@Override
public Response intercept(Chain chain) throws IOException
{
    // Attach a Negotiate token up front so the common case needs no 401 round trip.
    Request original = chain.request();
    try {
        Request withCredential = authenticate(original);
        return chain.proceed(withCredential);
    }
    catch (ClientException ignored) {
        // Token acquisition failed (presumably no usable credentials or KDC problem — the
        // cause is swallowed here); send the request unauthenticated and let the
        // Authenticator path (authenticate(Route, Response)) react to any challenge.
        return chain.proceed(original);
    }
}
/**
 * Builds the host-based service principal string {@code service@host}.
 *
 * @param serviceName the Kerberos service name (e.g. the remote service configured on the handler)
 * @param hostName the host taken from the request URL
 * @param useCanonicalHostname whether to pass the host through {@code canonicalizeServiceHostName} first
 * @return the principal with the host part lowercased using a fixed locale, so the result
 *         does not depend on the JVM default locale
 */
private static String makeServicePrincipal(String serviceName, String hostName, boolean useCanonicalHostname)
{
    // NOTE(review): canonicalizeServiceHostName is defined elsewhere in this file; if it
    // canonicalizes via DNS, the principal a token is requested for depends on DNS answers
    // for the request host — confirm that is the intended trust model.
    String principalHost = useCanonicalHostname
            ? canonicalizeServiceHostName(hostName)
            : hostName;
    return format("%s@%s", serviceName, principalHost.toLowerCase(Locale.US));
}
/**
 * Returns the cached login session, creating a new one on first use or when the
 * current one reports it needs a refresh.
 *
 * <p>Synchronized so that concurrent requests share a single login instead of each
 * creating their own session.
 *
 * @throws LoginException if the login performed by {@code createSession} fails
 * @throws GSSException if credential acquisition in {@code createSession} fails
 */
private synchronized Session getSession()
        throws LoginException, GSSException
{
    if (clientSession != null && !clientSession.needsRefresh()) {
        return clientSession;
    }
    clientSession = createSession();
    return clientSession;
}
/**
 * Returns a copy of {@code request} carrying a {@code Negotiate} authorization header.
 *
 * <p>The service principal is derived from the request URL's host, so the token obtained
 * from {@code generateToken} is for whichever host the request targets.
 *
 * @param request the outgoing request
 * @return the same request with the Authorization header set
 */
private Request authenticate(Request request)
{
    String targetHost = request.url().host();
    String servicePrincipal = makeServicePrincipal(remoteServiceName, targetHost, useCanonicalHostname);
    String encodedToken = Base64.getEncoder().encodeToString(generateToken(servicePrincipal));
    String headerValue = format("%s %s", NEGOTIATE, encodedToken);
    return request.newBuilder()
            .header(AUTHORIZATION, headerValue)
            .build();
}
Session session = getSession(); context = doAs(session.getLoginContext().getSubject(), () -> { GSSContext result = GSS_MANAGER.createContext( GSS_MANAGER.createName(servicePrincipal, NT_HOSTBASED_SERVICE),
/**
 * Installs SPNEGO (Kerberos) authentication on an OkHttp client builder.
 *
 * <p>A single {@code SpnegoHandler} is registered twice: as an interceptor, which attaches
 * a Negotiate token eagerly to every request made through the client, and as an
 * authenticator, which answers {@code WWW-Authenticate: Negotiate} challenges. Because
 * the interceptor applies to all requests, the client should be used only for the
 * intended service.
 *
 * @param clientBuilder the builder to modify
 * @param remoteServiceName the Kerberos service name of the remote endpoint
 * @param useCanonicalHostname whether the request host is canonicalized before building the principal
 * @param principal optional client principal, passed through to the handler
 * @param kerberosConfig optional Kerberos configuration file, passed through to the handler
 * @param keytab optional keytab file, passed through to the handler
 * @param credentialCache optional credential cache file, passed through to the handler
 */
public static void setupKerberos(
        OkHttpClient.Builder clientBuilder,
        String remoteServiceName,
        boolean useCanonicalHostname,
        Optional<String> principal,
        Optional<File> kerberosConfig,
        Optional<File> keytab,
        Optional<File> credentialCache)
{
    SpnegoHandler spnegoHandler = new SpnegoHandler(
            remoteServiceName,
            useCanonicalHostname,
            principal,
            kerberosConfig,
            keytab,
            credentialCache);
    // Challenge handling and eager token attachment are independent registrations.
    clientBuilder.authenticator(spnegoHandler);
    clientBuilder.addInterceptor(spnegoHandler);
}
}
Subject subject = loginContext.getSubject(); Principal clientPrincipal = subject.getPrincipals().iterator().next(); GSSCredential clientCredential = doAs(subject, () -> GSS_MANAGER.createCredential( GSS_MANAGER.createName(clientPrincipal.getName(), NT_USER_NAME), DEFAULT_LIFETIME,
/**
 * Responds to a {@code WWW-Authenticate: Negotiate} challenge by re-issuing the
 * failed request with a Negotiate token.
 *
 * @param route the route the response came from (unused)
 * @param response the challenge response
 * @return the authenticated retry, or {@code null} to stop retrying (OkHttp Authenticator
 *         contract) when Kerberos was not requested or a Negotiate token was already sent
 */
@Override
public Request authenticate(Route route, Response response)
{
    Request failedRequest = response.request();
    boolean negotiateAlreadySent = failedRequest.headers(AUTHORIZATION).stream()
            .anyMatch(SpnegoHandler::isNegotiate);
    boolean negotiateRequested = response.headers(WWW_AUTHENTICATE).stream()
            .anyMatch(SpnegoHandler::isNegotiate);
    // Never retry with the same token twice: that would loop on a rejecting server.
    if (negotiateAlreadySent || !negotiateRequested) {
        return null;
    }
    return authenticate(failedRequest);
}