/* * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.jgss; import java.util.HashMap; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import org.ietf.jgss.Oid; import sun.security.action.GetPropertyAction; /** * A Configuration implementation especially designed for JGSS. * * @author weijun.wang * @since 1.6 */ public class LoginConfigImpl extends Configuration { private final Configuration config; private final GSSCaller caller; private final String mechName; private static final sun.security.util.Debug debug = sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]"); public static final boolean HTTP_USE_GLOBAL_CREDS; static { String prop = GetPropertyAction .privilegedGetProperty("http.use.global.creds"); //HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true } /** * A new instance of LoginConfigImpl must be created for each login request * since it's only used by a single (caller, mech) pair * @param caller defined in GSSUtil as CALLER_XXX final fields * @param oid defined in GSSUtil as XXX_MECH_OID final fields */ public LoginConfigImpl(GSSCaller caller, Oid mech) { this.caller = caller; if (mech.equals(GSSUtil.GSS_KRB5_MECH_OID)) { mechName = "krb5"; } else { throw new IllegalArgumentException(mech.toString() + " not supported"); } config = java.security.AccessController.doPrivileged (new java.security.PrivilegedAction () { public Configuration run() { return Configuration.getConfiguration(); } }); } /** * @param name Almost useless, since the (caller, mech) is already passed * into constructor. The only use will be detecting OTHER which * is called in LoginContext */ public AppConfigurationEntry[] getAppConfigurationEntry(String name) { AppConfigurationEntry[] entries = null; // This is the second call from LoginContext, which we will just ignore if ("OTHER".equalsIgnoreCase(name)) { return null; } String[] alts = null; // Compatibility: // For the 4 old callers, old entry names will be used if the new // entry name is not provided. if ("krb5".equals(mechName)) { if (caller == GSSCaller.CALLER_INITIATE) { alts = new String[] { "com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.initiate", }; } else if (caller == GSSCaller.CALLER_ACCEPT) { alts = new String[] { "com.sun.security.jgss.krb5.accept", "com.sun.security.jgss.accept", }; } else if (caller == GSSCaller.CALLER_SSL_CLIENT) { alts = new String[] { "com.sun.security.jgss.krb5.initiate", "com.sun.net.ssl.client", }; } else if (caller == GSSCaller.CALLER_SSL_SERVER) { alts = new String[] { "com.sun.security.jgss.krb5.accept", "com.sun.net.ssl.server", }; } else if (caller instanceof HttpCaller) { alts = new String[] { "com.sun.security.jgss.krb5.initiate", }; } else if (caller == GSSCaller.CALLER_UNKNOWN) { throw new AssertionError("caller not defined"); } } else { throw new IllegalArgumentException(mechName + " not supported"); // No other mech at the moment, maybe -- /* switch (caller) { case GSSUtil.CALLER_INITIATE: case GSSUtil.CALLER_SSL_CLIENT: case GSSUtil.CALLER_HTTP_NEGOTIATE: alts = new String[] { "com.sun.security.jgss." + mechName + ".initiate", }; break; case GSSUtil.CALLER_ACCEPT: case GSSUtil.CALLER_SSL_SERVER: alts = new String[] { "com.sun.security.jgss." + mechName + ".accept", }; break; case GSSUtil.CALLER_UNKNOWN: // should never use throw new AssertionError("caller cannot be unknown"); default: throw new AssertionError("caller not defined"); } */ } for (String alt: alts) { entries = config.getAppConfigurationEntry(alt); if (debug != null) { debug.println("Trying " + alt + ((entries == null)?": does not exist.":": Found!")); } if (entries != null) { break; } } if (entries == null) { if (debug != null) { debug.println("Cannot read JGSS entry, use default values instead."); } entries = getDefaultConfigurationEntry(); } return entries; } /** * Default value for a caller-mech pair when no entry is defined in * the system-wide Configuration object. */ private AppConfigurationEntry[] getDefaultConfigurationEntry() { HashMap options = new HashMap (2); if (mechName == null || mechName.equals("krb5")) { if (isServerSide(caller)) { // Assuming the keytab file can be found through // krb5 config file or under user home directory options.put("useKeyTab", "true"); options.put("storeKey", "true"); options.put("doNotPrompt", "true"); options.put("principal", "*"); options.put("isInitiator", "false"); } else { if (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) { options.put("useTicketCache", "false"); } else { options.put("useTicketCache", "true"); } options.put("doNotPrompt", "false"); } return new AppConfigurationEntry[] { new AppConfigurationEntry( "com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) }; } return null; } private static boolean isServerSide (GSSCaller caller) { return GSSCaller.CALLER_ACCEPT == caller || GSSCaller.CALLER_SSL_SERVER == caller; } }