From a9dd3c17a7bf9bcaa123fb2889bdd7e94a9d047b Mon Sep 17 00:00:00 2001
From: weijun
Date: Wed, 28 Sep 2011 14:21:10 +0800
Subject: [PATCH] 7089889: Krb5LoginModule.login() throws an exception if used without a keytab
Reviewed-by: xuelei, valeriep

---
 .../security/auth/module/Krb5LoginModule.java | 2 +-
 .../sun/security/krb5/KrbAsReqBuilder.java | 11 ++--
 .../security/krb5/auto/NoInitNoKeytab.java | 66 +++++++++++++++++++
 3 files changed, 74 insertions(+), 5 deletions(-)
 create mode 100644 test/sun/security/krb5/auto/NoInitNoKeytab.java

diff --git a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
index 5c2580cb2..b6ffb01ec 100644
--- a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
+++ b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java
@@ -725,7 +725,7 @@ public class Krb5LoginModule implements LoginModule {
             cred = builder.action().getCreds();
         }
         if (storeKey) {
-            encKeys = builder.getKeys();
+            encKeys = builder.getKeys(isInitiator);
             // When encKeys is empty, the login actually fails.
             // For compatibility, exception is thrown in commit().
         }
diff --git a/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java b/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java
index 3426d8b20..23b4dd84f 100644
--- a/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java
+++ b/src/share/classes/sun/security/krb5/KrbAsReqBuilder.java
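Review bot: With `encKeys = builder.getKeys(isInitiator)` a non-initiator now receives keys derived from the password locally; if `builder.action()` is skipped for that case (the branch condition is outside the hunk), login() can complete without any exchange with the KDC, so a wrong password is not detected here and only surfaces later when an AP-REQ fails to decrypt. That is a different contract from the initiator path, where the AS exchange verifies the password, and it deserves a comment at the call site, e.g. `// isInitiator=false: keys are derived from the password without an AS exchange, so the password is not verified at login().` The enclosing method starts and ends outside the hunk.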
@@ -144,15 +144,18 @@ public final class KrbAsReqBuilder {
 
     /**
      * Retrieves an array of secret keys for the client. This is used when
-     * the client supplies password but need keys to act as an acceptor
-     * (in JAAS words, isInitiator=true and storeKey=true)
+     * the client supplies password but need keys to act as an acceptor. For
+     * an initiator, it must be called after AS-REQ is performed (state is OK).
+     * For an acceptor, it can be called when this KrbAsReqBuilder object is
+     * constructed (state is INIT).
+     * @param isInitiator if the caller is an initiator
      * @return generated keys from password. PA-DATA from server might be used.
      * All "default_tkt_enctypes" keys will be generated, Never null.
      * @throws IllegalStateException if not constructed from a password
      * @throws KrbException
      */
-    public EncryptionKey[] getKeys() throws KrbException {
-        checkState(State.REQ_OK, "Cannot get keys");
+    public EncryptionKey[] getKeys(boolean isInitiator) throws KrbException {
+        checkState(isInitiator?State.REQ_OK:State.INIT, "Cannot get keys");
         if (password != null) {
             int[] eTypes = EType.getDefaults("default_tkt_enctypes");
             EncryptionKey[] result = new EncryptionKey[eTypes.length];
diff --git a/test/sun/security/krb5/auto/NoInitNoKeytab.java b/test/sun/security/krb5/auto/NoInitNoKeytab.java
new file mode 100644
index 000000000..cde2ec6bb
--- /dev/null
+++ b/test/sun/security/krb5/auto/NoInitNoKeytab.java
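Review bot: The updated Javadoc keeps `PA-DATA from server might be used`, yet for an acceptor the method is now documented as callable in state INIT, i.e. before any AS-REQ has been sent, so on that path no server PA-DATA (and hence no KDC-supplied salt or s2k parameters) can exist and the keys are presumably derived with the default salt. An acceptor principal that uses a non-default salt on the KDC will then store keys that cannot decrypt its tickets, and the Javadoc should say so, e.g. `* For an acceptor (state INIT) no PA-DATA is available: keys are derived with the default salt, which must match the KDC's.` A style point on the new check: `checkState(isInitiator ? State.REQ_OK : State.INIT, "Cannot get keys");` with spaces around the ternary operators, as the rest of the file does around binary operators. The body of getKeys continues outside the hunk.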
@@ -0,0 +1,66 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 7089889
+ * @summary Krb5LoginModule.login() throws an exception if used without a keytab
+ * @compile -XDignore.symbol.file NoInitNoKeytab.java
+ * @run main/othervm NoInitNoKeytab
+ */
+
+import java.io.FileOutputStream;
+import sun.security.jgss.GSSUtil;
+
+// The basic krb5 test skeleton you can copy from
+public class NoInitNoKeytab {
+
+    public static void main(String[] args) throws Exception {
+
+        new OneKDC(null).writeJAASConf();
+        try (FileOutputStream fos =
+                new FileOutputStream(OneKDC.JAAS_CONF, true)) {
+            fos.write((
+                "noinit {\n" +
+                " com.sun.security.auth.module.Krb5LoginModule required\n" +
+                " principal=\"" + OneKDC.USER + "\"\n" +
+                " useKeyTab=false\n" +
+                " isInitiator=false\n" +
+                " storeKey=true;\n};\n").getBytes());
+        }
+        Context c, s;
+        c = Context.fromJAAS("client");
+        s = Context.fromJAAS("noinit");
+
+        c.startAsClient(OneKDC.USER, GSSUtil.GSS_SPNEGO_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_SPNEGO_MECH_OID);
+
+        Context.handshake(c, s);
+
+        Context.transmit("i say high --", c, s);
+        Context.transmit(" you say low", s, c);
+
+        s.dispose();
+        c.dispose();
+    }
+}
-- 
GitLab
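Review bot: The class comment `// The basic krb5 test skeleton you can copy from` is the template's note rather than a description of this test; replace it with e.g. `// Acceptor configured with a password but no keytab (useKeyTab=false, isInitiator=false, storeKey=true): login() must succeed and the stored keys must decrypt the client's SPNEGO AP-REQ.` The regression is only checked implicitly through `Context.handshake(c, s)`, so a failure in the `noinit` login and a failure in the handshake look the same; if Context exposes the accepted Subject (not visible here), asserting right after `Context.fromJAAS("noinit")` that it holds at least one KerberosKey would localise the failure. A small style point: `Context c, s;` followed by two assignments reads better as `Context c = Context.fromJAAS("client");` and `Context s = Context.fromJAAS("noinit");`.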