mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-28 07:14:30 +02:00
8279842: HTTPS Channel Binding support for Java GSS/Kerberos
Co-authored-by: Weijun Wang <weijun.wang@oracle.com> Reviewed-by: dfuchs, weijun, darcy
This commit is contained in:
Michael McMahon
parent
0e70d4504c
commit
de3113b998
11 changed files with 587 additions and 37 deletions
|
|
@ -144,12 +144,27 @@ public class HttpClient extends NetworkClient {
|
|||
// Traffic capture tool, if configured. See HttpCapture class for info
|
||||
private HttpCapture capture = null;
|
||||
|
||||
/* "jdk.https.negotiate.cbt" property can be set to "always" (always sent), "never" (never sent) or
|
||||
* "domain:a,c.d,*.e.f" (sent to host a, or c.d or to the domain e.f and any of its subdomains). This is
|
||||
* a comma separated list of arbitrary length with no white-space allowed.
|
||||
* If enabled (for a particular destination) then Negotiate/SPNEGO authentication requests will include
|
||||
* a channel binding token for the destination server. The default behavior and setting for the
|
||||
* property is "never"
|
||||
*/
|
||||
private static final String spnegoCBT;
|
||||
|
||||
private static final PlatformLogger logger = HttpURLConnection.getHttpLogger();
|
||||
|
||||
private static void logFinest(String msg) {
|
||||
if (logger.isLoggable(PlatformLogger.Level.FINEST)) {
|
||||
logger.finest(msg);
|
||||
}
|
||||
}
|
||||
private static void logError(String msg) {
|
||||
if (logger.isLoggable(PlatformLogger.Level.SEVERE)) {
|
||||
logger.severe(msg);
|
||||
}
|
||||
}
|
||||
|
||||
protected volatile String authenticatorKey;
|
||||
|
||||
|
|
@ -165,6 +180,18 @@ public class HttpClient extends NetworkClient {
|
|||
return keepAliveTimeout;
|
||||
}
|
||||
|
||||
static String normalizeCBT(String s) {
|
||||
if (s == null || s.equals("never")) {
|
||||
return "never";
|
||||
}
|
||||
if (s.equals("always") || s.startsWith("domain:")) {
|
||||
return s;
|
||||
} else {
|
||||
logError("Unexpected value for \"jdk.https.negotiate.cbt\" system property");
|
||||
return "never";
|
||||
}
|
||||
}
|
||||
|
||||
static {
|
||||
Properties props = GetPropertyAction.privilegedGetProperties();
|
||||
String keepAlive = props.getProperty("http.keepAlive");
|
||||
|
|
@ -172,6 +199,9 @@ public class HttpClient extends NetworkClient {
|
|||
String cacheNTLM = props.getProperty("jdk.ntlm.cache");
|
||||
String cacheSPNEGO = props.getProperty("jdk.spnego.cache");
|
||||
|
||||
String s = props.getProperty("jdk.https.negotiate.cbt");
|
||||
spnegoCBT = normalizeCBT(s);
|
||||
|
||||
if (keepAlive != null) {
|
||||
keepAliveProp = Boolean.parseBoolean(keepAlive);
|
||||
} else {
|
||||
|
|
@ -206,6 +236,10 @@ public class HttpClient extends NetworkClient {
|
|||
}
|
||||
|
||||
|
||||
public String getSpnegoCBT() {
|
||||
return spnegoCBT;
|
||||
}
|
||||
|
||||
protected HttpClient() {
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ import java.net.Authenticator;
|
|||
import java.net.Authenticator.RequestorType;
|
||||
import java.net.InetAddress;
|
||||
import java.net.URL;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
/**
|
||||
* Used in HTTP/Negotiate, to feed HTTP request info into JGSS as a HttpCaller,
|
||||
|
|
@ -51,6 +52,9 @@ public final class HttpCallerInfo {
|
|||
public final InetAddress addr;
|
||||
public final RequestorType authType;
|
||||
public final Authenticator authenticator;
|
||||
// Used to obtain server cert for SPNEGO CBT.
|
||||
// May be null in which case CBT is not set
|
||||
public final X509Certificate serverCert;
|
||||
|
||||
/**
|
||||
* Create a schemed object based on an un-schemed one.
|
||||
|
|
@ -65,13 +69,19 @@ public final class HttpCallerInfo {
|
|||
this.authType = old.authType;
|
||||
this.scheme = scheme;
|
||||
this.authenticator = old.authenticator;
|
||||
this.serverCert = old.serverCert;
|
||||
}
|
||||
|
||||
/**
|
||||
* Constructor an un-schemed object for site access.
|
||||
*/
|
||||
public HttpCallerInfo(URL url, Authenticator a) {
|
||||
this(url, null, a);
|
||||
}
|
||||
|
||||
public HttpCallerInfo(URL url, X509Certificate serverCert, Authenticator a) {
|
||||
this.url= url;
|
||||
this.serverCert= serverCert;
|
||||
prompt = "";
|
||||
host = url.getHost();
|
||||
|
||||
|
|
@ -100,9 +110,14 @@ public final class HttpCallerInfo {
|
|||
* Constructor an un-schemed object for proxy access.
