Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
e64257fc
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
e64257fc
编写于
5年前
作者:
M
mbalao
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8005819: Support cross-realm MSSFU
Reviewed-by: weijun
上级
caa310e6
无相关合并请求
变更
7
隐藏空白更改
内联
并排
Showing
7 changed file
with
489 addition
and
57 deletion
+489
-57
src/share/classes/sun/security/krb5/KrbTgsRep.java
src/share/classes/sun/security/krb5/KrbTgsRep.java
+8
-1
src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
...e/classes/sun/security/krb5/internal/CredentialsUtil.java
+186
-29
src/share/classes/sun/security/krb5/internal/Krb5.java
src/share/classes/sun/security/krb5/internal/Krb5.java
+1
-0
src/share/classes/sun/security/krb5/internal/PAForUserEnc.java
...hare/classes/sun/security/krb5/internal/PAForUserEnc.java
+4
-0
src/share/classes/sun/security/krb5/internal/PaPacOptions.java
...hare/classes/sun/security/krb5/internal/PaPacOptions.java
+185
-0
test/sun/security/krb5/auto/KDC.java
test/sun/security/krb5/auto/KDC.java
+1
-2
test/sun/security/krb5/auto/ReferralsTest.java
test/sun/security/krb5/auto/ReferralsTest.java
+104
-25
未找到文件。
src/share/classes/sun/security/krb5/KrbTgsRep.java
浏览文件 @
e64257fc
...
...
@@ -95,9 +95,16 @@ public class KrbTgsRep extends KrbKdcRep {
}
}
PrincipalName
clientAlias
=
null
;
if
(
rep
.
cname
.
equals
(
req
.
reqBody
.
cname
))
{
// Only propagate the client alias if it is not an
// impersonation ticket (S4U2Self or S4U2Proxy).
clientAlias
=
tgsReq
.
getClientAlias
();
}
this
.
creds
=
new
Credentials
(
rep
.
ticket
,
rep
.
cname
,
tgsReq
.
getClientAlias
()
,
clientAlias
,
enc_part
.
sname
,
serverAlias
,
enc_part
.
key
,
...
...
This diff is collapsed.
Click to expand it.
src/share/classes/sun/security/krb5/internal/CredentialsUtil.java
浏览文件 @
e64257fc
...
...
@@ -32,6 +32,8 @@
package
sun.security.krb5.internal
;
import
sun.security.krb5.*
;
import
sun.security.util.DerValue
;
import
java.io.IOException
;
import
java.util.LinkedList
;
import
java.util.List
;
...
...
@@ -45,6 +47,10 @@ public class CredentialsUtil {
private
static
boolean
DEBUG
=
sun
.
security
.
krb5
.
internal
.
Krb5
.
DEBUG
;
private
static
enum
S4U2Type
{
NONE
,
SELF
,
PROXY
}
/**
* Used by a middle server to acquire credentials on behalf of a
* client to itself using the S4U2self extension.
...
...
@@ -54,20 +60,44 @@ public class CredentialsUtil {
*/
public
static
Credentials
acquireS4U2selfCreds
(
PrincipalName
client
,
Credentials
ccreds
)
throws
KrbException
,
IOException
{
if
(!
ccreds
.
isForwardable
())
{
throw
new
KrbException
(
"S4U2self needs a FORWARDABLE ticket"
);
}
PrincipalName
sname
=
ccreds
.
getClient
();
String
uRealm
=
client
.
getRealmString
();
String
localRealm
=
ccreds
.
getClient
().
getRealmString
();
if
(!
uRealm
.
equals
(
localRealm
))
{
// TODO: we do not support kerberos referral now
throw
new
KrbException
(
"Cross realm impersonation not supported"
);
}
if
(!
ccreds
.
isForwardable
())
{
throw
new
KrbException
(
"S4U2self needs a FORWARDABLE ticket"
);
// Referrals will be required because the middle service
// and the client impersonated are on different realms.
if
(
Config
.
DISABLE_REFERRALS
)
{
throw
new
KrbException
(
"Cross-realm S4U2Self request not"
+
" possible when referrals are disabled."
);
}
if
(
ccreds
.
getClientAlias
()
!=
null
)
{
// If the name was canonicalized, the user pick
// has preference. This gives the possibility of
// using FQDNs that KDCs may use to return referrals.
