Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/test/sun/security/krb5/auto/AcceptPermissions.java
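/*
 * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

/*
 * @test
 * @bug 9999999
 * @summary default principal can act as anyone
 * @compile -XDignore.symbol.file AcceptPermissions.java
 * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock AcceptPermissions two
 * @run main/othervm -Dsun.net.spi.nameservice.provider.1=ns,mock AcceptPermissions unbound
 */

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.Permission;
import javax.security.auth.kerberos.ServicePermission;
import sun.security.jgss.GSSUtil;
import java.util.*;

/**
 * Checks at which points a Kerberos acceptor is asked for an "accept"
 * {@link ServicePermission}: when its credentials are created and when the
 * handshake is performed.
 *
 * <p>The class installs itself as the {@link SecurityManager}. Only
 * {@code ServicePermission} checks whose action string is exactly
 * {@code "accept"} are forwarded to the default implementation; every other
 * permission check returns immediately and is therefore allowed. That is
 * deliberate for this test and must not be copied into production code.
 *
 * <p>The bookkeeping depends on the forwarded check <em>failing</em>: an entry
 * is only marked as checked inside the {@code catch} block. If the effective
 * policy granted the accept permission, no exception would be raised and
 * {@link #checkPerms()} would report the entry as unused.
 * NOTE(review): the policy in effect is not visible in this file; confirm that
 * the test is run without a grant for these permissions.
 *
 * <p>{@code OneKDC} and {@code Context} are helpers defined elsewhere in the
 * test directory; their behavior is not visible here.
 */
public class AcceptPermissions extends SecurityManager {

    // State of an accept permission that has been announced but not yet demanded.
    private static final String EXPECTED = "expected";
    // State of an accept permission that has been demanded by the code under test.
    private static final String CHECKED = "checked";

    // Accept permissions the current step is expected to demand, with their state.
    // The reference never changes, only the contents, hence final.
    private static final Map<Permission,String> perms = new HashMap<>();

    /**
     * Records accept permission checks and rejects the ones that were not
     * announced through {@link #initPerms(String...)}.
     *
     * @param perm the permission being checked
     * @throws SecurityException if an accept {@code ServicePermission} is
     *         denied by the default implementation and was not expected
     */
    @Override
    public void checkPermission(Permission perm) {
        if (!(perm instanceof ServicePermission)) {
            return;
        }
        ServicePermission sp = (ServicePermission)perm;
        if (!sp.getActions().equals("accept")) {
            return;
        }
        // We only care about accept ServicePermission in this test
        try {
            super.checkPermission(sp);
        } catch (SecurityException se) {
            if (perms.containsKey(sp)) {
                // The denial is swallowed on purpose: the test only needs
                // to know that the check happened.
                perms.put(sp, CHECKED);
            } else {
                throw se;   // An accept check that was not expected here
            }
        }
    }

    /**
     * Replaces the set of expected accept permissions.
     *
     * @param names service principal names without realm; each one is
     *        suffixed with {@code "@" + OneKDC.REALM}. Passing none means no
     *        accept check is expected.
     */
    private static void initPerms(String... names) {
        perms.clear();
        for (String name: names) {
            perms.put(new ServicePermission(
                    name + "@" + OneKDC.REALM, "accept"), EXPECTED);
        }
    }

    /**
     * Verifies that every expected accept permission was demanded.
     *
     * @throws RuntimeException if an entry is still in the expected state
     */
    private static void checkPerms() {
        for (Map.Entry<Permission,String> entry: perms.entrySet()) {
            if (EXPECTED.equals(entry.getValue())) {
                throw new RuntimeException(
                        "Expected but not used: " + entry.getKey());
            }
        }
    }

    /**
     * Runs the four acceptor scenarios.
     *
     * @param args {@code args[0]} is the JAAS entry used for the acceptor in
     *        the second and fourth scenario; the {@code @run} lines pass
     *        {@code two} or {@code unbound}
     * @throws Exception on any failure, including an unexpected or a missing
     *         accept permission check
     */
    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new AcceptPermissions());
        new OneKDC(null).writeJAASConf();
        // Two more acceptor-only entries (isInitiator=false) are appended:
        // "two" lists two keytab logins with fixed principals, "unbound"
        // uses principal=* and so names no principal at all.
        String moreEntries = "two {\n"
                + " com.sun.security.auth.module.Krb5LoginModule required"
                + " principal=\"" + OneKDC.SERVER + "\" useKeyTab=true"
                + " isInitiator=false storeKey=true;\n"
                + " com.sun.security.auth.module.Krb5LoginModule required"
                + " principal=\"" + OneKDC.BACKEND + "\" useKeyTab=true"
                + " isInitiator=false storeKey=true;\n"
                + "};\n"
                + "unbound {"
                + " com.sun.security.auth.module.Krb5LoginModule required"
                + " principal=* useKeyTab=true"
                + " isInitiator=false storeKey=true;\n"
                + "};\n";
        // Explicit charset so the appended bytes do not depend on the
        // platform default encoding.
        Files.write(Paths.get(OneKDC.JAAS_CONF),
                moreEntries.getBytes(StandardCharsets.UTF_8),
                StandardOpenOption.APPEND);

        Context c, s;

        // In all cases, a ServicePermission on the acceptor name is needed
        // for a handshake. For default principal with no predictable name,
        // permission not needed (yet) for credentials creation.
        //
        // Every scenario has two steps, each followed by checkPerms():
        // creating the contexts, then the handshake. initPerms() is called
        // again between them so the handshake has to trigger its own check.

        // Named principal
        initPerms(OneKDC.SERVER);
        c = Context.fromJAAS("client");
        s = Context.fromJAAS("server");
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        initPerms(OneKDC.SERVER);
        Context.handshake(c, s);
        checkPerms();

        // Named principal (even if there are 2 JAAS modules)
        initPerms(OneKDC.SERVER);
        c = Context.fromJAAS("client");
        s = Context.fromJAAS(args[0]);
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        initPerms(OneKDC.SERVER);
        Context.handshake(c, s);
        checkPerms();

        // Default principal with a predictable name
        initPerms(OneKDC.SERVER);
        c = Context.fromJAAS("client");
        s = Context.fromJAAS("server");
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        initPerms(OneKDC.SERVER);
        Context.handshake(c, s);
        checkPerms();

        // Default principal with no predictable name
        initPerms();    // permission not needed for cred !!!
        c = Context.fromJAAS("client");
        s = Context.fromJAAS(args[0]);
        c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
        checkPerms();
        // With nothing expected above, any accept check during credential
        // creation would have been rethrown by checkPermission(). The
        // handshake is where the acceptor name becomes known, so the
        // permission must be demanded there.
        initPerms(OneKDC.SERVER);   // still needed for handshake !!!
        Context.handshake(c, s);
        checkPerms();
    }
}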