OpenJDK / jdk8u / jdk8u / jdk

changeset 12476:6805783b9875

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
8178794: Correct Kerberos ticket grants Reviewed-by: coffeys, valeriep Contributed-by: prasadarao.koppula@oracle.com
author rpatil
date Mon, 24 Jul 2017 13:56:39 +0530
parents 0c7e380005ee
children b7246d50996b
files src/share/classes/sun/security/krb5/KrbAsRep.java src/share/classes/sun/security/krb5/KrbTgsRep.java test/sun/security/krb5/auto/KDC.java test/sun/security/krb5/auto/TicketSName.java
diffstat 4 files changed, 66 insertions(+), 6 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/krb5/KrbAsRep.java	Tue Jul 25 14:18:04 2017 +0100
+++ b/src/share/classes/sun/security/krb5/KrbAsRep.java	Mon Jul 24 13:56:39 2017 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -160,7 +160,7 @@
         creds = new Credentials(
                                 rep.ticket,
                                 req.reqBody.cname,
-                                rep.ticket.sname,
+                                enc_part.sname,
                                 enc_part.key,
                                 enc_part.flags,
                                 enc_part.authtime,
--- a/src/share/classes/sun/security/krb5/KrbTgsRep.java	Tue Jul 25 14:18:04 2017 +0100
+++ b/src/share/classes/sun/security/krb5/KrbTgsRep.java	Mon Jul 24 13:56:39 2017 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -88,7 +88,7 @@
 
         this.creds = new Credentials(rep.ticket,
                                 rep.cname,
-                                rep.ticket.sname,
+                                enc_part.sname,
                                 enc_part.key,
                                 enc_part.flags,
                                 enc_part.authtime,
--- a/test/sun/security/krb5/auto/KDC.java	Tue Jul 25 14:18:04 2017 +0100
+++ b/test/sun/security/krb5/auto/KDC.java	Mon Jul 24 13:56:39 2017 +0530
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -808,7 +808,9 @@
                 throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO
             }
             Ticket t = new Ticket(
-                    service,
+                    System.getProperty("test.kdc.diff.sname") != null ?
+                        new PrincipalName("xx" + service.toString()) :
+                        service,
                     new EncryptedData(skey, enc.asn1Encode(), KeyUsage.KU_TICKET)
             );
             EncTGSRepPart enc_part = new EncTGSRepPart(
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/TicketSName.java	Mon Jul 24 13:56:39 2017 +0530
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8178794
+ * @summary krb5 client should ignore sname in incoming tickets
+ * @compile -XDignore.symbol.file TicketSName.java
+ * @run main/othervm -Dtest.kdc.diff.sname TicketSName
+ */
+
+import sun.security.jgss.GSSUtil;
+import javax.security.auth.kerberos.KerberosTicket;
+
+public class TicketSName {
+
+    public static void main(String[] args) throws Exception {
+
+        new OneKDC(null).writeJAASConf();
+
+        Context c, s;
+        c = Context.fromJAAS("client");
+        s = Context.fromJAAS("server");
+
+        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+        Context.handshake(c, s);
+
+        String expected = OneKDC.SERVER + "@" + OneKDC.REALM;
+        if (!c.s().getPrivateCredentials(KerberosTicket.class)
+                .stream()
+                .anyMatch(t -> t.getServer().toString().equals(expected))) {
+            c.status();
+            throw new Exception("no " + expected);
+        }
+    }
+}
© 2007, Oracle and/or its affiliates
Terms of Use · Privacy · Trademarks