diff --git a/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java b/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java index dc7a3556d7d82154a84cdaeee55cc1f0dce1cd81..1ac610d8880dd209190fdee16527470d640decf2 100644 --- a/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java +++ b/src/share/classes/com/sun/security/jgss/ExtendedGSSContext.java @@ -99,4 +99,58 @@ public interface ExtendedGSSContext extends GSSContext { */ public Object inquireSecContext(InquireType type) throws GSSException; + + /** + * Requests that the delegation policy be respected. When a true value is + * requested, the underlying context would use the delegation policy + * defined by the environment as a hint to determine whether credentials + * delegation should be performed. This request can only be made on the + * context initiator's side and it has to be done prior to the first + * call to initSecContext. + *

+ * When this flag is false, delegation will only be tried when the + * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag} + * is true. + *

+ * When this flag is true but the + * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag} + * is false, delegation will be only tried if the delegation policy permits + * delegation. + *

+ * When both this flag and the + * {@link GSSContext#requestCredDeleg(boolean) credentials delegation flag} + * are true, delegation will be always tried. However, if the delegation + * policy does not permit delegation, the value of + * {@link #getDelegPolicyState} will be false, even + * if delegation is performed successfully. + *

+ * In any case, if the delegation is not successful, the value returned + * by {@link GSSContext#getCredDelegState()} is false, and the value + * returned by {@link #getDelegPolicyState()} is also false. + *

+ * Not all mechanisms support delegation policy. Therefore, the + * application should check to see if the request was honored with the + * {@link #getDelegPolicyState() getDelegPolicyState} method. When + * delegation policy is not supported, requestDelegPolicy + * should return silently without throwing an exception. + *

+ * Note: for the Kerberos 5 mechanism, the delegation policy is expressed + * through the OK-AS-DELEGATE flag in the service ticket. When it's true, + * the KDC permits delegation to the target server. In a cross-realm + * environment, in order for delegation be permitted, all cross-realm TGTs + * on the authentication path must also have the OK-AS-DELAGATE flags set. + * @param state true if the policy should be respected + * @throws GSSException containing the following + * major error codes: + * {@link GSSException#FAILURE GSSException.FAILURE} + */ + public void requestDelegPolicy(boolean state) throws GSSException; + + /** + * Returns the delegation policy response. Called after a security context + * is established. This method can be only called on the initiator's side. + * See {@link ExtendedGSSContext#requestDelegPolicy}. + * @return the delegation policy response + */ + public boolean getDelegPolicyState(); } diff --git a/src/share/classes/org/ietf/jgss/GSSContext.java b/src/share/classes/org/ietf/jgss/GSSContext.java index 5fb769dc523ab75fef8ad883f3e9633c16fca23c..e8eb70275807d16ad854100b2f4982fdd8518d80 100644 --- a/src/share/classes/org/ietf/jgss/GSSContext.java +++ b/src/share/classes/org/ietf/jgss/GSSContext.java @@ -1,5 +1,5 @@ /* - * Copyright 2000-2001 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -678,7 +678,7 @@ public interface GSSContext { * are not definitive then the method will attempt to treat all * available bytes as part of the token.

* - * Other than the possible blocking behaviour described above, this + * Other than the possible blocking behavior described above, this * method is equivalent to the byte array based {@link #unwrap(byte[], * int, int, MessageProp) unwrap} method.

* @@ -826,7 +826,7 @@ public interface GSSContext { * are not definitive then the method will attempt to treat all * available bytes as part of the token.

* - * Other than the possible blocking behaviour described above, this + * Other than the possible blocking behavior described above, this * method is equivalent to the byte array based {@link #verifyMIC(byte[], * int, int, byte[], int, int, MessageProp) verifyMIC} method.

* @@ -917,7 +917,7 @@ public interface GSSContext { * getMutualAuthState} method.

* * @param state a boolean value indicating whether mutual - * authentication shouls be used or not. + * authentication should be used or not. * @see #getMutualAuthState() * * @throws GSSException containing the following @@ -928,7 +928,7 @@ public interface GSSContext { /** * Requests that replay detection be enabled for the - * per-message security services after context establishemnt. This + * per-message security services after context establishment. This * request can only be made on the context initiator's side and it has * to be done prior to the first call to * initSecContext. During context establishment replay @@ -958,7 +958,7 @@ public interface GSSContext { /** * Requests that sequence checking be enabled for the - * per-message security services after context establishemnt. This + * per-message security services after context establishment. This * request can only be made on the context initiator's side and it has * to be done prior to the first call to * initSecContext. During context establishment sequence diff --git a/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java b/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java index dd4a39bd875ce78ee51855952e3e61b2cbf8850e..af0c9726ad9e06ba1515bc12611ec618db2f27a5 100644 --- a/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java +++ b/src/share/classes/sun/net/www/protocol/http/spnego/NegotiatorImpl.java @@ -25,6 +25,7 @@ package sun.net.www.protocol.http.spnego; +import com.sun.security.jgss.ExtendedGSSContext; import java.io.IOException; import org.ietf.jgss.GSSContext; @@ -100,15 +101,10 @@ public class NegotiatorImpl extends Negotiator { null, GSSContext.DEFAULT_LIFETIME); - // In order to support credential delegation in HTTP/SPNEGO, - // we always request it before initSecContext. The current - // implementation will check the OK-AS-DELEGATE flag inside - // the service ticket of the web server, and only enable - // delegation when this flag is set. This check is only - // performed when the GSS caller is CALLER_HTTP_NEGOTIATE, - // so all other normal GSS-API calls are not affected. - - context.requestCredDeleg(true); + // Always respect delegation policy in HTTP/SPNEGO. + if (context instanceof ExtendedGSSContext) { + ((ExtendedGSSContext)context).requestDelegPolicy(true); + } oneToken = context.initSecContext(new byte[0], 0, 0); } diff --git a/src/share/classes/sun/security/jgss/GSSContextImpl.java b/src/share/classes/sun/security/jgss/GSSContextImpl.java index de703ef4dedba60c655e48a6c0b3f64197535e4e..210ba5b869ae59d721567961a8e9628696492a60 100644 --- a/src/share/classes/sun/security/jgss/GSSContextImpl.java +++ b/src/share/classes/sun/security/jgss/GSSContextImpl.java @@ -89,7 +89,8 @@ import com.sun.security.jgss.*; */ class GSSContextImpl implements ExtendedGSSContext { - private GSSManagerImpl gssManager = null; + private final GSSManagerImpl gssManager; + private final boolean initiator; // private flags for the context state private static final int PRE_INIT = 1; @@ -99,14 +100,12 @@ class GSSContextImpl implements ExtendedGSSContext { // instance variables private int currentState = PRE_INIT; - private boolean initiator; private GSSContextSpi mechCtxt = null; private Oid mechOid = null; private ObjectIdentifier objId = null; private GSSCredentialImpl myCred = null; - private GSSCredentialImpl delegCred = null; private GSSNameImpl srcName = null; private GSSNameImpl targName = null; @@ -121,6 +120,7 @@ class GSSContextImpl implements ExtendedGSSContext { private boolean reqSequenceDetState = true; private boolean reqCredDelegState = false; private boolean reqAnonState = false; + private boolean reqDelegPolicyState = false; /** * Creates a GSSContextImp on the context initiator's side. @@ -221,6 +221,7 @@ class GSSContextImpl implements ExtendedGSSContext { mechCtxt.requestSequenceDet(reqSequenceDetState); mechCtxt.requestAnonymity(reqAnonState); mechCtxt.setChannelBinding(channelBindings); + mechCtxt.requestDelegPolicy(reqDelegPolicyState); objId = new ObjectIdentifier(mechOid.toString()); @@ -465,42 +466,42 @@ class GSSContextImpl implements ExtendedGSSContext { } public void requestMutualAuth(boolean state) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqMutualAuthState = state; } public void requestReplayDet(boolean state) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqReplayDetState = state; } public void requestSequenceDet(boolean state) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqSequenceDetState = state; } public void requestCredDeleg(boolean state) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqCredDelegState = state; } public void requestAnonymity(boolean state) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqAnonState = state; } public void requestConf(boolean state) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqConfState = state; } public void requestInteg(boolean state) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqIntegState = state; } public void requestLifetime(int lifetime) throws GSSException { - if (mechCtxt == null) + if (mechCtxt == null && initiator) reqLifetime = lifetime; } @@ -630,6 +631,8 @@ class GSSContextImpl implements ExtendedGSSContext { targName = null; } + // ExtendedGSSContext methods: + @Override public Object inquireSecContext(InquireType type) throws GSSException { SecurityManager security = System.getSecurityManager(); @@ -641,4 +644,18 @@ class GSSContextImpl implements ExtendedGSSContext { } return mechCtxt.inquireSecContext(type); } + + @Override + public void requestDelegPolicy(boolean state) throws GSSException { + if (mechCtxt == null && initiator) + reqDelegPolicyState = state; + } + + @Override + public boolean getDelegPolicyState() { + if (mechCtxt != null) + return mechCtxt.getDelegPolicyState(); + else + return reqDelegPolicyState; + } } diff --git a/src/share/classes/sun/security/jgss/krb5/InitialToken.java b/src/share/classes/sun/security/jgss/krb5/InitialToken.java index 2f0b834c1b91cb118f2000fb348fcc939cb20621..ed7eb8c6e18fbbe434cea569a27548aeb38e153f 100644 --- a/src/share/classes/sun/security/jgss/krb5/InitialToken.java +++ b/src/share/classes/sun/security/jgss/krb5/InitialToken.java @@ -85,32 +85,39 @@ abstract class InitialToken extends Krb5Token { int size = CHECKSUM_LENGTH_SIZE + CHECKSUM_BINDINGS_SIZE + CHECKSUM_FLAGS_SIZE; + if (!tgt.isForwardable()) { + context.setCredDelegState(false); + context.setDelegPolicyState(false); + } else if (context.getCredDelegState()) { + if (context.getDelegPolicyState()) { + if (!serviceTicket.checkDelegate()) { + // delegation not permitted by server policy, mark it + context.setDelegPolicyState(false); + } + } + } else if (context.getDelegPolicyState()) { + if (serviceTicket.checkDelegate()) { + context.setCredDelegState(true); + } else { + context.setDelegPolicyState(false); + } + } + if (context.getCredDelegState()) { - if (context.getCaller() instanceof HttpCaller && - !serviceTicket.getFlags()[Krb5.TKT_OPTS_DELEGATE]) { - // When the caller is HTTP/SPNEGO and OK-AS-DELEGATE - // is not present in the service ticket, delegation - // is disabled. - context.setCredDelegState(false); - } else if (!tgt.isForwardable()) { - // XXX log this resetting of delegation state - context.setCredDelegState(false); + KrbCred krbCred = null; + CipherHelper cipherHelper = + context.getCipherHelper(serviceTicket.getSessionKey()); + if (useNullKey(cipherHelper)) { + krbCred = new KrbCred(tgt, serviceTicket, + EncryptionKey.NULL_KEY); } else { - KrbCred krbCred = null; - CipherHelper cipherHelper = - context.getCipherHelper(serviceTicket.getSessionKey()); - if (useNullKey(cipherHelper)) { - krbCred = new KrbCred(tgt, serviceTicket, - EncryptionKey.NULL_KEY); - } else { - krbCred = new KrbCred(tgt, serviceTicket, - serviceTicket.getSessionKey()); - } - krbCredMessage = krbCred.getMessage(); - size += CHECKSUM_DELEG_OPT_SIZE + - CHECKSUM_DELEG_LGTH_SIZE + - krbCredMessage.length; + krbCred = new KrbCred(tgt, serviceTicket, + serviceTicket.getSessionKey()); } + krbCredMessage = krbCred.getMessage(); + size += CHECKSUM_DELEG_OPT_SIZE + + CHECKSUM_DELEG_LGTH_SIZE + + krbCredMessage.length; } checksumBytes = new byte[size]; @@ -296,6 +303,7 @@ abstract class InitialToken extends Krb5Token { return delegCreds; } + // Only called by acceptor public void setContextFlags(Krb5Context context) { // default for cred delegation is false if ((flags & CHECKSUM_DELEG_FLAG) > 0) diff --git a/src/share/classes/sun/security/jgss/krb5/Krb5Context.java b/src/share/classes/sun/security/jgss/krb5/Krb5Context.java index 4fe1e80f5f94afca5173933ce397374cfc1ec78c..8810ed606f9350f6bbfb644038185fa22ebce315 100644 --- a/src/share/classes/sun/security/jgss/krb5/Krb5Context.java +++ b/src/share/classes/sun/security/jgss/krb5/Krb5Context.java @@ -78,6 +78,7 @@ class Krb5Context implements GSSContextSpi { private boolean sequenceDetState = true; private boolean confState = true; private boolean integState = true; + private boolean delegPolicyState = false; private int mySeqNumber; private int peerSeqNumber; @@ -299,6 +300,21 @@ class Krb5Context implements GSSContextSpi { return sequenceDetState || replayDetState; } + /** + * Requests that the deleg policy be respected. + */ + public final void requestDelegPolicy(boolean value) { + if (state == STATE_NEW && isInitiator()) + delegPolicyState = value; + } + + /** + * Is deleg policy respected? + */ + public final boolean getDelegPolicyState() { + return delegPolicyState; + } + /* * Anonymity is a little different in that after an application * requests anonymity it will want to know whether the mechanism @@ -422,6 +438,10 @@ class Krb5Context implements GSSContextSpi { integState = state; } + final void setDelegPolicyState(boolean state) { + delegPolicyState = state; + } + /** * Sets the channel bindings to be used during context * establishment. diff --git a/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java b/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java index 5bf359a1f8ccf1d776a6ef8272a8b88d28e28aaf..aaf4eebc29fbd3ee7e8063ad9978b811f7df063b 100644 --- a/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java +++ b/src/share/classes/sun/security/jgss/spi/GSSContextSpi.java @@ -124,6 +124,8 @@ public interface GSSContextSpi { public void requestInteg(boolean state) throws GSSException; + public void requestDelegPolicy(boolean state) throws GSSException; + public void setChannelBinding(ChannelBinding cb) throws GSSException; public boolean getCredDelegState(); @@ -136,6 +138,8 @@ public interface GSSContextSpi { public boolean getAnonymityState(); + public boolean getDelegPolicyState(); + public boolean isTransferable() throws GSSException; public boolean isProtReady(); diff --git a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java index a436092f1bb6b4f98e0373b2960a6df648a78729..7fbff5ef475328632a3ea6ffb3e1ec29dc74748d 100644 --- a/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java +++ b/src/share/classes/sun/security/jgss/spnego/SpNegoContext.java @@ -63,6 +63,7 @@ public class SpNegoContext implements GSSContextSpi { private boolean sequenceDetState = true; private boolean confState = true; private boolean integState = true; + private boolean delegPolicyState = false; private GSSNameSpi peerName = null; private GSSNameSpi myName = null; @@ -153,6 +154,14 @@ public class SpNegoContext implements GSSContextSpi { integState = value; } + /** + * Requests that deleg policy be respected. + */ + public final void requestDelegPolicy(boolean value) throws GSSException { + if (state == STATE_NEW && isInitiator()) + delegPolicyState = value; + } + /** * Is integrity available? */ @@ -160,6 +169,19 @@ public class SpNegoContext implements GSSContextSpi { return integState; } + /** + * Is deleg policy respected? + */ + public final boolean getDelegPolicyState() { + if (isInitiator() && mechContext != null && + mechContext instanceof ExtendedGSSContext && + (state == STATE_IN_PROCESS || state == STATE_DONE)) { + return ((ExtendedGSSContext)mechContext).getDelegPolicyState(); + } else { + return delegPolicyState; + } + } + /** * Requests that credential delegation be done during context * establishment. @@ -173,7 +195,7 @@ public class SpNegoContext implements GSSContextSpi { * Is credential delegation enabled? */ public final boolean getCredDelegState() { - if (mechContext != null && + if (isInitiator() && mechContext != null && (state == STATE_IN_PROCESS || state == STATE_DONE)) { return mechContext.getCredDelegState(); } else { @@ -201,30 +223,6 @@ public class SpNegoContext implements GSSContextSpi { return mutualAuthState; } - final void setCredDelegState(boolean state) { - credDelegState = state; - } - - final void setMutualAuthState(boolean state) { - mutualAuthState = state; - } - - final void setReplayDetState(boolean state) { - replayDetState = state; - } - - final void setSequenceDetState(boolean state) { - sequenceDetState = state; - } - - final void setConfState(boolean state) { - confState = state; - } - - final void setIntegState(boolean state) { - integState = state; - } - /** * Returns the mechanism oid. * @@ -653,6 +651,10 @@ public class SpNegoContext implements GSSContextSpi { throw gssException; } + if (state == STATE_DONE) { + // now set the context flags for acceptor + setContextFlags(); + } return retVal; } @@ -703,28 +705,31 @@ public class SpNegoContext implements GSSContextSpi { return out; } + // Only called on acceptor side. On the initiator side, most flags + // are already set at request. For those that might get chanegd, + // state from mech below is used. private void setContextFlags() { if (mechContext != null) { // default for cred delegation is false if (mechContext.getCredDelegState()) { - setCredDelegState(true); + credDelegState = true; } // default for the following are true if (!mechContext.getMutualAuthState()) { - setMutualAuthState(false); + mutualAuthState = false; } if (!mechContext.getReplayDetState()) { - setReplayDetState(false); + replayDetState = false; } if (!mechContext.getSequenceDetState()) { - setSequenceDetState(false); + sequenceDetState = false; } if (!mechContext.getIntegState()) { - setIntegState(false); + integState = false; } if (!mechContext.getConfState()) { - setConfState(false); + confState = false; } } } @@ -837,6 +842,10 @@ public class SpNegoContext implements GSSContextSpi { mechContext.requestMutualAuth(mutualAuthState); mechContext.requestReplayDet(replayDetState); mechContext.requestSequenceDet(sequenceDetState); + if (mechContext instanceof ExtendedGSSContext) { + ((ExtendedGSSContext)mechContext).requestDelegPolicy( + delegPolicyState); + } } // pass token @@ -1202,5 +1211,5 @@ public class SpNegoContext implements GSSContextSpi { "inquireSecContext not supported by underlying mech."); } } - } + diff --git a/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java b/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java index 5b2a670b054bf3e6e43033e86b5ab142ad12d6f1..dc8c2bfafa998607cb655d693cce7c97dae0d625 100644 --- a/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java +++ b/src/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java @@ -549,6 +549,9 @@ class NativeGSSContext implements GSSContextSpi { public void requestInteg(boolean state) throws GSSException { changeFlags(GSS_C_INTEG_FLAG, state); } + public void requestDelegPolicy(boolean state) throws GSSException { + // Not supported, ignore + } public void requestLifetime(int lifetime) throws GSSException { if (isInitiator && pContext == 0) { this.lifetime = lifetime; @@ -590,6 +593,9 @@ class NativeGSSContext implements GSSContextSpi { public boolean getIntegState() { return checkFlags(GSS_C_INTEG_FLAG); } + public boolean getDelegPolicyState() { + return false; + } public int getLifetime() { return cStub.getContextTime(pContext); } diff --git a/src/share/classes/sun/security/krb5/Credentials.java b/src/share/classes/sun/security/krb5/Credentials.java index c003a29fa644368fd7738c31d22cc1708fea2fc7..e2f2f901097e6fa2b8c3db8e865cc1c5caf4bf9a 100644 --- a/src/share/classes/sun/security/krb5/Credentials.java +++ b/src/share/classes/sun/security/krb5/Credentials.java @@ -234,7 +234,19 @@ public class Credentials { * @return true if OK-AS_DELEGATE flag is set, otherwise, return false. */ public boolean checkDelegate() { - return (flags.get(Krb5.TKT_OPTS_DELEGATE)); + return flags.get(Krb5.TKT_OPTS_DELEGATE); + } + + /** + * Reset TKT_OPTS_DELEGATE to false, called at credentials acquirement + * when one of the cross-realm TGTs does not have the OK-AS-DELEGATE + * flag set. This info must be preservable and restorable through + * the Krb5Util.credsToTicket/ticketToCreds() methods so that even if + * the service ticket is cached it still remembers the cross-realm + * authentication result. + */ + public void resetDelegate() { + flags.set(Krb5.TKT_OPTS_DELEGATE, false); } public Credentials renew() throws KrbException, IOException { diff --git a/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java b/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java index fd2c925c046930052f3495a42281f0c70cb9f614..7286aebcc8417b59fad497d926e408394b3c705e 100644 --- a/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java +++ b/src/share/classes/sun/security/krb5/internal/CredentialsUtil.java @@ -1,5 +1,5 @@ /* - * Portions Copyright 2001-2004 Sun Microsystems, Inc. All Rights Reserved. + * Portions Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -117,6 +117,7 @@ rs. // Get a list of realms to traverse String[] realms = Realm.getRealmsList(localRealm, serviceRealm); + boolean okAsDelegate = true; if (realms == null || realms.length == 0) { @@ -194,6 +195,15 @@ rs. */ newTgtRealm = newTgt.getServer().getInstanceComponent(); + if (okAsDelegate && !newTgt.checkDelegate()) { + if (DEBUG) + { + System.out.println(">>> Credentials acquireServiceCreds: " + + "global OK-AS-DELEGATE turned off at " + + newTgt.getServer()); + } + okAsDelegate = false; + } if (DEBUG) { @@ -283,6 +293,9 @@ rs. System.out.println(">>> Credentials acquireServiceCreds: returning creds:"); Credentials.printDebug(theCreds); } + if (!okAsDelegate) { + theCreds.resetDelegate(); + } return theCreds; } throw new KrbApErrException(Krb5.KRB_AP_ERR_GEN_CRED, diff --git a/test/sun/security/krb5/auto/Context.java b/test/sun/security/krb5/auto/Context.java index 140623f83103117ee371be9a3f6904800fcc1f47..3187e99d87e2ff87c883086ab39ca8d8cb93bb43 100644 --- a/test/sun/security/krb5/auto/Context.java +++ b/test/sun/security/krb5/auto/Context.java @@ -72,7 +72,7 @@ import com.sun.security.jgss.AuthorizationDataEntry; public class Context { private Subject s; - private GSSContext x; + private ExtendedGSSContext x; private boolean f; // context established? private String name; private GSSCredential cred; // see static method delegated(). @@ -147,8 +147,8 @@ public class Context { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); - me.x = m.createContext( - target.indexOf('@') < 0 ? + me.x = (ExtendedGSSContext)m.createContext( + target.indexOf('@') < 0 ? m.createName(target, null) : m.createName(target, GSSName.NT_HOSTBASED_SERVICE), mech, @@ -170,7 +170,7 @@ public class Context { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); - me.x = m.createContext(m.createCredential( + me.x = (ExtendedGSSContext)m.createContext(m.createCredential( null, GSSCredential.INDEFINITE_LIFETIME, mech, @@ -193,7 +193,7 @@ public class Context { * * @return the GSSContext object */ - public GSSContext x() { + public ExtendedGSSContext x() { return x; } @@ -255,6 +255,11 @@ public class Context { if (x.getSequenceDetState()) { sb.append("seq det, "); } + if (x instanceof ExtendedGSSContext) { + if (((ExtendedGSSContext)x).getDelegPolicyState()) { + sb.append("deleg policy, "); + } + } System.out.println("Context status of " + name + ": " + sb.toString()); System.out.println(x.getSrcName() + " -> " + x.getTargName()); } catch (Exception e) { diff --git a/test/sun/security/krb5/auto/KDC.java b/test/sun/security/krb5/auto/KDC.java index 586d8b23e61d71aad61b70d4a1eb2695ba34baec..169094c779ba8a9421826a5d7db9dc232d31aea4 100644 --- a/test/sun/security/krb5/auto/KDC.java +++ b/test/sun/security/krb5/auto/KDC.java @@ -63,6 +63,14 @@ import sun.security.util.DerValue; * settings after calling a KDC method, call Config.refresh() to * make sure your changes are reflected in the Config object. * + * System properties recognized: + *

+ * Support policies: + * * Issues and TODOs: *
    *
  1. Generates krb5.conf to be used on another machine, currently the kdc is @@ -151,7 +159,7 @@ public class KDC { * A standalone KDC server. */ public static void main(String[] args) throws Exception { - KDC kdc = create("RABBIT.HOLE", "kdc.rabbit,hole", 0, false); + KDC kdc = create("RABBIT.HOLE", "kdc.rabbit.hole", 0, false); kdc.addPrincipal("dummy", "bogus".toCharArray()); kdc.addPrincipal("foo", "bar".toCharArray()); kdc.addPrincipalRandKey("krbtgt/RABBIT.HOLE"); @@ -426,14 +434,17 @@ public class KDC { * @throws sun.security.krb5.KrbException when the principal is not inside * the database. */ - private char[] getPassword(PrincipalName p) throws KrbException { + private char[] getPassword(PrincipalName p, boolean server) + throws KrbException { String pn = p.toString(); if (p.getRealmString() == null) { pn = pn + "@" + getRealm(); } char[] pass = passwords.get(pn); if (pass == null) { - throw new KrbException(Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN); + throw new KrbException(server? + Krb5.KDC_ERR_S_PRINCIPAL_UNKNOWN: + Krb5.KDC_ERR_C_PRINCIPAL_UNKNOWN); } return pass; } @@ -457,10 +468,12 @@ public class KDC { * Returns the key for a given principal of the given encryption type * @param p the principal * @param etype the encryption type + * @param server looking for a server principal? * @return the key * @throws sun.security.krb5.KrbException for unknown/unsupported etype */ - private EncryptionKey keyForUser(PrincipalName p, int etype) throws KrbException { + private EncryptionKey keyForUser(PrincipalName p, int etype, boolean server) + throws KrbException { try { // Do not call EncryptionKey.acquireSecretKeys(), otherwise // the krb5.conf config file would be loaded. @@ -469,22 +482,71 @@ public class KDC { Integer kvno = null; // For service whose password ending with a number, use it as kvno if (p.toString().indexOf('/') >= 0) { - char[] pass = getPassword(p); + char[] pass = getPassword(p, server); if (Character.isDigit(pass[pass.length-1])) { kvno = pass[pass.length-1] - '0'; } } return new EncryptionKey((byte[]) stringToKey.invoke( - null, getPassword(p), getSalt(p), null, etype), + null, getPassword(p, server), getSalt(p), null, etype), etype, kvno); } catch (InvocationTargetException ex) { KrbException ke = (KrbException)ex.getCause(); throw ke; + } catch (KrbException ke) { + throw ke; } catch (Exception e) { throw new RuntimeException(e); // should not happen } } + private Map policies = new HashMap(); + + public void setPolicy(String rule, String value) { + if (value == null) { + policies.remove(rule); + } else { + policies.put(rule, value); + } + } + /** + * If the provided client/server pair matches a rule + * + * A system property named test.kdc.policy.RULE will be consulted. + * If it's unset, returns false. If its value is "", any pair is + * matched. Otherwise, it should contains the server name matched. + * + * TODO: client name is not used currently. + * + * @param c client name + * @param s server name + * @param rule rule name + * @return if a match is found + */ + private boolean configMatch(String c, String s, String rule) { + String policy = policies.get(rule); + boolean result = false; + if (policy == null) { + result = false; + } else if (policy.length() == 0) { + result = true; + } else { + String[] names = policy.split("\\s+"); + for (String name: names) { + if (name.equals(s)) { + result = true; + break; + } + } + } + if (result) { + System.out.printf(">>>> Policy match result (%s vs %s on %s) %b\n", + c, s, rule, result); + } + return result; + } + + /** * Processes an incoming request and generates a response. * @param in the request @@ -530,7 +592,7 @@ public class KDC { tkt = apReq.ticket; etype = tkt.encPart.getEType(); tkt.sname.setRealm(tkt.realm); - EncryptionKey kkey = keyForUser(tkt.sname, etype); + EncryptionKey kkey = keyForUser(tkt.sname, etype, true); byte[] bb = tkt.encPart.decrypt(kkey, KeyUsage.KU_TICKET); DerInputStream derIn = new DerInputStream(bb); DerValue der = derIn.getDerValue(); @@ -541,7 +603,7 @@ public class KDC { throw new KrbException(Krb5.KDC_ERR_PADATA_TYPE_NOSUPP); } } - EncryptionKey skey = keyForUser(body.sname, etype); + EncryptionKey skey = keyForUser(body.sname, etype, true); if (skey == null) { throw new KrbException(Krb5.KDC_ERR_SUMTYPE_NOSUPP); // TODO } @@ -581,6 +643,10 @@ public class KDC { if (body.kdcOptions.get(KDCOptions.ALLOW_POSTDATE)) { bFlags[Krb5.TKT_OPTS_MAY_POSTDATE] = true; } + + if (configMatch("", body.sname.getNameString(), "ok-as-delegate")) { + bFlags[Krb5.TKT_OPTS_DELEGATE] = true; + } bFlags[Krb5.TKT_OPTS_INITIAL] = true; TicketFlags tFlags = new TicketFlags(bFlags); @@ -671,8 +737,8 @@ public class KDC { eTypes = (int[])f.get(body); int eType = eTypes[0]; - EncryptionKey ckey = keyForUser(body.cname, eType); - EncryptionKey skey = keyForUser(body.sname, eType); + EncryptionKey ckey = keyForUser(body.cname, eType, false); + EncryptionKey skey = keyForUser(body.sname, eType, true); if (ckey == null) { throw new KrbException(Krb5.KDC_ERR_ETYPE_NOSUPP); } diff --git a/test/sun/security/krb5/auto/OkAsDelegate.java b/test/sun/security/krb5/auto/OkAsDelegate.java new file mode 100644 index 0000000000000000000000000000000000000000..fee677b536b8a39f603afe93fa5696a35176296f --- /dev/null +++ b/test/sun/security/krb5/auto/OkAsDelegate.java @@ -0,0 +1,104 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + */ + +import com.sun.security.jgss.ExtendedGSSContext; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSException; +import org.ietf.jgss.Oid; +import sun.security.jgss.GSSUtil; +import sun.security.krb5.Config; + +public class OkAsDelegate { + + public static void main(String[] args) + throws Exception { + OkAsDelegate ok = new OkAsDelegate(); + ok.go( + Boolean.valueOf(args[0]), // FORWARDABLE in krb5.conf on? + Boolean.valueOf(args[1]), // requestDelegState + Boolean.valueOf(args[2]), // requestDelegPolicyState + Boolean.valueOf(args[3]), // DelegState in response + Boolean.valueOf(args[4]), // DelegPolicyState in response + Boolean.valueOf(args[5]) // getDelegCred OK? + ); + } + + void go( + boolean forwardable, + boolean requestDelegState, + boolean requestDelegPolicyState, + boolean delegState, + boolean delegPolicyState, + boolean delegated + ) throws Exception { + OneKDC kdc = new OneKDC(null); + kdc.setPolicy("ok-as-delegate", + System.getProperty("test.kdc.policy.ok-as-delegate")); + kdc.writeJAASConf(); + if (!forwardable) { + // The default OneKDC always includes "forwardable = true" + // in krb5.conf, override it. + KDC.saveConfig(OneKDC.KRB5_CONF, kdc, + "default_keytab_name = " + OneKDC.KTAB); + Config.refresh(); + } + + Context