author | Konstantin Triger <kostat@mono-cvs.ximian.com> | 2005-11-06 20:20:34 +0300 |
committer | Konstantin Triger <kostat@mono-cvs.ximian.com> | 2005-11-06 20:20:34 +0300 |
commit | 74882de47240e96910f05430881fa1dabf92aec7 (patch) | |
tree | d21ca38da6dde02c0cdd95ae0408bfb34653583c /mcs/class/Novell.Directory.Ldap | |
parent | 46680c8d115fba7cbb4553c584ff490bc17b98a8 (diff) |
create GSSCredential only once, cleanup
svn path=/trunk/mcs/; revision=52628
Diffstat (limited to 'mcs/class/Novell.Directory.Ldap')
6 files changed, 75 insertions, 51 deletions
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
index 97267527548..cc77f724ea8 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
@@ -1,3 +1,8 @@
+2005-11-06 Konstantin Triger <kostat@mainsoft.com>
+
+ * SecureStream.cs, CreateContextPrivilegedAction.cs, Krb5Helper.cs:
+ create GSSCredential only once, cleanup
+
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* CreateContextPrivilegedAction.cs: always require mutual auth;
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
index e98fb9d4053..73b280f5581 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
@@ -44,15 +44,17 @@ namespace Novell.Directory.Ldap.Security
private readonly bool _signing;
private readonly bool _delegation;
private readonly string _name;
+ private readonly string _clientName;
private readonly string _mech;
#endregion //Fields
#region Constructors
- public CreateContextPrivilegedAction(string name, string mech, bool encryption, bool signing, bool delegation)
+ public CreateContextPrivilegedAction(string name, string clientName, string mech, bool encryption, bool signing, bool delegation)
{
_name = name;
+ _clientName = clientName;
_mech = mech;
_encryption = encryption;
_signing = signing;
@@ -68,16 +70,30 @@ namespace Novell.Directory.Ldap.Security
try {
Oid krb5Oid = new Oid (_mech);
GSSManager manager = GSSManager.getInstance ();
- GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);
- GSSContext context = manager.createContext (serverName, krb5Oid, null, GSSContext__Finals.INDEFINITE_LIFETIME);
+ GSSName clientName =
+ manager.createName(_clientName, GSSName__Finals.NT_USER_NAME);
+ GSSCredential clientCreds =
+ manager.createCredential(clientName,
+ GSSContext__Finals.INDEFINITE_LIFETIME,
+ krb5Oid,
+ GSSCredential__Finals.INITIATE_ONLY);
- context.requestMutualAuth(true);
- context.requestConf (_encryption);
- if (!_encryption || _signing)
- context.requestInteg (!_encryption || _signing);
- context.requestCredDeleg (_delegation);
+// try {
+ GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);
+ GSSContext context = manager.createContext (serverName, krb5Oid, clientCreds, GSSContext__Finals.INDEFINITE_LIFETIME);
- return context;
+ context.requestMutualAuth(true);
+ context.requestConf (_encryption);
+ if (!_encryption || _signing)
+ context.requestInteg (!_encryption || _signing);
+ context.requestCredDeleg (_delegation);
+
+ return context;
+// }
+// finally {
+// // Calling this throws GSSException: Operation unavailable...
+// clientCreds.dispose();
+// }
}
catch (GSSException e) {
throw new PrivilegedActionException (e);
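Review bot: The GSSCredential obtained from `manager.createCredential(...)` is never released on this path now that the `finally` block is commented out; the context created from it is the only thing that survives, and the caller has no handle to the credential at all. The comment records that `clientCreds.dispose()` fails with "Operation unavailable"; a plausible reason is that it runs before the context is established (`initSecContext` is only invoked later, in `Krb5Helper.ExchangeTokens`), which would mean the credential should be handed back together with the context and released in `Krb5Helper.Dispose()` rather than here — confirm against the JGSS provider in use. Either way, the commented-out `try`/`finally` is dead code and should be replaced by a statement of ownership, e.g. `// clientCreds is deliberately not disposed here: the context is not yet established; release it together with the context`.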
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
index 41889337d15..65c037f6d7b 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
@@ -39,7 +39,7 @@ using org.ietf.jgss;
namespace Novell.Directory.Ldap.Security
{
- internal class Krb5Helper
+ internal class Krb5Helper : IDisposable
{
enum QOP {
NO_PROTECTION = 1,
@@ -57,26 +57,23 @@ namespace Novell.Directory.Ldap.Security
private readonly GSSContext _context;
- private readonly string _name;
- private readonly Subject _subject;
- private readonly string _mech;
-
#endregion // Fields
#region Constructors
- public Krb5Helper(string name, Subject subject, AuthenticationTypes authenticationTypes, string mech)
+ public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
{
- _name = name;
- _subject = subject;
- _mech = mech;
-
_encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;
_signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;
_delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;
- CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (_name,_mech,_encryption,_signing,_delegation);
- _context = (GSSContext) Subject.doAs (_subject,action);
+ CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (name, clientName, mech,_encryption,_signing,_delegation);
+ try {
+ _context = (GSSContext) Subject.doAs (subject,action);
+ }
+ catch (PrivilegedActionException e) {
+ throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e.getCause());
+ }
}
#endregion // Constructors
@@ -126,14 +123,7 @@ namespace Novell.Directory.Ldap.Security
return TypeUtils.ToSByteArray (gssOutToken);
}
- sbyte [] token;
- try {
- ExchangeTokenPrivilegedAction action = new ExchangeTokenPrivilegedAction (Context, clientToken);
- token = (sbyte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e);
- }
+ sbyte [] token = Context.initSecContext (clientToken, 0, clientToken.Length);
if (Context.isEstablished ()) {
@@ -169,13 +159,8 @@ namespace Novell.Directory.Ldap.Security
return buff;
}
- try {
- WrapPrivilegedAction action = new WrapPrivilegedAction (Context, outgoing, start, len, messageProp);
- return (byte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException ("Problem performing GSS wrap",LdapException.OTHER,"",e);
- }
+ sbyte [] result = Context.wrap (TypeUtils.ToSByteArray (outgoing), start, len, messageProp);
+ return (byte []) TypeUtils.ToByteArray (result);
}
public byte [] Unwrap(byte [] incoming, int start, int len)
@@ -195,15 +180,18 @@ namespace Novell.Directory.Ldap.Security
return buff;
}
- try {
- UnwrapPrivilegedAction action = new UnwrapPrivilegedAction (Context, incoming, start, len, messageProp);
- return (byte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException("Problems unwrapping SASL buffer",LdapException.OTHER,"",e);
- }
+ sbyte [] result = Context.unwrap (TypeUtils.ToSByteArray (incoming), start, len, messageProp);
+ return (byte []) TypeUtils.ToByteArray (result);
}
#endregion // Methods
+
+ #region IDisposable Members
+
+ public void Dispose() {
+ Context.dispose();
+ }
+
+ #endregion
}
}
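Review bot: The new `Dispose()` in the IDisposable region calls `Context.dispose()` unconditionally, so a second call re-disposes an already released GSSContext; elsewhere in this commit LdapConnection disposes the helper on a failed bind and SecureStream.Close() disposes its helper too, so if one instance can reach both paths the double call is real. Make it idempotent with a flag: `private bool _disposed;` and `if (_disposed) return; _disposed = true;` ahead of `Context.dispose();`. On the Java side `GSSContext.dispose()` is declared to throw GSSException; since this runs from a stream's close path, consider catching it there and logging instead of letting it escape — how that exception surfaces through the JVM mapping is not visible in this diff.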
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
index 43508c33313..f9aa4e43aec 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
@@ -118,6 +118,11 @@ namespace Novell.Directory.Ldap.Security
}
}
+ public override void Close() {
+ _stream.Close();
+ _helper.Dispose();
+ }
+
private int Fill()
{
int actual = ReadAll (_lenBuf, 4);
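Review bot: In the new `Close()` override, `_helper.Dispose()` is skipped whenever `_stream.Close()` throws, so the GSSContext is kept alive on exactly the failure path where cleanup matters most. Write it as `try { _stream.Close(); } finally { _helper.Dispose(); }` so the helper is released on every exit. If SecureStream derives from System.IO.Stream, `base.Close()` should also be chained, and because Stream callers may reach Close() more than once (Dispose() and Close() both lead here), `_helper.Dispose()` must tolerate a repeated call.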
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
index 19c7e8dcf63..ab0f2a0ecda 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
@@ -1,3 +1,7 @@
+2005-11-06 Konstantin Triger <kostat@mainsoft.com>
+
+ * LdapConnection.cs: TARGET_JVM: create GSSCredential only once, cleanup
+
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* LdapConnection.cs: TARGET_JVM: throw an exception if failed during
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
index 87b3e5c819b..60964d721dd 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
@@ -1601,21 +1601,27 @@ namespace Novell.Directory.Ldap
loginContext.login ();
}
- catch (LoginException e) {
+ catch (Exception e) {
throw new LdapException ("Failed to create login security context", 80, "", e);
}
- Subject subject = loginContext.getSubject ();
-
- Krb5Helper krb5Helper = new Krb5Helper ("ldap@" + conn.Host, subject, authenticationTypes, SecurityMech);
+ Krb5Helper krb5Helper = null;
+ try {
+ krb5Helper = new Krb5Helper ("ldap@" + conn.Host, username, loginContext.getSubject (), authenticationTypes, SecurityMech);
+ }
+ finally {
+ loginContext.logout();
+ }
sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);
for (;;) {
LdapResponseQueue queue = Bind(LdapConnection.Ldap_V3, username, token, null, null, AuthenticationMech);
LdapResponse res = (LdapResponse) queue.getResponse ();
if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS &&
- res.ResultCode != LdapException.SUCCESS)
+ res.ResultCode != LdapException.SUCCESS) {
+ krb5Helper.Dispose();
throw new LdapException(ExceptionMessages.CONNECTION_ERROR, res.ResultCode, res.ErrorMessage);
+ }
Asn1OctetString serverSaslCreds = ((RfcBindResponse)res.Asn1Object.Response).ServerSaslCreds;
token = serverSaslCreds != null ? serverSaslCreds.byteValue () : null;
@@ -1635,7 +1641,7 @@ namespace Novell.Directory.Ldap
}
}
- private string SecurityMech
+ static string SecurityMech
{
get {
string securityMech = null;
@@ -1650,7 +1656,7 @@ namespace Novell.Directory.Ldap
}
}
- private string SecurityAppName
+ static string SecurityAppName
{
get {
string securityAppName = null;
@@ -1665,7 +1671,7 @@ namespace Novell.Directory.Ldap
}
}
- private string AuthenticationMech
+ static string AuthenticationMech
{
get {
string authenticationMech = null; |
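Review bot: `krb5Helper.Dispose()` is reached only through the non-success result-code branch; if `ExchangeTokens`, `Bind` or `getResponse` throws, the helper and the GSSContext (which now carries the initiator credential) are never released. Wrap the exchange, from the `ExchangeTokens` call to the end of the bind loop, in a handler that disposes on the way out, e.g. `catch (Exception) { krb5Helper.Dispose(); throw; }`; the loop and the enclosing method continue past this hunk. Widening `catch (LoginException e)` to `catch (Exception e)` reports every failure, including programming errors, as "Failed to create login security context" with code 80, so keep the narrow catch or preserve the original exception type in the message. `loginContext.logout()` now runs in the `finally` before any token is exchanged; if the JAAS logout destroys the Subject's Kerberos credentials, confirm that the GSSCredential created inside the privileged action does not depend on them.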