Path: blob/master/test/jdk/com/sun/security/sasl/gsskerb/NoSecurityLayer.java
41154 views
/*1* Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation.7*8* This code is distributed in the hope that it will be useful, but WITHOUT9* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or10* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License11* version 2 for more details (a copy is included in the LICENSE file that12* accompanied this code).13*14* You should have received a copy of the GNU General Public License version15* 2 along with this work; if not, write to the Free Software Foundation,16* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.17*18* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA19* or visit www.oracle.com if you need additional information or have any20* questions.21*/2223/*24* @test25* @bug 487355226* @summary GSS-API/krb5 SASL mechanism should throw IllegalStateException27* for auth-only28* @run main/manual NoSecurityLayer29*/3031/*32* Set logging to FINEST to view exchange.33* See run-nosec-wjaas.csh for instructions for how to run this test.34*/3536import javax.security.sasl.*;37import javax.security.auth.callback.*;38import java.security.*;39import javax.security.auth.Subject;40import javax.security.auth.login.*;41import com.sun.security.auth.callback.*;42import java.util.HashMap;4344public class NoSecurityLayer {45private static final String MECH = "GSSAPI";46private static final String SERVER_FQDN = "anti.imc.org";47private static final String PROTOCOL = "sample";4849private static String namesfile, proxyfile;50private static final byte[] EMPTY = new byte[0];51private static boolean auto;52private static boolean verbose = false;5354public static void main(String[] args) throws Exception {55if (args.length == 0) {56namesfile = null;57auto = true;58} else {59int i = 0;60if (args[i].equals("-m")) {61i++;62auto = false;63}64if (args.length > i) {65namesfile = args[i++];66if (args.length > i) {67proxyfile = args[i];68}69} else {70namesfile = null;71}72}7374CallbackHandler clntCbh = null;75final CallbackHandler srvCbh = new PropertiesFileCallbackHandler(76null, namesfile, proxyfile);7778Subject clntSubj = doLogin("client");79Subject srvSubj = doLogin("server");80final HashMap clntprops = new HashMap();81final HashMap srvprops = new HashMap();8283clntprops.put(Sasl.QOP, "auth");84srvprops.put(Sasl.QOP, "auth,auth-int,auth-conf");8586final SaslClient clnt = (SaslClient)87Subject.doAs(clntSubj, new PrivilegedExceptionAction() {88public Object run() throws Exception {89return Sasl.createSaslClient(90new String[]{MECH}, null, PROTOCOL, SERVER_FQDN,91clntprops, null);92}93});9495if (verbose) {96System.out.println(clntSubj);97System.out.println(srvSubj);98}99final SaslServer srv = (SaslServer)100Subject.doAs(srvSubj, new PrivilegedExceptionAction() {101public Object run() throws Exception {102return Sasl.createSaslServer(MECH, PROTOCOL, SERVER_FQDN,103srvprops, srvCbh);104}105});106107108if (clnt == null) {109throw new IllegalStateException(110"Unable to find client impl for " + MECH);111}112if (srv == null) {113throw new IllegalStateException(114"Unable to find server impl for " + MECH);115}116117byte[] response;118byte[] challenge;119120response = (byte[]) Subject.doAs(clntSubj,121new PrivilegedExceptionAction() {122public Object run() throws Exception {123return (clnt.hasInitialResponse()? clnt.evaluateChallenge(EMPTY) : EMPTY);124}});125126while (!clnt.isComplete() || !srv.isComplete()) {127final byte[] responseCopy = response;128challenge = (byte[]) Subject.doAs(srvSubj,129new PrivilegedExceptionAction() {130public Object run() throws Exception {131return srv.evaluateResponse(responseCopy);132}});133134if (challenge != null) {135final byte[] challengeCopy = challenge;136response = (byte[]) Subject.doAs(clntSubj,137new PrivilegedExceptionAction() {138public Object run() throws Exception {139return clnt.evaluateChallenge(challengeCopy);140}});141}142}143144if (clnt.isComplete() && srv.isComplete()) {145if (verbose) {146System.out.println("SUCCESS");147System.out.println("authzid is " + srv.getAuthorizationID());148}149} else {150throw new IllegalStateException("FAILURE: mismatched state:" +151" client complete? " + clnt.isComplete() +152" server complete? " + srv.isComplete());153}154155if (verbose) {156System.out.println(clnt.getNegotiatedProperty(Sasl.QOP));157}158159// Now try to use security layer160161byte[] clntBuf = new byte[]{0, 1, 2, 3};162try {163byte[] wrapped = clnt.wrap(clntBuf, 0, clntBuf.length);164throw new Exception(165"clnt wrap should not be allowed w/no security layer");166} catch (IllegalStateException e) {167// expected168}169170byte[] srvBuf = new byte[]{10, 11, 12, 13};171try {172byte[] wrapped = srv.wrap(srvBuf, 0, srvBuf.length);173throw new Exception(174"srv wrap should not be allowed w/no security layer");175} catch (IllegalStateException e) {176// expected177}178179try {180byte[] unwrapped = clnt.unwrap(clntBuf, 0, clntBuf.length);181throw new Exception(182"clnt wrap should not be allowed w/no security layer");183} catch (IllegalStateException e) {184// expected185}186187try {188byte[] unwrapped = srv.unwrap(srvBuf, 0, srvBuf.length);189throw new Exception(190"srv wrap should not be allowed w/no security layer");191} catch (IllegalStateException e) {192// expected193}194}195196private static Subject doLogin(String msg) throws LoginException {197LoginContext lc = null;198if (verbose) {199System.out.println(msg);200}201try {202lc = new LoginContext(msg, new TextCallbackHandler());203204// Attempt authentication205// You might want to do this in a "for" loop to give206// user more than one chance to enter correct username/password207lc.login();208209} catch (LoginException le) {210throw le;211}212return lc.getSubject();213}214}215216217