// I.e.: a SVC/host.realm-2.com@REALM-1.COM name
// may be used by REALM-1.COM KDC to return a
// referral to REALM-2.COM.
sname
=
ccreds
.
getClientAlias
();
}
sname
=
new
PrincipalName
(
sname
.
getNameType
(),
sname
.
getNameStrings
(),
new
Realm
(
uRealm
));
}
Credentials
creds
=
serviceCreds
(
KDCOptions
.
with
(
KDCOptions
.
FORWARDABLE
),
ccreds
,
ccreds
.
getClient
(),
ccreds
.
getClient
(),
null
,
new
PAData
[]
{
new
PAData
(
Krb5
.
PA_FOR_USER
,
new
PAForUserEnc
(
client
,
ccreds
.
getSessionKey
()).
asn1Encode
())});
Credentials
creds
=
serviceCreds
(
KDCOptions
.
with
(
KDCOptions
.
FORWARDABLE
),
ccreds
,
ccreds
.
getClient
(),
sname
,
null
,
new
PAData
[]
{
new
PAData
(
Krb5
.
PA_FOR_USER
,
new
PAForUserEnc
(
client
,
ccreds
.
getSessionKey
()).
asn1Encode
()),
new
PAData
(
Krb5
.
PA_PAC_OPTIONS
,
new
PaPacOptions
()
.
setResourceBasedConstrainedDelegation
(
true
)
.
setClaims
(
true
)
.
asn1Encode
())
},
S4U2Type
.
SELF
);
if
(!
creds
.
getClient
().
equals
(
client
))
{
throw
new
KrbException
(
"S4U2self request not honored by KDC"
);
}
...
...
@@ -89,10 +119,31 @@ public class CredentialsUtil {
String
backend
,
Ticket
second
,
PrincipalName
client
,
Credentials
ccreds
)
throws
KrbException
,
IOException
{
PrincipalName
backendPrincipal
=
new
PrincipalName
(
backend
);
String
backendRealm
=
backendPrincipal
.
getRealmString
();
String
localRealm
=
ccreds
.
getClient
().
getRealmString
();
if
(!
backendRealm
.
equals
(
localRealm
))
{
// The middle service and the backend service are on
// different realms, so referrals will be required.
if
(
Config
.
DISABLE_REFERRALS
)
{
throw
new
KrbException
(
"Cross-realm S4U2Proxy request not"
+
" possible when referrals are disabled."
);
}
backendPrincipal
=
new
PrincipalName
(
backendPrincipal
.
getNameType
(),
backendPrincipal
.
getNameStrings
(),
new
Realm
(
localRealm
));
}
Credentials
creds
=
serviceCreds
(
KDCOptions
.
with
(
KDCOptions
.
CNAME_IN_ADDL_TKT
,
KDCOptions
.
FORWARDABLE
),
ccreds
,
ccreds
.
getClient
(),
new
PrincipalName
(
backend
),
new
Ticket
[]
{
second
},
null
);
ccreds
,
ccreds
.
getClient
(),
backendPrincipal
,
new
Ticket
[]
{
second
},
new
PAData
[]
{
new
PAData
(
Krb5
.
PA_PAC_OPTIONS
,
new
PaPacOptions
()
.
setResourceBasedConstrainedDelegation
(
true
)
.
setClaims
(
true
)
.
asn1Encode
())
},
S4U2Type
.
PROXY
);
if
(!
creds
.
getClient
().
equals
(
client
))
{
throw
new
KrbException
(
"S4U2proxy request not honored by KDC"
);
}
...
...
@@ -261,7 +312,8 @@ public class CredentialsUtil {
PrincipalName
service
,
Credentials
ccreds
)
throws
KrbException
,
IOException
{
return
serviceCreds
(
new
KDCOptions
(),
ccreds
,
ccreds
.
getClient
(),
service
,
null
,
null
);
ccreds
.
getClient
(),
service
,
null
,
null
,
S4U2Type
.
NONE
);
}
/*
...
...
@@ -273,20 +325,21 @@ public class CredentialsUtil {
private
static
Credentials
serviceCreds
(
KDCOptions
options
,
Credentials
asCreds
,
PrincipalName
cname
,
PrincipalName
sname
,
Ticket
[]
additionalTickets
,
PAData
[]
extraPAs
)
Ticket
[]
additionalTickets
,
PAData
[]
extraPAs
,
S4U2Type
s4u2Type
)
throws
KrbException
,
IOException
{
if
(!
Config
.
DISABLE_REFERRALS
)
{
try
{
return
serviceCredsReferrals
(
options
,
asCreds
,
cname
,
snam
e
,
additionalTickets
,
extraPAs
);
return
serviceCredsReferrals
(
options
,
asCreds
,
cname
,
sname
,
s4u2Typ
e
,
additionalTickets
,
extraPAs
);
}
catch
(
KrbException
e
)
{
// Server may raise an error if CANONICALIZE is true.
// Try CANONICALIZE false.
}
}
return
serviceCredsSingle
(
options
,
asCreds
,
cname
,
asCreds
.
getClientAlias
(),
sname
,
sname
,
additionalTickets
,
extraPAs
);
asCreds
.
getClientAlias
(),
sname
,
sname
,
s4u2Type
,
additionalTickets
,
extraPAs
);
}
/*
...
...
@@ -296,8 +349,9 @@ public class CredentialsUtil {
private
static
Credentials
serviceCredsReferrals
(
KDCOptions
options
,
Credentials
asCreds
,
PrincipalName
cname
,
PrincipalName
sname
,
Ticket
[]
additionalTickets
,
PAData
[]
extraPAs
)
throws
KrbException
,
IOException
{
S4U2Type
s4u2Type
,
Ticket
[]
additionalTickets
,
PAData
[]
extraPAs
)
throws
KrbException
,
IOException
{
options
=
new
KDCOptions
(
options
.
toBooleanArray
());
options
.
set
(
KDCOptions
.
CANONICALIZE
,
true
);
PrincipalName
cSname
=
sname
;
...
...
@@ -312,34 +366,58 @@ public class CredentialsUtil {
String
toRealm
=
null
;
if
(
ref
==
null
)
{
creds
=
serviceCredsSingle
(
options
,
asCreds
,
cname
,
clientAlias
,
refSname
,
cSname
,
additionalTickets
,
extraPAs
);
clientAlias
,
refSname
,
cSname
,
s4u2Type
,
additionalTickets
,
extraPAs
);
PrincipalName
server
=
creds
.
getServer
();
if
(!
refSname
.
equals
(
server
))
{
String
[]
serverNameStrings
=
server
.
getNameStrings
();
if
(
serverNameStrings
.
length
==
2
&&
serverNameStrings
[
0
].
equals
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
)
&&
!
refSname
.
getRealmAsString
().
equals
(
serverNameStrings
[
1
]))
{
!
refSname
.
getRealmAsString
().
equals
(
serverNameStrings
[
1
]))
{
// Server Name (sname) has the following format:
// krbtgt/TO-REALM.COM@FROM-REALM.COM
ReferralsCache
.
put
(
cname
,
sname
,
server
.
getRealmString
(),
serverNameStrings
[
1
],
creds
);
if
(
s4u2Type
==
S4U2Type
.
NONE
)
{
// Do not store S4U2Self or S4U2Proxy referral
// TGTs in the cache. Caching such tickets is not
// defined in MS-SFU and may cause unexpected
// results when using them in a different context.
ReferralsCache
.
put
(
cname
,
sname
,
server
.
getRealmString
(),
serverNameStrings
[
1
],
creds
);
}
toRealm
=
serverNameStrings
[
1
];
isReferral
=
true
;
asCreds
=
creds
;
}
}
}
else
{
creds
=
ref
.
getCreds
();
toRealm
=
ref
.
getToRealm
();
asCreds
=
ref
.
getCreds
();
isReferral
=
true
;
}
if
(
isReferral
)
{
if
(
s4u2Type
==
S4U2Type
.
PROXY
)
{
Credentials
[]
credsInOut
=
new
Credentials
[]
{
creds
,
null
};
toRealm
=
handleS4U2ProxyReferral
(
asCreds
,
credsInOut
,
sname
);
creds
=
credsInOut
[
0
];
if
(
additionalTickets
==
null
||
additionalTickets
.
length
==
0
||
credsInOut
[
1
]
==
null
)
{
throw
new
KrbException
(
"Additional tickets expected"
+
" for S4U2Proxy."
);
}
additionalTickets
[
0
]
=
credsInOut
[
1
].
getTicket
();
}
else
if
(
s4u2Type
==
S4U2Type
.
