1 /* 2 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 import java.io.IOException; 25 import java.security.NoSuchAlgorithmException; 26 import java.security.PrivilegedActionException; 27 import java.util.HashMap; 28 import java.util.Map; 29 import java.security.Security; 30 31 import javax.security.auth.login.LoginException; 32 33 /* 34 * @test 35 * @bug 8025123 8208350 36 * @summary Checks if an unbound server can handle connections 37 * only for allowed service principals 38 * @run main/othervm/java.security.policy=unbound.ssl.policy -Dsun.net.spi.nameservice.provider.1=ns,mock UnboundSSL 39 * unbound.ssl.jaas.conf server_star 40 * @run main/othervm/java.security.policy=unbound.ssl.policy -Dsun.net.spi.nameservice.provider.1=ns,mock UnboundSSL 41 * unbound.ssl.jaas.conf server_multiple_principals 42 */ 43 public class UnboundSSL { 44 main(String[] args)45 public static void main(String[] args) throws IOException, 46 NoSuchAlgorithmException,LoginException, PrivilegedActionException, 47 InterruptedException { 48 Security.setProperty("jdk.tls.disabledAlgorithms", ""); 49 UnboundSSL test = new UnboundSSL(); 50 test.start(args[0], args[1]); 51 } 52 start(String jaacConfigFile, String serverJaasConfig)53 private void start(String jaacConfigFile, String serverJaasConfig) 54 throws IOException, NoSuchAlgorithmException,LoginException, 55 PrivilegedActionException, InterruptedException { 56 57 // define principals 58 String service1host = "service1." + UnboundSSLUtils.HOST; 59 String service2host = "service2." + UnboundSSLUtils.HOST; 60 String service3host = "service3." + UnboundSSLUtils.HOST; 61 String service1Principal = "host/" + service1host + "@" 62 + UnboundSSLUtils.REALM; 63 String service2Principal = "host/" + service2host + "@" 64 + UnboundSSLUtils.REALM; 65 String service3Principal = "host/" + service3host + "@" 66 + UnboundSSLUtils.REALM; 67 68 Map<String, String> principals = new HashMap<>(); 69 principals.put(UnboundSSLUtils.USER_PRINCIPAL, 70 UnboundSSLUtils.USER_PASSWORD); 71 principals.put(UnboundSSLUtils.KRBTGT_PRINCIPAL, null); 72 principals.put(service1Principal, null); 73 principals.put(service2Principal, null); 74 principals.put(service3Principal, null); 75 76 System.setProperty("java.security.krb5.conf", 77 UnboundSSLUtils.KRB5_CONF_FILENAME); 78 79 // start a local KDC instance 80 KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME, 81 UnboundSSLUtils.REALM, principals, 82 UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND); 83 84 System.setProperty("java.security.auth.login.config", 85 UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile); 86 System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); 87 88 try (final SSLEchoServer server = SSLEchoServer.init( 89 UnboundSSLUtils.TLS_KRB5_FILTER, UnboundSSLUtils.SNI_PATTERN)) { 90 91 // start a server instance 92 UnboundSSLUtils.startServerWithJaas(server, serverJaasConfig); 93 94 // wait for the server is ready 95 while (!server.isReady()) { 96 Thread.sleep(UnboundSSLUtils.DELAY); 97 } 98 99 int port = server.getPort(); 100 101 // run clients 102 103 // the server should have a permission to handle a request 104 // with this service principal (there should be an appropriate 105 // javax.security.auth.kerberos.ServicePermission in policy file) 106 System.out.println("Connect: SNI hostname = " + service1host 107 + ", successful connection is expected"); 108 SSLClient.init(UnboundSSLUtils.HOST, port, 109 UnboundSSLUtils.TLS_KRB5_FILTER, service1host).connect(); 110 111 // the server should NOT have a permission to handle a request 112 // with this service principal (there should be an appropriate 113 // javax.security.auth.kerberos.ServicePermission in policy file) 114 // handshake failures is expected 115 System.out.println("Connect: SNI hostname = " + service2host 116 + ", connection failure is expected"); 117 try { 118 SSLClient.init(UnboundSSLUtils.HOST, port, 119 UnboundSSLUtils.TLS_KRB5_FILTER, service2host) 120 .connect(); 121 throw new RuntimeException("Test failed: " 122 + "expected IOException not thrown"); 123 } catch (IOException e) { 124 System.out.println("Expected exception: " + e); 125 } 126 127 // the server should have a permission to handle a request 128 // with this service principal (there should be an appropriate 129 // javax.security.auth.kerberos.ServicePermission in policy file) 130 System.out.println("Connect: SNI hostname = " + service3host 131 + ", successful connection is expected"); 132 SSLClient.init(UnboundSSLUtils.HOST, port, 133 UnboundSSLUtils.TLS_KRB5_FILTER, service3host).connect(); 134 } 135 136 System.out.println("Test passed"); 137 } 138 } 139