCache=false\n" +
+ " ;\n" +
+ "};").getBytes());
+ fos.close();
+
+ GSSManager m = GSSManager.getInstance();
+ m.createContext(
+ m.createName("host@www.snake.hole", GSSName.NT_HOSTBASED_SERVICE),
+ GSSUtil.GSS_KRB5_MECH_OID,
+ null,
+ GSSContext.DEFAULT_LIFETIME).initSecContext(new byte[0], 0, 0);
+ }
+
+ @Override
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
+ for (Callback callback : callbacks) {
+ if (callback instanceof NameCallback) {
+ ((NameCallback) callback).setName("dummy");
+ }
+ if (callback instanceof PasswordCallback) {
+ ((PasswordCallback) callback).setPassword("bogus".toCharArray());
+ }
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/KDC.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,969 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Field;
+import java.lang.reflect.InvocationTargetException;
+import java.net.*;
+import java.io.*;
+import java.lang.reflect.Method;
+import java.security.SecureRandom;
+import java.util.*;
+import java.util.concurrent.*;
+import sun.security.krb5.*;
+import sun.security.krb5.internal.*;
+import sun.security.krb5.internal.crypto.KeyUsage;
+import sun.security.krb5.internal.ktab.KeyTab;
+import sun.security.util.DerInputStream;
+import sun.security.util.DerOutputStream;
+import sun.security.util.DerValue;
+
+/**
+ * A KDC server.
+ * <p>
+ * Features:
+ * <ol>
+ * <li> Supports TCP and UDP
+ * <li> Supports AS-REQ and TGS-REQ
+ * <li> Principal db and other settings hard coded in application
+ * <li> Options, say, request preauth or not
+ * </ol>
+ * Side effects:
+ * <ol>
+ * <li> The Sun-internal class <code>sun.security.krb5.Config</code> is a
+ * singleton and initialized according to Kerberos settings (krb5.conf and
+ * java.security.krb5.* system properties). This means once it's initialized
+ * it will not automatically notice any changes to these settings (or file
+ * changes of krb5.conf). The KDC class normally does not touch these
+ * settings (except for the <code>writeKtab()</code> method). However, to make
+ * sure nothing ever goes wrong, if you want to make any changes to these
+ * settings after calling a KDC method, call <code>Config.refresh()</code> to
+ * make sure your changes are reflected in the <code>Config</code> object.
+ * </ol>
+ * Issues and TODOs:
+ * <ol>
+ * <li> Generates krb5.conf to be used on another machine, currently the kdc is
+ * always localhost
+ * <li> More options to KDC, say, error output, say, response nonce !=
+ * request nonce
+ * </ol>
+ * Note: This program uses internal krb5 classes (including reflection to
+ * access private fields and methods).
+ * <p>
+ * Usages:
+ * <p>
+ * 1. Init and start the KDC:
+ * <pre>
+ * KDC kdc = KDC.create("REALM.NAME", port, isDaemon);
+ * KDC kdc = KDC.create("REALM.NAME");
+ * </pre>
+ * Here, <code>port</code> is the UDP and TCP port number the KDC server
+ * listens on. If zero, a random port is chosen, which you can use getPort()
+ * later to retrieve the value.
+ * <p>
+ * If <code>isDaemon</code> is true, the KDC worker threads will be daemons.
+ * <p>
+ * The shortcut <code>KDC.create("REALM.NAME")</code> has port=0 and
+ * isDaemon=false, and is commonly used in an embedded KDC.
+ * <p>
+ * 2. Adding users:
+ * <pre>
+ * kdc.addPrincipal(String principal_name, char[] password);
+ * kdc.addPrincipalRandKey(String principal_name);
+ * </pre>
+ * A service principal's name should look like "host/f.q.d.n". The second form
+ * generates a random key. To expose this key, call <code>writeKtab()</code> to
+ * save the keys into a keytab file.
+ * <p>
+ * Note that you need to add the principal name krbtgt/REALM.NAME yourself.
+ * <p>
+ * Note that you can safely add a principal at any time after the KDC is
+ * started and before a user requests info on this principal.
+ * <p>
+ * 3. Other public methods:
+ * <ul>
+ * <li> <code>getPort</code>: Returns the port number the KDC uses
+ * <li> <code>getRealm</code>: Returns the realm name
+ * <li> <code>writeKtab</code>: Writes all principals' keys into a keytab file
+ * <li> <code>saveConfig</code>: Saves a krb5.conf file to access this KDC
+ * <li> <code>setOption</code>: Sets various options
+ * </ul>
+ * Read the javadoc for details. Lazy developer can use <code>OneKDC</code>
+ * directly.
+ */
+public class KDC {
+
+ // Under the hood.
+
+ // The random generator to generate random keys (including session keys)
+ private static SecureRandom secureRandom = new SecureRandom();
+ // Principal db
+ private Map<String,char[]> passwords = new HashMap<String,char[]>();
+ // Realm name
+ private String realm;
+ // The request/response job queue
+ private BlockingQueue<Job> q = new ArrayBlockingQueue<Job>(100);
+ // Service port number
+ private int port;
+ // Options
+ private Map<Option,Object> options = new HashMap<Option,Object>();
+
+ /**
+ * Option names, to be expanded forever.
+ */
+ public static enum Option {
+ /**
+ * Whether pre-authentication is required. Default Boolean.TRUE
+ */
+ PREAUTH_REQUIRED,
+ };
+
+ /**
+ * A standalone KDC server.
+ * @param args
+ * @throws java.lang.Exception
+ */
+ public static void main(String[] args) throws Exception {
+ if (args.length > 0) {
+ if (args[0].equals("-help") || args[0].equals("--help")) {
+ System.out.println("Usage:");
+ System.out.println(" java " + KDC.class + " " +
+ "Start KDC on port 8888");
+ return;
+ }
+ }
+ String localhost = "localhost";
+ try {
+ localhost = InetAddress.getByName(localhost)
+ .getCanonicalHostName();
+ } catch (UnknownHostException uhe) {
+ ; // Ignore, localhost is still "localhost"
+ }
+ KDC kdc = create("RABBIT.HOLE", 8888, false);
+ kdc.addPrincipal("dummy", "bogus".toCharArray());
+ kdc.addPrincipal("foo", "bar".toCharArray());
+ kdc.addPrincipalRandKey("krbtgt/" + kdc.realm);
+ kdc.addPrincipalRandKey("server/" + localhost);
+ kdc.addPrincipalRandKey("backend/" + localhost);
+ }
+
+ /**
+ * Creates and starts a KDC running as a daemon on a random port.
+ * @param realm the realm name
+ * @return the running KDC instance
+ * @throws java.io.IOException for any socket creation error
+ */
+ public static KDC create(String realm) throws IOException {
+ return create(realm, 0, true);
+ }
+
+ /**
+ * Creates and starts a KDC server.
+ * @param realm the realm name
+ * @param port the TCP and UDP port to listen to. A random port will to
+ * chosen if zero.
+ * @param asDaemon if true, KDC threads will be daemons. Otherwise, not.
+ * @return the running KDC instance
+ * @throws java.io.IOException for any socket creation error
+ */
+ public static KDC create(String realm, int port, boolean asDaemon) throws IOException {
+ return new KDC(realm, port, asDaemon);
+ }
+
+ /**
+ * Sets an option
+ * @param key the option name
+ * @param obj the value
+ */
+ public void setOption(Option key, Object value) {
+ options.put(key, value);
+ }
+
+ /**
+ * Write all principals' keys into a keytab file. Note that the keys for
+ * the krbtgt principal for this realm will not be written.
+ * <p>
+ * Attention: This method references krb5.conf settings. If you need to
+ * setup krb5.conf later, please call <code>Config.refresh()</code> after
+ * the new setting. For example:
+ * <pre>
+ * kdc.writeKtab("/etc/kdc/ktab"); // Config is initialized,
+ * System.setProperty("java.security.krb5.conf", "/home/mykrb5.conf");
+ * Config.refresh();
+ * </pre>
+ *
+ * Inside this method there are 2 places krb5.conf is used:
+ * <ol>
+ * <li> (Fatal) Generating keys: EncryptionKey.acquireSecretKeys
+ * <li> (Has workaround) Creating PrincipalName
+ * </ol>
+ * @param tab The keytab filename to write to.
+ * @throws java.io.IOException for any file output error
+ * @throws sun.security.krb5.KrbException for any realm and/or principal
+ * name error.
+ */
+ public void writeKtab(String tab) throws IOException, KrbException {
+ KeyTab ktab = KeyTab.create(tab);
+ for (String name : passwords.keySet()) {
+ if (name.equals("krbtgt/" + realm)) {
+ continue;
+ }
+ ktab.addEntry(new PrincipalName(name + "@" + realm,
+ name.indexOf('/') < 0 ?
+ PrincipalName.KRB_NT_UNKNOWN :
+ PrincipalName.KRB_NT_SRV_HST), passwords.get(name));
+ }
+ ktab.save();
+ }
+
+ /**
+ * Adds a new principal to this realm with a given password.
+ * @param user the principal's name. For a service principal, use the
+ * form of host/f.q.d.n
+ * @param pass the password for the principal
+ */
+ public void addPrincipal(String user, char[] pass) {
+ passwords.put(user, pass);
+ }
+
+ /**
+ * Adds a new principal to this realm with a random password
+ * @param user the principal's name. For a service principal, use the
+ * form of host/f.q.d.n
+ */
+ public void addPrincipalRandKey(String user) {
+ passwords.put(user, randomPassword());
+ }
+
+ /**
+ * Returns the name of this realm
+ * @return the name of this realm
+ */
+ public String getRealm() {
+ return realm;
+ }
+
+ /**
+ * Writes a krb5.conf for one or more KDC that includes KDC locations for
+ * each realm and the default realm name. You can also add extra strings
+ * into the file. The method should be called like:
+ * <pre>
+ * KDC.saveConfig("krb5.conf", kdc1, kdc2, ..., line1, line2, ...);
+ * </pre>
+ * Here you can provide one or more kdc# and zero or more line# arguments.
+ * The line# will be put after [libdefaults] and before [realms]. Therefore
+ * you can append new lines into [libdefaults] and/or create your new
+ * stanzas as well. Note that a newline character will be appended to
+ * each line# argument.
+ * <p>
+ * For example:
+ * <pre>
+ * KDC.saveConfig("krb5.conf", this);
+ * </pre>
+ * generates:
+ * <pre>
+ * [libdefaults]
+ * default_realm = REALM.NAME
+ *
+ * [realms]
+ * REALM.NAME = {
+ * kdc = localhost:port_number
+ * }
+ * </pre>
+ *
+ * Another example:
+ * <pre>
+ * KDC.saveConfig("krb5.conf", kdc1, kdc2, "forwardable = true", "",
+ * "[domain_realm]",
+ * ".kdc1.com = KDC1.NAME");
+ * </pre>
+ * generates:
+ * <pre>
+ * [libdefaults]
+ * default_realm = KDC1.NAME
+ * forwardable = true
+ *
+ * [domain_realm]
+ * .kdc1.com = KDC1.NAME
+ *
+ * [realms]
+ * KDC1.NAME = {
+ * kdc = localhost:port1
+ * }
+ * KDC2.NAME = {
+ * kdc = localhost:port2
+ * }
+ * </pre>
+ * @param file the name of the file to write into
+ * @param kdc the first (and default) KDC
+ * @param more more KDCs or extra lines (in their appearing order) to
+ * insert into the krb5.conf file. This method reads each argument's type
+ * to determine what it's for. This argument can be empty.
+ * @throws java.io.IOException for any file output error
+ */
+ public static void saveConfig(String file, KDC kdc, Object... more)
+ throws IOException {
+ File f = new File(file);
+ StringBuffer sb = new StringBuffer();
+ sb.append("[libdefaults]\ndefault_realm = ");
+ sb.append(kdc.realm);
+ sb.append("\n");
+ for (Object o: more) {
+ if (o instanceof String) {
+ sb.append(o);
+ sb.append("\n");
+ }
+ }
+ sb.append("\n[realms]\n");
+ sb.append(realmLineForKDC(kdc));
+ for (Object o: more) {
+ if (o instanceof KDC) {
+ sb.append(realmLineForKDC((KDC)o));
+ }
+ }
+ FileOutputStream fos = new FileOutputStream(f);
+ fos.write(sb.toString().getBytes());
+ fos.close();
+ }
+
+ /**
+ * Returns the service port of the KDC server.
+ * @return the KDC service port
+ */
+ public int getPort() {
+ return port;
+ }
+
+ // Private helper methods
+
+ /**
+ * Private constructor, cannot be called outside.
+ * @param realm
+ */
+ private KDC(String realm) {
+ this.realm = realm;
+ }
+
+ /**
+ * A constructor that starts the KDC service also.
+ */
+ protected KDC(String realm, int port, boolean asDaemon)
+ throws IOException {
+ this(realm);
+ startServer(port, asDaemon);
+ }
+ /**
+ * Generates a 32-char random password
+ * @return the password
+ */
+ private static char[] randomPassword() {
+ char[] pass = new char[32];
+ for (int i=0; i<32; i++)
+ pass[i] = (char)secureRandom.nextInt();
+ return pass;
+ }
+
+ /**
+ * Generates a random key for the given encryption type.
+ * @param eType the encryption type
+ * @return the generated key
+ * @throws sun.security.krb5.KrbException for unknown/unsupported etype
+ */
+ private static EncryptionKey generateRandomKey(int eType)
+ throws KrbException {
+ // Is 32 enough for AES256? I should have generated the keys directly
+ // but different cryptos have different rules on what keys are valid.
+ char[] pass = randomPassword();
+ String algo;
+ switch (eType) {
+ case EncryptedData.ETYPE_DES_CBC_MD5: algo = "DES"; break;
+ case EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD: algo = "DESede"; break;
+ case EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96: algo = "AES128"; break;
+ case EncryptedData.ETYPE_ARCFOUR_HMAC: algo = "ArcFourHMAC"; break;
+ case EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96: algo = "AES256"; break;
+ default: algo = "DES"; break;
+ }
+ return new EncryptionKey(pass, "NOTHING", algo); // Silly
+ }
+
+ /**
+ * Returns the password for a given principal
+ * @param p principal
+ * @return the password
+ * @throws sun.security.krb5.KrbException when the principal is not inside
+ * the database.
+ */
+ private char[] getPassword(PrincipalName p) throws KrbException {
+ char[] pass = passwords.get(p.getNameString());
+ if (pass == null) {
+ throw new KrbException(Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN);
+ }
+ return pass;
+ }
+
+ /**
+ * Returns the salt string for the principal. For normal users, the
+ * concatenation for the realm name and the sections of the principal;
+ * for krgtgt/A@B and krbtgt/B@A, always return AB (so that inter-realm
+ * principals have the same key).
+ * @param p principal
+ * @return the salt
+ */
+ private String getSalt(PrincipalName p) {
+ String[] ns = p.getNameStrings();
+ if (ns[0].equals("krbtgt") && ns.length > 1) {
+ // Shared cross-realm keys must be the same
+ if (ns[1].compareTo(realm) < 0) {
+ return ns[1] + realm;
+ } else {
+ return realm + ns[1];
+ }
+ } else {
+ String s = getRealm();
+ for (String n: p.getNameStrings()) {
+ s += n;
+ }
+ return s;
+ }
+ }
+
+ /**
+ * Returns the key for a given principal of the given encryption type
+ * @param p the principal
+ * @param etype the encryption type
+ * @return the key
+ * @throws sun.security.krb5.KrbException for unknown/unsupported etype
+ */
+ private EncryptionKey keyForUser(PrincipalName p, int etype) throws KrbException {
+ try {
+ // Do not call EncryptionKey.acquireSecretKeys(), otherwise
+ // the krb5.conf config file would be loaded.
+ Method stringToKey = EncryptionKey.class.getDeclaredMethod("stringToKey", char[].class, String.class, byte[].class, Integer.TYPE);
+ stringToKey.setAccessible(true);
+ return new EncryptionKey((byte[]) stringToKey.invoke(null, getPassword(p), getSalt(p), null, etype), etype, null);
+ } catch (InvocationTargetException ex) {
+ KrbException ke = (KrbException)ex.getCause();
+ throw ke;
+ } catch (Exception e) {
+ throw new RuntimeException(e); // should not happen
+ }
+ }
+
+ /**
+ * Processes an incoming request and generates a response.
+ * @param in the request
+ * @return the response
+ * @throws java.lang.Exception for various errors
+ */
+ private byte[] processMessage(byte[] in) throws Exception {
+ if ((in[0] & 0x1f) == Krb5.KRB_AS_REQ)
+ return processAsReq(in);
+ else
+ return processTgsReq(in);
+ }
+
+ /**
+ * Processes a TGS_REQ and generates a TGS_REP (or KRB_ERROR)
+ * @param in the request
+ * @return the response
+ * @throws java.lang.Exception for various errors
+ */
+ private byte[] processTgsReq(byte[] in) throws Exception {
+ TGSReq tgsReq = new TGSReq(in);
+ try {
+ System.out.println(realm + "> " + tgsReq.reqBody.cname +
+ " sends TGS-REQ for " +
+ tgsReq.reqBody.sname);
+ KDCReqBody body = tgsReq.reqBody;
+ int etype = 0;
+
+ // Reflection: PAData[] pas = tgsReq.pAData;
+ Field f = KDCReq.class.getDeclaredField("pAData");
+ f.setAccessible(true);
+ PAData[] pas = (PAData[])f.get(tgsReq);
+
+ Ticket tkt = null;
+ EncTicketPart etp = null;
+ if (pas == null || pas.length == 0) {
+ throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
+ } else {
+ for (PAData pa: pas) {
+ if (pa.getType() == Krb5.PA_TGS_REQ) {
+ APReq apReq = new APReq(pa.getValue());
+ EncryptedData ed = apReq.authenticator;
+ tkt = apReq.ticket;
+ etype = tkt.encPart.getEType();
+ EncryptionKey kkey = null;
+ if (!tkt.realm.toString().equals(realm)) {
+ if (tkt.sname.getNameString().equals("krbtgt/" + realm)) {
+ kkey = keyForUser(new PrincipalName("krbtgt/" + tkt.realm.toString(), realm), etype);
+ }
+ } else {
+ kkey = keyForUser(tkt.sname, etype);
+ }
+ byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET);
+ DerInputStream derIn = new DerInputStream(bb);
+ DerValue der = derIn.getDerValue();
+ etp = new EncTicketPart(der.toByteArray());
+ }
+ }
+ if (tkt == null) {
+ throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP);
+ }
+ }
+ EncryptionKey skey = keyForUser(body.sname, etype);
+ if (skey == null) {
+ throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
+ }
+
+ // Session key for original ticket, TGT
+ EncryptionKey ckey = etp.key;
+
+ // Session key for session with the service
+ EncryptionKey key = generateRandomKey(etype);
+
+ // Check time, TODO
+ KerberosTime till = body.till;
+ if (till == null) {
+ throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
+ } else if (till.isZero()) {
+ till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
+ }
+
+ boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
+ if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
+ bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
+ }
+ if (body.kdcOptions.get(KDCOptions.FORWARDED) ||
+ etp.flags.get(Krb5.TKT_OPTS_FORWARDED)) {
+ bFlags[Krb5.TKT_OPTS_FORWARDED] = true;
+ }
+ if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
+ bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
+ //renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
+ }
+ if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
+ bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
+ }
+ if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
+ bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
+ }
+ if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
+ bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
+ }
+ bFlags[Krb5.TKT_OPTS_INITIAL] = true;
+
+ TicketFlags tFlags = new TicketFlags(bFlags);
+ EncTicketPart enc = new EncTicketPart(
+ tFlags,
+ key,
+ etp.crealm,
+ etp.cname,
+ new TransitedEncoding(1, new byte[0]), // TODO
+ new KerberosTime(new Date()),
+ body.from,
+ till, body.rtime,
+ body.addresses,
+ null);
+ Ticket t = new Ticket(
+ body.crealm,
+ body.sname,
+ new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
+ );
+ EncTGSRepPart enc_part = new EncTGSRepPart(
+ key,
+ new LastReq(new LastReqEntry[]{
+ new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000))
+ }),
+ body.getNonce(), // TODO: detect replay
+ new KerberosTime(new Date().getTime() + 1000 * 3600 * 24),
+ // Next 5 and last MUST be same with ticket
+ tFlags,
+ new KerberosTime(new Date()),
+ body.from,
+ till, body.rtime,
+ body.crealm,
+ body.sname,
+ body.addresses
+ );
+ EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_TGS_REP_PART_SESSKEY);
+ TGSRep tgsRep = new TGSRep(null,
+ etp.crealm,
+ etp.cname,
+ t,
+ edata);
+ System.out.println(" Return " + tgsRep.cname
+ + " ticket for " + tgsRep.ticket.sname);
+
+ DerOutputStream out = new DerOutputStream();
+ out.write(DerValue.createTag(DerValue.TAG_APPLICATION,
+ true, (byte)Krb5.KRB_TGS_REP), tgsRep.asn1Encode());
+ return out.toByteArray();
+ } catch (KrbException ke) {
+ ke.printStackTrace(System.out);
+ KRBError kerr = ke.getError();
+ KDCReqBody body = tgsReq.reqBody;
+ System.out.println(" Error " + ke.returnCode()
+ + " " +ke.returnCodeMessage());
+ if (kerr == null) {
+ kerr = new KRBError(null, null, null,
+ new KerberosTime(new Date()),
+ 0,
+ ke.returnCode(),
+ body.crealm, body.cname,
+ new Realm(getRealm()), body.sname,
+ KrbException.errorMessage(ke.returnCode()),
+ null);
+ }
+ return kerr.asn1Encode();
+ }
+ }
+
+ /**
+ * Processes a AS_REQ and generates a AS_REP (or KRB_ERROR)
+ * @param in the request
+ * @return the response
+ * @throws java.lang.Exception for various errors
+ */
+ private byte[] processAsReq(byte[] in) throws Exception {
+ ASReq asReq = new ASReq(in);
+ int[] eTypes = null;
+ try {
+ System.out.println(realm + "> " + asReq.reqBody.cname +
+ " sends AS-REQ for " +
+ asReq.reqBody.sname);
+
+ KDCReqBody body = asReq.reqBody;
+
+ // Reflection: int[] eType = body.eType;
+ Field f = KDCReqBody.class.getDeclaredField("eType");
+ f.setAccessible(true);
+ eTypes = (int[])f.get(body);
+ int eType = eTypes[0];
+
+ EncryptionKey ckey = keyForUser(body.cname, eType);
+ EncryptionKey skey = keyForUser(body.sname, eType);
+ if (ckey == null) {
+ throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP);
+ }
+ if (skey == null) {
+ throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
+ }
+
+ // Session key
+ EncryptionKey key = generateRandomKey(eType);
+ // Check time, TODO
+ KerberosTime till = body.till;
+ if (till == null) {
+ throw new KrbException(Krb5.KDC_ERR_NEVER_VALID); // TODO
+ } else if (till.isZero()) {
+ till = new KerberosTime(new Date().getTime() + 1000 * 3600 * 11);
+ }
+ //body.from
+ boolean[] bFlags = new boolean[Krb5.TKT_OPTS_MAX+1];
+ if (body.kdcOptions.get(KDCOptions.FORWARDABLE)) {
+ bFlags[Krb5.TKT_OPTS_FORWARDABLE] = true;
+ }
+ if (body.kdcOptions.get(KDCOptions.RENEWABLE)) {
+ bFlags[Krb5.TKT_OPTS_RENEWABLE] = true;
+ //renew = new KerberosTime(new Date().getTime() + 1000 * 3600 * 24 * 7);
+ }
+ if (body.kdcOptions.get(KDCOptions.PROXIABLE)) {
+ bFlags[Krb5.TKT_OPTS_PROXIABLE] = true;
+ }
+ if (body.kdcOptions.get(KDCOptions.POSTDATED)) {
+ bFlags[Krb5.TKT_OPTS_POSTDATED] = true;
+ }
+ if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) {
+ bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true;
+ }
+ bFlags[Krb5.TKT_OPTS_INITIAL] = true;
+
+ f = KDCReq.class.getDeclaredField("pAData");
+ f.setAccessible(true);
+ PAData[] pas = (PAData[])f.get(asReq);
+ if (pas == null || pas.length == 0) {
+ Object preauth = options.get(Option.PREAUTH_REQUIRED);
+ if (preauth == null || preauth.equals(Boolean.TRUE)) {
+ throw new KrbException(Krb5.KDC_ERR_PREAUTH_REQUIRED);
+ }
+ } else {
+ try {
+ Constructor<EncryptedData> ctor = EncryptedData.class.getDeclaredConstructor(DerValue.class);
+ ctor.setAccessible(true);
+ EncryptedData data = ctor.newInstance(new DerValue(pas[0].getValue()));
+ data.decrypt(ckey, KeyUsage.KU_PA_ENC_TS);
+ } catch (Exception e) {
+ throw new KrbException(Krb5.KDC_ERR_PREAUTH_FAILED);
+ }
+ bFlags[Krb5.TKT_OPTS_PRE_AUTHENT] = true;
+ }
+
+ TicketFlags tFlags = new TicketFlags(bFlags);
+ EncTicketPart enc = new EncTicketPart(
+ tFlags,
+ key,
+ body.crealm,
+ body.cname,
+ new TransitedEncoding(1, new byte[0]),
+ new KerberosTime(new Date()),
+ body.from,
+ till, body.rtime,
+ body.addresses,
+ null);
+ Ticket t = new Ticket(
+ body.crealm,
+ body.sname,
+ new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
+ );
+ EncASRepPart enc_part = new EncASRepPart(
+ key,
+ new LastReq(new LastReqEntry[]{
+ new LastReqEntry(0, new KerberosTime(new Date().getTime() - 10000))
+ }),
+ body.getNonce(), // TODO: detect replay?
+ new KerberosTime(new Date().getTime() + 1000 * 3600 * 24),
+ // Next 5 and last MUST be same with ticket
+ tFlags,
+ new KerberosTime(new Date()),
+ body.from,
+ till, body.rtime,
+ body.crealm,
+ body.sname,
+ body.addresses
+ );
+ EncryptedData edata = new EncryptedData(ckey, enc_part.asn1Encode(), KeyUsage.KU_ENC_AS_REP_PART);
+ ASRep asRep = new ASRep(null,
+ body.crealm,
+ body.cname,
+ t,
+ edata);
+
+ System.out.println(" Return " + asRep.cname
+ + " ticket for " + asRep.ticket.sname);
+
+ DerOutputStream out = new DerOutputStream();
+ out.write(DerValue.createTag(DerValue.TAG_APPLICATION,
+ true, (byte)Krb5.KRB_AS_REP), asRep.asn1Encode());
+ return out.toByteArray();
+ } catch (KrbException ke) {
+ ke.printStackTrace(System.out);
+ KRBError kerr = ke.getError();
+ KDCReqBody body = asReq.reqBody;
+ System.out.println(" Error " + ke.returnCode()
+ + " " +ke.returnCodeMessage());
+ byte[] eData = null;
+ if (kerr == null) {
+ if (ke.returnCode() == Krb5.KDC_ERR_PREAUTH_REQUIRED ||
+ ke.returnCode() == Krb5.KDC_ERR_PREAUTH_FAILED) {
+ PAData pa;
+
+ ETypeInfo2 ei2 = new ETypeInfo2(eTypes[0], null, null);
+ DerOutputStream eid = new DerOutputStream();
+ eid.write(DerValue.tag_Sequence, ei2.asn1Encode());
+
+ pa = new PAData(Krb5.PA_ETYPE_INFO2, eid.toByteArray());
+
+ DerOutputStream bytes = new DerOutputStream();
+ bytes.write(new PAData(Krb5.PA_ENC_TIMESTAMP, new byte[0]).asn1Encode());
+ bytes.write(pa.asn1Encode());
+
+ boolean allOld = true;
+ for (int i: eTypes) {
+ if (i == EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96 ||
+ i == EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96) {
+ allOld = false;
+ break;
+ }
+ }
+ if (allOld) {
+ ETypeInfo ei = new ETypeInfo(eTypes[0], null);
+ eid = new DerOutputStream();
+ eid.write(DerValue.tag_Sequence, ei.asn1Encode());
+ pa = new PAData(Krb5.PA_ETYPE_INFO, eid.toByteArray());
+ bytes.write(pa.asn1Encode());
+ }
+ DerOutputStream temp = new DerOutputStream();
+ temp.write(DerValue.tag_Sequence, bytes);
+ eData = temp.toByteArray();
+ }
+ kerr = new KRBError(null, null, null,
+ new KerberosTime(new Date()),
+ 0,
+ ke.returnCode(),
+ body.crealm, body.cname,
+ new Realm(getRealm()), body.sname,
+ KrbException.errorMessage(ke.returnCode()),
+ eData);
+ }
+ return kerr.asn1Encode();
+ }
+ }
+
+ /**
+ * Generates a line for a KDC to put inside [realms] of krb5.conf
+ * @param kdc the KDC
+ * @return REALM.NAME = { kdc = localhost:port }
+ */
+ private static String realmLineForKDC(KDC kdc) {
+ return String.format(" %s = {\n kdc = localhost:%d\n }\n", kdc.realm, kdc.port);
+ }
+
+ /**
+ * Start the KDC service. This server listens on both UDP and TCP using
+ * the same port number. It uses three threads to deal with requests.
