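/*
 * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.nio.file.Files;
import java.nio.file.Paths;
import java.time.Instant;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

/*
 * @test
 * @bug 6857795 8075299 8194486
 * @summary Checks Kerberos ticket properties
 * @library /test/lib
 * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
 * @run main/othervm -Djdk.net.hosts.file=TestHosts KrbTicket
 */
public class KrbTicket {

    private static final String REALM = "TEST.REALM";
    private static final String HOST = "localhost";
    private static final String USER = "TESTER";
    private static final String USER_PRINCIPAL = USER + "@" + REALM;
    // Throwaway credential registered only with the in-process test KDC.
    private static final String PASSWORD = "password";
    private static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
    private static final String KRB5_CONF_FILENAME = "krb5.conf";
    private static final String JAAS_CONF = "jaas.conf";
    // Lower bound on the ticket lifetime accepted by checkTime(), in ms (5 mins).
    private static final long TICKET_LIFETIME = 5 * 60 * 1000;

    /**
     * Starts a local KDC, logs in through JAAS with {@code USER}/{@code PASSWORD}
     * and checks the flags, refresh behaviour, lifetime and destruction of the
     * resulting {@link KerberosTicket}.
     *
     * @param args ignored
     * @throws Exception if the KDC, the login or any of the checks fails
     */
    public static void main(String[] args) throws Exception {
        // define principals
        Map<String, String> principals = new HashMap<>();
        principals.put(USER_PRINCIPAL, PASSWORD);
        principals.put(KRBTGT_PRINCIPAL, null);

        System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);

        // start a local KDC instance; the two flags written into krb5.conf
        // are what the isForwardable()/isProxiable() checks below rely on
        KDC kdc = KDC.startKDC(HOST, null, REALM, principals, null, null);
        KDC.saveConfig(KRB5_CONF_FILENAME, kdc,
                "forwardable = true", "proxiable = true");

        // create JAAS config
        Files.write(Paths.get(JAAS_CONF), Arrays.asList(
                "Client {",
                "    com.sun.security.auth.module.Krb5LoginModule required;",
                "};"
        ));
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        // Truncated to whole seconds; presumably so a sub-second start does not
        // make the second-granular ticket end time look too close -- TODO confirm
        long startTime = Instant.now().getEpochSecond() * 1000;

        LoginContext lc = new LoginContext("Client",
                new Helper.UserPasswordHandler(USER, PASSWORD));
        lc.login();

        Subject subject = lc.getSubject();
        // NOTE(review): Subject.toString() may include private credentials;
        // tolerable only because everything here is a throwaway test KDC
        System.out.println("subject: " + subject);

        Set<KerberosTicket> creds = subject.getPrivateCredentials(
                KerberosTicket.class);

        // exactly one TGT is expected; an empty set previously surfaced as a
        // NoSuchElementException from iterator().next() rather than a clear
        // test failure
        if (creds.size() != 1) {
            throw new RuntimeException(
                    "Exactly one KerberosTicket expected, found " + creds.size());
        }
        KerberosTicket krbTkt = creds.iterator().next();

        System.out.println("forwardable = " + krbTkt.isForwardable());
        System.out.println("proxiable = " + krbTkt.isProxiable());
        System.out.println("renewable = " + krbTkt.isRenewable());
        System.out.println("current = " + krbTkt.isCurrent());

        if (!krbTkt.isForwardable()) {
            throw new RuntimeException("Forwardable ticket expected");
        }

        if (!krbTkt.isProxiable()) {
            throw new RuntimeException("Proxiable ticket expected");
        }

        if (!krbTkt.isCurrent()) {
            throw new RuntimeException("Ticket is not current");
        }

        if (krbTkt.isRenewable()) {
            throw new RuntimeException("Not renewable ticket expected");
        }

        // a non-renewable ticket must refuse to refresh; the RuntimeException
        // thrown on success is not caught by the RefreshFailedException handler
        try {
            krbTkt.refresh();
            throw new RuntimeException(
                    "Expected RefreshFailedException not thrown");
        } catch (RefreshFailedException e) {
            System.out.println("Expected exception: " + e);
        }

        if (!checkTime(krbTkt, startTime)) {
            throw new RuntimeException("Wrong ticket life time");
        }

        krbTkt.destroy();
        if (!krbTkt.isDestroyed()) {
            throw new RuntimeException("Ticket not destroyed");
        }

        System.out.println("Test passed");
    }

    /**
     * Checks that the ticket's end time lies at least {@code TICKET_LIFETIME}
     * milliseconds after {@code startTime}.
     *
     * @param krbTkt    the ticket to inspect; main() calls this before destroy()
     * @param startTime time taken before login, in epoch milliseconds
     * @return {@code true} if {@code endTime - startTime >= TICKET_LIFETIME}
     */
    private static boolean checkTime(KerberosTicket krbTkt, long startTime) {
        long ticketEndTime = krbTkt.getEndTime().getTime();
        // "rough" because startTime was sampled before login, not at ticket issue
        long roughLifeTime = ticketEndTime - startTime;
        System.out.println("start time = " + startTime);
        System.out.println("end time = " + ticketEndTime);
        System.out.println("rough life time = " + roughLifeTime);
        return roughLifeTime >= TICKET_LIFETIME;
    }
}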