Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8137174

NTLM impl should use doPrivileged when it reads system properties

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: 9
    • Fix Version/s: 9
    • Component/s: core-libs
    • Subcomponent:
    • Resolved In Build:
      b85
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

      Backports

        Description

        The following permissions are required (security manager should be set) if HttpURLConnection tries to load a document which is protected with NTLM:

            permission java.util.PropertyPermission "ntlm.debug", "read";
            permission java.util.PropertyPermission "ntlm.version", "read";

        Without the permissions above, HttpURLConnection can't pass NTLM auth, and fails with 401 error:

        java.io.IOException: Server returned HTTP response code: 401 for URL: http://localhost:45104/test/
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1835)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1436)
        at NTLMAuthWithSM.main(NTLMAuthWithSM.java:62)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:519)
        at com.sun.javatest.regtest.agent.MainWrapper$MainThread.run(MainWrapper.java:92)
        at java.lang.Thread.run(Thread.java:746)

        The system properties above are read in the following classes:

        http://hg.openjdk.java.net/jdk9/dev/jdk/file/tip/src/java.base/share/classes/com/sun/security/ntlm/NTLM.java#l58

        ...
        private static final boolean DEBUG =
                    System.getProperty("ntlm.debug") != null;
        ...

        http://hg.openjdk.java.net/jdk9/dev/jdk/file/tip/src/java.base/unix/classes/sun/net/www/protocol/http/ntlm/NTLMAuthentication.java#l146

        ...
        client = new Client(System.getProperty("ntlm.version"), hostname,
                            username, ntdomain, password);
        ...

        Those permissions look unnecessary. They may be read in doPrivileged() blocks:

        http://cr.openjdk.java.net/~asmotrak/ntlm_auth_with_sm/webrev.00/

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                asmotrak Artem Smotrakov
                Reporter:
                asmotrak Artem Smotrakov
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: