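/*
 * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 8005447 8194486
 * @summary default principal can act as anyone
 * @library /test/lib
 * @compile -XDignore.symbol.file AcceptPermissions.java
 * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
 * @run main/othervm -Djava.security.manager=allow -Djdk.net.hosts.file=TestHosts AcceptPermissions two
 * @run main/othervm -Djava.security.manager=allow -Djdk.net.hosts.file=TestHosts AcceptPermissions unbound
 */

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.Permission;
import javax.security.auth.kerberos.ServicePermission;
import sun.security.jgss.GSSUtil;
import java.util.*;

/**
 * Regression test for the Kerberos acceptor permission checks
 * (bug 8005447, "default principal can act as anyone").
 *
 * <p>The test installs itself as the {@code SecurityManager} so that every
 * {@link ServicePermission} check with the {@code "accept"} action made by
 * the JGSS/Kerberos code is observed. {@link #initPerms} declares which
 * accept permissions the next step is expected to check; {@link #checkPerms}
 * fails the test if a declared permission was never checked, and
 * {@link #checkPermission} fails it if an undeclared one is checked. This
 * way the test pins down exactly which acceptor names must be covered by
 * an accept permission, including the case where the acceptor has no
 * predictable name (the {@code unbound} JAAS entry, {@code principal=*}).
 *
 * <p>{@code args[0]} names the JAAS entry used as the acceptor in the
 * second and fourth cases: {@code two} (two {@code Krb5LoginModule}s) or
 * {@code unbound}, see the {@code @run} lines above.
 */
public class AcceptPermissions extends SecurityManager {

    // Accept permissions the current step is expected to check, mapped to
    // "expected" (declared, not seen yet) or "checked" (observed).
    // Never reassigned; initPerms clears and refills it.
    private static final Map<Permission,String> perms = new HashMap<>();

    /**
     * Records accept {@code ServicePermission} checks.
     *
     * <p>Permissions of any other type or action are ignored. A check is
     * recorded only when the superclass denies it: no grant for these
     * permissions is visible in this test, so a granted check would leave
     * the entry "expected" and be reported by {@link #checkPerms}. A denied
     * check on a permission this test did not declare is rethrown, so an
     * unexpected accept check fails the test at the point it happens.
     *
     * @param perm the permission being checked
     * @throws SecurityException for a denied accept permission that was not
     *         declared with {@link #initPerms}
     */
    @Override
    public void checkPermission(Permission perm) {
        if (!(perm instanceof ServicePermission)) {
            return;
        }
        ServicePermission sp = (ServicePermission)perm;
        if (!sp.getActions().equals("accept")) {
            return;
        }
        // We only care about accept ServicePermission in this test
        try {
            super.checkPermission(sp);
        } catch (SecurityException se) {
            if (perms.containsKey(sp)) {
                perms.put(sp, "checked");
            } else {
                throw se; // We didn't expect this is needed
            }
        }
    }

    /**
     * Declares the accept permissions the next step is expected to check,
     * discarding whatever was declared before.
     *
     * @param names service names without realm; each becomes a
     *              {@code ServicePermission} on {@code name@REALM} with the
     *              {@code "accept"} action. Passing no names declares that no
     *              accept check is expected at all.
     */
    private static void initPerms(String... names) {
        perms.clear();
        for (String name: names) {
            perms.put(new ServicePermission(
                    name + "@" + OneKDC.REALM, "accept"), "expected");
        }
    }

    /**
     * Verifies that every permission declared by {@link #initPerms} has been
     * checked since. An entry still marked "expected" means the acceptor got
     * through the step without the corresponding accept permission check.
     *
     * @throws RuntimeException naming the first permission that was declared
     *         but never checked
     */
    private static void checkPerms() {
        for (Map.Entry<Permission,String> entry: perms.entrySet()) {
            if (entry.getValue().equals("expected")) {
                throw new RuntimeException(
                        "Expected but not used: " + entry.getKey());
            }
        }
    }

    /**
     * Runs the four acceptor scenarios against a local KDC.
     *
     * @param args {@code args[0]} is the JAAS entry name for the multi-module
     *             and unbound acceptor cases ({@code two} or {@code unbound})
     * @throws Exception on KDC, JAAS or GSS failure, or when a permission
     *         check is missing or unexpected
     */
    public static void main(String[] args) throws Exception {
        // Installing a SecurityManager needs -Djava.security.manager=allow
        // on recent JDKs; the @run lines above pass it.
        System.setSecurityManager(new AcceptPermissions());
        new OneKDC(null).writeJAASConf();
        // Two extra acceptor entries appended to the generated JAAS config:
        // "two" holds two Krb5LoginModules (SERVER and BACKEND), "unbound"
        // uses principal=* so the acceptor has no fixed name.
        String moreEntries = "two {\n"
                + " com.sun.security.auth.module.Krb5LoginModule required"
                + " principal=\"" + OneKDC.SERVER + "\" useKeyTab=true"
                + " isInitiator=false storeKey=true;\n"
                + " com.sun.security.auth.module.Krb5LoginModule required"
                + " principal=\"" + OneKDC.BACKEND + "\" useKeyTab=true"
                + " isInitiator=false storeKey=true;\n"
                + "};\n"
                + "unbound {"
                + " com.sun.security.auth.module.Krb5LoginModule required"
                + " principal=* useKeyTab=true"
                + " isInitiator=false storeKey=true;\n"
                + "};\n";
        // Explicit charset: the text is ASCII, but getBytes() with no
        // argument depends on the platform default before JDK 18.
        Files.write(Paths.get(OneKDC.JAAS_CONF),
                moreEntries.getBytes(StandardCharsets.UTF_8),
                StandardOpenOption.APPEND);

        Context c, s;

        // In all cases, a ServicePermission on the acceptor name is needed
        // for a handshake. For default principal with no predictable name,
        // permission not needed (yet) for credentials creation.

        // Named principal
        initPerms(OneKDC.SERVER);
        c = Context.fromJAAS("client");
        s = Context.fromJAAS("server");
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        initPerms(OneKDC.SERVER);
        Context.handshake(c, s);
        checkPerms();

        // Named principal (even if there are 2 JAAS modules)
        initPerms(OneKDC.SERVER);
        c = Context.fromJAAS("client");
        s = Context.fromJAAS(args[0]);
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        initPerms(OneKDC.SERVER);
        Context.handshake(c, s);
        checkPerms();

        // Default principal with a predictable name
        initPerms(OneKDC.SERVER);
        c = Context.fromJAAS("client");
        s = Context.fromJAAS("server");
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        initPerms(OneKDC.SERVER);
        Context.handshake(c, s);
        checkPerms();

        // Default principal with no predictable name
        initPerms(); // permission not needed for cred !!!
        c = Context.fromJAAS("client");
        s = Context.fromJAAS(args[0]);
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        // The acceptor name is only known once the client's token names it;
        // that is where the accept permission must be checked.
        initPerms(OneKDC.SERVER); // still needed for handshake !!!
        Context.handshake(c, s);
        checkPerms();
    }
}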