changeset 8076:014a34d10e44

8004488: wrong permissions checked in krb5 Reviewed-by: xuelei
author weijun
date Wed, 08 Oct 2014 14:10:25 +0100
parents 4c1747bcb284
children 715d90e998c9
files src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java src/share/classes/sun/security/jgss/krb5/Krb5Util.java test/sun/security/krb5/auto/KeyPermissions.java test/sun/security/krb5/auto/KeyTabCompat.java
diffstat 4 files changed, 63 insertions(+), 57 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Wed Oct 08 14:24:54 2014 +0400
+++ b/src/share/classes/com/sun/security/auth/module/Krb5LoginModule.java	Wed Oct 08 14:10:25 2014 +0100
@@ -1062,10 +1062,6 @@
                     if (ktab != null) {
                         if (!privCredSet.contains(ktab)) {
                             privCredSet.add(ktab);
-                            // Compatibility; also add keys to privCredSet
-                            for (KerberosKey key: ktab.getKeys(kerbClientPrinc)) {
-                                privCredSet.add(new Krb5Util.KeysFromKeyTab(key));
-                            }
                         }
                     } else {
                         succeeded = false;
--- a/src/share/classes/sun/security/jgss/krb5/Krb5Util.java	Wed Oct 08 14:24:54 2014 +0400
+++ b/src/share/classes/sun/security/jgss/krb5/Krb5Util.java	Wed Oct 08 14:10:25 2014 +0100
@@ -40,10 +40,7 @@
 import sun.security.krb5.KrbException;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Iterator;
 import java.util.List;
-import java.util.Objects;
-import java.util.Set;
 import sun.misc.SharedSecrets;
 import sun.security.krb5.PrincipalName;
 /**
@@ -189,16 +186,6 @@
         return subject;
     }
 
-    // A special KerberosKey, used as keys read from a KeyTab object.
-    // Each time new keys are read from KeyTab objects in the private
-    // credentials set, old ones are removed and new ones added.
-    public static class KeysFromKeyTab extends KerberosKey {
-        public KeysFromKeyTab(KerberosKey key) {
-            super(key.getPrincipal(), key.getEncoded(),
-                    key.getKeyType(), key.getVersionNumber());
-        }
-    }
-
     /**
      * Credentials of a service, the private secret to authenticate its
      * identity, which can be:
@@ -237,7 +224,7 @@
                 // Compatibility with old behavior: even when there is no
                 // KerberosPrincipal, we can find one from KerberosKeys
                 List<KerberosKey> keys = SubjectComber.findMany(
-                        subj, null, null, KerberosKey.class);
+                        subj, serverPrincipal, null, KerberosKey.class);
                 if (!keys.isEmpty()) {
                     sc.kp = keys.get(0).getPrincipal();
                     serverPrincipal = sc.kp.getName();
@@ -264,38 +251,17 @@
         }
 
         public KerberosKey[] getKKeys() {
-            if (ktabs.isEmpty()) {
-                return kk.toArray(new KerberosKey[kk.size()]);
-            } else {
                 List<KerberosKey> keys = new ArrayList<>();
+            for (KerberosKey k: kk) {
+                keys.add(k);
+            }
                 for (KeyTab ktab: ktabs) {
                     for (KerberosKey k: ktab.getKeys(kp)) {
                         keys.add(k);
                     }
                 }
-                // Compatibility: also add keys to privCredSet. Remove old
-                // ones first, only remove those from keytab.
-                if (!subj.isReadOnly()) {
-                    Set<Object> pcs = subj.getPrivateCredentials();
-                    synchronized (pcs) {
-                        Iterator<Object> iterator = pcs.iterator();
-                        while (iterator.hasNext()) {
-                            Object obj = iterator.next();
-                            if (obj instanceof KeysFromKeyTab) {
-                                KerberosKey key = (KerberosKey)obj;
-                                if (Objects.equals(key.getPrincipal(), kp)) {
-                                    iterator.remove();
-                                }
-                            }
-                        }
-                    }
-                    for (KerberosKey key: keys) {
-                        subj.getPrivateCredentials().add(new KeysFromKeyTab(key));
-                    }
-                }
                 return keys.toArray(new KerberosKey[keys.size()]);
             }
-        }
 
         public EncryptionKey[] getEKeys() {
             KerberosKey[] kkeys = getKKeys();
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/KeyPermissions.java	Wed Oct 08 14:10:25 2014 +0100
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8004488
+ * @summary wrong permissions checked in krb5
+ * @compile -XDignore.symbol.file KeyPermissions.java
+ * @run main/othervm KeyPermissions
+ */
+
+import java.security.AccessControlException;
+import java.security.Permission;
+import javax.security.auth.PrivateCredentialPermission;
+import sun.security.jgss.GSSUtil;
+
+public class KeyPermissions extends SecurityManager {
+
+    @Override
+    public void checkPermission(Permission perm) {
+        if (perm instanceof PrivateCredentialPermission) {
+            if (!perm.getName().startsWith("javax.security.auth.kerberos.")) {
+                throw new AccessControlException(
+                        "I don't like this", perm);
+            }
+        }
+    }
+
+    public static void main(String[] args) throws Exception {
+        System.setSecurityManager(new KeyPermissions());
+        new OneKDC(null).writeJAASConf();
+        Context s = Context.fromJAAS("server");
+        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+    }
+}
+
--- a/test/sun/security/krb5/auto/KeyTabCompat.java	Wed Oct 08 14:24:54 2014 +0400
+++ b/test/sun/security/krb5/auto/KeyTabCompat.java	Wed Oct 08 14:10:25 2014 +0100
@@ -24,6 +24,7 @@
 /*
  * @test
  * @bug 6894072
+ * @bug 8004488
  * @compile -XDignore.symbol.file KeyTabCompat.java
  * @run main/othervm KeyTabCompat
  * @summary always refresh keytab
@@ -70,21 +71,8 @@
         s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
         s.status();
 
-        if (s.s().getPrivateCredentials(KerberosKey.class).size() != 1) {
-            throw new Exception("There should be one KerberosKey");
+        if (s.s().getPrivateCredentials(KerberosKey.class).size() != 0) {
+            throw new Exception("There should be no KerberosKey");
         }
-
-        Thread.sleep(2000);     // make sure ktab timestamp is different
-
-        kdc.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
-        kdc.writeKtab(OneKDC.KTAB);
-
-        Context.handshake(c, s);
-        s.status();
-
-        if (s.s().getPrivateCredentials(KerberosKey.class).size() != 1) {
-            throw new Exception("There should be only one KerberosKey");
         }
-
     }
-}