diff options
Diffstat (limited to 'src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java')
-rw-r--r-- | src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java | 105 |
1 files changed, 102 insertions, 3 deletions
diff --git a/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java b/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java index a682dddcba..91828292d7 100644 --- a/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java +++ b/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -35,6 +35,12 @@ package sun.security.krb5.internal.ccache; import sun.security.krb5.*; import sun.security.krb5.internal.*; +import sun.security.util.SecurityProperties; + +import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; import java.util.StringTokenizer; import java.util.Vector; import java.io.IOException; @@ -182,9 +188,13 @@ public class FileCredentialsCache extends CredentialsCache primaryPrincipal = p; credentialsList = new Vector<Credentials>(); while (cis.available() > 0) { - Credentials cred = cis.readCred(version); + Object cred = cis.readCred(version); if (cred != null) { - credentialsList.addElement(cred); + if (cred instanceof Credentials) { + credentialsList.addElement((Credentials)cred); + } else { + addConfigEntry((CredentialsCache.ConfigEntry)cred); + } } } } @@ -255,6 +265,9 @@ public class FileCredentialsCache extends CredentialsCache cos.addCreds(tmp[i]); } } + for (ConfigEntry e : getConfigEntries()) { + cos.addConfigEntry(primaryPrincipal, e); + } } } @@ -307,6 +320,17 @@ public class FileCredentialsCache extends CredentialsCache } } + private List<ConfigEntry> configEntries = new ArrayList<>(); + + @Override + public void addConfigEntry(ConfigEntry e) { + configEntries.add(e); + } + + @Override + public List<ConfigEntry> getConfigEntries() { + return Collections.unmodifiableList(configEntries); + } /** * Gets a credentials for a specified service. @@ -326,6 +350,81 @@ public class FileCredentialsCache extends CredentialsCache return null; } + public sun.security.krb5.Credentials getInitialCreds() { + + Credentials defaultCreds = getDefaultCreds(); + if (defaultCreds == null) { + return null; + } + sun.security.krb5.Credentials tgt = defaultCreds.setKrbCreds(); + + CredentialsCache.ConfigEntry entry = getConfigEntry("proxy_impersonator"); + if (entry == null) { + if (DEBUG) { + System.out.println("get normal credential"); + } + return tgt; + } + + boolean force; + String prop = SecurityProperties.privilegedGetOverridable( + "jdk.security.krb5.default.initiate.credential"); + if (prop == null) { + prop = "always-impersonate"; + } + switch (prop) { + case "no-impersonate": // never try impersonation + if (DEBUG) { + System.out.println("get normal credential"); + } + return tgt; + case "try-impersonate": + force = false; + break; + case "always-impersonate": + force = true; + break; + default: + throw new RuntimeException( + "Invalid jdk.security.krb5.default.initiate.credential"); + } + + try { + PrincipalName service = new PrincipalName( + new String(entry.getData(), StandardCharsets.UTF_8)); + if (!tgt.getClient().equals(service)) { + if (DEBUG) { + System.out.println("proxy_impersonator does not match service name"); + } + return force ? null : tgt; + } + PrincipalName client = getPrimaryPrincipal(); + Credentials proxy = null; + for (Credentials c : getCredsList()) { + if (c.getClientPrincipal().equals(client) + && c.getServicePrincipal().equals(service)) { + proxy = c; + break; + } + } + if (proxy == null) { + if (DEBUG) { + System.out.println("Cannot find evidence ticket in ccache"); + } + return force ? null : tgt; + } + if (DEBUG) { + System.out.println("Get proxied credential"); + } + return tgt.setProxy(proxy.setKrbCreds()); + } catch (KrbException e) { + if (DEBUG) { + System.out.println("Impersonation with ccache failed"); + } + return force ? null : tgt; + } + } + public Credentials getDefaultCreds() { Credentials[] list = getCredsList(); if (list == null) { |