| /* |
| * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. |
| * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| * |
| * This code is free software; you can redistribute it and/or modify it |
| * under the terms of the GNU General Public License version 2 only, as |
| * published by the Free Software Foundation. |
| * |
| * This code is distributed in the hope that it will be useful, but WITHOUT |
| * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| * version 2 for more details (a copy is included in the LICENSE file that |
| * accompanied this code). |
| * |
| * You should have received a copy of the GNU General Public License version |
| * 2 along with this work; if not, write to the Free Software Foundation, |
| * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| * |
| * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| * or visit www.oracle.com if you need additional information or have any |
| * questions. |
| */ |
| |
| import java.nio.file.Files; |
| import java.nio.file.Paths; |
| import java.time.Instant; |
| import java.util.Arrays; |
| import java.util.HashMap; |
| import java.util.Map; |
| import java.util.Set; |
| import javax.security.auth.RefreshFailedException; |
| import javax.security.auth.Subject; |
| import javax.security.auth.kerberos.KerberosTicket; |
| import javax.security.auth.login.LoginContext; |
| |
| /* |
| * @test |
| * @bug 6857795 8075299 |
| * @summary Checks Kerberos ticket properties |
| * @run main/othervm KrbTicket |
| */ |
| public class KrbTicket { |
| |
| private static final String REALM = "TEST.REALM"; |
| private static final String HOST = "localhost"; |
| private static final String USER = "TESTER"; |
| private static final String USER_PRINCIPAL = USER + "@" + REALM; |
| private static final String PASSWORD = "password"; |
| private static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM; |
| private static final String KRB5_CONF_FILENAME = "krb5.conf"; |
| private static final String JAAS_CONF = "jaas.conf"; |
| private static final long TICKET_LIFTETIME = 5 * 60 * 1000; // 5 mins |
| |
| public static void main(String[] args) throws Exception { |
| // define principals |
| Map<String, String> principals = new HashMap<>(); |
| principals.put(USER_PRINCIPAL, PASSWORD); |
| principals.put(KRBTGT_PRINCIPAL, null); |
| |
| System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME); |
| |
| // start a local KDC instance |
| KDC kdc = KDC.startKDC(HOST, null, REALM, principals, null, null); |
| KDC.saveConfig(KRB5_CONF_FILENAME, kdc, |
| "forwardable = true", "proxiable = true"); |
| |
| // create JAAS config |
| Files.write(Paths.get(JAAS_CONF), Arrays.asList( |
| "Client {", |
| " com.sun.security.auth.module.Krb5LoginModule required;", |
| "};" |
| )); |
| System.setProperty("java.security.auth.login.config", JAAS_CONF); |
| System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); |
| |
| long startTime = Instant.now().getEpochSecond() * 1000; |
| |
| LoginContext lc = new LoginContext("Client", |
| new Helper.UserPasswordHandler(USER, PASSWORD)); |
| lc.login(); |
| |
| Subject subject = lc.getSubject(); |
| System.out.println("subject: " + subject); |
| |
| Set creds = subject.getPrivateCredentials( |
| KerberosTicket.class); |
| |
| if (creds.size() > 1) { |
| throw new RuntimeException("Multiple credintials found"); |
| } |
| |
| Object o = creds.iterator().next(); |
| if (!(o instanceof KerberosTicket)) { |
| throw new RuntimeException("Instance of KerberosTicket expected"); |
| } |
| KerberosTicket krbTkt = (KerberosTicket) o; |
| |
| System.out.println("forwardable = " + krbTkt.isForwardable()); |
| System.out.println("proxiable = " + krbTkt.isProxiable()); |
| System.out.println("renewable = " + krbTkt.isRenewable()); |
| System.out.println("current = " + krbTkt.isCurrent()); |
| |
| if (!krbTkt.isForwardable()) { |
| throw new RuntimeException("Forwardable ticket expected"); |
| } |
| |
| if (!krbTkt.isProxiable()) { |
| throw new RuntimeException("Proxiable ticket expected"); |
| } |
| |
| if (!krbTkt.isCurrent()) { |
| throw new RuntimeException("Ticket is not current"); |
| } |
| |
| if (krbTkt.isRenewable()) { |
| throw new RuntimeException("Not renewable ticket expected"); |
| } |
| try { |
| krbTkt.refresh(); |
| throw new RuntimeException( |
| "Expected RefreshFailedException not thrown"); |
| } catch(RefreshFailedException e) { |
| System.out.println("Expected exception: " + e); |
| } |
| |
| if (!checkTime(krbTkt, startTime)) { |
| throw new RuntimeException("Wrong ticket life time"); |
| } |
| |
| krbTkt.destroy(); |
| if (!krbTkt.isDestroyed()) { |
| throw new RuntimeException("Ticket not destroyed"); |
| } |
| |
| System.out.println("Test passed"); |
| } |
| |
| private static boolean checkTime(KerberosTicket krbTkt, long startTime) { |
| long ticketEndTime = krbTkt.getEndTime().getTime(); |
| long roughLifeTime = ticketEndTime - startTime; |
| System.out.println("start time = " + startTime); |
| System.out.println("end time = " + ticketEndTime); |
| System.out.println("rough life time = " + roughLifeTime); |
| return roughLifeTime >= TICKET_LIFTETIME; |
| } |
| } |