SELF
)
{
handleS4U2SelfReferral
(
extraPAs
,
asCreds
,
creds
);
}
if
(
referrals
.
contains
(
toRealm
))
{
// Referrals loop detected
return
null
;
}
asCreds
=
creds
;
refSname
=
new
PrincipalName
(
refSname
.
getNameString
(),
refSname
.
getNameType
(),
toRealm
);
referrals
.
add
(
toRealm
);
...
...
@@ -362,8 +440,9 @@ public class CredentialsUtil {
KDCOptions
options
,
Credentials
asCreds
,
PrincipalName
cname
,
PrincipalName
clientAlias
,
PrincipalName
refSname
,
PrincipalName
sname
,
Ticket
[]
additionalTickets
,
PAData
[]
extraPAs
)
throws
KrbException
,
IOException
{
S4U2Type
s4u2Type
,
Ticket
[]
additionalTickets
,
PAData
[]
extraPAs
)
throws
KrbException
,
IOException
{
Credentials
theCreds
=
null
;
boolean
[]
okAsDelegate
=
new
boolean
[]{
true
};
String
[]
serverAsCredsNames
=
asCreds
.
getServer
().
getNameStrings
();
...
...
@@ -389,6 +468,9 @@ public class CredentialsUtil {
" serviceCredsSingle: "
);
Credentials
.
printDebug
(
newTgt
);
}
if
(
s4u2Type
==
S4U2Type
.
SELF
)
{
handleS4U2SelfReferral
(
extraPAs
,
asCreds
,
newTgt
);
}
asCreds
=
newTgt
;
cname
=
asCreds
.
getClient
();
}
else
if
(
DEBUG
)
{
...
...
@@ -409,4 +491,79 @@ public class CredentialsUtil {
}
return
theCreds
;
}
/**
* PA-FOR-USER may need to be regenerated if credentials
* change. This may happen when obtaining a TGT for a
* different realm or when using a referral TGT.
*/
private
static
void
handleS4U2SelfReferral
(
PAData
[]
pas
,
Credentials
oldCeds
,
Credentials
newCreds
)
throws
Asn1Exception
,
KrbException
,
IOException
{
if
(
DEBUG
)
{
System
.
out
.
println
(
">>> Handling S4U2Self referral"
);
}
for
(
int
i
=
0
;
i
<
pas
.
length
;
i
++)
{
PAData
pa
=
pas
[
i
];
if
(
pa
.
getType
()
==
Krb5
.
PA_FOR_USER
)
{
PAForUserEnc
paForUser
=
new
PAForUserEnc
(
new
DerValue
(
pa
.
getValue
()),
oldCeds
.
getSessionKey
());
pas
[
i
]
=
new
PAData
(
Krb5
.
PA_FOR_USER
,
new
PAForUserEnc
(
paForUser
.
getName
(),
newCreds
.
getSessionKey
()).
asn1Encode
());
break
;
}
}
}
/**
* This method is called after receiving the first realm referral for
* a S4U2Proxy request. The credentials and tickets needed for the
* final S4U2Proxy request (in the referrals chain) are returned.
*
* Referrals are handled as described by MS-SFU (section 3.1.5.2.2
* Receives Referral).
*
* @param asCreds middle service credentials used for the first S4U2Proxy
* request
* @param credsInOut (in/out parameter):
* * input: first S4U2Proxy referral TGT received, null
* * output: referral TGT for final S4U2Proxy service request,
* client referral TGT for final S4U2Proxy service request
* (to be sent as additional-ticket)
* @param sname the backend service name
* @param additionalTickets (out parameter): the additional ticket for the
* last S4U2Proxy request is returned
* @return the backend realm for the last S4U2Proxy request
*/
private
static
String
handleS4U2ProxyReferral
(
Credentials
asCreds
,
Credentials
[]
credsInOut
,
PrincipalName
sname
)
throws
KrbException
,
IOException
{
if
(
DEBUG
)
{
System
.
out
.
println
(
">>> Handling S4U2Proxy referral"
);
}
Credentials
refTGT
=
null
;
// Get a credential for the middle service to the backend so we know
// the backend realm, as described in MS-SFU (section 3.1.5.2.2).