c, s; + c = Context.fromJAAS("client"); + s = Context.fromJAAS("server"); + + Oid mech = GSSUtil.GSS_KRB5_MECH_OID; + if (System.getProperty("test.spnego") != null) { + mech = GSSUtil.GSS_SPNEGO_MECH_OID; + } + c.startAsClient(OneKDC.SERVER, mech); + ExtendedGSSContext cx = (ExtendedGSSContext)c.x(); + cx.requestCredDeleg(requestDelegState); + cx.requestDelegPolicy(requestDelegPolicyState); + s.startAsServer(mech); + ExtendedGSSContext sx = (ExtendedGSSContext)s.x(); + + Context.handshake(c, s); + + if (cx.getCredDelegState() != delegState) { + throw new Exception("Initiator cred state error"); + } + if (sx.getCredDelegState() != delegState) { + throw new Exception("Acceptor cred state error"); + } + if (cx.getDelegPolicyState() != delegPolicyState) { + throw new Exception("Initiator cred policy state error"); + } + + GSSCredential cred = null; + try { + cred = s.x().getDelegCred(); + } catch (GSSException e) { + // leave cred as null + } + + if (delegated != (cred != null)) { + throw new Exception("get cred error"); + } + } +} diff --git a/test/sun/security/krb5/auto/OkAsDelegateXRealm.java b/test/sun/security/krb5/auto/OkAsDelegateXRealm.java new file mode 100644 index 0000000000000000000000000000000000000000..54c181fc8f61f93e785e4a7628ec338b5efb0761 --- /dev/null +++ b/test/sun/security/krb5/auto/OkAsDelegateXRealm.java @@ -0,0 +1,156 @@ +/* + * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + */ + +import com.sun.security.jgss.ExtendedGSSContext; +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.security.Security; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import org.ietf.jgss.GSSContext; +import org.ietf.jgss.GSSCredential; +import org.ietf.jgss.GSSException; +import org.ietf.jgss.GSSManager; +import org.ietf.jgss.GSSName; +import sun.security.jgss.GSSUtil; +import sun.security.krb5.Config; + +public class OkAsDelegateXRealm implements CallbackHandler { + + /** + * @param args boolean if the program should succeed + */ + public static void main(String[] args) + throws Exception { + + // Create and start the KDCs. Here we have 3 realms: R1, R2 and R3. + // R1 is trusted by R2, and R2 trusted by R3. + KDC kdc1 = KDC.create("R1"); + kdc1.setPolicy("ok-as-delegate", + System.getProperty("test.kdc.policy.ok-as-delegate")); + kdc1.addPrincipal("dummy", "bogus".toCharArray()); + kdc1.addPrincipalRandKey("krbtgt/R1"); + kdc1.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray()); + + KDC kdc2 = KDC.create("R2"); + kdc2.setPolicy("ok-as-delegate", + System.getProperty("test.kdc.policy.ok-as-delegate")); + kdc2.addPrincipalRandKey("krbtgt/R2"); + kdc2.addPrincipal("krbtgt/R2@R1", "r1->r2".toCharArray()); + kdc2.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray()); + + KDC kdc3 = KDC.create("R3"); + kdc3.setPolicy("ok-as-delegate", + System.getProperty("test.kdc.policy.ok-as-delegate")); + kdc3.addPrincipalRandKey("krbtgt/R3"); + kdc3.addPrincipal("krbtgt/R3@R2", "r2->r3".toCharArray()); + kdc3.addPrincipalRandKey("host/host.r3.local"); + + KDC.saveConfig("krb5-localkdc.conf", kdc1, kdc2, kdc3, + "forwardable=true", + "[capaths]", + "R1 = {", + " R2 = .", + " R3 = R2", + "}", + "[domain_realm]", + ".r3.local=R3" + ); + + System.setProperty("java.security.krb5.conf", "krb5-localkdc.conf"); + kdc3.writeKtab("localkdc.ktab"); + + FileOutputStream fos = new FileOutputStream("jaas-localkdc.conf"); + + // Defines the client and server on R1 and R3 respectively. + fos.write(("com.sun.security.jgss.krb5.initiate {\n" + + " com.sun.security.auth.module.Krb5LoginModule\n" + + " required\n" + + " principal=dummy\n" + + " doNotPrompt=false\n" + + " useTicketCache=false\n" + + " ;\n};\n" + + "com.sun.security.jgss.krb5.accept {\n" + + " com.sun.security.auth.module.Krb5LoginModule required\n" + + " principal=\"host/host.r3.local@R3\"\n" + + " useKeyTab=true\n" + + " keyTab=localkdc.ktab\n" + + " isInitiator=false\n" + + " storeKey=true;\n};\n" + + "\n").getBytes()); + fos.close(); + + Security.setProperty("auth.login.defaultCallbackHandler", + "OkAsDelegateXRealm"); + + System.setProperty("java.security.auth.login.config", "jaas-localkdc.conf"); + + new File("krb5-localkdc.conf").deleteOnExit(); + new File("localkdc.ktab").deleteOnExit(); + new File("jaas-localkdc.conf").deleteOnExit(); + Config.refresh(); + + Context c = Context.fromJAAS("com.sun.security.jgss.krb5.initiate"); + Context s = Context.fromJAAS("com.sun.security.jgss.krb5.accept"); + + // Test twice. The frist time the whole cross realm process is tried, + // the second time the cached service ticket is used. This is to make sure + // the behaviors are the same, especailly for the case when one of the + // cross-realm TGTs does not have OK-AS-DELEGATE on. + + for (int i=0; i<2; i++) { + c.startAsClient("host@host.r3.local", GSSUtil.GSS_KRB5_MECH_OID); + s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID); + c.x().requestDelegPolicy(true); + + Context.handshake(c, s); + boolean succeed = true; + try { + s.x().getDelegCred(); + } catch (GSSException gsse) { + succeed = false; + } + if (succeed != Boolean.parseBoolean(args[0])) { + throw new Exception("Test fail at round #" + i); + } + } + } + + @Override + public void handle(Callback[] callbacks) + throws IOException, UnsupportedCallbackException { + for (Callback callback : callbacks) { + if (callback instanceof NameCallback) { + ((NameCallback) callback).setName("dummy"); + } + if (callback instanceof PasswordCallback) { + ((PasswordCallback) callback).setPassword("bogus".toCharArray()); + } + } + } +} + diff --git a/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh b/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh new file mode 100644 index 0000000000000000000000000000000000000000..850dae3e443f7fcb197762c9105b794a08e01515 --- /dev/null +++ b/test/sun/security/krb5/auto/ok-as-delegate-xrealm.sh @@ -0,0 +1,79 @@ +# +# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, +# CA 95054 USA or visit www.sun.com if you need additional information or +# have any questions. +# + +# @test +# @bug 6853328 +# @summary Support OK-AS-DELEGATE flag +# @run shell/timeout=600 ok-as-delegate-xrealm.sh +# + +if [ "${TESTSRC}" = "" ] ; then + TESTSRC=`dirname $0` +fi + +if [ "${TESTJAVA}" = "" ] ; then + JAVAC_CMD=`which javac` + TESTJAVA=`dirname $JAVAC_CMD`/.. +fi + +# set platform-dependent variables +OS=`uname -s` +case "$OS" in + Windows_* ) + FS="\\" + SEP=";" + ;; + CYGWIN* ) + FS="/" + SEP=";" + ;; + * ) + FS="/" + SEP=":" + ;; +esac + +${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \ + ${TESTSRC}${FS}OkAsDelegateXRealm.java \ + ${TESTSRC}${FS}KDC.java \ + ${TESTSRC}${FS}OneKDC.java \ + ${TESTSRC}${FS}Action.java \ + ${TESTSRC}${FS}Context.java \ + || exit 10 + +# Add $TESTSRC to classpath so that customized nameservice can be used +J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}." + +# KDC no OK-AS-DELEGATE, fail +$J OkAsDelegateXRealm false || exit 1 + +# KDC set OK-AS-DELEGATE for all, succeed +$J -Dtest.kdc.policy.ok-as-delegate OkAsDelegateXRealm true || exit 2 + +# KDC set OK-AS-DELEGATE for host/host.r3.local only, fail +$J -Dtest.kdc.policy.ok-as-delegate=host/host.r3.local OkAsDelegateXRealm false || exit 3 + +# KDC set OK-AS-DELEGATE for all, succeed +$J "-Dtest.kdc.policy.ok-as-delegate=host/host.r3.local krbtgt/R2 krbtgt/R3" OkAsDelegateXRealm true || exit 4 + +exit 0 diff --git a/test/sun/security/krb5/auto/ok-as-delegate.sh b/test/sun/security/krb5/auto/ok-as-delegate.sh new file mode 100644 index 0000000000000000000000000000000000000000..1647e1561f54b61def80b9461654e59c6ba2f783 --- /dev/null +++ b/test/sun/security/krb5/auto/ok-as-delegate.sh @@ -0,0 +1,118 @@ +# +# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, +# CA 95054 USA or visit www.sun.com if you need additional information or +# have any questions. +# + +# @test +# @bug 6853328 +# @summary Support OK-AS-DELEGATE flag +# @run shell/timeout=600 ok-as-delegate.sh +# + +if [ "${TESTSRC}" = "" ] ; then + TESTSRC=`dirname $0` +fi + +if [ "${TESTJAVA}" = "" ] ; then + JAVAC_CMD=`which javac` + TESTJAVA=`dirname $JAVAC_CMD`/.. +fi + +# set platform-dependent variables +OS=`uname -s` +case "$OS" in + Windows_* ) + FS="\\" + SEP=";" + ;; + CYGWIN* ) + FS="/" + SEP=";" + ;; + * ) + FS="/" + SEP=":" + ;; +esac + +${TESTJAVA}${FS}bin${FS}javac -XDignore.symbol.file -d . \ + ${TESTSRC}${FS}OkAsDelegate.java \ + ${TESTSRC}${FS}KDC.java \ + ${TESTSRC}${FS}OneKDC.java \ + ${TESTSRC}${FS}Action.java \ + ${TESTSRC}${FS}Context.java \ + || exit 10 + +# Testing Kerberos 5 + +# Add $TESTSRC to classpath so that customized nameservice can be used +J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. OkAsDelegate" +JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.kdc.policy.ok-as-delegate OkAsDelegate" + +# FORWARDABLE ticket not allowed, always fail +$J false true true false false false || exit 1 + +# Service ticket no OK-AS-DELEGATE + +# Request nothing, gain nothing +$J true false false false false false || exit 2 +# Request deleg policy, gain nothing +$J true false true false false false || exit 3 +# Request deleg, granted +$J true true false true false true || exit 4 +# Request deleg and deleg policy, granted, with info not by policy +$J true true true true false true || exit 5 + +# Service ticket has OK-AS-DELEGATE + +# Request deleg policy, granted +$JOK true false true true true true || exit 6 +# Request deleg and deleg policy, granted, with info by policy +$JOK true true true true true true || exit 7 + +# Testing SPNEGO + +# Add $TESTSRC to classpath so that customized nameservice can be used +J="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego OkAsDelegate" +JOK="${TESTJAVA}${FS}bin${FS}java -cp $TESTSRC${SEP}. -Dtest.spnego -Dtest.kdc.policy.ok-as-delegate OkAsDelegate" + +# FORWARDABLE ticket not allowed, always fail +$J false true true false false false || exit 11 + +# Service ticket no OK-AS-DELEGATE + +# Request nothing, gain nothing +$J true false false false false false || exit 12 +# Request deleg policy, gain nothing +$J true false true false false false || exit 13 +# Request deleg, granted +$J true true false true false true || exit 14 +# Request deleg and deleg policy, granted, with info not by policy +$J true true true true false true || exit 15 + +# Service ticket has OK-AS-DELEGATE + +# Request deleg policy, granted +$JOK true false true true true true || exit 16 +# Request deleg and deleg policy, granted, with info by policy +$JOK true true true true true true || exit 17 + +exit 0