KrbTicket.java example

Explorer
openjdk-master
/*
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

import java.nio.file.Files;
import java.nio.file.Paths;
import java.time.Instant;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

/*
 * @test
 * @bug 6857795 8075299
 * @summary Checks Kerberos ticket properties
 * @run main/othervm KrbTicket
 */
public class KrbTicket {

    private static final String REALM = "TEST.REALM";
    private static final String HOST = "localhost";
    private static final String USER = "TESTER";
    private static final String USER_PRINCIPAL = USER + "@" + REALM;
    private static final String PASSWORD = "password";
    private static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
    private static final String KRB5_CONF_FILENAME = "krb5.conf";
    private static final String JAAS_CONF = "jaas.conf";
    private static final long TICKET_LIFTETIME = 5 * 60 * 1000; // 5 mins

    public static void main(String[] args) throws Exception {
        // define principals
        Map<String, String> principals = new HashMap<>();
        principals.put(USER_PRINCIPAL, PASSWORD);
        principals.put(KRBTGT_PRINCIPAL, null);

        System.setProperty("java.security.krb5.conf", KRB5_CONF_FILENAME);

        // start a local KDC instance
        KDC kdc = KDC.startKDC(HOST, null, REALM, principals, null, null);
        KDC.saveConfig(KRB5_CONF_FILENAME, kdc,
                "forwardable = true", "proxiable = true");

        // create JAAS config
        Files.write(Paths.get(JAAS_CONF), Arrays.asList(
                "Client {",
                "    com.sun.security.auth.module.Krb5LoginModule required;",
                "};"
        ));
        System.setProperty("java.security.auth.login.config", JAAS_CONF);
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

        long startTime = Instant.now().getEpochSecond() * 1000;

        LoginContext lc = new LoginContext("Client",
                new Helper.UserPasswordHandler(USER, PASSWORD));
        lc.login();

        Subject subject = lc.getSubject();
        System.out.println("subject: " + subject);

        Set creds = subject.getPrivateCredentials(
                KerberosTicket.class);

        if (creds.size() > 1) {
            throw new RuntimeException("Multiple credintials found");
        }

        Object o = creds.iterator().next();
        if (!(o instanceof KerberosTicket)) {
            throw new RuntimeException("Instance of KerberosTicket expected");
        }
        KerberosTicket krbTkt = (KerberosTicket) o;

        System.out.println("forwardable = " + krbTkt.isForwardable());
        System.out.println("proxiable   = " + krbTkt.isProxiable());
        System.out.println("renewable   = " + krbTkt.isRenewable());
        System.out.println("current     = " + krbTkt.isCurrent());

        if (!krbTkt.isForwardable()) {
            throw new RuntimeException("Forwardable ticket expected");
        }

        if (!krbTkt.isProxiable()) {
            throw new RuntimeException("Proxiable ticket expected");
        }

        if (!krbTkt.isCurrent()) {
            throw new RuntimeException("Ticket is not current");
        }

        if (krbTkt.isRenewable()) {
            throw new RuntimeException("Not renewable ticket expected");
        }
        try {
            krbTkt.refresh();
            throw new RuntimeException(
                    "Expected RefreshFailedException not thrown");
        } catch(RefreshFailedException e) {
            System.out.println("Expected exception: " + e);
        }

        if (!checkTime(krbTkt, startTime)) {
            throw new RuntimeException("Wrong ticket life time");
        }

        krbTkt.destroy();
        if (!krbTkt.isDestroyed()) {
            throw new RuntimeException("Ticket not destroyed");
        }

        System.out.println("Test passed");
    }

    private static boolean checkTime(KerberosTicket krbTkt, long startTime) {
        long ticketEndTime = krbTkt.getEndTime().getTime();
        long roughLifeTime = ticketEndTime - startTime;
        System.out.println("start time            = " + startTime);
        System.out.println("end time              = " + ticketEndTime);
        System.out.println("rough life time       = " + roughLifeTime);
        return roughLifeTime >= TICKET_LIFTETIME;
    }
}