Removed illegal reflection access in kerberos authentication #839

Merged Oct 27, 2018 (45 commits)

Commits
69fad37  tests cleanup  (lilgreenbird, Aug 30, 2018)
893d09e  resolved conflict  (lilgreenbird, Aug 30, 2018)
4a3e6f8  Merge branch 'dev' into dev  (lilgreenbird, Aug 30, 2018)
ded037b  fixed typo  (lilgreenbird, Aug 30, 2018)
7d79eea  fixes  (lilgreenbird, Aug 30, 2018)
bdea814  fixes  (lilgreenbird, Aug 30, 2018)
a50d513  fixed  (lilgreenbird, Aug 30, 2018)
a640351  review comments  (lilgreenbird, Aug 31, 2018)
524143d  review updates  (lilgreenbird, Sep 4, 2018)
6837404  review update  (lilgreenbird, Sep 5, 2018)
6b43e4c  more review changes  (lilgreenbird, Sep 12, 2018)
f5a97de  more try-with-resources changes  (lilgreenbird, Sep 14, 2018)
6b10eec  more  (lilgreenbird, Sep 17, 2018)
e1038ba  spacing change only  (lilgreenbird, Sep 17, 2018)
fad3cdb  use shared statement in Abstract test again, this will be removed in …  (lilgreenbird, Sep 18, 2018)
b4060e6  try-with-resources for Stream types  (lilgreenbird, Sep 18, 2018)
0fec0c8  Merge remote-tracking branch 'upstream/dev' into cleanup2  (lilgreenbird, Sep 21, 2018)
49159d8  remove hardcoded table names  (lilgreenbird, Sep 24, 2018)
2041c35  remove shared AE vars  (lilgreenbird, Sep 25, 2018)
0d310e4  remove hardcoded table names  (lilgreenbird, Sep 27, 2018)
e037a70  added comment on driver bug  (lilgreenbird, Sep 27, 2018)
d05329e  add missing escape characters  (lilgreenbird, Sep 28, 2018)
415c3ec  get rid of unnecessary bvtTestSetup  (lilgreenbird, Sep 28, 2018)
8389701  more hardcode  (lilgreenbird, Sep 28, 2018)
6eca59f  Merge branch 'dev' of https://github.com/Microsoft/mssql-jdbc into cl…  (lilgreenbird, Sep 28, 2018)
9234af9  fixed issue with AE tests  (lilgreenbird, Sep 29, 2018)
3bc3ec7  fixed issue with AE tests  (lilgreenbird, Sep 29, 2018)
9b118f6  removed more hardcoded values and modified BatchExecutionWithBulkCopy…  (lilgreenbird, Oct 1, 2018)
786c966  drop all tables after tests  (lilgreenbird, Oct 2, 2018)
ba66968  format  (lilgreenbird, Oct 2, 2018)
f230da5  remove unused imports  (lilgreenbird, Oct 2, 2018)
2b44b56  cleanup procedures  (lilgreenbird, Oct 4, 2018)
4880dbf  Merge branch 'dev' into cleanup2  (cheenamalhotra, Oct 5, 2018)
b9507ca  resolve conflicts  (lilgreenbird, Oct 5, 2018)
7e1c1e3  Fix compilation error  (cheenamalhotra, Oct 5, 2018)
58052ba  fix merge errors  (lilgreenbird, Oct 5, 2018)
6495313  merge conflicts  (lilgreenbird, Oct 5, 2018)
df682a8  removed illegal reflection access  (lilgreenbird, Oct 19, 2018)
71d8e56  Merge remote-tracking branch 'upstream/dev' into kerb  (lilgreenbird, Oct 19, 2018)
0447d4e  removed junk file  (lilgreenbird, Oct 19, 2018)
b91bd7d  add comments  (lilgreenbird, Oct 21, 2018)
611ab2c  Update DNSKerberosLocator.java  (lilgreenbird, Oct 26, 2018)
7c51214  Update KerbAuthentication.java  (lilgreenbird, Oct 26, 2018)
0023b07  Update DNSKerberosLocator.java  (lilgreenbird, Oct 26, 2018)
aa6e18e  Update DNSKerberosLocator.java  (lilgreenbird, Oct 26, 2018)
45 changes: 5 additions & 40 deletions src/main/java/com/microsoft/sqlserver/jdbc/KerbAuthentication.java
Expand Up @@ -251,7 +251,7 @@ private String enrichSpnWithRealm(String spn, boolean allowHostnameCanonicalizat
}
String dnsName = m.group(1);
String portOrInstance = m.group(2);
RealmValidator realmValidator = getRealmValidator(dnsName);
RealmValidator realmValidator = getRealmValidator();
String realm = findRealmFromHostname(realmValidator, dnsName);
if (realm == null && allowHostnameCanonicalization) {
// We failed, try with canonical host name to find a better match
Expand All @@ -277,50 +277,15 @@ private String enrichSpnWithRealm(String spn, boolean allowHostnameCanonicalizat
private static RealmValidator validator;

/**
* Find a suitable way of validating a REALM for given JVM.
* Get validator to validate REALM for given JVM.
*
* @param hostnameToTest
* an example hostname we are gonna use to test our realm validator.
* @return a not null realm Validator.
* @return a not null realm validator.
*/
static RealmValidator getRealmValidator(String hostnameToTest) {
static RealmValidator getRealmValidator() {
if (validator != null) {
return validator;
}
// JVM Specific, here Sun/Oracle JVM
try {
Class<?> clz = Class.forName("sun.security.krb5.Config");
Method getInstance = clz.getMethod("getInstance", new Class[0]);
final Method getKDCList = clz.getMethod("getKDCList", new Class[] {String.class});
final Object instance = getInstance.invoke(null);
RealmValidator oracleRealmValidator = new RealmValidator() {

@Override
public boolean isRealmValid(String realm) {
try {
Object ret = getKDCList.invoke(instance, realm);
return ret != null;
} catch (Exception err) {
return false;
}
}
};
validator = oracleRealmValidator;
// As explained here: https://github.com/Microsoft/mssql-jdbc/pull/40#issuecomment-281509304
// The default Oracle Resolution mechanism is not bulletproof
// If it resolves a non-existing name, drop it.
if (!validator.isRealmValid("this.might.not.exist." + hostnameToTest)) {
// Our realm validator is well working, return it
authLogger.fine("Kerberos Realm Validator: Using Built-in Oracle Realm Validation method.");
return oracleRealmValidator;
}
authLogger
.fine("Kerberos Realm Validator: Detected buggy Oracle Realm Validator, using DNSKerberosLocator.");
} catch (ReflectiveOperationException notTheRightJVMException) {
// Ignored, we simply are not using the right JVM
authLogger.fine("Kerberos Realm Validator: No Oracle Realm Validator Available, using DNSKerberosLocator.");
}
// No implementation found, default one, not any realm is valid

validator = new RealmValidator() {
@Override
public boolean isRealmValid(String realm) {
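Review bot: the comment `// No implementation found, default one, not any realm is valid` is now stale and misleading: with the `sun.security.krb5.Config` lookup gone there is no other implementation to fall through from, and the validator created right after it is the only one, so reword the comment to say what that validator does (the removed log line called it the DNSKerberosLocator path). Removing the reflection is the right call, since `sun.security.krb5` is JDK-internal and not exported to application code on JDK 9+, but note what goes with it: the probe `validator.isRealmValid("this.might.not.exist." + hostnameToTest)` existed to reject a validator that reports non-existent realms as valid. If the remaining DNS-backed validator cannot have that failure mode, a sentence in the Javadoc saying so would close the gap; otherwise keep the probe and run it against the new validator.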
Expand Up @@ -9,7 +9,6 @@
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;


/**
* Represents a DNS Kerberos Locator
*/
Expand All @@ -18,7 +17,9 @@ public final class DNSKerberosLocator {
private DNSKerberosLocator() {}

/**
* Returns whether a realm is valid.
* Returns whether a realm is valid by retrieving the KDC list in DNS SRV records.
* This will only work if DNS lookup is setup properly or the realms are properly defined in krb5 config file.
* Otherwise this will fail since the realm cannot be found.
*
* @param realmName
* the realm to test
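Review bot: the new Javadoc claims the check also works when "the realms are properly defined in krb5 config file", but the method body below only performs a DNS SRV lookup of `_kerberos._udp.<realm>` via `DNSUtilities.findSrvRecords` and never consults krb5.conf, so a realm that is defined only in the config file will be reported as invalid here. Either drop that clause or say explicitly that config-defined realms are not consulted by this locator. Minor wording: "setup" should be "set up", and "krb5 config file" reads better as "krb5.conf".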
Expand All @@ -37,6 +38,7 @@ public static boolean isRealmValid(String realmName) throws NamingException {
Set<DNSRecordSRV> records = DNSUtilities.findSrvRecords("_kerberos._udp." + realmName);
return !records.isEmpty();
} catch (NameNotFoundException wrongDomainException) {
// config error - domain controller cannot be located via DNS
return false;
}
}
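Review bot: the added comment `// config error - domain controller cannot be located via DNS` is narrower than what the code actually detects: a missing `_kerberos._udp.<realm>` SRV record means no KDC is advertised in DNS for that realm, which applies to any Kerberos realm and not only Active Directory domain controllers, and it can just as well mean the realm name itself is wrong rather than a configuration error, so "no KDC SRV record found for this realm in DNS" would be accurate. Two points to confirm while here: only `NameNotFoundException` is mapped to `false`, so any other `NamingException` (a DNS timeout or server failure, for example) propagates out of `isRealmValid` as the `throws` clause allows, which may be intended but should be stated in the Javadoc; and only the UDP SRV name is queried, so a realm that publishes `_kerberos._tcp` records only would be rejected, which is worth either handling or documenting.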
26 changes: 0 additions & 26 deletions src/test/java/com/microsoft/sqlserver/jdbc/dns/DNSRealmsTest.java

This file was deleted.
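Review bot: with DNSRealmsTest.java deleted, nothing in this diff exercises the realm-validation path any more, and that path is exactly what changed: `getRealmValidator()` now always returns the fallback validator. A small replacement test that calls `DNSKerberosLocator.isRealmValid` with a realm that has no SRV record (in an environment with working DNS resolution) and asserts `false`, plus one that checks `getRealmValidator()` returns the same cached instance on repeated calls, would keep this behaviour covered without requiring a live KDC.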