Path: blob/master/src/java.security.jgss/share/classes/sun/security/krb5/internal/ReferralsCache.java
41161 views
/*1* Copyright (c) 2019, Red Hat, Inc.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/2425package sun.security.krb5.internal;2627import java.util.Date;28import java.util.HashMap;29import java.util.LinkedList;30import java.util.List;31import java.util.Map;32import java.util.Map.Entry;3334import sun.security.krb5.Credentials;35import sun.security.krb5.PrincipalName;3637/*38* ReferralsCache class implements a cache scheme for referral TGTs as39* described in RFC 6806 - 10. Caching Information. The goal is to optimize40* resources (such as network traffic) when a client requests credentials for a41* service principal to a given KDC. If a referral TGT was previously received,42* cached information is used instead of issuing a new query. Once a referral43* TGT expires, the corresponding referral entry in the cache is removed.44*/45final class ReferralsCache {4647private static Map<ReferralCacheKey, Map<String, ReferralCacheEntry>>48referralsMap = new HashMap<>();4950private static final class ReferralCacheKey {51private PrincipalName cname;52private PrincipalName sname;53ReferralCacheKey (PrincipalName cname, PrincipalName sname) {54this.cname = cname;55this.sname = sname;56}57public boolean equals(Object other) {58if (!(other instanceof ReferralCacheKey))59return false;60ReferralCacheKey that = (ReferralCacheKey)other;61return cname.equals(that.cname) &&62sname.equals(that.sname);63}64public int hashCode() {65return cname.hashCode() + sname.hashCode();66}67}6869static final class ReferralCacheEntry {70private final Credentials creds;71private final String toRealm;72ReferralCacheEntry(Credentials creds, String toRealm) {73this.creds = creds;74this.toRealm = toRealm;75}76Credentials getCreds() {77return creds;78}79String getToRealm() {80return toRealm;81}82}8384/*85* Add a new referral entry to the cache, including: client principal,86* service principal, source KDC realm, destination KDC realm and87* referral TGT.88*89* If a loop is generated when adding the new referral, the first hop is90* automatically removed. For example, let's assume that adding a91* REALM-3.COM -> REALM-1.COM referral generates the following loop:92* REALM-1.COM -> REALM-2.COM -> REALM-3.COM -> REALM-1.COM. Then,93* REALM-1.COM -> REALM-2.COM referral entry is removed from the cache.94*/95static synchronized void put(PrincipalName cname, PrincipalName service,96String fromRealm, String toRealm, Credentials creds) {97ReferralCacheKey k = new ReferralCacheKey(cname, service);98pruneExpired(k);99if (creds.getEndTime().before(new Date())) {100return;101}102Map<String, ReferralCacheEntry> entries = referralsMap.get(k);103if (entries == null) {104entries = new HashMap<String, ReferralCacheEntry>();105referralsMap.put(k, entries);106}107entries.remove(fromRealm);108ReferralCacheEntry newEntry = new ReferralCacheEntry(creds, toRealm);109entries.put(fromRealm, newEntry);110111// Remove loops within the cache112ReferralCacheEntry current = newEntry;113List<ReferralCacheEntry> seen = new LinkedList<>();114while (current != null) {115if (seen.contains(current)) {116// Loop found. Remove the first referral to cut the loop.117entries.remove(newEntry.getToRealm());118break;119}120seen.add(current);121current = entries.get(current.getToRealm());122}123}124125/*126* Obtain a referral entry from the cache given a client principal,127* service principal and a source KDC realm.128*/129static synchronized ReferralCacheEntry get(PrincipalName cname,130PrincipalName service, String fromRealm) {131ReferralCacheKey k = new ReferralCacheKey(cname, service);132pruneExpired(k);133Map<String, ReferralCacheEntry> entries = referralsMap.get(k);134if (entries != null) {135ReferralCacheEntry toRef = entries.get(fromRealm);136if (toRef != null) {137return toRef;138}139}140return null;141}142143/*144* Remove referral entries from the cache when referral TGTs expire.145*/146private static void pruneExpired(ReferralCacheKey k) {147Date now = new Date();148Map<String, ReferralCacheEntry> entries = referralsMap.get(k);149if (entries != null) {150for (Entry<String, ReferralCacheEntry> mapEntry :151entries.entrySet()) {152if (mapEntry.getValue().getCreds().getEndTime().before(now)) {153entries.remove(mapEntry.getKey());154}155}156}157}158}159160161