+ * They can be set to daemon threads if requested.
+ * @param port the port number to listen to. If zero, a random available
+ * port no less than 8000 will be chosen and used.
+ * @param asDaemon true if the KDC threads should be daemons
+ * @throws java.io.IOException for any communication error
+ */
+ protected void startServer(int port, boolean asDaemon) throws IOException {
+ DatagramSocket u1 = null;
+ ServerSocket t1 = null;
+ if (port > 0) {
+ u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1"));
+ t1 = new ServerSocket(port);
+ } else {
+ while (true) {
+ // Try to find a port number that's both TCP and UDP free
+ try {
+ port = 8000 + new java.util.Random().nextInt(10000);
+ u1 = null;
+ u1 = new DatagramSocket(port, InetAddress.getByName("127.0.0.1"));
+ t1 = new ServerSocket(port);
+ break;
+ } catch (Exception e) {
+ if (u1 != null) u1.close();
+ }
+ }
+ }
+ final DatagramSocket udp = u1;
+ final ServerSocket tcp = t1;
+ System.out.println("Start KDC on " + port);
+
+ this.port = port;
+
+ // The UDP consumer
+ Thread thread = new Thread() {
+ public void run() {
+ while (true) {
+ try {
+ byte[] inbuf = new byte[8192];
+ DatagramPacket p = new DatagramPacket(inbuf, inbuf.length);
+ udp.receive(p);
+ System.out.println("-----------------------------------------------");
+ System.out.println(">>>>> UDP packet received");
+ q.put(new Job(processMessage(Arrays.copyOf(inbuf, p.getLength())), udp, p));
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ }
+ };
+ thread.setDaemon(asDaemon);
+ thread.start();
+
+ // The TCP consumer
+ thread = new Thread() {
+ public void run() {
+ while (true) {
+ try {
+ Socket socket = tcp.accept();
+ System.out.println("-----------------------------------------------");
+ System.out.println(">>>>> TCP connection established");
+ DataInputStream in = new DataInputStream(socket.getInputStream());
+ DataOutputStream out = new DataOutputStream(socket.getOutputStream());
+ byte[] token = new byte[in.readInt()];
+ in.readFully(token);
+ q.put(new Job(processMessage(token), socket, out));
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ }
+ };
+ thread.setDaemon(asDaemon);
+ thread.start();
+
+ // The dispatcher
+ thread = new Thread() {
+ public void run() {
+ while (true) {
+ try {
+ q.take().send();
+ } catch (Exception e) {
+ }
+ }
+ }
+ };
+ thread.setDaemon(true);
+ thread.start();
+ }
+
+ /**
+ * Helper class to encapsulate a job in a KDC.
+ */
+ private static class Job {
+ byte[] token; // The received request at creation time and
+ // the response at send time
+ Socket s; // The TCP socket from where the request comes
+ DataOutputStream out; // The OutputStream of the TCP socket
+ DatagramSocket s2; // The UDP socket from where the request comes
+ DatagramPacket dp; // The incoming UDP datagram packet
+ boolean useTCP; // Whether TCP or UDP is used
+
+ // Creates a job object for TCP
+ Job(byte[] token, Socket s, DataOutputStream out) {
+ useTCP = true;
+ this.token = token;
+ this.s = s;
+ this.out = out;
+ }
+
+ // Creates a job object for UDP
+ Job(byte[] token, DatagramSocket s2, DatagramPacket dp) {
+ useTCP = false;
+ this.token = token;
+ this.s2 = s2;
+ this.dp = dp;
+ }
+
+ // Sends the output back to the client
+ void send() {
+ try {
+ if (useTCP) {
+ System.out.println(">>>>> TCP request honored");
+ out.writeInt(token.length);
+ out.write(token);
+ s.close();
+ } else {
+ System.out.println(">>>>> UDP request honored");
+ s2.send(new DatagramPacket(token, token.length, dp.getAddress(), dp.getPort()));
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/KerberosHashEqualsTest.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,173 @@
+/*
+ * Copyright 2005-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 4641821
+ * @summary hashCode() and equals() for KerberosKey and KerberosTicket
+ */
+
+import java.net.InetAddress;
+import java.util.Date;
+import javax.security.auth.kerberos.KerberosKey;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.kerberos.KerberosTicket;
+
+public class KerberosHashEqualsTest {
+ public static void main(String[] args) throws Exception {
+ new OneKDC(null);
+ new KerberosHashEqualsTest().check();
+ }
+
+ void checkSame(Object o1, Object o2) {
+ if(!o1.equals(o2)) {
+ throw new RuntimeException("equals() fails");
+ }
+ if(o1.hashCode() != o2.hashCode()) {
+ throw new RuntimeException("hashCode() not same");
+ }
+ }
+
+ void checkNotSame(Object o1, Object o2) {
+ if(o1.equals(o2)) {
+ throw new RuntimeException("equals() succeeds");
+ }
+ }
+
+ void check() throws Exception {
+
+ // The key part:
+ // new KerberosKey(principal, bytes, keyType, version)
+
+ KerberosKey k1, k2;
+ KerberosPrincipal CLIENT = new KerberosPrincipal("client");
+ KerberosPrincipal SERVER = new KerberosPrincipal("server");
+ byte[] PASS = "pass".getBytes();
+
+ k1 = new KerberosKey(CLIENT, PASS, 1, 1);
+ k2 = new KerberosKey(CLIENT, PASS, 1, 1);
+ checkSame(k1, k1); // me is me
+ checkSame(k1, k2); // same
+
+ // A destroyed key doesn't equal to any key
+ k2.destroy();
+ checkNotSame(k1, k2);
+ checkNotSame(k2, k1);
+ k1.destroy();
+ checkNotSame(k1, k2); // even if they are both destroyed
+ checkNotSame(k2, k1);
+ checkSame(k2, k2);
+
+ // a little difference means not equal
+ k1 = new KerberosKey(CLIENT, PASS, 1, 1);
+ k2 = new KerberosKey(SERVER, PASS, 1, 1);
+ checkNotSame(k1, k2); // Different principal name
+
+ k2 = new KerberosKey(CLIENT, "ssap".getBytes(), 1, 1);
+ checkNotSame(k1, k2); // Different password
+
+ k2 = new KerberosKey(CLIENT, PASS, 2, 1);
+ checkNotSame(k1, k2); // Different keytype
+
+ k2 = new KerberosKey(CLIENT, PASS, 1, 2);
+ checkNotSame(k1, k2); // Different version
+
+ k2 = new KerberosKey(null, PASS, 1, 2);
+ checkNotSame(k1, k2); // null is not non-null
+
+ k1 = new KerberosKey(null, PASS, 1, 2);
+ checkSame(k1, k2); // null is null
+
+ checkNotSame(k1, "Another Object");
+
+ // The ticket part:
+ // new KerberosTicket(asn1 bytes, client, server, session key, type, flags,
+ // auth, start, end, renewUntil times, address)
+
+ KerberosTicket t1, t2;
+
+ byte[] ASN1 = "asn1".getBytes();
+ boolean[] FORWARDABLE = new boolean[] {true, true};
+ boolean[] ALLTRUE = new boolean[] {true, true, true, true, true, true, true, true, true, true};
+ Date D0 = new Date(0);
+
+ t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
+ checkSame(t1, t1);
+ checkSame(t1, t2);
+
+ // destroyed tickets doesn't equal to each other
+ t1.destroy();
+ checkNotSame(t1, t2);
+ checkNotSame(t2, t1);
+
+ t2.destroy();
+ checkNotSame(t1, t2); // even if they are both destroyed
+ checkNotSame(t2, t1);
+
+ checkSame(t2, t2); // unless they are the same object
+
+ // a little difference means not equal
+ t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
+ t2 = new KerberosTicket("asn11".getBytes(), CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
+ checkNotSame(t1, t2); // Different ASN1 encoding
+
+ t2 = new KerberosTicket(ASN1, new KerberosPrincipal("client1"), SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
+ checkNotSame(t1, t2); // Different client
+
+ t2 = new KerberosTicket(ASN1, CLIENT, new KerberosPrincipal("server1"), PASS, 1, FORWARDABLE, D0, D0, D0, D0, null);
+ checkNotSame(t1, t2); // Different server
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, "pass1".getBytes(), 1, FORWARDABLE, D0, D0, D0, D0, null);
+ checkNotSame(t1, t2); // Different session key
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 2, FORWARDABLE, D0, D0, D0, D0, null);
+ checkNotSame(t1, t2); // Different key type
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, new boolean[] {true, false}, D0, D0, D0, D0, null);
+ checkNotSame(t1, t2); // Different flags, not FORWARDABLE
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, new Date(1), D0, D0, D0, null);
+ checkNotSame(t1, t2); // Different authtime
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, new Date(1), D0, D0, null);
+ checkNotSame(t1, t2); // Different starttime
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, new Date(1), D0, null);
+ checkNotSame(t1, t2); // Different endtime
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, D0, new InetAddress[2]);
+ checkNotSame(t1, t2); // Different client addresses
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, new Date(1), null);
+ t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, FORWARDABLE, D0, D0, D0, new Date(2), null);
+ checkSame(t1, t2); // renewtill is ignored when RENEWABLE ticket flag is not set.
+
+ t2 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, ALLTRUE, D0, D0, D0, new Date(1), null);
+ t1 = new KerberosTicket(ASN1, CLIENT, SERVER, PASS, 1, ALLTRUE, D0, D0, D0, new Date(2), null);
+ checkNotSame(t1, t2); // renewtill is used when RENEWABLE is set.
+
+ checkNotSame(t1, "Another Object");
+ System.out.println("Good!");
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/OneKDC.java Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,155 @@
+/*
+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.UnknownHostException;
+import java.security.Security;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import sun.security.krb5.Config;
+
+/**
+ * This class starts a simple KDC with one realm, several typical principal
+ * names, generates delete-on-exit krb5.conf and keytab files, and setup
+ * system properties for them. There's also a helper method to generate a
+ * JAAS login config file that can be used for JAAS or JGSS apps.
+ * <p>
+ * Just call this line to start everything:
+ * <pre>
+ * new OneKDC(null).writeJaasConf();
+ * </pre>
+ */
+public class OneKDC extends KDC {
+
+ // The krb5 codes would try to canonicalize hostnames before creating
+ // a service principal name, so let's find out the canonicalized form
+ // of localhost first. The following codes mimic the process inside
+ // PrincipalName.java.
+ static String localhost = "localhost";
+ static {
+ try {
+ localhost = InetAddress.getByName(localhost)
+ .getCanonicalHostName();
+ } catch (UnknownHostException uhe) {
+ ; // Ignore, localhost is still "localhost"
+ }
+ }
+ public static final String USER = "dummy";
+ public static final char[] PASS = "bogus".toCharArray();
+ public static String SERVER = "server/" + localhost;
+ public static String BACKEND = "backend/" + localhost;
+ public static final String KRB5_CONF = "localkdc-krb5.conf";
+ public static final String KTAB = "localkdc.ktab";
+ public static final String JAAS_CONF = "localkdc-jaas.conf";
+ public static final String REALM = "RABBIT.HOLE";
+
+ /**
+ * Creates the KDC and starts it.
+ * @param etype Encryption type, null if not specified
+ * @throws java.lang.Exception if there's anything wrong
+ */
+ public OneKDC(String etype) throws Exception {
+ super(REALM, 0, true);
+ addPrincipal(USER, PASS);
+ addPrincipalRandKey("krbtgt/" + REALM);
+ addPrincipalRandKey(SERVER);
+ addPrincipalRandKey(BACKEND);
+ KDC.saveConfig(KRB5_CONF, this,
+ "forwardable = true",
+ "default_keytab_name = " + KTAB,
+ etype == null ? "" : "default_tkt_enctypes=" + etype + "\ndefault_tgs_enctypes=" + etype);
+ System.setProperty("java.security.krb5.conf", KRB5_CONF);
+ // Whatever krb5.conf had been loaded before, we reload ours now.
+ Config.refresh();
+
+ writeKtab(KTAB);
+ new File(KRB5_CONF).deleteOnExit();
+ new File(KTAB).deleteOnExit();
+ }
+
+ /**
+ * Writes a JAAS login config file, which contains as many as useful
+ * entries, including JGSS style initiator/acceptor and normal JAAS
+ * entries with names using existing OneKDC principals.
+ * @throws java.lang.Exception if anything goes wrong
+ */
+ public void writeJAASConf() throws IOException {
+ System.setProperty("java.security.auth.login.config", JAAS_CONF);
+ File f = new File(JAAS_CONF);
+ FileOutputStream fos = new FileOutputStream(f);
+ fos.write((
+ "com.sun.security.jgss.krb5.initiate {\n" +
+ " com.sun.security.auth.module.Krb5LoginModule required;\n};\n" +
+ "com.sun.security.jgss.krb5.accept {\n" +
+ " com.sun.security.auth.module.Krb5LoginModule required\n" +
+ " principal=\"" + SERVER + "\"\n" +
+ " useKeyTab=true\n" +
+ " isInitiator=false\n" +
+ " storeKey=true;\n};\n" +
+ "client {\n" +
+ " com.sun.security.auth.module.Krb5LoginModule required;\n};\n" +
+ "server {\n" +
+ " com.sun.security.auth.module.Krb5LoginModule required\n" +
+ " principal=\"" + SERVER + "\"\n" +
+ " useKeyTab=true\n" +
+ " storeKey=true;\n};\n" +
+ "backend {\n" +
+ " com.sun.security.auth.module.Krb5LoginModule required\n" +
+ " principal=\"" + BACKEND + "\"\n" +
+ " useKeyTab=true\n" +
+ " storeKey=true\n" +
+ " isInitiator=false;\n};\n"
+ ).getBytes());
+ fos.close();
+ f.deleteOnExit();
+ Security.setProperty("auth.login.defaultCallbackHandler", "OneKDC$CallbackForClient");
+ }
+
+ /**
+ * The default callback handler for JAAS login. Note that this handler is
+ * hard coded to provide only info for USER1. If you need to provide info
+ * for another principal, please use Context.fromUserPass() instead.
+ */
+ public static class CallbackForClient implements CallbackHandler {
+ public void handle(Callback[] callbacks) {
+ String user = OneKDC.USER;
+ char[] pass = OneKDC.PASS;
+ for (Callback callback : callbacks) {
+ if (callback instanceof NameCallback) {
+ System.out.println("Callback for name: " + user);
+ ((NameCallback) callback).setName(user);
+ }
+ if (callback instanceof PasswordCallback) {
+ System.out.println("Callback for pass: "
+ + new String(pass));
+ ((PasswordCallback) callback).setPassword(pass);
+ }
+ }
+ }
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/krb5/auto/basic.sh Thu Oct 23 21:55:13 2008 -0700
@@ -0,0 +1,65 @@
+#
+# Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6706974
+# @summary Add krb5 test infrastructure
+# @run shell/timeout=300 basic.sh
+#
+
+if [ "${TESTSRC}" = "" ] ; then
+ TESTSRC="."
+fi
+if [ "${TESTJAVA}" = "" ] ; then
+ echo "TESTJAVA not set. Test cannot execute."
+ echo "FAILED!!!"
+ exit 1
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+${TESTJAVA}${FS}bin${FS}javac -d . \
+ ${TESTSRC}${FS}BasicKrb5Test.java \
+ ${TESTSRC}${FS}KDC.java \
+ ${TESTSRC}${FS}OneKDC.java \
+ ${TESTSRC}${FS}Action.java \
+ ${TESTSRC}${FS}Context.java \
+ || exit 10
+${TESTJAVA}${FS}bin${FS}java -Dtest.src=$TESTSRC BasicKrb5Test || exit 100
+${TESTJAVA}${FS}bin${FS}java -Dtest.src=$TESTSRC BasicKrb5Test des-cbc-crc || exit 1
+${TESTJAVA}${FS}bin${FS}java -Dtest.src=$TESTSRC BasicKrb5Test des-cbc-md5 || exit 3
+${TESTJAVA}${FS}bin${FS}java -Dtest.src=$TESTSRC BasicKrb5Test des3-cbc-sha1 || exit 16
+${TESTJAVA}${FS}bin${FS}java -Dtest.src=$TESTSRC BasicKrb5Test aes128-cts || exit 17
+${TESTJAVA}${FS}bin${FS}java -Dtest.src=$TESTSRC BasicKrb5Test aes256-cts || exit 18
+${TESTJAVA}${FS}bin${FS}java -Dtest.src=$TESTSRC BasicKrb5Test rc4-hmac || exit 23
+
+exit 0