Mercurial > hg > icedtea8-forest > jdk
changeset 11418:8027bdc8f3d2 jdk8u45-b36
8077155: LoginContext Subject ignored by jdk8 sun.net.www.protocol.http.HttpURLConnection
Reviewed-by: michaelm
| author | robm |
|---|---|
| date | Thu, 21 May 2015 13:21:38 +0100 |
| parents | 409df6e80e1e |
| children | c05a28757ba5 |
| files | src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java test/sun/security/krb5/auto/HttpNegotiateServer.java |
| diffstat | 2 files changed, 160 insertions(+), 7 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Mon Feb 16 20:23:18 2015 +0300 +++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Thu May 21 13:21:38 2015 +0100 @@ -982,7 +982,7 @@ SocketPermission p = URLtoSocketPermission(this.url); if (p != null) { try { - AccessController.doPrivileged( + AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<Void>() { public Void run() throws IOException { plainConnect0(); @@ -1243,7 +1243,7 @@ if (p != null) { try { - return AccessController.doPrivileged( + return AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<OutputStream>() { public OutputStream run() throws IOException { return getOutputStream0(); @@ -1426,7 +1426,7 @@ if (p != null) { try { - return AccessController.doPrivileged( + return AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<InputStream>() { public InputStream run() throws IOException { return getInputStream0(); @@ -2568,7 +2568,7 @@ if (p != null) { try { - return AccessController.doPrivileged( + return AccessController.doPrivilegedWithCombiner( new PrivilegedExceptionAction<Boolean>() { public Boolean run() throws IOException { return followRedirect0(loc, stat, locUrl0);
--- a/test/sun/security/krb5/auto/HttpNegotiateServer.java Mon Feb 16 20:23:18 2015 +0300 +++ b/test/sun/security/krb5/auto/HttpNegotiateServer.java Thu May 21 13:21:38 2015 +0100 @@ -40,16 +40,28 @@ import java.io.File; import java.io.FileOutputStream; import java.io.IOException; +import java.io.InputStream; import java.io.InputStreamReader; import java.net.HttpURLConnection; import java.net.InetSocketAddress; import java.net.PasswordAuthentication; import java.net.Proxy; import java.net.URL; -import java.security.PrivilegedExceptionAction; +import java.net.URLConnection; +import java.security.*; import java.util.HashMap; import java.util.Map; import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.AppConfigurationEntry; +import javax.security.auth.login.Configuration; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; +import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag; import org.ietf.jgss.GSSContext; import org.ietf.jgss.GSSCredential; import org.ietf.jgss.GSSManager; @@ -191,7 +203,7 @@ proxyUrl = new URL("http://nosuchplace/a/b/c"); try { - Exception e1 = null, e2 = null; + Exception e1 = null, e2 = null, e3 = null; try { test6578647(); } catch (Exception e) { @@ -204,7 +216,14 @@ e2 = e; e.printStackTrace(); } - if (e1 != null || e2 != null) { + try { + test8077155(); + } catch (Exception e) { + e3 = e; + e.printStackTrace(); + } + + if (e1 != null || e2 != null || e3 != null) { throw new RuntimeException("Test error"); } } finally { @@ -248,6 +267,121 @@ } } + static void testConnect() { + InputStream inputStream = null; + try { + URL url = webUrl; + + URLConnection conn = url.openConnection(); + conn.connect(); + inputStream = conn.getInputStream(); + byte[] b = new byte[inputStream.available()]; + for (int j = 0; j < b.length; j++) { + b[j] = (byte) inputStream.read(); + } + String s = new String(b); + System.out.println("Length: " + s.length()); + System.out.println(s); + } catch (Exception ex) { + throw new RuntimeException(ex); + } finally { + if (inputStream != null) { + try { + inputStream.close(); + } catch (IOException e) { + e.printStackTrace(); + } + } + } + } + + static void test8077155() throws Exception { + final String username = WEB_USER; + final char[] password = WEB_PASS; + + SecurityManager security = new SecurityManager(); + Policy.setPolicy(new SecurityPolicy()); + System.setSecurityManager(security); + + CallbackHandler callback = new CallbackHandler() { + @Override + public void handle(Callback[] pCallbacks) throws IOException, UnsupportedCallbackException { + for (Callback cb : pCallbacks) { + if (cb instanceof NameCallback) { + NameCallback ncb = (NameCallback)cb; + ncb.setName(username); + + } else if (cb instanceof PasswordCallback) { + PasswordCallback pwdcb = (PasswordCallback) cb; + pwdcb.setPassword(password); + } + } + } + + }; + + final String jaasConfigName = "oracle.test.kerberos.login"; + final String krb5LoginModule = "com.sun.security.auth.module.Krb5LoginModule"; + + Configuration loginConfig = new Configuration() { + @Override + public AppConfigurationEntry[] getAppConfigurationEntry(String name) { + if (! jaasConfigName.equals(name)) { + return new AppConfigurationEntry[0]; + } + + Map<String, String> options = new HashMap<String, String>(); + options.put("useTicketCache", Boolean.FALSE.toString()); + options.put("useKeyTab", Boolean.FALSE.toString()); + + return new AppConfigurationEntry[] { + new AppConfigurationEntry(krb5LoginModule, + LoginModuleControlFlag.REQUIRED, + options) + }; + } + }; + + // oracle context/subject/login + LoginContext context = null; + try { + context = new LoginContext("oracle.test.kerberos.login", null, callback, loginConfig); + context.login(); + + } catch (LoginException ex) { + ex.printStackTrace(); + throw new RuntimeException(ex); + } + + + Subject subject = context.getSubject(); + + final PrivilegedExceptionAction<Object> test_action = new PrivilegedExceptionAction<Object>() { + public Object run() throws Exception { + testConnect(); + return null; + } + }; + + System.err.println("\n\nExpecting to succeed when executing with the the logged in subject."); + + try { + Subject.doAs(subject, test_action); + System.err.println("\n\nConnection succeed when executing with the the logged in subject."); + } catch (PrivilegedActionException e) { + System.err.println("\n\nFailure unexpected when executing with the the logged in subject."); + e.printStackTrace(); + throw new RuntimeException("Failed to login as subject"); + } + + try { + System.err.println("\n\nExpecting to fail when running with the current user's login."); + testConnect(); + } catch (Exception ex) { + System.err.println("\nConnect failed when running with the current user's login:\n" + ex.getMessage()); + } + } + /** * Creates and starts an HTTP or proxy server that requires * Negotiate authentication. @@ -360,3 +494,22 @@ } } } + +class SecurityPolicy extends Policy { + + private static Permissions perms; + + public SecurityPolicy() { + super(); + if (perms == null) { + perms = new Permissions(); + perms.add(new AllPermission()); + } + } + + @Override + public PermissionCollection getPermissions(CodeSource codesource) { + return perms; + } + +}