public static void main(String[] args) throws Exception { Oid mech; if (args[0].equals("spnego")) { mech = GSSUtil.GSS_SPNEGO_MECH_OID; } else if (args[0].contains("krb5")) { mech = GSSUtil.GSS_KRB5_MECH_OID; } else { throw new Exception("Unknown mech"); } OneKDC kdc = new OneKDC(null); kdc.writeJAASConf(); kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false); Map<String, List<String>> map = new HashMap<>(); map.put( OneKDC.SERVER + "@" + OneKDC.REALM, Arrays.asList(new String[] {OneKDC.BACKEND + "@" + OneKDC.REALM})); kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map); Context c, s, b; c = Context.fromJAAS("client"); s = Context.fromJAAS("server"); b = Context.fromJAAS("backend"); c.startAsClient(OneKDC.SERVER, mech); s.startAsServer(null, mech, false); Context.handshake(c, s); Context p = s.delegated(); p.startAsClient(OneKDC.BACKEND, mech); b.startAsServer(mech); Context.handshake(p, b); p.startAsClient(OneKDC.BACKEND, mech); b.startAsServer(mech); Context.handshake(p, b); }
void go() throws Exception { OneKDC k = new OneKDC(null); k.writeJAASConf(); Files.delete(Paths.get(OneKDC.KTAB)); // Starts with no keytab c = Context.fromJAAS("client"); s = Context.fromJAAS("com.sun.security.jgss.krb5.accept"); // Test 1: read new key 1 from keytab k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray()); k.writeKtab(OneKDC.KTAB); connect(); // Test 2: service key cached, find 1 in keytab (now contains 1 and 2) k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray()); k.appendKtab(OneKDC.KTAB); connect(); // Test 3: re-login. Now find 2 in keytab c = Context.fromJAAS("client"); connect(); // Test 4: re-login, KDC use 3 this time. c = Context.fromJAAS("client"); // Put 3 and 4 into keytab but keep the real key back to 3. k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray()); k.appendKtab(OneKDC.KTAB); k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray()); k.appendKtab(OneKDC.KTAB); k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray()); connect(); // Test 5: invalid keytab file, should ignore try (FileOutputStream fos = new FileOutputStream(OneKDC.KTAB)) { fos.write("BADBADBAD".getBytes()); } connect(); // Test 6: delete keytab file, identical to revoke all Files.delete(Paths.get(OneKDC.KTAB)); try { connect(); throw new Exception("Should not success"); } catch (GSSException gsse) { System.out.println(gsse); KrbException ke = (KrbException) gsse.getCause(); // KrbApReq.authenticate(*) if (dkey == null)... // This should have been Krb5.KRB_AP_ERR_NOKEY if (ke.returnCode() != Krb5.API_INVALID_ARG) { throw new Exception("Not expected failure code: " + ke.returnCode()); } } // Test 7: 3 revoked, should fail (now contains only 5) k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray()); k.writeKtab(OneKDC.KTAB); // overwrite keytab, which means // old key is revoked try { connect(); throw new Exception("Should not success"); } catch (GSSException gsse) { System.out.println(gsse); // Since 7197159, different kvno is accepted, this return code // will never be thrown out again. // KrbException ke = (KrbException)gsse.getCause(); // if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) { // throw new Exception("Not expected failure code: " + // ke.returnCode()); // } } // Test 8: an empty KDC means revoke all KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB); try { connect(); throw new Exception("Should not success"); } catch (GSSException gsse) { System.out.println(gsse); KrbException ke = (KrbException) gsse.getCause(); // KrbApReq.authenticate(*) if (dkey == null)... // This should have been Krb5.KRB_AP_ERR_NOKEY if (ke.returnCode() != Krb5.API_INVALID_ARG) { throw new Exception("Not expected failure code: " + ke.returnCode()); } } }