changeset 3947:cc989209cbf1
6997851: Create NTLM AuthenticationCallBack class to avoid NTLM info leakage on client side
Reviewed-by: michaelm
author | chegar |
---|---|
date | Mon, 10 Jan 2011 18:12:43 +0000 |
parents | 85ccd221280b |
children | b5c340d6c905 |
files | make/sun/net/FILES_java.gmk src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java src/share/classes/sun/net/www/protocol/http/NTLMAuthenticationProxy.java src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java |
diffstat | 6 files changed, 108 insertions(+), 3 deletions(-) [+] |
--- a/make/sun/net/FILES_java.gmk Mon Nov 01 11:32:50 2010 -0400
+++ b/make/sun/net/FILES_java.gmk Mon Jan 10 18:12:43 2011 +0000
@@ -100,6 +100,7 @@
 sun/net/www/protocol/http/NegotiateAuthentication.java \
 sun/net/www/protocol/http/Negotiator.java \
 sun/net/www/protocol/http/ntlm/NTLMAuthentication.java \
+ sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java \
 sun/net/www/protocol/http/spnego/NegotiatorImpl.java \
 sun/net/www/protocol/http/spnego/NegotiateCallbackHandler.java \
 sun/net/www/protocol/http/logging/HttpLogFormatter.java \
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Mon Nov 01 11:32:50 2010 -0400
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java Mon Jan 10 18:12:43 2011 +0000
@@ -2173,6 +2173,13 @@
 if (tryTransparentNTLMServer) {
 tryTransparentNTLMServer =
 NTLMAuthenticationProxy.proxy.supportsTransparentAuth;
+ /* If the platform supports transparent authentication
+ * then check if we are in a secure environment
+ * whether, or not, we should try transparent authentication.*/
+ if (tryTransparentNTLMServer) {
+ tryTransparentNTLMServer =
+ NTLMAuthenticationProxy.proxy.isTrustedSite(url);
+ }
 }
 a = null;
 if (tryTransparentNTLMServer) {
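Review bot: The new trust gate is applied only to `tryTransparentNTLMServer`; whether the proxy-authentication branch of this method (if it has one) receives the same `isTrustedSite` check is not visible in this hunk and should be confirmed, because transparent NTLM hands the logged-in user's domain, username and NTLM response to whichever peer asks for them. `isTrustedSite(URL)` is declared `static` on `NTLMAuthenticationProxy` yet is invoked through the `proxy` instance here; `NTLMAuthenticationProxy.isTrustedSite(url)` states what actually happens. The added comment is hard to parse as written; suggest `/* Even when the platform can do transparent NTLM, only send the current user's credentials automatically to sites the deployment trust callback approves. */`. The enclosing method starts before and ends after this hunk.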
--- a/src/share/classes/sun/net/www/protocol/http/NTLMAuthenticationProxy.java Mon Nov 01 11:32:50 2010 -0400 +++ b/src/share/classes/sun/net/www/protocol/http/NTLMAuthenticationProxy.java Mon Jan 10 18:12:43 2011 +0000 @@ -36,12 +36,14 @@ */ class NTLMAuthenticationProxy { private static Method supportsTA; + private static Method isTrustedSite; private static final String clazzStr = "sun.net.www.protocol.http.ntlm.NTLMAuthentication"; private static final String supportsTAStr = "supportsTransparentAuth"; + private static final String isTrustedSiteStr = "isTrustedSite"; static final NTLMAuthenticationProxy proxy = tryLoadNTLMAuthentication(); static final boolean supported = proxy != null ? true : false; - static final boolean supportsTransparentAuth = supported ? supportsTransparentAuth(supportsTA) : false; + static final boolean supportsTransparentAuth = supported ? supportsTransparentAuth() : false; private final Constructor<? extends AuthenticationInfo> threeArgCtr; private final Constructor<? extends AuthenticationInfo> fiveArgCtr; @@ -82,9 +84,22 @@ * authentication (try with the current users credentials before * prompting for username and password, etc). */ - private static boolean supportsTransparentAuth(Method method) { + private static boolean supportsTransparentAuth() { try { - return (Boolean)method.invoke(null); + return (Boolean)supportsTA.invoke(null); + } catch (ReflectiveOperationException roe) { + finest(roe); + } + + return false; + } + + /* Transparent authentication should only be tried with a trusted + * site ( when running in a secure environment ). + */ + public static boolean isTrustedSite(URL url) { + try { + return (Boolean)isTrustedSite.invoke(null, url); } catch (ReflectiveOperationException roe) { finest(roe); } 
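Review bot: In the second hunk the static `Method` field `isTrustedSite` and the new static method `isTrustedSite(URL)` share a name, so `isTrustedSite.invoke(null, url)` inside `isTrustedSite(URL)` reads like recursion at first glance; renaming the field, e.g. `private static Method isTrustedSiteMethod;`, removes the ambiguity. The fail-closed property — a `ReflectiveOperationException` is logged via `finest` and the method presumably falls through to a `return false` just past the end of the hunk, mirroring the added `supportsTransparentAuth()` body — is the security-relevant part and should be stated in the comment: `/* Fail closed: if the platform class cannot answer, treat the site as untrusted and never send the logged-in user's NTLM credentials unprompted. */`. A `NullPointerException` from an unassigned `isTrustedSite` field is not a `ReflectiveOperationException` and would propagate; callers currently reach this only after the `supportsTransparentAuth` gate, but a null check would make the method safe on its own. Both `supportsTransparentAuth()` and `isTrustedSite(URL)` end outside the hunk.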
@@ -112,6 +127,7 @@ int.class, PasswordAuthentication.class); supportsTA = cl.getDeclaredMethod(supportsTAStr); + isTrustedSite = cl.getDeclaredMethod(isTrustedSiteStr, java.net.URL.class); return new NTLMAuthenticationProxy(threeArg, fiveArg); }
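Review bot: `cl.getDeclaredMethod(isTrustedSiteStr, java.net.URL.class)` makes `isTrustedSite(URL)` a hard requirement of the platform `NTLMAuthentication` class: if the class loaded here lacks it, the `NoSuchMethodException` presumably reaches the handler surrounding this lookup (outside the hunk) and the whole proxy fails to load, disabling NTLM entirely rather than only transparent authentication. That is the safe direction, but it deserves a comment so nobody later "fixes" it by catching locally and leaving the field null: `// Required: without a trust callback, transparent NTLM must not be attempted.` The enclosing method begins and ends outside this hunk.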
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/share/classes/sun/net/www/protocol/http/ntlm/NTLMAuthenticationCallback.java Mon Jan 10 18:12:43 2011 +0000
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.net.www.protocol.http.ntlm;
+
+import java.net.URL;
+
+/**
+ * This class is used to call back to deployment to determine if a given
+ * URL is trusted. Transparent authentication (try with logged in users
+ * credentials without prompting) should only be tried with trusted sites.
+ */
+public abstract class NTLMAuthenticationCallback {
+ private static volatile NTLMAuthenticationCallback callback =
+ new DefaultNTLMAuthenticationCallback();
+
+ public static void setNTLMAuthenticationCallback(
+ NTLMAuthenticationCallback callback) {
+ NTLMAuthenticationCallback.callback = callback;
+ }
+
+ public static NTLMAuthenticationCallback getNTLMAuthenticationCallback() {
+ return callback;
+ }
+
+ /**
+ * Returns true if the given site is trusted, i.e. we can try
+ * transparent Authentication.
+ */
+ public abstract boolean isTrustedSite(URL url);
+
+ static class DefaultNTLMAuthenticationCallback extends NTLMAuthenticationCallback {
+ @Override
+ public boolean isTrustedSite(URL url) { return true; }
+ }
+}
+
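Review bot: `DefaultNTLMAuthenticationCallback.isTrustedSite` returns `true` unconditionally, so until something calls `setNTLMAuthenticationCallback` the new gate allows transparent NTLM to every site — the very behaviour this change is meant to restrict — and that trust-all default should be documented on the class, with the setter saying who is expected to install a restrictive callback, e.g. `/** Replaces the default trust-all callback; deployment code is expected to install a restrictive one before any NTLM exchange. */`. `setNTLMAuthenticationCallback` performs no permission check and accepts `null`, which would turn every later `isTrustedSite` lookup into a `NullPointerException`; at minimum reject null with `if (callback == null) throw new NullPointerException("callback");`. The `isTrustedSite` Javadoc should name the consequence of answering true: `/** Returns true only if the current user's NTLM credentials may be sent to {@code url} without prompting. */`.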
--- a/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Mon Nov 01 11:32:50 2010 -0400 +++ b/src/solaris/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Mon Jan 10 18:12:43 2011 +0000 @@ -68,6 +68,9 @@ public class NTLMAuthentication extends AuthenticationInfo { private static final long serialVersionUID = 170L; + private static final NTLMAuthenticationCallback NTLMAuthCallback = + NTLMAuthenticationCallback.getNTLMAuthenticationCallback(); + private String hostname; private static String defaultDomain; /* Domain to use if not specified by user */ @@ -81,6 +84,14 @@ return false; } + /** + * Returns true if the given site is trusted, i.e. we can try + * transparent Authentication. + */ + public static boolean isTrustedSite(URL url) { + return NTLMAuthCallback.isTrustedSite(url); + } + private void init0() { hostname = java.security.AccessController.doPrivileged(
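Review bot: `NTLMAuthCallback` is a `static final` captured when `NTLMAuthentication` is initialised, so a callback installed via `setNTLMAuthenticationCallback` after that point is never consulted and the `volatile` on the holder in `NTLMAuthenticationCallback` buys nothing; `isTrustedSite(URL)` in the second hunk should read the current callback at call time, `return NTLMAuthenticationCallback.getNTLMAuthenticationCallback().isTrustedSite(url);`, and the cached field can be dropped. If deployment always installs its callback before this class loads the current code works, but nothing visible here guarantees that ordering. The field name `NTLMAuthCallback` also does not follow the file's `lowerCamelCase` field convention. `init0()` continues outside the hunk.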
--- a/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Mon Nov 01 11:32:50 2010 -0400 +++ b/src/windows/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java Mon Jan 10 18:12:43 2011 +0000 @@ -45,6 +45,9 @@ private static final long serialVersionUID = 100L; + private static final NTLMAuthenticationCallback NTLMAuthCallback = + NTLMAuthenticationCallback.getNTLMAuthenticationCallback(); + private String hostname; private static String defaultDomain; /* Domain to use if not specified by user */ @@ -143,6 +146,14 @@ } /** + * Returns true if the given site is trusted, i.e. we can try + * transparent Authentication. + */ + public static boolean isTrustedSite(URL url) { + return NTLMAuthCallback.isTrustedSite(url); + } + + /** * Not supported. Must use the setHeaders() method */ @Override
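Review bot: `NTLMAuthCallback` is evaluated once at class initialisation, so any callback installed later through `setNTLMAuthenticationCallback` is silently ignored and transparent NTLM keeps using whatever callback (by default the trust-all one) was current when this class loaded; have `isTrustedSite` in the second hunk fetch it on every call, `return NTLMAuthenticationCallback.getNTLMAuthenticationCallback().isTrustedSite(url);`, and remove the cached field. This matters most on this platform if it is the one whose `supportsTransparentAuth` reports true, which is not visible in the hunk. The added method is spliced between the existing `/**` opener and the "Not supported" Javadoc it belonged to; the result is well-formed, but the `@Override` method that Javadoc documents lies outside the hunk.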