/hg/icedtea8-forest/jdk: 3 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Mon Oct 24 04:36:15 UTC 2016
changeset 82c774b19fb1 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=82c774b19fb1
author: ebaron
date: Mon Oct 24 04:22:57 2016 +0100
PR1537: Handle alternative Kerberos credential cache locations
changeset 8456f8cc2bcc in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=8456f8cc2bcc
author: andrew
date: Tue Sep 03 15:19:59 2013 +0100
PR1537: Only define _GNU_SOURCE if not already defined.
changeset 9185a15650c3 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=9185a15650c3
author: andrew
date: Mon Oct 24 05:20:00 2016 +0100
PR1537: Fix Kerberos cache support to check for null, fallback on old path support and not hardcode the krb5 library.
diffstat:
make/lib/SecurityLibraries.gmk | 6 +-
src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java | 96 ++++++-
src/solaris/native/sun/security/krb5/krb5ccache.c | 113 ++++++++++
3 files changed, 194 insertions(+), 21 deletions(-)
diffs (288 lines):
diff -r 5f55ff33a471 -r 9185a15650c3 make/lib/SecurityLibraries.gmk
--- a/make/lib/SecurityLibraries.gmk Mon Aug 08 15:51:30 2016 +0100
+++ b/make/lib/SecurityLibraries.gmk Mon Oct 24 05:20:00 2016 +0100
@@ -130,6 +130,10 @@
BUILD_LIBKRB5_NAME := osxkrb5
BUILD_LIBKRB5_SRC := $(JDK_TOPDIR)/src/share/native/sun/security/krb5
BUILD_LIBKRB5_LIBS := -framework Kerberos
+ else ifeq ($(USE_EXTERNAL_KRB5), true)
+ BUILD_LIBKRB5_NAME := j2krb5
+ BUILD_LIBKRB5_SRC := $(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/sun/security/krb5
+ BUILD_LIBKRB5_LIBS := $(KRB5_LIBS)
endif
ifneq ($(BUILD_LIBKRB5_NAME), )
@@ -139,7 +143,7 @@
SRC := $(BUILD_LIBKRB5_SRC), \
LANG := C, \
OPTIMIZATION := LOW, \
- CFLAGS := $(CFLAGS_JDKLIB) \
+ CFLAGS := $(CFLAGS_JDKLIB) $(KRB5_CFLAGS) \
-I$(JDK_TOPDIR)/src/share/native/sun/security/krb5 \
-I$(JDK_TOPDIR)/src/$(OPENJDK_TARGET_OS_API_DIR)/native/sun/security/krb5, \
LDFLAGS := $(LDFLAGS_JDKLIB) \
diff -r 5f55ff33a471 -r 9185a15650c3 src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java
--- a/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java Mon Aug 08 15:51:30 2016 +0100
+++ b/src/share/classes/sun/security/krb5/internal/ccache/FileCredentialsCache.java Mon Oct 24 05:20:00 2016 +0100
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013 Red Hat, Inc. and/or its affiliates.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -43,7 +44,9 @@
import java.io.FileOutputStream;
import java.io.BufferedReader;
import java.io.InputStreamReader;
-import java.lang.reflect.*;
+
+import java.lang.reflect.Constructor;
+import java.lang.reflect.Method;
/**
* CredentialsCache stores credentials(tickets, session keys, etc) in a
@@ -62,6 +65,8 @@
private Vector<Credentials> credentialsList;
private static String dir;
private static boolean DEBUG = Krb5.DEBUG;
+ private static boolean alreadyLoaded = false;
+ private static boolean alreadyTried = false;
public static synchronized FileCredentialsCache acquireInstance(
PrincipalName principal, String cache) {
@@ -349,9 +354,10 @@
* The path name is searched in the following order:
*
* 1. KRB5CCNAME (bare file name without FILE:)
- * 2. /tmp/krb5cc_<uid> on unix systems
- * 3. <user.home>/krb5cc_<user.name>
- * 4. <user.home>/krb5cc (if can't get <user.name>)
+ * 2. location specified by Kerberos API on unix systems
+ * 3. /tmp/krb5cc_<uid> on unix systems
+ * 4. <user.home>/krb5cc_<user.name>
+ * 5. <user.home>/krb5cc (if can't get <user.name>)
*/
public static String getDefaultCacheName() {
@@ -398,25 +404,61 @@
*/
if (osname != null) {
- String cmd = null;
- String uidStr = null;
- long uid = 0;
-
if (!osname.startsWith("Windows")) {
try {
- Class<?> c = Class.forName
- ("com.sun.security.auth.module.UnixSystem");
- Constructor<?> constructor = c.getConstructor();
- Object obj = constructor.newInstance();
- Method method = c.getMethod("getUid");
- uid = ((Long)method.invoke(obj)).longValue();
- name = File.separator + "tmp" +
- File.separator + stdCacheNameComponent + "_" + uid;
- if (DEBUG) {
- System.out.println(">>>KinitOptions cache name is " +
- name);
+ // Load the native code if necessary
+ if (!alreadyTried) {
+ // See if there's any native code to load
+ try {
+ ensureLoaded();
+ } catch (Exception e) {
+ if (DEBUG) {
+ System.out.println("Could not load native Kerberos bridge");
+ e.printStackTrace();
+ }
+ alreadyTried = true;
+ }
}
- return name;
+ if (alreadyLoaded) {
+ // There is some native code
+ if (DEBUG) {
+ System.out.println(">> Look up native default credential cache");
+ }
+ // Query the native Kerberos API for the cache location
+ name = nativeGetDefaultCacheName();
+ }
+
+ /*
+ * We require the default cache location to be a file name.