Credentials
middleSvcCredsInBackendRealm
=
serviceCreds
(
sname
,
asCreds
);
String
backendRealm
=
middleSvcCredsInBackendRealm
.
getServer
().
getRealmString
();
String
toRealm
=
credsInOut
[
0
].
getServer
().
getNameStrings
()[
1
];
if
(!
toRealm
.
equals
(
backendRealm
))
{
// More than 1 hop. Follow the referrals chain and obtain a
// TGT for the backend realm.
refTGT
=
getTGTforRealm
(
toRealm
,
backendRealm
,
credsInOut
[
0
],
new
boolean
[
1
]);
}
else
{
// There was only 1 hop. The referral TGT received is already
// for the backend realm.
refTGT
=
credsInOut
[
0
];
}
credsInOut
[
0
]
=
getTGTforRealm
(
asCreds
.
getClient
().
getRealmString
(),
backendRealm
,
asCreds
,
new
boolean
[
1
]);
credsInOut
[
1
]
=
refTGT
;
return
backendRealm
;
}
}
This diff is collapsed.
Click to expand it.
src/share/classes/sun/security/krb5/internal/Krb5.java
浏览文件 @
e64257fc
...
...
@@ -163,6 +163,7 @@ public class Krb5 {
// S4U2user info
public
static
final
int
PA_FOR_USER
=
129
;
public
static
final
int
PA_PAC_OPTIONS
=
167
;
// FAST (RFC 6806)
public
static
final
int
PA_REQ_ENC_PA_REP
=
149
;
...
...
This diff is collapsed.
Click to expand it.
src/share/classes/sun/security/krb5/internal/PAForUserEnc.java
浏览文件 @
e64257fc
...
...
@@ -185,6 +185,10 @@ public class PAForUserEnc {
}
}
public
PrincipalName
getName
()
{
return
name
;
}
public
String
toString
()
{
return
"PA-FOR-USER: "
+
name
;
}
...
...
This diff is collapsed.
Click to expand it.
src/share/classes/sun/security/krb5/internal/PaPacOptions.java
0 → 100644
浏览文件 @
e64257fc
/*
* Copyright (c) 2019, Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package
sun.security.krb5.internal
;
import
java.io.IOException
;
import
sun.security.krb5.Asn1Exception
;
import
sun.security.krb5.internal.util.KerberosFlags
;
import
sun.security.util.DerOutputStream
;
import
sun.security.util.DerValue
;
/**
* Implements the ASN.1 PA-PAC-OPTIONS type.
*
* <pre>{@code
* PA-PAC-OPTIONS ::= SEQUENCE {
* KerberosFlags
* -- Claims (0)
* -- Branch Aware (1)
* -- Forward to Full DC (2)
* }
* Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX))
* -- minimum number of bits shall be sent, but no fewer than 32
*
* PA-PAC-OPTIONS ::= KerberosFlags
* -- resource-based constrained delegation (3)
* }</pre>
*
* This definition reflects MS-KILE (section 2.2.10)
* and MS-SFU (section 2.2.5).
*/
public
class
PaPacOptions
{
private
static
final
int
CLAIMS
=
0
;
private
static
final
int
BRANCH_AWARE
=
1
;
private
static
final
int
FORWARD_TO_FULL_DC
=
2
;
private
static
final
int
RESOURCE_BASED_CONSTRAINED_DELEGATION
=
3
;
private
KerberosFlags
flags
;
public
PaPacOptions
()
{
this
.
flags
=
new
KerberosFlags
(
Krb5
.
AP_OPTS_MAX
+
1
);
}
/**
* Constructs a PA-PAC-OPTIONS object from a DER encoding.
* @param encoding the ASN.1 encoded input
* @throws Asn1Exception if invalid DER
* @throws IOException if there is an error reading the DER value
*/
public
PaPacOptions
(
DerValue
encoding
)
throws
Asn1Exception
,
IOException
{
if
(
encoding
.
getTag
()
!=
DerValue
.
tag_Sequence
)
{
throw
new
Asn1Exception
(
Krb5
.
ASN1_BAD_ID
);
}
DerValue
der
=
encoding
.
getData
().
getDerValue
();
if
((
der
.
getTag
()
&
0x1F
)
==
0x00
)
{
flags
=
new
KDCOptions
(
der
.
getData
().
getDerValue
());
}
else
{
throw
new
Asn1Exception
(
Krb5
.
