/**
 * Produces the first client-to-server SASL token.
 *
 * <p>When the mechanism defines an initial response, the client computes it by
 * evaluating {@code EMPTY_TOKEN} as the challenge. Otherwise {@code EMPTY_TOKEN}
 * itself is returned and the server is expected to speak first.
 *
 * <p>NOTE(review): for mechanisms that send credentials up front (e.g. PLAIN)
 * the returned bytes are secret material, so callers should not log them.
 *
 * @return the initial response, or {@code EMPTY_TOKEN} if the mechanism has none
 * @throws SaslException if the underlying client fails to build the response
 */
public byte[] getInitialResponse() throws SaslException {
    return saslClient.hasInitialResponse()
            ? saslClient.evaluateChallenge(EMPTY_TOKEN)
            : EMPTY_TOKEN;
}
/**
 * Releases the SASL client, reporting an error first if the handshake never finished.
 *
 * <p>NOTE(review): if {@code onError} can throw, {@code client.dispose()} is skipped
 * and the client's state is not released; confirm whether a try/finally is wanted.
 *
 * @throws IOException if disposing the underlying client fails
 */
@Override
public void dispose() throws IOException {
    final boolean negotiationFinished = client.isComplete();
    if (!negotiationFinished) {
        // Closing mid-handshake is surfaced as an authentication failure, not a silent close.
        onError(new SaslException("Client closed before SASL negotiation finished."));
    }
    client.dispose();
}
/**
 * Tells whether traffic must pass through the SASL security layer.
 *
 * <p>The negotiated quality of protection is only read once the client reports
 * completion. "auth-int" (integrity) and "auth-conf" (confidentiality) both require
 * wrapping; any other value, or an absent one, does not.
 *
 * @return {@code true} if the negotiated QOP is "auth-int" or "auth-conf"
 */
@Override
public boolean needsWrapping() {
    if (!client.isComplete()) {
        // Before completion there is no negotiated QOP to trust.
        return false;
    }
    final String negotiatedQop = (String) client.getNegotiatedProperty(Sasl.QOP);
    if (negotiatedQop == null) {
        return false;
    }
    return negotiatedQop.equalsIgnoreCase("auth-int")
            || negotiatedQop.equalsIgnoreCase("auth-conf");
}
// Non-contiguous excerpt of a SASL login routine: the statements are search hits with the
// lines between them left out, so braces do not balance and `ba` appears to be declared twice.
// Visible behaviour: an initial response is taken from evaluateChallenge(new byte[0]) and
// Base64-encoded when non-empty; each challenge received is fed back into evaluateChallenge;
// after completion the negotiated QOP is checked for "auth-int"/"auth-conf" (the branch body is
// not shown).
// NOTE(review): the FINE-level log line prints the server challenge text verbatim; keep that
// level disabled wherever protocol traces are considered sensitive.
logger.fine("SASL client " + sc.getMechanismName()); String mech = sc.getMechanismName(); String ir = null; if (sc.hasInitialResponse()) { byte[] ba = sc.evaluateChallenge(new byte[0]); if (ba.length > 0) { ba = BASE64EncoderStream.encode(ba); if (resp == 334) { byte[] ba = null; if (!sc.isComplete()) { ba = ASCIIUtility.getBytes(responseText(pr)); if (ba.length > 0) logger.fine("SASL challenge: " + ASCIIUtility.toString(ba, 0, ba.length) + " :"); ba = sc.evaluateChallenge(ba); return false; if (sc.isComplete() /*&& res.status == SUCCESS*/) { String qop = (String)sc.getNegotiatedProperty(Sasl.QOP); if (qop != null && (qop.equalsIgnoreCase("auth-int") || qop.equalsIgnoreCase("auth-conf"))) {
// Non-contiguous excerpt of a client-side mechanism negotiation loop; intervening lines are
// omitted, so the try/catch nesting shown here is incomplete.
// Visible failure handling: whenever evaluateChallenge throws SaslException the mechanism is
// removed from `mechanisms`, the failure is recorded in `triedMechs`, and the client is released
// through safeDispose before the loop moves on (continue/break).
// The last handler's message ("possibly failed to verify server") marks the step where a failure
// may mean the server did not prove its identity; the rest of that handler is outside the excerpt.
if (saslClient.hasInitialResponse()) { try { response = saslClient.evaluateChallenge(NO_BYTES); } catch (SaslException e) { log.tracef(e, "Mechanism failed (client): \"%s\"", saslClient.getMechanismName()); mechanisms.remove(saslClient.getMechanismName()); triedMechs.put(saslClient.getMechanismName(), log.authenticationExceptionIo(e)); safeDispose(saslClient); continue; connectionHandler.sendAuthRequest(id, saslClient.getMechanismName(), response); if (! connectionHandler.isOpen()) { safeDispose(saslClient); response = saslClient.evaluateChallenge(challenge); } catch (SaslException e) { log.tracef(e, "Mechanism failed (client): \"%s\"", saslClient.getMechanismName()); mechanisms.remove(saslClient.getMechanismName()); triedMechs.put(saslClient.getMechanismName(), log.authenticationExceptionIo(e)); safeDispose(saslClient); break; if (! saslClient.isComplete()) { try { response = saslClient.evaluateChallenge(challenge); } catch (SaslException e) { log.tracef(e, "Mechanism failed (client, possibly failed to verify server): \"%s\"", saslClient.getMechanismName()); mechanisms.remove(saslClient.getMechanismName()); triedMechs.put(saslClient.getMechanismName(), log.authenticationExceptionIo(e));
// Non-contiguous excerpt of two executor tasks that process server authentication messages;
// lines between the statements are omitted and the braces do not balance.
// Visible protocol checks:
//  - a challenge arriving after the client is already complete is rejected as an extra message;
//  - any Throwable from evaluateChallenge is recorded per mechanism in `failedMechs`;
//  - on the final message, a non-empty client response is treated as an error and the client
//    is disposed;
//  - a client that is still incomplete after the auth-complete message is an error and the
//    client is disposed.
connection.getExecutor().execute(() -> { try { final boolean clientComplete = saslClient.isComplete(); if (clientComplete) { connection.handleException(new SaslException(saslClient.getMechanismName() + ": Received extra auth message after completion")); return; final byte[] challenge = Buffers.take(buffer, buffer.remaining()); try { response = saslClient.evaluateChallenge(challenge); } catch (Throwable e) { final String mechanismName = saslClient.getMechanismName(); client.debugf("Client authentication failed for mechanism %s: %s", mechanismName, e); failedMechs.put(mechanismName, e); connection.getExecutor().execute(() -> { try { final boolean clientComplete = saslClient.isComplete(); final byte[] challenge = Buffers.take(buffer, buffer.remaining()); if (!clientComplete) try { final byte[] response = saslClient.evaluateChallenge(challenge); if (response != null && response.length > 0) { connection.handleException(new SaslException(saslClient.getMechanismName() + ": Received extra auth message after completion")); saslDispose(saslClient); return; if (!saslClient.isComplete()) { connection.handleException(new SaslException(saslClient.getMechanismName() + ": Client not complete after processing auth complete message")); saslDispose(saslClient);
// Body of an action object whose enclosing call starts outside this excerpt (note the trailing
// `});`). It creates the SASL client for the single mechanism NAME and returns the initial token.
// The property key set to "true" is the value of Sasl.SERVER_AUTH, i.e. the client asks the
// server to authenticate itself as well.
// The callback handler argument is null, and the method returns null (not an empty array) when
// the mechanism has no initial response, so callers must handle a null token.
@Override public byte[] run() throws Exception { Map<String, String> props = new HashMap<>(); props.put("javax.security.sasl.server.authentication", "true"); saslClient = Sasl.createSaslClient(new String[]{NAME}, null, protocol, serverName, props, null); if (saslClient.hasInitialResponse()) { return saslClient.evaluateChallenge(new byte[0]); } return null; } });
// Non-contiguous excerpt of a client-side SASL response handler; the conditions guarding the
// last two throws are not fully visible.