|
||||
*/
|
||||
public HttpCallerInfo(URL url, String host, int port, Authenticator a) {
|
||||
this(url, host, port, null, a);
|
||||
}
|
||||
|
||||
public HttpCallerInfo(URL url, String host, int port, X509Certificate serverCert, Authenticator a) {
|
||||
this.url= url;
|
||||
this.host = host;
|
||||
this.port = port;
|
||||
this.serverCert = serverCert;
|
||||
prompt = "";
|
||||
addr = null;
|
||||
protocol = url.getProtocol();
|
||||
|
|
|
|||
|
|
@ -1739,7 +1739,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
|
|||
AuthenticationHeader authhdr = new AuthenticationHeader (
|
||||
"Proxy-Authenticate",
|
||||
responses,
|
||||
new HttpCallerInfo(url,
|
||||
getHttpCallerInfo(url,
|
||||
http.getProxyHostUsed(),
|
||||
http.getProxyPortUsed(),
|
||||
authenticator),
|
||||
|
|
@ -1814,7 +1814,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
|
|||
|
||||
srvHdr = new AuthenticationHeader (
|
||||
"WWW-Authenticate", responses,
|
||||
new HttpCallerInfo(url, authenticator),
|
||||
getHttpCallerInfo(url, authenticator),
|
||||
dontUseNegotiate
|
||||
);
|
||||
|
||||
|
|
@ -2210,7 +2210,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
|
|||
AuthenticationHeader authhdr = new AuthenticationHeader(
|
||||
"Proxy-Authenticate",
|
||||
responses,
|
||||
new HttpCallerInfo(url,
|
||||
getHttpCallerInfo(url,
|
||||
http.getProxyHostUsed(),
|
||||
http.getProxyPortUsed(),
|
||||
authenticator),
|
||||
|
|
@ -2279,6 +2279,21 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
|
|||
responses.reset();
|
||||
}
|
||||
|
||||
/**
|
||||
* Overridden in https to also include the server certificate
|
||||
*/
|
||||
protected HttpCallerInfo getHttpCallerInfo(URL url, String proxy, int port,
|
||||
Authenticator authenticator) {
|
||||
return new HttpCallerInfo(url, proxy, port, authenticator);
|
||||
}
|
||||
|
||||
/**
|
||||
* Overridden in https to also include the server certificate
|
||||
*/
|
||||
protected HttpCallerInfo getHttpCallerInfo(URL url, Authenticator authenticator) {
|
||||
return new HttpCallerInfo(url, authenticator);
|
||||
}
|
||||
|
||||
static String connectRequestURI(URL url) {
|
||||
String host = url.getHost();
|
||||
int port = url.getPort();
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/*
|
||||
/**
|
||||
* Copyright (c) 2001, 2020, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
|
|
@ -25,10 +25,13 @@
|
|||
|
||||
package sun.net.www.protocol.https;
|
||||
|
||||
import java.net.Authenticator;
|
||||
import java.net.URL;
|
||||
import java.net.Proxy;
|
||||
import java.net.SecureCacheResponse;
|
||||
import java.security.Principal;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.io.IOException;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
|
|
@ -36,6 +39,7 @@ import javax.net.ssl.SSLSession;
|
|||
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||
import sun.net.www.http.*;
|
||||
import sun.net.www.protocol.http.HttpURLConnection;
|
||||
import sun.net.www.protocol.http.HttpCallerInfo;
|
||||
|
||||
/**
|
||||
* HTTPS URL connection support.
|
||||
|
|
@ -309,4 +313,71 @@ public abstract class AbstractDelegateHttpsURLConnection extends
|
|||
|
||||
return ((HttpsClient)http).getSSLSession();
|
||||
}
|
||||
|
||||
/*
|
||||
* If no SSL Session available or if the system config does not allow it
|
||||
* don't use the extended caller info (the server cert).
|
||||
* Otherwise return true to include the server cert
|
||||
*/
|
||||
private boolean useExtendedCallerInfo(URL url) {
|
||||
HttpsClient https = (HttpsClient)http;
|
||||
if (https.getSSLSession() == null) {
|
||||
return false;
|
||||
}
|
||||
String prop = http.getSpnegoCBT();
|
||||
if (prop.equals("never")) {
|
||||
return false;
|
||||
}
|
||||
String target = url.getHost();
|
||||
if (prop.startsWith("domain:")) {
|
||||
String[] domains = prop.substring(7).split(",");
|
||||
for (String domain : domains) {
|
||||
if (target.equals(domain)) {
|
||||
return true;
|
||||
}
|
||||
if (domain.startsWith("*.") && target.endsWith(domain.substring(1))) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
@Override
|
||||
protected HttpCallerInfo getHttpCallerInfo(URL url, String proxy, int port,
|
||||
Authenticator authenticator)
|
||||
{
|
||||
if (!useExtendedCallerInfo(url)) {
|
||||
return super.getHttpCallerInfo(url, proxy, port, authenticator);
|
||||
}
|
||||
HttpsClient https = (HttpsClient)http;
|
||||
try {
|
||||
Certificate[] certs = https.getServerCertificates();
|
||||
if (certs[0] instanceof X509Certificate x509Cert) {
|
||||
return new HttpCallerInfo(url, proxy, port, x509Cert, authenticator);
|
||||
}
|
||||
} catch (SSLPeerUnverifiedException e) {
|
||||
// ignore
|
||||
}
|
||||
return super.getHttpCallerInfo(url, proxy, port, authenticator);
|
||||
}
|
||||
|
||||
@Override
|
||||
protected HttpCallerInfo getHttpCallerInfo(URL url, Authenticator authenticator)
|
||||
{
|
||||
if (!useExtendedCallerInfo(url)) {
|
||||
return super.getHttpCallerInfo(url, authenticator);
|
||||
}
|
||||
HttpsClient https = (HttpsClient)http;
|
||||
try {
|
||||
Certificate[] certs = https.getServerCertificates();
|
||||
if (certs[0] instanceof X509Certificate x509Cert) {
|
||||
return new HttpCallerInfo(url, x509Cert, authenticator);
|
||||
}
|
||||
} catch (SSLPeerUnverifiedException e) {
|
||||
// ignore
|
||||
}
|
||||
return super.getHttpCallerInfo(url, authenticator);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue