1 /* 2 * Copyright (c) 2015, 2016 Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24 /* 25 * @test 26 * @bug 8058290 27 * @summary JAAS Krb5LoginModule has suspect ticket-renewal logic, 28 * relies on clockskew grace 29 * @modules java.base/sun.security.util 30 * java.security.jgss/sun.security.krb5 31 * java.security.jgss/sun.security.krb5.internal 32 * java.security.jgss/sun.security.krb5.internal.ccache 33 * java.security.jgss/sun.security.krb5.internal.crypto 34 * java.security.jgss/sun.security.krb5.internal.ktab 35 * @compile -XDignore.symbol.file Renew.java 36 * @run main/othervm Renew 1 37 * @run main/othervm Renew 2 38 * @run main/othervm Renew 3 39 */ 40 41 import sun.security.krb5.Config; 42 43 import java.nio.file.Files; 44 import java.nio.file.Paths; 45 import java.util.Arrays; 46 import java.util.Date; 47 import javax.security.auth.kerberos.KerberosTicket; 48 49 public class Renew { 50 51 public static void main(String[] args) throws Exception { 52 53 // Three test cases: 54 // 1. renewTGT=false 55 // 2. renewTGT=true with a short life time, renew will happen 56 // 3. renewTGT=true with a long life time, renew won't happen 57 int test = Integer.parseInt(args[0]); 58 59 OneKDC k = new OneKDC(null); 60 KDC.saveConfig(OneKDC.KRB5_CONF, k, 61 "renew_lifetime = 1d", 62 "ticket_lifetime = " + (test == 2? "10s": "8h")); 63 Config.refresh(); 64 k.writeJAASConf(); 65 66 // KDC would save ccache in a file 67 System.setProperty("test.kdc.save.ccache", "cache.here"); 68 69 Files.write(Paths.get(OneKDC.JAAS_CONF), Arrays.asList( 70 "first {", 71 " com.sun.security.auth.module.Krb5LoginModule required;", 72 "};", 73 "second {", 74 " com.sun.security.auth.module.Krb5LoginModule required", 75 " doNotPrompt=true", 76 " renewTGT=" + (test != 1), 77 " useTicketCache=true", 78 " ticketCache=cache.here;", 79 "};" 80 )); 81 82 Context c; 83 84 // The first login uses username and password 85 c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); 86 Date d1 = c.s().getPrivateCredentials(KerberosTicket.class).iterator().next().getAuthTime(); 87 88 // 6s is longer than half of 10s 89 Thread.sleep(6000); 90 91 // The second login uses the cache 92 c = Context.fromJAAS("second"); 93 Date d2 = c.s().getPrivateCredentials(KerberosTicket.class).iterator().next().getAuthTime(); 94 95 if (test == 2) { 96 if (d1.equals(d2)) { 97 throw new Exception("Ticket not renewed"); 98 } 99 } else { 100 if (!d1.equals(d2)) { 101 throw new Exception("Ticket renewed"); 102 } 103 } 104 } 105 }