Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
633bf559
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
633bf559
编写于
1月 12, 2020
作者:
A
andrew
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8058290: JAAS Krb5LoginModule has suspect ticket-renewal logic, relies on clockskew grace
Reviewed-by: mbalao
上级
cdf11def
变更
3
显示空白变更内容
内联
并排
Showing
3 changed file
with
134 addition
and
18 deletion
+134
-18
src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
...classes/com/sun/security/auth/module/Krb5LoginModule.java
+33
-16
test/sun/security/krb5/auto/KDC.java
test/sun/security/krb5/auto/KDC.java
+2
-2
test/sun/security/krb5/auto/Renew.java
test/sun/security/krb5/auto/Renew.java
+99
-0
未找到文件。
src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
浏览文件 @
633bf559
...
@@ -123,8 +123,9 @@ import sun.misc.HexDumpEncoder;
...
@@ -123,8 +123,9 @@ import sun.misc.HexDumpEncoder;
* must also be set to true; Otherwise a configuration error will
* must also be set to true; Otherwise a configuration error will
* be returned.</dd>
* be returned.</dd>
* <dt><b><code>renewTGT</code></b>:</dt>
* <dt><b><code>renewTGT</code></b>:</dt>
* <dd>Set this to true, if you want to renew
* <dd>Set this to true, if you want to renew the TGT when it's more than
* the TGT. If this is set, <code>useTicketCache</code> must also be
* half-way expired (the time until expiration is less than the time
* since start time). If this is set, {@code useTicketCache} must also be
* set to true; otherwise a configuration error will be returned.</dd>
* set to true; otherwise a configuration error will be returned.</dd>
* <dt><b><code>doNotPrompt</code></b>:</dt>
* <dt><b><code>doNotPrompt</code></b>:</dt>
* <dd>Set this to true if you do not want to be
* <dd>Set this to true if you do not want to be
...
@@ -665,15 +666,15 @@ public class Krb5LoginModule implements LoginModule {
...
@@ -665,15 +666,15 @@ public class Krb5LoginModule implements LoginModule {
(
principal
,
ticketCacheName
);
(
principal
,
ticketCacheName
);
if
(
cred
!=
null
)
{
if
(
cred
!=
null
)
{
// check to renew credentials
if
(
renewTGT
&&
isOld
(
cred
))
{
if
(!
isCurrent
(
cred
))
{
// renew if ticket is old.
if
(
renewTGT
)
{
Credentials
newCred
=
renewCredentials
(
cred
);
Credentials
newCred
=
renewCredentials
(
cred
);
if
(
newCred
!=
null
)
{
if
(
newCred
!=
null
)
{
newCred
.
setProxy
(
cred
.
getProxy
());
newCred
.
setProxy
(
cred
.
getProxy
());
}
cred
=
newCred
;
cred
=
newCred
;
}
else
{
}
}
if
(!
isCurrent
(
cred
))
{
// credentials have expired
// credentials have expired
cred
=
null
;
cred
=
null
;
if
(
debug
)
if
(
debug
)
...
@@ -681,7 +682,6 @@ public class Krb5LoginModule implements LoginModule {
...
@@ -681,7 +682,6 @@ public class Krb5LoginModule implements LoginModule {
" no longer valid"
);
" no longer valid"
);
}
}
}
}
}
if
(
cred
!=
null
)
{
if
(
cred
!=
null
)
{
// get the principal name from the ticket cache
// get the principal name from the ticket cache
...
@@ -988,7 +988,7 @@ public class Krb5LoginModule implements LoginModule {
...
@@ -988,7 +988,7 @@ public class Krb5LoginModule implements LoginModule {
}
}
}
}
private
boolean
isCurrent
(
Credentials
creds
)
private
static
boolean
isCurrent
(
Credentials
creds
)
{
{
Date
endTime
=
creds
.
getEndTime
();
Date
endTime
=
creds
.
getEndTime
();
if
(
endTime
!=
null
)
{
if
(
endTime
!=
null
)
{
...
@@ -997,6 +997,23 @@ public class Krb5LoginModule implements LoginModule {
...
@@ -997,6 +997,23 @@ public class Krb5LoginModule implements LoginModule {
return
true
;
return
true
;
}
}
private
static
boolean
isOld
(
Credentials
creds
)
{
Date
endTime
=
creds
.
getEndTime
();
if
(
endTime
!=
null
)
{
Date
authTime
=
creds
.
getAuthTime
();
long
now
=
System
.
currentTimeMillis
();
if
(
authTime
!=
null
)
{
// pass the mid between auth and end
return
now
-
authTime
.
getTime
()
>
endTime
.
getTime
()
-
now
;
}
else
{
// will expire in less than 2 hours
return
now
<=
endTime
.
getTime
()
-
1000
*
3600
*
2L
;
}
}
return
false
;
}
private
Credentials
renewCredentials
(
Credentials
creds
)
private
Credentials
renewCredentials
(
Credentials
creds
)
{
{
Credentials
lcreds
;
Credentials
lcreds
;
...
