From d1b4082923052a40e89179ef00617c1f5af008fe Mon Sep 17 00:00:00 2001 From: weijun Date: Wed, 4 Dec 2013 09:14:42 +0800 Subject: [PATCH] 8028351: JWS doesn't get authenticated when using kerberos auth proxy Reviewed-by: xuelei --- .../security/auth/module/Krb5LoginModule.java | 3 +- test/sun/security/krb5/auto/KDC.java | 6 +- test/sun/security/krb5/auto/LoginNoPass.java | 73 +++++++++++++++++++ 3 files changed, 77 insertions(+), 5 deletions(-) create mode 100644 test/sun/security/krb5/auto/LoginNoPass.java diff --git a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java index c5b268920..9a5981719 100644 --- a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java +++ b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java @@ -916,8 +916,7 @@ public class Krb5LoginModule implements LoginModule { char[] tmpPassword = ((PasswordCallback) callbacks[0]).getPassword(); if (tmpPassword == null) { - // treat a NULL password as an empty password - tmpPassword = new char[0]; + throw new LoginException("No password provided"); } password = new char[tmpPassword.length]; System.arraycopy(tmpPassword, 0, diff --git a/test/sun/security/krb5/auto/KDC.java b/test/sun/security/krb5/auto/KDC.java index 0157a9309..6b82a6b4d 100644 --- a/test/sun/security/krb5/auto/KDC.java +++ b/test/sun/security/krb5/auto/KDC.java @@ -605,7 +605,7 @@ public class KDC { * @return the response * @throws java.lang.Exception for various errors */ - private byte[] processMessage(byte[] in) throws Exception { + protected byte[] processMessage(byte[] in) throws Exception { if ((in[0] & 0x1f) == Krb5.KRB_AS_REQ) return processAsReq(in); else @@ -618,7 +618,7 @@ public class KDC { * @return the response * @throws java.lang.Exception for various errors */ - private byte[] processTgsReq(byte[] in) throws Exception { + protected byte[] processTgsReq(byte[] in) throws Exception { TGSReq tgsReq = new TGSReq(in); PrincipalName service = tgsReq.reqBody.sname; if (options.containsKey(KDC.Option.RESP_NT)) { @@ -841,7 +841,7 @@ public class KDC { * @return the response * @throws java.lang.Exception for various errors */ - private byte[] processAsReq(byte[] in) throws Exception { + protected byte[] processAsReq(byte[] in) throws Exception { ASReq asReq = new ASReq(in); int[] eTypes = null; List outPAs = new ArrayList<>(); diff --git a/test/sun/security/krb5/auto/LoginNoPass.java b/test/sun/security/krb5/auto/LoginNoPass.java new file mode 100644 index 000000000..73de94001 --- /dev/null +++ b/test/sun/security/krb5/auto/LoginNoPass.java @@ -0,0 +1,73 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8028351 + * @summary JWS doesn't get authenticated when using kerberos auth proxy + * @compile -XDignore.symbol.file LoginNoPass.java + * @run main/othervm LoginNoPass + */ + +import sun.security.jgss.GSSUtil; + +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import java.security.Security; + +public class LoginNoPass { + + static boolean kdcTouched = false; + public static void main(String[] args) throws Exception { + + new OneKDC(null) { + protected byte[] processAsReq(byte[] in) throws Exception { + kdcTouched = true; + return super.processAsReq(in); + } + }.writeJAASConf(); + Security.setProperty("auth.login.defaultCallbackHandler", + "LoginNoPass$CallbackForClient"); + System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); + + try { + Context c; + c = Context.fromJAAS("client"); + c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID); + c.take(new byte[0]); + } catch (Exception e) { + e.printStackTrace(System.out); + // OK + } + if (kdcTouched) { + throw new Exception("Failed"); + } + } + public static class CallbackForClient implements CallbackHandler { + public void handle(Callback[] callbacks) { + // Do nothing + } + } +} -- GitLab