krb5/auto/OkAsDelegateXRealm.java

1941N/A/*
2362N/A * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
1941N/A * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
1941N/A *
1941N/A * This code is free software; you can redistribute it and/or modify it
1941N/A * under the terms of the GNU General Public License version 2 only, as
1941N/A * published by the Free Software Foundation.
1941N/A *
1941N/A * This code is distributed in the hope that it will be useful, but WITHOUT
1941N/A * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
1941N/A * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
1941N/A * version 2 for more details (a copy is included in the LICENSE file that
1941N/A * accompanied this code).
1941N/A *
1941N/A * You should have received a copy of the GNU General Public License version
1941N/A * 2 along with this work; if not, write to the Free Software Foundation,
1941N/A * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
1941N/A *
2362N/A * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
2362N/A * or visit www.oracle.com if you need additional information or have any
2362N/A * questions.
1941N/A */
1941N/A
1941N/Aimport com.sun.security.jgss.ExtendedGSSContext;
1941N/Aimport java.io.File;
1941N/Aimport java.io.FileOutputStream;
1941N/Aimport java.io.IOException;
1941N/Aimport java.security.Security;
1941N/Aimport javax.security.auth.callback.Callback;
1941N/Aimport javax.security.auth.callback.CallbackHandler;
1941N/Aimport javax.security.auth.callback.NameCallback;
1941N/Aimport javax.security.auth.callback.PasswordCallback;
1941N/Aimport javax.security.auth.callback.UnsupportedCallbackException;
1941N/Aimport org.ietf.jgss.GSSContext;
1941N/Aimport org.ietf.jgss.GSSCredential;
1941N/Aimport org.ietf.jgss.GSSException;
1941N/Aimport org.ietf.jgss.GSSManager;
1941N/Aimport org.ietf.jgss.GSSName;
1941N/Aimport sun.security.jgss.GSSUtil;
1941N/Aimport sun.security.krb5.Config;
1941N/A
1941N/Apublic class OkAsDelegateXRealm implements CallbackHandler {
1941N/A
1941N/A    /**
1941N/A     * @param args boolean if the program should succeed
1941N/A     */
1941N/A    public static void main(String[] args)
1941N/A            throws Exception {
1941N/A
1941N/A        // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3.
1941N/A        // R1 is trusted by R2, and R2 trusted by R3.
1941N/A        KDC kdc1 = KDC.create("R1");
1941N/A        kdc1.setPolicy("ok-as-delegate",
1941N/A                System.getProperty("test.kdc.policy.ok-as-delegate"));
1941N/A        kdc1.addPrincipal("dummy", "bogus".toCharArray());
1941N/A        kdc1.addPrincipalRandKey("krbtgt/R1");
1941N/A        kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
1941N/A
1941N/A        KDC kdc2 = KDC.create("R2");
1941N/A        kdc2.setPolicy("ok-as-delegate",
1941N/A                System.getProperty("test.kdc.policy.ok-as-delegate"));
1941N/A        kdc2.addPrincipalRandKey("krbtgt/R2");
1941N/A        kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray());
1941N/A        kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
1941N/A
1941N/A        KDC kdc3 = KDC.create("R3");
1941N/A        kdc3.setPolicy("ok-as-delegate",
1941N/A                System.getProperty("test.kdc.policy.ok-as-delegate"));
1941N/A        kdc3.addPrincipalRandKey("krbtgt/R3");
1941N/A        kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray());
1941N/A        kdc3.addPrincipalRandKey("host/host.r3.local");
1941N/A
1941N/A        KDC.saveConfig("krb5-localkdc.conf", kdc1, kdc2, kdc3,
1941N/A                "forwardable=true",
1941N/A                "[capaths]",
1941N/A                "R1 = {",
1941N/A                "    R2 = .",
1941N/A                "    R3 = R2",
1941N/A                "}",
1941N/A                "[domain_realm]",
1941N/A                ".r3.local=R3"
1941N/A                );
1941N/A
1941N/A        System.setProperty("java.security.krb5.conf", "krb5-localkdc.conf");
1941N/A        kdc3.writeKtab("localkdc.ktab");
1941N/A
1941N/A        FileOutputStream fos = new FileOutputStream("jaas-localkdc.conf");
1941N/A
1941N/A        // Defines the client and server on R1 and R3 respectively.
1941N/A        fos.write(("com.sun.security.jgss.krb5.initiate {\n" +
1941N/A                "    com.sun.security.auth.module.Krb5LoginModule\n" +
1941N/A                "    required\n" +
1941N/A                "    principal=dummy\n" +
1941N/A                "    doNotPrompt=false\n" +
1941N/A                "    useTicketCache=false\n" +
1941N/A                "    ;\n};\n" +
1941N/A                "com.sun.security.jgss.krb5.accept {\n" +
1941N/A                "    com.sun.security.auth.module.Krb5LoginModule required\n" +
1941N/A                "    principal=\"host/host.r3.local@R3\"\n" +
1941N/A                "    useKeyTab=true\n" +
1941N/A                "    keyTab=localkdc.ktab\n" +
1941N/A                "    isInitiator=false\n" +
1941N/A                "    storeKey=true;\n};\n" +
1941N/A                "\n").getBytes());
1941N/A        fos.close();
1941N/A
1941N/A        Security.setProperty("auth.login.defaultCallbackHandler",
1941N/A                "OkAsDelegateXRealm");
1941N/A
1941N/A        System.setProperty("java.security.auth.login.config", "jaas-localkdc.conf");
1941N/A
1941N/A        new File("krb5-localkdc.conf").deleteOnExit();
1941N/A        new File("localkdc.ktab").deleteOnExit();
1941N/A        new File("jaas-localkdc.conf").deleteOnExit();
1941N/A        Config.refresh();
1941N/A
1941N/A        Context c = Context.fromJAAS("com.sun.security.jgss.krb5.initiate");
1941N/A        Context s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
1941N/A
1941N/A        // Test twice. The frist time the whole cross realm process is tried,
1941N/A        // the second time the cached service ticket is used. This is to make sure
1941N/A        // the behaviors are the same, especailly for the case when one of the
1941N/A        // cross-realm TGTs does not have OK-AS-DELEGATE on.
1941N/A
1941N/A        for (int i=0; i<2; i++) {
1941N/A            c.startAsClient("host@host.r3.local", GSSUtil.GSS_KRB5_MECH_OID);
1941N/A            s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
1941N/A            c.x().requestDelegPolicy(true);
1941N/A
1941N/A            Context.handshake(c, s);
1941N/A            boolean succeed = true;
1941N/A            try {
1941N/A                s.x().getDelegCred();
1941N/A            } catch (GSSException gsse) {
1941N/A                succeed = false;
1941N/A            }
1941N/A            if (succeed != Boolean.parseBoolean(args[0])) {
1941N/A                throw new Exception("Test fail at round #" + i);
1941N/A            }
1941N/A        }
1941N/A    }
1941N/A
1941N/A    @Override
1941N/A    public void handle(Callback[] callbacks)
1941N/A            throws IOException, UnsupportedCallbackException {
1941N/A        for (Callback callback : callbacks) {
1941N/A            if (callback instanceof NameCallback) {
1941N/A                ((NameCallback) callback).setName("dummy");
1941N/A            }
1941N/A            if (callback instanceof PasswordCallback) {
1941N/A                ((PasswordCallback) callback).setPassword("bogus".toCharArray());
1941N/A            }
1941N/A        }
1941N/A    }
1941N/A}
1941N/A