ASN1_BAD_ID
);
}
}
/**
* Setter for the claims flag
* @param value whether the claims flag is set or not
* @return the same PaPacOptions instance
*/
public
PaPacOptions
setClaims
(
boolean
value
)
{
flags
.
set
(
CLAIMS
,
value
);
return
this
;
}
/**
* Getter for the claims flag
* @return the claims flag value
*/
public
boolean
getClaims
()
{
return
flags
.
get
(
CLAIMS
);
}
/**
* Setter for the branch-aware flag
* @param value whether the branch-aware flag is set or not
* @return the same PaPacOptions instance
*/
public
PaPacOptions
setBranchAware
(
boolean
value
)
{
flags
.
set
(
BRANCH_AWARE
,
value
);
return
this
;
}
/**
* Getter for the branch-aware flag
* @return the branch-aware flag value
*/
public
boolean
getBranchAware
()
{
return
flags
.
get
(
BRANCH_AWARE
);
}
/**
* Setter for the forward-to-full-DC flag
* @param value whether the forward-to-full-DC flag is set or not
* @return the same PaPacOptions instance
*/
public
PaPacOptions
setForwardToFullDC
(
boolean
value
)
{
flags
.
set
(
FORWARD_TO_FULL_DC
,
value
);
return
this
;
}
/**
* Getter for the forward-to-full-DC flag
* @return the forward-to-full-DC flag value
*/
public
boolean
getForwardToFullDC
()
{
return
flags
.
get
(
FORWARD_TO_FULL_DC
);
}
/**
* Setter for the resource-based-constrained-delegation flag
* @param value whether the resource-based-constrained-delegation
* is set or not
* @return the same PaPacOptions instance
*/
public
PaPacOptions
setResourceBasedConstrainedDelegation
(
boolean
value
)
{
flags
.
set
(
RESOURCE_BASED_CONSTRAINED_DELEGATION
,
value
);
return
this
;
}
/**
* Getter for the resource-based-constrained-delegation flag
* @return the resource-based-constrained-delegation flag value
*/
public
boolean
getResourceBasedConstrainedDelegation
()
{
return
flags
.
get
(
RESOURCE_BASED_CONSTRAINED_DELEGATION
);
}
/**
* Encodes this PaPacOptions instance.
* @return an ASN.1 encoded PaPacOptions byte array
* @throws IOException if an I/O error occurs while encoding this
* PaPacOptions instance
*/
public
byte
[]
asn1Encode
()
throws
IOException
{
byte
[]
bytes
=
null
;
try
(
DerOutputStream
temp
=
new
DerOutputStream
())
{
temp
.
write
(
DerValue
.
createTag
(
DerValue
.
TAG_CONTEXT
,
true
,
(
byte
)
0x00
),
flags
.
asn1Encode
());
bytes
=
temp
.
toByteArray
();
}
try
(
DerOutputStream
temp
=
new
DerOutputStream
())
{
temp
.
write
(
DerValue
.
tag_Sequence
,
bytes
);
return
temp
.
toByteArray
();
}
}
@Override
public
String
toString
()
{
return
flags
.
toString
();
}
}
This diff is collapsed.
Click to expand it.
test/sun/security/krb5/auto/KDC.java
浏览文件 @
e64257fc
...
...
@@ -926,8 +926,7 @@ public class KDC {
if
(
body
.
kdcOptions
.
get
(
KDCOptions
.
ALLOW_POSTDATE
))
{
bFlags
[
Krb5
.
TKT_OPTS_MAY_POSTDATE
]
=
true
;
}
if
(
body
.
kdcOptions
.
get
(
KDCOptions
.
CNAME_IN_ADDL_TKT
)
&&
!
isReferral
)
{
if
(
body
.
kdcOptions
.
get
(
KDCOptions
.
CNAME_IN_ADDL_TKT
))
{
if
(!
options
.
containsKey
(
Option
.
ALLOW_S4U2PROXY
))
{
// Don't understand CNAME_IN_ADDL_TKT
throw
new
KrbException
(
Krb5
.
KDC_ERR_BADOPTION
);
...
...
This diff is collapsed.
Click to expand it.
test/sun/security/krb5/auto/ReferralsTest.java
浏览文件 @
e64257fc
...
...
@@ -52,9 +52,13 @@ public class ReferralsTest {
// Names
private
static
final
String
clientName
=
"test"
;
private
static
final
String
userName
=
"user"
;
private
static
final
String
serviceName
=
"http"
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
"server.dev.rabbit.hole"
;
private
static
final
String
backendServiceName
=
"cifs"
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
"backend.rabbit.hole"
;
// Alias
private
static
final
String
clientAlias
=
clientName
+
...
