Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
4cefd50f
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
3
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
4cefd50f
编写于
5月 10, 2019
作者:
M
mbalao
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8200400: Restrict Sasl mechanisms
Reviewed-by: andrew
上级
210addb5
变更
7
隐藏空白更改
内联
并排
Showing
7 changed file
with
219 addition
and
2 deletion
+219
-2
src/share/classes/javax/security/sasl/Sasl.java
src/share/classes/javax/security/sasl/Sasl.java
+49
-2
src/share/lib/security/java.security-aix
src/share/lib/security/java.security-aix
+17
-0
src/share/lib/security/java.security-linux
src/share/lib/security/java.security-linux
+17
-0
src/share/lib/security/java.security-macosx
src/share/lib/security/java.security-macosx
+17
-0
src/share/lib/security/java.security-solaris
src/share/lib/security/java.security-solaris
+17
-0
src/share/lib/security/java.security-windows
src/share/lib/security/java.security-windows
+17
-0
test/javax/security/sasl/Sasl/DisabledMechanisms.java
test/javax/security/sasl/Sasl/DisabledMechanisms.java
+85
-0
未找到文件。
src/share/classes/javax/security/sasl/Sasl.java
浏览文件 @
4cefd50f
/*
* Copyright (c) 1999, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -26,15 +26,20 @@
package
javax.security.sasl
;
import
javax.security.auth.callback.CallbackHandler
;
import
java.security.AccessController
;
import
java.security.PrivilegedAction
;
import
java.util.ArrayList
;
import
java.util.Enumeration
;
import
java.util.Iterator
;
import
java.util.List
;
import
java.util.Map
;
import
java.util.Set
;
import
java.util.HashSet
;
import
java.util.Collections
;
import
java.security.Provider
;
import
java.security.Security
;
import
java.util.logging.Level
;
import
java.util.logging.Logger
;
/**
* A static class for creating SASL clients and servers.
...
...
@@ -62,6 +67,30 @@ import java.security.Security;
* @author Rob Weltman
*/
public
class
Sasl
{
private
static
List
<
String
>
disabledMechanisms
=
new
ArrayList
<>();
static
{
String
prop
=
AccessController
.
doPrivileged
(
(
PrivilegedAction
<
String
>)
()
->
Security
.
getProperty
(
"jdk.sasl.disabledMechanisms"
));
if
(
prop
!=
null
)
{
for
(
String
s
:
prop
.
split
(
"\\s*,\\s*"
))
{
if
(!
s
.
isEmpty
())
{
disabledMechanisms
.
add
(
s
);
}
}
}
}
private
static
final
String
SASL_LOGGER_NAME
=
"javax.security.sasl"
;
/**
* Logger for debug messages
*/
private
static
final
Logger
logger
=
Logger
.
getLogger
(
SASL_LOGGER_NAME
);
// Cannot create one of these
private
Sasl
()
{
}
...
...
@@ -306,6 +335,9 @@ public class Sasl {
* "Java Cryptography Architecture API Specification & Reference"
* for information about how to install and configure security service
* providers.
* <p>
* If a mechanism is listed in the {@code jdk.sasl.disabledMechanisms}
* security property, it will be ignored and won't be negotiated.
*
* @param mechanisms The non-null list of mechanism names to try. Each is the
* IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
...
...
@@ -369,6 +401,10 @@ public class Sasl {
"Mechanism name cannot be null"
);
}
else
if
(
mechName
.
length
()
==
0
)
{
continue
;
}
else
if
(
isDisabled
(
mechName
))
{
logger
.
log
(
Level
.
FINE
,
"Disabled "
+
mechName
+
" mechanism ignored"
);
continue
;
}
String
mechFilter
=
"SaslClientFactory."
+
mechName
;
Provider
[]
provs
=
Security
.
getProviders
(
mechFilter
);
...
...
@@ -456,6 +492,9 @@ public class Sasl {
* "Java Cryptography Architecture API Specification & Reference"
* for information about how to install and configure security
* service providers.
* <p>
* If {@code mechanism} is listed in the {@code jdk.sasl.disabledMechanisms}
* security property, it will be ignored and this method returns {@code null}.
*
* @param mechanism The non-null mechanism name. It must be an
* IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
...
...
@@ -509,6 +548,10 @@ public class Sasl {
throw
new
NullPointerException
(
"Mechanism name cannot be null"
);
}
else
if
(
mechanism
.
length
()
==
0
)
{
return
null
;
}
else
if
(
isDisabled
(
mechanism
))
{
logger
.
log
(
Level
.
FINE
,
"Disabled "
+
mechanism
+
" mechanism ignored"
);
return
null
;
}
String
mechFilter
=
"SaslServerFactory."
+
mechanism
;
...
...
@@ -618,4 +661,8 @@ public class Sasl {
}
return
Collections
.
unmodifiableSet
(
result
);
}
private
static
boolean
isDisabled
(
String
name
)
{
return
disabledMechanisms
.
contains
(
name
);
}
}
src/share/lib/security/java.security-aix
浏览文件 @
4cefd50f
...
...
@@ -986,6 +986,23 @@ jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
#
#jdk.jceks.iterationCount = 200000
#
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
#
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
# These mechanisms will be ignored if they are specified in the mechanisms argument
# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
#
# The value of this property is a comma-separated list of SASL mechanisms.
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
jdk.sasl.disabledMechanisms=
#
# Policies for distrusting Certificate Authorities (CAs).
#
...
