1/* 2 * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. 8 * 9 * This code is distributed in the hope that it will be useful, but WITHOUT 10 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 11 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 12 * version 2 for more details (a copy is included in the LICENSE file that 13 * accompanied this code). 14 * 15 * You should have received a copy of the GNU General Public License version 16 * 2 along with this work; if not, write to the Free Software Foundation, 17 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 18 * 19 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 20 * or visit www.oracle.com if you need additional information or have any 21 * questions. 22 */ 23 24/* 25 * @test 26 * @bug 8022582 27 * @summary Relax response flags checking in sun.security.krb5.KrbKdcRep.check. 28 * @compile -XDignore.symbol.file ForwardableCheck.java 29 * @run main/othervm ForwardableCheck 30 */ 31 32import org.ietf.jgss.GSSException; 33import sun.security.jgss.GSSUtil; 34 35import java.util.Arrays; 36 37public class ForwardableCheck { 38 39 public static void main(String[] args) throws Exception { 40 OneKDC kdc = new OneKDC(null); 41 kdc.writeJAASConf(); 42 43 // USER can impersonate someone else 44 kdc.setOption(KDC.Option.ALLOW_S4U2SELF, 45 Arrays.asList(OneKDC.USER + "@" + OneKDC.REALM)); 46 // USER2 is sensitive 47 kdc.setOption(KDC.Option.SENSITIVE_ACCOUNTS, 48 Arrays.asList(OneKDC.USER2 + "@" + OneKDC.REALM)); 49 50 Context c; 51 52 // USER2 is sensitive but it's still able to get a normal ticket 53 c = Context.fromUserPass(OneKDC.USER2, OneKDC.PASS2, false); 54 55 // ... and connect to another account 56 c.startAsClient(OneKDC.USER, GSSUtil.GSS_KRB5_MECH_OID); 57 c.x().requestCredDeleg(true); 58 c.x().requestMutualAuth(false); 59 60 c.take(new byte[0]); 61 62 if (!c.x().isEstablished()) { 63 throw new Exception("Context should have been established"); 64 } 65 66 // ... but will not be able to delegate itself 67 if (c.x().getCredDelegState()) { 68 throw new Exception("Impossible"); 69 } 70 71 // Although USER is allowed to impersonate other people, 72 // it cannot impersonate USER2 coz it's sensitive. 73 c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); 74 try { 75 c.impersonate(OneKDC.USER2); 76 throw new Exception("Should fail"); 77 } catch (GSSException e) { 78 e.printStackTrace(); 79 } 80 } 81} 82