1 /*
2 * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25
26 package sun.net.www.protocol.http;
27
28 import java.net.URL;
29 import java.io.IOException;
30 import java.net.Authenticator.RequestorType;
31 import java.util.Base64;
32 import java.util.HashMap;
33 import sun.net.www.HeaderParser;
34 import sun.util.logging.PlatformLogger;
35 import static sun.net.www.protocol.http.AuthScheme.NEGOTIATE;
36 import static sun.net.www.protocol.http.AuthScheme.KERBEROS;
37 import sun.security.action.GetPropertyAction;
38
39 /**
40 * NegotiateAuthentication:
41 *
42 * @author weijun.wang@sun.com
43 * @since 1.6
44 */
45
46 class NegotiateAuthentication extends AuthenticationInfo {
47
48 @java.io.Serial
49 private static final long serialVersionUID = 100L;
50 private static final PlatformLogger logger = HttpURLConnection.getHttpLogger();
51
52 private final HttpCallerInfo hci;
53
54 // These maps are used to manage the GSS availability for diffrent
55 // hosts. The key for both maps is the host name.
56 // <code>supported</code> is set when isSupported is checked,
57 // if it's true, a cached Negotiator is put into <code>cache</code>.
58 // the cache can be used only once, so after the first use, it's cleaned.
59 static HashMap <String, Boolean> supported = null;
60 static ThreadLocal <HashMap <String, Negotiator>> cache = null;
61 /* Whether cache is enabled for Negotiate/Kerberos */
62 private static final boolean cacheSPNEGO;
63 static {
64 String spnegoCacheProp =
65 GetPropertyAction.privilegedGetProperty("jdk.spnego.cache", "true");
66 cacheSPNEGO = Boolean.parseBoolean(spnegoCacheProp);
67 }
68
69 // The HTTP Negotiate Helper
70 private Negotiator negotiator = null;
71
72 /**
73 * Constructor used for both WWW and proxy entries.
74 * @param hci a schemed object.
75 */
76 public NegotiateAuthentication(HttpCallerInfo hci) {
77 super(RequestorType.PROXY==hci.authType ? PROXY_AUTHENTICATION : SERVER_AUTHENTICATION,
78 hci.scheme.equalsIgnoreCase("Negotiate") ? NEGOTIATE : KERBEROS,
79 hci.url,
80 "",
81 AuthenticatorKeys.getKey(hci.authenticator));
82 this.hci = hci;
83 }
84
85 /**
86 * @return true if this authentication supports preemptive authorization
87 */
88 @Override
89 public boolean supportsPreemptiveAuthorization() {
90 return false;
91 }
92
93 /**
94 * Find out if the HttpCallerInfo supports Negotiate protocol.
95 * @return true if supported
96 */
97 public static boolean isSupported(HttpCallerInfo hci) {
98 ClassLoader loader = null;
99 try {
100 loader = Thread.currentThread().getContextClassLoader();
101 } catch (SecurityException se) {
102 if (logger.isLoggable(PlatformLogger.Level.FINER)) {
103 logger.finer("NegotiateAuthentication: " +
104 "Attempt to get the context class loader failed - " + se);
105 }
106 }
107
108 if (loader != null) {
109 // Lock on the class loader instance to avoid the deadlock engaging
110 // the lock in "ClassLoader.loadClass(String, boolean)" method.
111 synchronized (loader) {
112 return isSupportedImpl(hci);
113 }
114 }
115 return isSupportedImpl(hci);
116 }
117
118 /**
119 * Find out if the HttpCallerInfo supports Negotiate protocol. In order to
120 * find out yes or no, an initialization of a Negotiator object against it
121 * is tried. The generated object will be cached under the name of ths
122 * hostname at a success try.<br>
123 *
124 * If this method is called for the second time on an HttpCallerInfo with
125 * the same hostname, the answer is retrieved from cache.
