authorKonstantin Triger <kostat@mono-cvs.ximian.com>2005-11-06 20:20:34 +0300
committerKonstantin Triger <kostat@mono-cvs.ximian.com>2005-11-06 20:20:34 +0300
commit74882de47240e96910f05430881fa1dabf92aec7 (patch)
treed21ca38da6dde02c0cdd95ae0408bfb34653583c /mcs/class/Novell.Directory.Ldap
parent46680c8d115fba7cbb4553c584ff490bc17b98a8 (diff)
create GSSCredential only once, cleanup
svn path=/trunk/mcs/; revision=52628
Diffstat (limited to 'mcs/class/Novell.Directory.Ldap')
-rw-r--r--mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog5
-rw-r--r--mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs34
-rw-r--r--mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs56
-rw-r--r--mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs5
-rw-r--r--mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog4
-rw-r--r--mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs22
6 files changed, 75 insertions, 51 deletions
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
index 97267527548..cc77f724ea8 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/ChangeLog
@@ -1,3 +1,8 @@
+2005-11-06 Konstantin Triger <kostat@mainsoft.com>
+
+ * SecureStream.cs, CreateContextPrivilegedAction.cs, Krb5Helper.cs:
+ create GSSCredential only once, cleanup
+
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* CreateContextPrivilegedAction.cs: always require mutual auth;
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
index e98fb9d4053..73b280f5581 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/CreateContextPrivilegedAction.cs
@@ -44,15 +44,17 @@ namespace Novell.Directory.Ldap.Security
private readonly bool _signing;
private readonly bool _delegation;
private readonly string _name;
+ private readonly string _clientName;
private readonly string _mech;
#endregion //Fields
#region Constructors
- public CreateContextPrivilegedAction(string name, string mech, bool encryption, bool signing, bool delegation)
+ public CreateContextPrivilegedAction(string name, string clientName, string mech, bool encryption, bool signing, bool delegation)
{
_name = name;
+ _clientName = clientName;
_mech = mech;
_encryption = encryption;
_signing = signing;
@@ -68,16 +70,30 @@ namespace Novell.Directory.Ldap.Security
try {
Oid krb5Oid = new Oid (_mech);
GSSManager manager = GSSManager.getInstance ();
- GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);
- GSSContext context = manager.createContext (serverName, krb5Oid, null, GSSContext__Finals.INDEFINITE_LIFETIME);
+ GSSName clientName =
+ manager.createName(_clientName, GSSName__Finals.NT_USER_NAME);
+ GSSCredential clientCreds =
+ manager.createCredential(clientName,
+ GSSContext__Finals.INDEFINITE_LIFETIME,
+ krb5Oid,
+ GSSCredential__Finals.INITIATE_ONLY);
- context.requestMutualAuth(true);
- context.requestConf (_encryption);
- if (!_encryption || _signing)
- context.requestInteg (!_encryption || _signing);
- context.requestCredDeleg (_delegation);
+// try {
+ GSSName serverName = manager.createName (_name, GSSName__Finals.NT_HOSTBASED_SERVICE, krb5Oid);
+ GSSContext context = manager.createContext (serverName, krb5Oid, clientCreds, GSSContext__Finals.INDEFINITE_LIFETIME);
- return context;
+ context.requestMutualAuth(true);
+ context.requestConf (_encryption);
+ if (!_encryption || _signing)
+ context.requestInteg (!_encryption || _signing);
+ context.requestCredDeleg (_delegation);
+
+ return context;
+// }
+// finally {
+// // Calling this throws GSSException: Operation unavailable...
+// clientCreds.dispose();
+// }
}
catch (GSSException e) {
throw new PrivilegedActionException (e);
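Review bot: The `GSSCredential` created at the top of the try block is never released on any path: the `finally` that would dispose it is commented out (the note says `dispose()` throws "Operation unavailable", presumably because the still-live context holds the credential), and no reference to `clientCreds` survives the method. The credential needs to outlive the context and be released when the context is, e.g. keep it in a field the caller can read, `public GSSCredential ClientCredential { get { return _clientCreds; } }`, so that Krb5Helper.Dispose () can call `_clientCreds.dispose ()` after `Context.dispose ()`. The commented-out `try`/`finally` should then become a one-line comment stating why disposal is deferred, rather than dead code. The enclosing method begins outside the hunk.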
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
index 41889337d15..65c037f6d7b 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/Krb5Helper.cs
@@ -39,7 +39,7 @@ using org.ietf.jgss;
namespace Novell.Directory.Ldap.Security
{
- internal class Krb5Helper
+ internal class Krb5Helper : IDisposable
{
enum QOP {
NO_PROTECTION = 1,
@@ -57,26 +57,23 @@ namespace Novell.Directory.Ldap.Security
private readonly GSSContext _context;
- private readonly string _name;
- private readonly Subject _subject;
- private readonly string _mech;
-
#endregion // Fields
#region Constructors
- public Krb5Helper(string name, Subject subject, AuthenticationTypes authenticationTypes, string mech)
+ public Krb5Helper(string name, string clientName, Subject subject, AuthenticationTypes authenticationTypes, string mech)
{
- _name = name;
- _subject = subject;
- _mech = mech;
-
_encryption = (authenticationTypes & AuthenticationTypes.Sealing) != 0;
_signing = (authenticationTypes & AuthenticationTypes.Signing) != 0;
_delegation = (authenticationTypes & AuthenticationTypes.Delegation) != 0;
- CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (_name,_mech,_encryption,_signing,_delegation);
- _context = (GSSContext) Subject.doAs (_subject,action);
+ CreateContextPrivilegedAction action = new CreateContextPrivilegedAction (name, clientName, mech,_encryption,_signing,_delegation);
+ try {
+ _context = (GSSContext) Subject.doAs (subject,action);
+ }
+ catch (PrivilegedActionException e) {
+ throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e.getCause());
+ }
}
#endregion // Constructors
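Review bot: The new `catch (PrivilegedActionException e)` in the constructor reports "Problem performing token exchange with the server", but no token has been exchanged at this point; the action only acquires the credential and creates the context, so the message (carried over from the removed ExchangeTokens handler) would misdirect anyone debugging a bind failure. Something like `throw new LdapException ("Failed to create GSS security context", LdapException.OTHER, "", e.getCause ());` names the actual failure. Unwrapping to `e.getCause ()` is right, since the underlying GSSException carries the diagnostic.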
@@ -126,14 +123,7 @@ namespace Novell.Directory.Ldap.Security
return TypeUtils.ToSByteArray (gssOutToken);
}
- sbyte [] token;
- try {
- ExchangeTokenPrivilegedAction action = new ExchangeTokenPrivilegedAction (Context, clientToken);
- token = (sbyte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException ("Problem performing token exchange with the server",LdapException.OTHER,"",e);
- }
+ sbyte [] token = Context.initSecContext (clientToken, 0, clientToken.Length);
if (Context.isEstablished ()) {
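Review bot: Replacing the `Subject.doAs` call with a direct `Context.initSecContext (...)` also drops the translation of GSS failures into `LdapException`: a `GSSException` raised here now propagates untyped to the bind loop in LdapConnection, whose callers, as far as this diff shows, expect LdapException. The same applies to the `Context.wrap` and `Context.unwrap` calls in the two following hunks. Wrapping each call, e.g. `try { token = Context.initSecContext (clientToken, 0, clientToken.Length); } catch (GSSException e) { throw new LdapException ("Problem performing token exchange with the server", LdapException.OTHER, "", e); }`, keeps the previous error contract. The enclosing method continues outside the hunk.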
@@ -169,13 +159,8 @@ namespace Novell.Directory.Ldap.Security
return buff;
}
- try {
- WrapPrivilegedAction action = new WrapPrivilegedAction (Context, outgoing, start, len, messageProp);
- return (byte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException ("Problem performing GSS wrap",LdapException.OTHER,"",e);
- }
+ sbyte [] result = Context.wrap (TypeUtils.ToSByteArray (outgoing), start, len, messageProp);
+ return (byte []) TypeUtils.ToByteArray (result);
}
public byte [] Unwrap(byte [] incoming, int start, int len)
@@ -195,15 +180,18 @@ namespace Novell.Directory.Ldap.Security
return buff;
}
- try {
- UnwrapPrivilegedAction action = new UnwrapPrivilegedAction (Context, incoming, start, len, messageProp);
- return (byte []) Subject.doAs (_subject, action);
- }
- catch (PrivilegedActionException e) {
- throw new LdapException("Problems unwrapping SASL buffer",LdapException.OTHER,"",e);
- }
+ sbyte [] result = Context.unwrap (TypeUtils.ToSByteArray (incoming), start, len, messageProp);
+ return (byte []) TypeUtils.ToByteArray (result);
}
#endregion // Methods
+
+ #region IDisposable Members
+
+ public void Dispose() {
+ Context.dispose();
+ }
+
+ #endregion
}
}
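Review bot: `Dispose ()` calls `Context.dispose ()` unconditionally, so a second call, which the new SecureStream.Close () can trigger if the stream is closed twice, hits an already-disposed context, and any GSSException it raises escapes from Dispose. A guard such as `if (_disposed) return; _disposed = true;` (a new bool field) before the call, with `Context.dispose ()` inside a try/catch that logs rather than throws, makes the method idempotent as IDisposable implementations are expected to be. The client credential acquired in CreateContextPrivilegedAction is also not released here; if the action exposed it, this is the place to dispose it after the context.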
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
index 43508c33313..f9aa4e43aec 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap.Security.jvm/SecureStream.cs
@@ -118,6 +118,11 @@ namespace Novell.Directory.Ldap.Security
}
}
+ public override void Close() {
+ _stream.Close();
+ _helper.Dispose();
+ }
+
private int Fill()
{
int actual = ReadAll (_lenBuf, 4);
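Review bot: In the new `Close ()` override the helper is disposed only if `_stream.Close ()` returns normally; an exception from the underlying stream leaks the GSS context. `base.Close ()` is also not called, so the Stream base class never observes the close. Suggested: `try { _stream.Close (); } finally { _helper.Dispose (); base.Close (); }`. Because `Stream.Close ()` may run more than once (directly and via Dispose), `_helper.Dispose ()` must tolerate a second call or this method needs a closed flag.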
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
index 19c7e8dcf63..ab0f2a0ecda 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/ChangeLog
@@ -1,3 +1,7 @@
+2005-11-06 Konstantin Triger <kostat@mainsoft.com>
+
+ * LdapConnection.cs: TARGET_JVM: create GSSCredential only once, cleanup
+
2005-11-03 Konstantin Triger <kostat@mainsoft.com>
* LdapConnection.cs: TARGET_JVM: throw an exception if failed during
diff --git a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
index 87b3e5c819b..60964d721dd 100644
--- a/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
+++ b/mcs/class/Novell.Directory.Ldap/Novell.Directory.Ldap/LdapConnection.cs
@@ -1601,21 +1601,27 @@ namespace Novell.Directory.Ldap
loginContext.login ();
}
- catch (LoginException e) {
+ catch (Exception e) {
throw new LdapException ("Failed to create login security context", 80, "", e);
}
- Subject subject = loginContext.getSubject ();
-
- Krb5Helper krb5Helper = new Krb5Helper ("ldap@" + conn.Host, subject, authenticationTypes, SecurityMech);
+ Krb5Helper krb5Helper = null;
+ try {
+ krb5Helper = new Krb5Helper ("ldap@" + conn.Host, username, loginContext.getSubject (), authenticationTypes, SecurityMech);
+ }
+ finally {
+ loginContext.logout();
+ }
sbyte [] token = krb5Helper.ExchangeTokens (Krb5Helper.EmptyToken);
for (;;) {
LdapResponseQueue queue = Bind(LdapConnection.Ldap_V3, username, token, null, null, AuthenticationMech);
LdapResponse res = (LdapResponse) queue.getResponse ();
if (res.ResultCode != LdapException.SASL_BIND_IN_PROGRESS &&
- res.ResultCode != LdapException.SUCCESS)
+ res.ResultCode != LdapException.SUCCESS) {
+ krb5Helper.Dispose();
throw new LdapException(ExceptionMessages.CONNECTION_ERROR, res.ResultCode, res.ErrorMessage);
+ }
Asn1OctetString serverSaslCreds = ((RfcBindResponse)res.Asn1Object.Response).ServerSaslCreds;
token = serverSaslCreds != null ? serverSaslCreds.byteValue () : null;
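Review bot: `krb5Helper.Dispose ()` is reached only on the non-success result-code branch; if `ExchangeTokens`, `Bind` or `queue.getResponse ()` throws, the helper and the GSS context and credential it owns are never released. Wrapping the token-exchange loop in `try { … } catch { krb5Helper.Dispose (); throw; }` covers those paths and lets the explicit `Dispose ()` before `throw new LdapException (...)` be dropped. The success path presumably hands the helper to the SecureStream that now disposes it on Close; confirm this, as the loop continues outside the hunk.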
@@ -1635,7 +1641,7 @@ namespace Novell.Directory.Ldap
}
}
- private string SecurityMech
+ static string SecurityMech
{
get {
string securityMech = null;
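Review bot: Changing `private string SecurityMech` to `static string SecurityMech` drops the explicit access modifier; the property stays private only by C#'s member default, which reads as accidental next to the explicitly `private` members in the surrounding code. `private static string SecurityMech` (and likewise `SecurityAppName` and `AuthenticationMech` in the next two hunks) states the intent. Each getter body continues outside its hunk.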
@@ -1650,7 +1656,7 @@ namespace Novell.Directory.Ldap
}
}
- private string SecurityAppName
+ static string SecurityAppName
{
get {
string securityAppName = null;
@@ -1665,7 +1671,7 @@ namespace Novell.Directory.Ldap
}
}
- private string AuthenticationMech
+ static string AuthenticationMech
{
get {
string authenticationMech = null;