8077155: LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection

Reviewed-by: michaelm

8077155: LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection
Reviewed-by: michaelm
12c1b68e · robm · fa3ea526 · 12c1b68e · 12c1b68e
2 changed file
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@@ -982,7 +982,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
        SocketPermission p = URLtoSocketPermission(this.url);
        if (p != null) {
            try {
-                AccessController.doPrivileged(
+                AccessController.doPrivilegedWithCombiner(
                    new PrivilegedExceptionAction<Void>() {
                        public Void run() throws IOException {
                            plainConnect0();
@@ -1243,7 +1243,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {

        if (p != null) {
            try {
-                return AccessController.doPrivileged(
+                return AccessController.doPrivilegedWithCombiner(
                    new PrivilegedExceptionAction<OutputStream>() {
                        public OutputStream run() throws IOException {
                            return getOutputStream0();
@@ -1426,7 +1426,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {

        if (p != null) {
            try {
-                return AccessController.doPrivileged(
+                return AccessController.doPrivilegedWithCombiner(
                    new PrivilegedExceptionAction<InputStream>() {
                        public InputStream run() throws IOException {
                            return getInputStream0();
@@ -2568,7 +2568,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {

        if (p != null) {
            try {
-                return AccessController.doPrivileged(
+                return AccessController.doPrivilegedWithCombiner(
                    new PrivilegedExceptionAction<Boolean>() {
                        public Boolean run() throws IOException {
                            return followRedirect0(loc, stat, locUrl0);

--- a/test/sun/security/krb5/auto/HttpNegotiateServer.java
+++ b/test/sun/security/krb5/auto/HttpNegotiateServer.java
@@ -40,16 +40,28 @@ import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
 import java.net.InetSocketAddress;
 import java.net.PasswordAuthentication;
 import java.net.Proxy;
 import java.net.URL;
-import java.security.PrivilegedExceptionAction;
+import java.net.URLConnection;
+import java.security.*;
 import java.util.HashMap;
 import java.util.Map;
 import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
 import org.ietf.jgss.GSSContext;
 import org.ietf.jgss.GSSCredential;
 import org.ietf.jgss.GSSManager;
@@ -191,7 +203,7 @@ public class HttpNegotiateServer {
        proxyUrl = new URL("http://nosuchplace/a/b/c");

        try {
-            Exception e1 = null, e2 = null;
+            Exception e1 = null, e2 = null, e3 = null;
            try {
                test6578647();
            } catch (Exception e) {
@@ -204,7 +216,14 @@ public class HttpNegotiateServer {
                e2 = e;
                e.printStackTrace();
            }
-            if (e1 != null || e2 != null) {
+            try {
+                test8077155();
+            } catch (Exception e) {
+                e3 = e;
+                e.printStackTrace();
+            }
+
+            if (e1 != null || e2 != null || e3 != null) {
                throw new RuntimeException("Test error");
            }
        } finally {
@@ -248,6 +267,121 @@ public class HttpNegotiateServer {
        }
    }

+    static void testConnect() {
+        InputStream inputStream = null;
+        try {
+            URL url = webUrl;
+
+            URLConnection conn = url.openConnection();
+            conn.connect();
+            inputStream = conn.getInputStream();
+            byte[] b = new byte[inputStream.available()];
+            for (int j = 0; j < b.length; j++) {
+                b[j] = (byte) inputStream.read();
+            }
+            String s = new String(b);
+            System.out.println("Length: " + s.length());
+            System.out.println(s);
+        } catch (Exception ex) {
+              throw new RuntimeException(ex);
+        } finally {
+            if (inputStream != null) {
+                try {
+                    inputStream.close();
+                } catch (IOException e) {
+                    e.printStackTrace();
+                }
+            }
+        }
+    }
+
+    static void test8077155() throws Exception {
+        final String username = WEB_USER;
+        final char[] password = WEB_PASS;
+
+        SecurityManager security = new SecurityManager();
+        Policy.setPolicy(new SecurityPolicy());
+        System.setSecurityManager(security);
+
+        CallbackHandler callback = new CallbackHandler() {
+            @Override
+            public void handle(Callback[] pCallbacks) throws IOException, UnsupportedCallbackException {
+                for (Callback cb : pCallbacks) {
+                    if (cb instanceof NameCallback) {
+                        NameCallback ncb = (NameCallback)cb;
+                        ncb.setName(username);
+
+                    } else  if (cb instanceof PasswordCallback) {
+                        PasswordCallback pwdcb = (PasswordCallback) cb;
+                        pwdcb.setPassword(password);
+                    }
+                }
+            }
+
+        };
+
+        final String jaasConfigName = "oracle.test.kerberos.login";
+        final String krb5LoginModule = "com.sun.security.auth.module.Krb5LoginModule";
+
+        Configuration loginConfig = new Configuration() {
+            @Override
+            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
+                if (! jaasConfigName.equals(name)) {
+                    return new AppConfigurationEntry[0];
+                }
+
+                Map<String, String> options = new HashMap<String, String>();
+                options.put("useTicketCache", Boolean.FALSE.toString());
+                options.put("useKeyTab", Boolean.FALSE.toString());
+
+                return new AppConfigurationEntry[] {
+                        new AppConfigurationEntry(krb5LoginModule,
+                                LoginModuleControlFlag.REQUIRED,
+                                options)
+                        };
+            }
+        };
+
+        // oracle context/subject/login
+        LoginContext context = null;
+        try {
+            context = new LoginContext("oracle.test.kerberos.login", null, callback, loginConfig);
+            context.login();
+
+        } catch (LoginException ex) {
+            ex.printStackTrace();
+            throw new RuntimeException(ex);
+        }
+
+
+        Subject subject = context.getSubject();
+
+        final PrivilegedExceptionAction<Object> test_action = new PrivilegedExceptionAction<Object>() {
+            public Object run() throws Exception {
+                testConnect();
+                return null;
+            }
+        };
+
+        System.err.println("\n\nExpecting to succeed when executing with the the logged in subject.");
+
+        try {
+            Subject.doAs(subject, test_action);
+            System.err.println("\n\nConnection succeed when executing with the the logged in subject.");
+        } catch (PrivilegedActionException e) {
+            System.err.println("\n\nFailure unexpected when executing with the the logged in subject.");
+            e.printStackTrace();
+            throw new RuntimeException("Failed to login as subject");
+        }
+
+        try {
+            System.err.println("\n\nExpecting to fail when running with the current user's login.");
+            testConnect();
+        } catch (Exception ex) {
+            System.err.println("\nConnect failed when running with the current user's login:\n" + ex.getMessage());
+        }
+    }
+
    /**
     * Creates and starts an HTTP or proxy server that requires
     * Negotiate authentication.
@@ -360,3 +494,22 @@ public class HttpNegotiateServer {
        }
    }
 }
+
+class SecurityPolicy extends Policy {
+
+    private static Permissions perms;
+
+    public SecurityPolicy() {
+        super();
+        if (perms == null) {
+            perms = new Permissions();
+            perms.add(new AllPermission());
+        }
+    }
+
+    @Override
+    public PermissionCollection getPermissions(CodeSource codesource) {
+        return perms;
+    }
+
+}