+ * DIR: can point to a cache collection, while DIR:: points
+ * to a specific cache file.
+ *
+ * http://k5wiki.kerberos.org/wiki?title=Projects/Client_principal_selection&oldid=4118
+ */
+ if (name != null && (name.startsWith("FILE:") || name.startsWith("DIR::"))) {
+ name = name.substring(5);
+ if (DEBUG) {
+ System.out.println(">>>KinitOptions cache name is " +
+ name);
+ }
+ return name;
+ } else {
+ long uid = 0;
+
+ Class<?> c = Class.forName
+ ("com.sun.security.auth.module.UnixSystem");
+ Constructor<?> constructor = c.getConstructor();
+ Object obj = constructor.newInstance();
+ Method method = c.getMethod("getUid");
+ uid = ((Long)method.invoke(obj)).longValue();
+ name = File.separator + "tmp" +
+ File.separator + stdCacheNameComponent + "_" + uid;
+ if (DEBUG) {
+ System.out.println(">>>KinitOptions cache name is " +
+ name);
+ }
+ return name;
+ }
} catch (Exception e) {
if (DEBUG) {
System.out.println("Exception in obtaining uid " +
@@ -461,6 +503,8 @@
return name;
}
+ private native static String nativeGetDefaultCacheName() throws Exception;
+
public static String checkValidation(String name) {
String fullname = null;
if (name == null) {
@@ -541,4 +585,16 @@
}
return null;
}
+
+ private static void ensureLoaded() {
+ java.security.AccessController.doPrivileged(
+ new java.security.PrivilegedAction<Void> () {
+ public Void run() {
+ System.loadLibrary("j2krb5");
+ return null;
+ }
+ });
+ alreadyLoaded = true;
+ }
+
}
diff -r 5f55ff33a471 -r 9185a15650c3 src/solaris/native/sun/security/krb5/krb5ccache.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/solaris/native/sun/security/krb5/krb5ccache.c Mon Oct 24 05:20:00 2016 +0100
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2013 Red Hat Inc. and/or its affiliates.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#ifndef _GNU_SOURCE
+#define _GNU_SOURCE
+#endif
+
+#include <krb5.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "sun_security_krb5_internal_ccache_FileCredentialsCache.h"
+
+static void handle_error(JNIEnv *env, krb5_context context, krb5_error_code err, const char *func_name);
+static jint throw_Exception(JNIEnv *env, const char *class_name, const char *message);
+
+/*
+ * Class: sun_security_krb5_internal_ccache_FileCredentialsCache
+ * Method: nativeGetDefaultCacheName
+ * Signature: ()Ljava/lang/String;
+ */
+JNIEXPORT jstring JNICALL Java_sun_security_krb5_internal_ccache_FileCredentialsCache_nativeGetDefaultCacheName
+(JNIEnv *env, jclass krbcredsClass)
+{
+ krb5_context context;
+ krb5_error_code err;
+ krb5_ccache cache;
+ const char *cc_type, *cc_name;
+ char *cc_full_name;
+ jstring result;
+
+ /* Need a krb5_context to proceed further */
+ err = krb5_init_context(&context);
+ if (err) {
+ handle_error(env, context, err, "krb5_init_context");
+ return NULL;
+ }
+
+ /* Get the default credential cache.
+ * We intentionally do not use krb5_cc_default_name because when the cache
+ * is a collection, krb5_cc_default_name returns the collection directory.
+ * By using krb5_cc_default and then krb5_cc_get_name, we get the primary
+ * cache file within the collection. */
+ err = krb5_cc_default(context, &cache);
+ if (err) {
+ handle_error(env, context, err, "krb5_cc_default");
+ krb5_free_context(context);
+ return NULL;
+ }
+
+ /* Get the type and name of the default cache and construct a string
+ * of the form 'type:name'. */
+ cc_type = krb5_cc_get_type(context, cache);
+ cc_name = krb5_cc_get_name(context, cache);
+ if (asprintf(&cc_full_name, "%s:%s", cc_type, cc_name) < 0) {
+ throw_Exception(env, "java/lang/OutOfMemoryError", "Unable to construct credential cache string");
+ krb5_free_context(context);
+ return NULL;
+ }
+
+ result = (*env)->NewStringUTF(env, cc_full_name);
+
+ free(cc_full_name);
+ krb5_free_context(context);
+ return result;
+}
+
+static void handle_error(JNIEnv *env, krb5_context context, krb5_error_code err, const char *func_name) {
+ const char *err_msg;
+ char *result;
+
+ err_msg = krb5_get_error_message(context, err);
+ if (asprintf(&result, "%s: %s", func_name, err_msg) < 0) {
+ throw_Exception(env, "java/lang/OutOfMemoryError", "Unable to construct error message");
+ return;
+ }
+ throw_Exception(env, "java/lang/Exception", result);
+
+ free(result);
+ krb5_free_error_message(context, err_msg);
+}
+
+static jint throw_Exception(JNIEnv *env, const char *class_name, const char *message) {
+ jclass class;
+
+ class = (*env)->FindClass(env, class_name);
+ if (class == NULL) {
+ return -1;
+ }
+ return (*env)->ThrowNew(env, class, message);
+}
More information about the distro-pkg-dev
mailing list