...
test/sun/security/krb5/auto/KDC.java
浏览文件 @
633bf559
...
@@ -920,7 +920,7 @@ public class KDC {
...
@@ -920,7 +920,7 @@ public class KDC {
new
TransitedEncoding
(
1
,
new
byte
[
0
]),
// TODO
new
TransitedEncoding
(
1
,
new
byte
[
0
]),
// TODO
new
KerberosTime
(
new
Date
()),
new
KerberosTime
(
new
Date
()),
body
.
from
,
body
.
from
,
till
,
body
.
rtime
,
till
,
etp
.
renewTill
,
body
.
addresses
!=
null
// always set caddr
body
.
addresses
!=
null
// always set caddr
?
body
.
addresses
?
body
.
addresses
:
new
HostAddresses
(
:
new
HostAddresses
(
...
@@ -947,7 +947,7 @@ public class KDC {
...
@@ -947,7 +947,7 @@ public class KDC {
tFlags
,
tFlags
,
new
KerberosTime
(
new
Date
()),
new
KerberosTime
(
new
Date
()),
body
.
from
,
body
.
from
,
till
,
rtime
,
till
,
etp
.
renewTill
,
service
,
service
,
body
.
addresses
!=
null
// always set caddr
body
.
addresses
!=
null
// always set caddr
?
body
.
addresses
?
body
.
addresses
...
...
test/sun/security/krb5/auto/Renew.java
0 → 100644
浏览文件 @
633bf559
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8058290
* @summary JAAS Krb5LoginModule has suspect ticket-renewal logic,
* relies on clockskew grace
* @compile -XDignore.symbol.file Renew.java
* @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock Renew 1
* @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock Renew 2
* @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock Renew 3
*/
import
sun.security.krb5.Config
;
import
java.nio.file.Files
;
import
java.nio.file.Paths
;
import
java.util.Arrays
;
import
java.util.Date
;
import
javax.security.auth.kerberos.KerberosTicket
;
public
class
Renew
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
// Three test cases:
// 1. renewTGT=false
// 2. renewTGT=true with a short life time, renew will happen
// 3. renewTGT=true with a long life time, renew won't happen
int
test
=
Integer
.
parseInt
(
args
[
0
]);
OneKDC
k
=
new
OneKDC
(
null
);
KDC
.
saveConfig
(
OneKDC
.
KRB5_CONF
,
k
,
"renew_lifetime = 1d"
,
"ticket_lifetime = "
+
(
test
==
2
?
"10s"
:
"8h"
));
Config
.
refresh
();
k
.
writeJAASConf
();
// KDC would save ccache in a file
System
.
setProperty
(
"test.kdc.save.ccache"
,
"cache.here"
);
Files
.
write
(
Paths
.
get
(
OneKDC
.
JAAS_CONF
),
Arrays
.
asList
(
"first {"
,
" com.sun.security.auth.module.Krb5LoginModule required;"
,
"};"
,
"second {"
,
" com.sun.security.auth.module.Krb5LoginModule required"
,
" doNotPrompt=true"
,
" renewTGT="
+
(
test
!=
1
),
" useTicketCache=true"
,
" ticketCache=cache.here;"
,
"};"
));
Context
c
;
// The first login uses username and password
c
=
Context
.
fromUserPass
(
OneKDC
.
USER
,
OneKDC
.
PASS
,
false
);
Date
d1
=
c
.
s
().
getPrivateCredentials
(
KerberosTicket
.
class
).
iterator
().
next
().
getAuthTime
();
// 6s is longer than half of 10s
Thread
.
sleep
(
6000
);
// The second login uses the cache
c
=
Context
.
fromJAAS
(
"second"
);
Date
d2
=
c
.
s
().
getPrivateCredentials
(
KerberosTicket
.
class
).
iterator
().
next
().
getAuthTime
();
if
(
test
==
2
)
{
if
(
d1
.
equals
(
d2
))
{
throw
new
Exception
(
"Ticket not renewed"
);
}
}
else
{
if
(!
d1
.
equals
(
d2
))
{
throw
new
Exception
(
"Ticket renewed"
);
}
}
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录