svn path=/trunk/mcs/; revision=52628
+2005-11-06 Konstantin Triger <kostat@mainsoft.com>
+
+ * SecureStream.cs, CreateContextPrivilegedAction.cs, Krb5Helper.cs:
+ create GSSCredential only once, cleanup
+
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* CreateContextPrivilegedAction.cs: always require mutual auth;
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* CreateContextPrivilegedAction.cs: always require mutual auth;
private readonly bool _signing;\r
private readonly bool _delegation;\r
private readonly string _name;\r
private readonly bool _signing;\r
private readonly bool _delegation;\r
private readonly string _name;\r
+ private readonly string _clientName;\r
private readonly string _mech;\r
\r
#endregion //Fields\r
\r
#region Constructors\r
\r
private readonly string _mech;\r
\r
#endregion //Fields\r
\r
#region Constructors\r
\r
- public CreateContextPrivilegedAction(string name, string mech, bool encryption, bool signing, bool delegation)\r
+ public CreateContextPrivilegedAction(string name, string clientName, string mech, bool encryption, bool signing, bool delegation)\r
+ _clientName = clientName;\r
_mech = mech;\r
_encryption = encryption;\r
_signing = signing;\r
_mech = mech;\r
_encryption = encryption;\r
_signing = signing;\r
try { \r
Oid krb5Oid = new Oid (_mech);\r
GSSManager manager = GSSManager.getInstance ();\r
try { \r
Oid krb5Oid = new Oid (_mech);\r
GSSManager manager = GSSManager.getInstance ();\r
- GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);\r
- GSSContext context = manager.createContext (serverName, krb5Oid, null, GSSContext__Finals.INDEFINITE_LIFETIME);\r
+ GSSName clientName = \r
+ manager.createName(_clientName, GSSName__Finals.NT_USER_NAME);\r
+ GSSCredential clientCreds =\r
+ manager.createCredential(clientName,\r
+ GSSContext__Finals.INDEFINITE_LIFETIME,\r
+ krb5Oid,\r
+ GSSCredential__Finals.INITIATE_ONLY);\r
- context.requestMutualAuth(true); \r
- context.requestConf (_encryption);\r
- if (!_encryption || _signing)\r
- context.requestInteg (!_encryption || _signing); \r
- context.requestCredDeleg (_delegation);\r
+// try {\r
+ GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);\r
+ GSSContext context = manager.createContext (serverName, krb5Oid, clientCreds, GSSContext__Finals.INDEFINITE_LIFETIME);\r
+ context.requestMutualAuth(true); \r
+ context.requestConf (_encryption);\r
+ if (!_encryption || _signing)\r
+ context.requestInteg (!_encryption || _signing); \r
+ context.requestCredDeleg (_delegation);\r
+\r
+ return context;\r
+// }\r
+// finally {\r
+// // Calling this throws GSSException: Operation unavailable...\r
+// clientCreds.dispose();\r
+// }\r
}\r
catch (GSSException e) {\r
throw new PrivilegedActionException (e);\r
}\r
catch (GSSException e) {\r
throw new PrivilegedActionException (e);\r
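Review bot: The GSSCredential acquired at L49-L53 has no owner once the action returns: the `finally` that would release it is commented out (L70-L73), only the context is returned (L68), and the `catch (GSSException e)` at L78 does not dispose it when `createName`/`createContext` fail after acquisition, so each failed or completed bind leaves a credential handle holding Kerberos ticket material alive. The commented-out dispose presumably failed because the context still needs the credential during establishment, which means the credential must outlive the context rather than the action; I would hand it back alongside the context (a small result object, or a second field read after `Subject.doAs`) so Krb5Helper's Dispose can release it after `Context.dispose()`. On the failure path the credential can be released right here, as below. The enclosing run() method starts and ends outside the hunk.
```csharp
GSSCredential clientCreds =
    manager.createCredential(clientName,
        GSSContext__Finals.INDEFINITE_LIFETIME,
        krb5Oid,
        GSSCredential__Finals.INITIATE_ONLY);
try {
    GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);
    GSSContext context = manager.createContext (serverName, krb5Oid, clientCreds, GSSContext__Finals.INDEFINITE_LIFETIME);
    // … unchanged: requestMutualAuth / requestConf / requestInteg / requestCredDeleg …
    return context;
}
catch (GSSException) {
    // No context is handed out, so nothing else can ever release the credential.
    // Best effort: a dispose failure here must not hide the original error.
    try { clientCreds.dispose(); } catch (GSSException) { }
    throw;
}
```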
\r
namespace Novell.Directory.Ldap.Security\r
{\r
\r
namespace Novell.Directory.Ldap.Security\r
{\r
- internal class Krb5Helper\r
+ internal class Krb5Helper : IDisposable\r
{\r
enum QOP {\r
NO_PROTECTION = 1,
{\r
enum QOP {\r
NO_PROTECTION = 1,
\r
private readonly GSSContext _context;\r
\r
\r
private readonly GSSContext _context;\r
\r
- private readonly string _name;\r
- private readonly Subject _subject;\r
- private readonly string _mech;\r
-\r
#endregion // Fields\r
\r
#region Constructors\r
\r
#endregion // Fields\r
\r
#region Constructors\r
\r
- public Krb5Helper(string name, Subject subject, AuthenticationTypes authenticationTypes, string mech)\r
+ public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)\r
- _name = name;\r
- _subject = subject;\r
- _mech = mech;\r
-\r
_encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;\r
_signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;\r
_delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;\r
\r
_encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;\r
_signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;\r
_delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;\r
\r
- CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (_name,_mech,_encryption,_signing,_delegation);\r
- _context = (GSSContext) Subject.doAs (_subject,action);\r
+ CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (name, clientName, mech,_encryption,_signing,_delegation);\r
+ try {\r
+ _context = (GSSContext) Subject.doAs (subject,action);\r
+ }\r
+ catch (PrivilegedActionException e) {\r
+ throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e.getCause()); \r
+ }\r
}\r
\r
#endregion // Constructors\r
}\r
\r
#endregion // Constructors\r
return TypeUtils.ToSByteArray (gssOutToken);\r
}\r
\r
return TypeUtils.ToSByteArray (gssOutToken);\r
}\r
\r
- sbyte [] token;\r
- try {\r
- ExchangeTokenPrivilegedAction action = new ExchangeTokenPrivilegedAction (Context, clientToken);
- token = (sbyte []) Subject.doAs (_subject, action);\r
- } \r
- catch (PrivilegedActionException e) {\r
- throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e); \r
- }\r
+ sbyte [] token = Context.initSecContext (clientToken, 0, clientToken.Length);\r
\r
if (Context.isEstablished ()) {\r
\r
\r
if (Context.isEstablished ()) {\r
\r
- try {\r
- WrapPrivilegedAction action = new WrapPrivilegedAction (Context, outgoing, start, len, messageProp);\r
- return (byte []) Subject.doAs (_subject, action); \r
- } \r
- catch (PrivilegedActionException e) {\r
- throw new LdapException ("Problem performing GSS wrap",LdapException.OTHER,"",e); \r
- }\r
+ sbyte [] result = Context.wrap (TypeUtils.ToSByteArray (outgoing), start, len, messageProp);\r
+ return (byte []) TypeUtils.ToByteArray (result);\r
}\r
\r
public byte [] Unwrap(byte [] incoming, int start, int len) \r
}\r
\r
public byte [] Unwrap(byte [] incoming, int start, int len) \r
- try {\r
- UnwrapPrivilegedAction action = new UnwrapPrivilegedAction (Context, incoming, start, len, messageProp);\r
- return (byte []) Subject.doAs (_subject, action);\r
- } \r
- catch (PrivilegedActionException e) {\r
- throw new LdapException("Problems unwrapping SASL buffer",LdapException.OTHER,"",e);\r
- }\r
+ sbyte [] result = Context.unwrap (TypeUtils.ToSByteArray (incoming), start, len, messageProp);\r
+ return (byte []) TypeUtils.ToByteArray (result);\r
}\r
\r
#endregion // Methods\r
}\r
\r
#endregion // Methods\r
+\r
+ #region IDisposable Members\r
+\r
+ public void Dispose() {\r
+ Context.dispose();\r
+ }\r
+\r
+ #endregion\r
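Review bot: `Dispose()` at L195-L197 lets `Context.dispose()` propagate and is not idempotent — the JGSS `GSSContext.dispose()` is declared to throw GSSException, and both the bind failure path (L246) and SecureStream.Close (L202) can reach the same helper, so a second call or a failing release turns cleanup into an exception. I would make it non-throwing and safe to call twice, as below. Separately, `initSecContext` at L155 now runs outside `Subject.doAs`; that is only correct if the service-ticket exchange never needs to read the Subject's private credentials, which presumably was verified against this JGSS binding but deserves a comment such as `// Runs outside Subject.doAs: the initiator credential acquired in CreateContextPrivilegedAction is sufficient for ticket acquisition.` The class header is visible but the methods around L141-L186 are cut by the hunks.
```csharp
private bool _disposed;

public void Dispose() {
    if (_disposed)
        return;
    _disposed = true;
    try {
        Context.dispose();
    }
    catch (GSSException) {
        // The context is unusable either way; nothing further to release here.
    }
}
```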
+ public override void Close() {\r
+ _stream.Close();\r
+ _helper.Dispose();\r
+ }\r
+\r
private int Fill()\r
{\r
int actual = ReadAll (_lenBuf, 4);\r
private int Fill()\r
{\r
int actual = ReadAll (_lenBuf, 4);\r
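Review bot: `Close()` at L200-L203 disposes the helper only when `_stream.Close()` returns normally, so a failing stream close leaves the GSS context (and whatever credential it holds) alive. I would write `try { _stream.Close(); } finally { _helper.Dispose(); }`. Because the helper's Dispose currently calls `Context.dispose()`, which can itself throw, either make that Dispose non-throwing or accept that a throw from the finally masks the stream error; the class body around Close() is outside the hunk, so I cannot tell whether Close() can be invoked twice.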
+2005-11-06 Konstantin Triger <kostat@mainsoft.com>
+
+ * LdapConnection.cs: TARGET_JVM: create GSSCredential only once, cleanup
+
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* LdapConnection.cs: TARGET_JVM: throw an exception if failed during
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* LdapConnection.cs: TARGET_JVM: throw an exception if failed during
- catch (LoginException e) {
throw new LdapException ("Failed to create login security context", 80, "", e);
}
throw new LdapException ("Failed to create login security context", 80, "", e);
}
- Subject subject = loginContext.getSubject ();
-
- Krb5Helper krb5Helper = new Krb5Helper ("ldap@" + conn.Host, subject, authenticationTypes, SecurityMech);
+ Krb5Helper krb5Helper = null;
+ try {
+ krb5Helper = new Krb5Helper ("ldap@" + conn.Host, username, loginContext.getSubject (), authenticationTypes, SecurityMech);
+ }
+ finally {
+ loginContext.logout();
+ }
sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);
for (;;) {
LdapResponseQueue queue = Bind(LdapConnection.Ldap_V3, username, token, null, null, AuthenticationMech);
LdapResponse res = (LdapResponse) queue.getResponse ();
if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS &&
sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);
for (;;) {
LdapResponseQueue queue = Bind(LdapConnection.Ldap_V3, username, token, null, null, AuthenticationMech);
LdapResponse res = (LdapResponse) queue.getResponse ();
if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS &&
- res.ResultCode != LdapException.SUCCESS)
+ res.ResultCode != LdapException.SUCCESS) {
+ krb5Helper.Dispose();
throw new LdapException(ExceptionMessages.CONNECTION_ERROR, res.ResultCode, res.ErrorMessage);
throw new LdapException(ExceptionMessages.CONNECTION_ERROR, res.ResultCode, res.ErrorMessage);
Asn1OctetString serverSaslCreds = ((RfcBindResponse)res.Asn1Object.Response).ServerSaslCreds;
token = serverSaslCreds != null ? serverSaslCreds.byteValue () : null;
Asn1OctetString serverSaslCreds = ((RfcBindResponse)res.Asn1Object.Response).ServerSaslCreds;
token = serverSaslCreds != null ? serverSaslCreds.byteValue () : null;
- private string SecurityMech
+ static string SecurityMech
{
get {
string securityMech = null;
{
get {
string securityMech = null;
- private string SecurityAppName
+ static string SecurityAppName
{
get {
string securityAppName = null;
{
get {
string securityAppName = null;
- private string AuthenticationMech
+ static string AuthenticationMech
{
get {
string authenticationMech = null;
{
get {
string authenticationMech = null;
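Review bot: In the bind hunk (L227-L252) `krb5Helper` is disposed only on a non-success result code (L245-L246); an exception from `ExchangeTokens` (L234), `Bind` or `getResponse` (L236-L237) or the token extraction (L249-L250) leaves the GSS context and its credential undisposed, and these are the calls most likely to fail against a misconfigured KDC. I would wrap the exchange loop so that any failure before the helper is handed off releases it, as below, after which the explicit Dispose at L246 becomes redundant. The `loginContext.logout()` at L232 runs before the token exchange, so this relies on the GSSCredential not referencing the Subject's live ticket objects — presumably a copy, but worth a one-line comment there. The loop's tail and the hand-off of the helper to the secure stream are outside the hunk; the static-property hunks at L253-L276 are a trivial modifier change.
```csharp
// … unchanged: Krb5Helper construction and loginContext.logout() …
try {
    sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);
    for (;;) {
        // … unchanged: Bind / getResponse / result-code check / ServerSaslCreds extraction …
    }
}
catch {
    // Until the secure stream takes ownership, nothing else can release the context.
    krb5Helper.Dispose();
    throw;
}
```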