...
@@ -67,14 +71,34 @@ public class ReferralsTest {
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC1
;
private
static
final
String
clientKDC2Name
=
clientName
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC2
;
private
static
final
String
userKDC1Name
=
userName
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC1
;
private
static
final
String
serviceKDC2Name
=
serviceName
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC2
;
private
static
final
String
backendKDC1Name
=
backendServiceName
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC1
;
private
static
final
String
krbtgtKDC1
=
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC1
;
private
static
final
String
krbtgtKDC2
=
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC2
;
private
static
final
String
krbtgtKDC1toKDC2
=
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC2
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC1
;
private
static
final
String
krbtgtKDC2toKDC1
=
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC1
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC2
;
public
static
void
main
(
String
[]
args
)
throws
Exception
{
try
{
initializeKDCs
();
testSubjectCredentials
();
testDelegated
();
testDelegation
();
testImpersonation
();
testDelegationWithReferrals
();
}
finally
{
cleanup
();
}
...
...
@@ -82,36 +106,35 @@ public class ReferralsTest {
private
static
void
initializeKDCs
()
throws
Exception
{
KDC
kdc1
=
KDC
.
create
(
realmKDC1
,
"localhost"
,
0
,
true
);
kdc1
.
addPrincipalRandKey
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC1
);
kdc1
.
addPrincipal
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC1
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC2
,
password
);
kdc1
.
addPrincipal
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC2
,
password
);
kdc1
.
addPrincipalRandKey
(
krbtgtKDC1
);
kdc1
.
addPrincipal
(
krbtgtKDC2toKDC1
,
password
);
kdc1
.
addPrincipal
(
krbtgtKDC2
,
password
);
kdc1
.
addPrincipal
(
userKDC1Name
,
password
);
kdc1
.
addPrincipal
(
backendServiceName
,
password
);
KDC
kdc2
=
KDC
.
create
(
realmKDC2
,
"localhost"
,
0
,
true
);
kdc2
.
addPrincipalRandKey
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC2
);
kdc2
.
addPrincipalRandKey
(
krbtgtKDC2
);
kdc2
.
addPrincipal
(
clientKDC2Name
,
password
);
kdc2
.
addPrincipal
(
serviceName
,
password
);
kdc2
.
addPrincipal
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC1
,
password
);
kdc2
.
addPrincipal
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC2
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC1
,
password
);
kdc2
.
addPrincipal
(
krbtgtKDC1
,
password
);
kdc2
.
addPrincipal
(
krbtgtKDC1toKDC2
,
password
);
kdc1
.
registerAlias
(
clientAlias
,
kdc2
);
kdc1
.
registerAlias
(
serviceName
,
kdc2
);
kdc2
.
registerAlias
(
clientAlias
,
clientKDC2Name
);
kdc2
.
registerAlias
(
backendServiceName
,
kdc1
);
kdc1
.
setOption
(
KDC
.
Option
.
ALLOW_S4U2SELF
,
Arrays
.
asList
(
new
String
[]{
serviceName
+
"@"
+
realmKDC2
}));
Map
<
String
,
List
<
String
>>
mapKDC1
=
new
HashMap
<>();
mapKDC1
.
put
(
serviceName
+
"@"
+
realmKDC2
,
Arrays
.
asList
(
new
String
[]{
backendKDC1Name
}));
kdc1
.
setOption
(
KDC
.
Option
.
ALLOW_S4U2PROXY
,
mapKDC1
);
Map
<
String
,
List
<
String
>>
mapKDC2
=
new
HashMap
<>();
mapKDC2
.
put
(
serviceName
+
"@"
+
realmKDC2
,
Arrays
.
asList
(
new
String
[]{
serviceName
+
"@"
+
realmKDC2
}));
new
String
[]{
serviceName
+
"@"
+
realmKDC2
,
krbtgtKDC2toKDC1
}));
kdc2
.
setOption
(
KDC
.
Option
.
ALLOW_S4U2PROXY
,
mapKDC2
);
KDC
.
saveConfig
(
krbConfigName
,
kdc1
,
kdc2
,
...
...
@@ -170,10 +193,8 @@ public class ReferralsTest {
String
cname
=
clientTicket
.
getClient
().
getName
();
String
sname
=
clientTicket
.
getServer
().
getName
();
if
(
cname
.
equals
(
clientKDC2Name
))
{
if
(
sname
.
equals
(
PrincipalName
.
TGS_DEFAULT_SRV_NAME
+
PrincipalName
.
NAME_COMPONENT_SEPARATOR_STR
+
realmKDC2
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC2
))
{
if
(
sname
.
equals
(
krbtgtKDC2
+
PrincipalName
.
NAME_REALM_SEPARATOR_STR
+
realmKDC2
))
{
tgtFound
=
true
;
}
else
if
(
sname
.
equals
(
serviceKDC2Name
))
{
tgsFound
=
true
;
...
...
@@ -212,7 +233,7 @@ public class ReferralsTest {
* when requesting different TGTs and TGSs (including the
* request for delegated credentials).
*/
private
static
void
testDelegat
ed
()
throws
Exception
{
private
static
void
testDelegat
ion
()
throws
Exception
{
Context
c
=
Context
.
fromUserPass
(
clientKDC2Name
,
password
,
false
);
c
.
startAsClient
(
serviceName
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
...
...
@@ -245,4 +266,62 @@ public class ReferralsTest {
throw
new
Exception
(
"Unexpected initiator or acceptor names"
);
}
}
/*
* The server (http/server.dev.rabbit.hole@DEV.RABBIT.HOLE)
* will get a TGS ticket for itself on behalf of the client
* (user@RABBIT.HOLE). Cross-realm referrals will be handled
* in S4U2Self requests because the user and the server are
* on different realms.
*/
private
static
void
testImpersonation
()
throws
Exception
{
Context
s
=
Context
.
fromUserPass
(
serviceKDC2Name
,
password
,
true
);
s
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
GSSName
impName
=
s
.
impersonate
(
userKDC1Name
).
cred
().
getName
();
if
(
DEBUG
)
{
System
.
out
.
println
(
"Impersonated name: "
+
impName
);
}
if
(!
impName
.
toString
().
equals
(
userKDC1Name
))
{
throw
new
Exception
(
"Unexpected impersonated name"
);
}
}
/*
* The server (http/server.dev.rabbit.hole@DEV.RABBIT.HOLE)
* will use delegated credentials (user@RABBIT.HOLE) to
* authenticate in the backend (cifs/backend.rabbit.hole@RABBIT.HOLE).
* Cross-realm referrals will be handled in S4U2Proxy requests
* because the server and the backend are on different realms.
*/
private
static
void
testDelegationWithReferrals
()
throws
Exception
{
Context
c
=
Context
.
fromUserPass
(
userKDC1Name
,
password
,
false
);
c
.
startAsClient
(
serviceName
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
Context
s
=
Context
.
fromUserPass
(
serviceKDC2Name
,
password
,
true
);
s
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
Context
.
handshake
(
c
,
s
);
Context
delegatedContext
=
s
.
delegated
();
delegatedContext
.
startAsClient
(
backendServiceName
,
GSSUtil
.
GSS_KRB5_MECH_OID
);
delegatedContext
.
x
().
requestMutualAuth
(
false
);
Context
b
=
Context
.
fromUserPass
(
backendKDC1Name
,
password
,
true
);
b
.
startAsServer
(
GSSUtil
.
GSS_KRB5_MECH_OID
);
// Test authentication
Context
.
handshake
(
delegatedContext
,
b
);
if
(!
delegatedContext
.
x
().
isEstablished
()
||
!
b
.
x
().
isEstablished
())
{
throw
new
Exception
(
"Delegated authentication failed"
);
}
// Test identities
GSSName
contextInitiatorName
=
delegatedContext
.
x
().
getSrcName
();
GSSName
contextAcceptorName
=
delegatedContext
.
x
().
getTargName
();
if
(
DEBUG
)
{
System
.
out
.
println
(
"Context initiator: "
+
contextInitiatorName
);
System
.
out
.
println
(
"Context acceptor: "
+
contextAcceptorName
);
}
if
(!
contextInitiatorName
.
toString
().
equals
(
userKDC1Name
)
||
!
contextAcceptorName
.
toString
().
equals
(
backendServiceName
))
{
throw
new
Exception
(
"Unexpected initiator or acceptor names"
);
}
}
}
This diff is collapsed.
Click to expand it.
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录
新手
引导
客服
返回
顶部