126 *
127 * @return true if supported
128 */
129 private static synchronized boolean isSupportedImpl(HttpCallerInfo hci) {
130 if (supported == null) {
131 supported = new HashMap<>();
132 }
133 String hostname = hci.host;
134 hostname = hostname.toLowerCase();
135 if (supported.containsKey(hostname)) {
136 return supported.get(hostname);
137 }
138
139 Negotiator neg = Negotiator.getNegotiator(hci);
140 if (neg != null) {
141 supported.put(hostname, true);
142 // the only place cache.put is called. here we can make sure
143 // the object is valid and the oneToken inside is not null
144 if (cache == null) {
145 cache = new ThreadLocal<>() {
146 @Override
147 protected HashMap<String, Negotiator> initialValue() {
148 return new HashMap<>();
149 }
150 };
151 }
152 cache.get().put(hostname, neg);
153 return true;
154 } else {
155 supported.put(hostname, false);
156 return false;
157 }
158 }
159
160 private static synchronized HashMap<String, Negotiator> getCache() {
161 if (cache == null) return null;
162 return cache.get();
163 }
164
165 @Override
166 protected boolean useAuthCache() {
167 return super.useAuthCache() && cacheSPNEGO;
168 }
169
170 /**
171 * Not supported. Must use the setHeaders() method
172 */
173 @Override
174 public String getHeaderValue(URL url, String method) {
175 throw new RuntimeException ("getHeaderValue not supported");
176 }
177
178 /**
179 * Check if the header indicates that the current auth. parameters are stale.
180 * If so, then replace the relevant field with the new value
181 * and return true. Otherwise return false.
182 * returning true means the request can be retried with the same userid/password
183 * returning false means we have to go back to the user to ask for a new
184 * username password.
185 */
186 @Override
187 public boolean isAuthorizationStale (String header) {
188 return false; /* should not be called for Negotiate */
189 }
190
191 /**
192 * Set header(s) on the given connection.
193 * @param conn The connection to apply the header(s) to
194 * @param p A source of header values for this connection, not used because
195 * HeaderParser converts the fields to lower case, use raw instead
196 * @param raw The raw header field.
197 * @return true if all goes well, false if no headers were set.
198 */
199 @Override
200 public synchronized boolean setHeaders(HttpURLConnection conn, HeaderParser p, String raw) {
201
202 try {
203 String response;
204 byte[] incoming = null;
205 String[] parts = raw.split("\\s+");
206 if (parts.length > 1) {
207 incoming = Base64.getDecoder().decode(parts[1]);
208 }
209 response = hci.scheme + " " + Base64.getEncoder().encodeToString(
210 incoming==null?firstToken():nextToken(incoming));
211
212 conn.setAuthenticationProperty(getHeaderName(), response);
213 return true;
214 } catch (IOException e) {
215 return false;
216 }
217 }
218
219 /**
220 * return the first token.
221 * @return the token
222 * @throws IOException if <code>Negotiator.getNegotiator()</code> or
223 * <code>Negotiator.firstToken()</code> failed.
224 */
225 private byte[] firstToken() throws IOException {
226 negotiator = null;
227 HashMap <String, Negotiator> cachedMap = getCache();
228 if (cachedMap != null) {
229 negotiator = cachedMap.get(getHost());
230 if (negotiator != null) {
231 cachedMap.remove(getHost()); // so that it is only used once
232 }
233 }
234 if (negotiator == null) {
235 negotiator = Negotiator.getNegotiator(hci);
236 if (negotiator == null) {
237 IOException ioe = new IOException("Cannot initialize Negotiator");
238 throw ioe;
239 }
240 }
241
242 return negotiator.firstToken();
243 }
244
245 /**
246 * return more tokens
247 * @param token the token to be fed into <code>negotiator.nextToken()</code>
248 * @return the token
249 * @throws IOException if <code>negotiator.nextToken()</code> throws Exception.
250 * May happen if the input token is invalid.
251 */
252 private byte[] nextToken(byte[] token) throws IOException {
253 return negotiator.nextToken(token);
254 }
255
256 // MS will send a final WWW-Authenticate even if the status is already
257 // 200 OK. The token can be fed into initSecContext() again to determine
258 // if the server can be trusted. This is not the same concept as Digest's
259 // Authentication-Info header.
260 //
261 // Currently we ignore this header.
262
263 }