...
src/share/lib/security/java.security-linux
浏览文件 @
4cefd50f
...
...
@@ -992,6 +992,23 @@ jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
#
#jdk.jceks.iterationCount = 200000
#
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
#
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
# These mechanisms will be ignored if they are specified in the mechanisms argument
# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
#
# The value of this property is a comma-separated list of SASL mechanisms.
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
jdk.sasl.disabledMechanisms=
#
# Policies for distrusting Certificate Authorities (CAs).
#
...
...
src/share/lib/security/java.security-macosx
浏览文件 @
4cefd50f
...
...
@@ -990,6 +990,23 @@ jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
#
#jdk.jceks.iterationCount = 200000
#
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
#
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
# These mechanisms will be ignored if they are specified in the mechanisms argument
# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
#
# The value of this property is a comma-separated list of SASL mechanisms.
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
jdk.sasl.disabledMechanisms=
#
# Policies for distrusting Certificate Authorities (CAs).
#
...
...
src/share/lib/security/java.security-solaris
浏览文件 @
4cefd50f
...
...
@@ -989,6 +989,23 @@ jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
#
#jdk.jceks.iterationCount = 200000
#
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
#
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
# These mechanisms will be ignored if they are specified in the mechanisms argument
# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
#
# The value of this property is a comma-separated list of SASL mechanisms.
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
jdk.sasl.disabledMechanisms=
#
# Policies for distrusting Certificate Authorities (CAs).
#
...
...
src/share/lib/security/java.security-windows
浏览文件 @
4cefd50f
...
...
@@ -990,6 +990,23 @@ jceks.key.serialFilter = java.lang.Enum;java.security.KeyRep;\
#
#jdk.jceks.iterationCount = 200000
#
# Disabled mechanisms for the Simple Authentication and Security Layer (SASL)
#
# Disabled mechanisms will not be negotiated by both SASL clients and servers.
# These mechanisms will be ignored if they are specified in the mechanisms argument
# of `Sasl.createClient` or the mechanism argument of `Sasl.createServer`.
#
# The value of this property is a comma-separated list of SASL mechanisms.
# The mechanisms are case-sensitive. Whitespaces around the commas are ignored.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.sasl.disabledMechanisms=PLAIN, CRAM-MD5, DIGEST-MD5
jdk.sasl.disabledMechanisms=
#
# Policies for distrusting Certificate Authorities (CAs).
#
...
...
test/javax/security/sasl/Sasl/DisabledMechanisms.java
0 → 100644
浏览文件 @
4cefd50f
/*
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8200400
* @library /lib/testlibrary
* @run main/othervm DisabledMechanisms
* DIGEST-MD5 DIGEST-MD5
* @run main/othervm -DdisabledMechanisms= DisabledMechanisms
* DIGEST-MD5 DIGEST-MD5
* @run main/othervm -DdisabledMechanisms=DIGEST-MD5,NTLM DisabledMechanisms
* null null
* @run main/othervm -DdisabledMechanisms=DIGEST-MD5 DisabledMechanisms
* NTLM null
* @run main/othervm -DdisabledMechanisms=NTLM DisabledMechanisms
* DIGEST-MD5 DIGEST-MD5
*/
import
java.security.Security
;
import
java.util.Collections
;
import
java.util.Map
;
import
javax.security.auth.callback.PasswordCallback
;
import
javax.security.sasl.Sasl
;
import
javax.security.sasl.SaslClient
;
import
javax.security.sasl.SaslServer
;
import
javax.security.auth.callback.Callback
;
import
javax.security.auth.callback.CallbackHandler
;
import
jdk.testlibrary.Asserts
;
public
class
DisabledMechanisms
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
String
authorizationId
=
"username"
;
String
protocol
=
"ldap"
;
String
serverName
=
"server1"
;
Map
props
=
Collections
.
emptyMap
();
String
disabled
=
System
.
getProperty
(
"disabledMechanisms"
);
if
(
disabled
!=
null
)
{
Security
.
setProperty
(
"jdk.sasl.disabledMechanisms"
,
disabled
);
}
CallbackHandler
callbackHandler
=
callbacks
->
{
for
(
Callback
cb
:
callbacks
)
{
if
(
cb
instanceof
PasswordCallback
)
{
((
PasswordCallback
)
cb
).
setPassword
(
"password"
.
toCharArray
());
}
}
};
SaslClient
client
=
Sasl
.
createSaslClient
(
new
String
[]{
"DIGEST-MD5"
,
"NTLM"
},
authorizationId
,
protocol
,
serverName
,
props
,
callbackHandler
);
Asserts
.
assertEQ
(
client
==
null
?
null
:
client
.
getMechanismName
(),
args
[
0
].
equals
(
"null"
)
?
null
:
args
[
0
]);
SaslServer
server
=
Sasl
.
createSaslServer
(
"DIGEST-MD5"
,
protocol
,
serverName
,
props
,
callbackHandler
);
Asserts
.
assertEQ
(
server
==
null
?
null
:
server
.
getMechanismName
(),
args
[
1
].
equals
(
"null"
)
?
null
:
args
[
1
]);
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录