// Visible checks: a server message without a token while the server is not yet done is a
// protocol error; a client that is not complete is reported as out of sync with the server;
// an unexpected client response is reported as spurious.
if (saslResponse.hasToken()) { saslToken = saslResponse.getToken().toByteArray(); saslToken = saslClient.evaluateChallenge(saslToken); } else if (!serverIsDone) { throw new SaslException("Server challenge contains no token"); if (!saslClient.isComplete()) { throw new SaslException("Client is out of sync with server"); throw new SaslException("Client generated spurious response");
// Non-contiguous excerpt of a quorum learner's SASL handshake; it starts in the middle of a call
// and omits lines between statements.
// Visible behaviour: an initial token is created from an empty challenge when the mechanism has
// one; the loop runs until the client is complete; in the SUCCESS case a protocol-error
// SaslException is thrown (its guarding condition, if any, is not shown); a failure while
// disposing the client is only logged.
QuorumAuth.QUORUM_SERVER_SASL_DIGEST, LOG, "QuorumLearner"); if (sc.hasInitialResponse()) { responseToken = createSaslToken(new byte[0], sc, learnerLogin); QuorumAuth.Status qpStatus = QuorumAuth.Status .getStatus(authPacket.getStatus()); while (!sc.isComplete()) { switch (qpStatus) { case SUCCESS: throw new SaslException("Protocol error: attempting to send response after completion"); if (sc != null) { try { sc.dispose(); } catch (SaslException e) { LOG.error("SaslClient dispose() failed", e);
/**
 * Evaluates a broker challenge and returns the client's next SASL token.
 *
 * <p>For the initial step of a mechanism without an initial response the supplied token is
 * returned untouched. Otherwise the challenge is evaluated under {@code subject} via
 * {@code Subject.doAs}.
 *
 * @param saslToken challenge received from the broker; must not be {@code null}
 * @param isInitial whether this is the first step of the exchange
 * @return the token to send to the broker
 * @throws SaslException for retriable Kerberos errors; other evaluation failures are raised
 *     as {@code SaslAuthenticationException}, and a {@code null} token as
 *     {@code IllegalSaslStateException}
 */
private byte[] createSaslToken(final byte[] saslToken, boolean isInitial) throws SaslException {
    if (saslToken == null) {
        throw new IllegalSaslStateException("Error authenticating with the Kafka Broker: received a `null` saslToken.");
    }

    try {
        if (isInitial && !saslClient.hasInitialResponse()) {
            return saslToken;
        }
        return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> saslClient.evaluateChallenge(saslToken));
    } catch (PrivilegedActionException e) {
        final StringBuilder message = new StringBuilder("An error: (")
                .append(e)
                .append(") occurred when evaluating SASL token received from the Kafka Broker.");
        final KerberosError kerberosError = KerberosError.fromException(e);
        // Try to provide hints to users about what went wrong so they can fix their configuration.
        if (kerberosError == KerberosError.SERVER_NOT_FOUND) {
            message.append(" This may be caused by Java's being unable to resolve the Kafka Broker's")
                    .append(" hostname correctly. You may want to try to adding")
                    .append(" '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment.")
                    .append(" Users must configure FQDN of kafka brokers when authenticating using SASL and")
                    .append(" `socketChannel.socket().getInetAddress().getHostName()` must match the hostname in `principal/hostname@realm`");
        }
        message.append(" Kafka Client will go to AUTHENTICATION_FAILED state.");

        // Unwrap the SaslException inside `PrivilegedActionException`.
        final Throwable cause = e.getCause();

        // Transient Kerberos errors stay non-fatal SaslExceptions (processed as I/O exceptions);
        // every other failure is a fatal SaslAuthenticationException.
        final boolean retriable = kerberosError != null && kerberosError.retriable();
        if (retriable) {
            throw new SaslException(message.toString(), cause);
        }
        throw new SaslAuthenticationException(message.toString(), cause);
    }
}
/**
 * Starts a fresh SASL exchange on the current session and returns the auth-start command.
 *
 * <p>Any previous client is destroyed first. The new client's initial response (or
 * {@code EMPTY_BYTES} when the mechanism has none) is sent with the command.
 *
 * <p>NOTE(review): the server-name argument is the string form of the remote socket address.
 * Mechanisms that bind to the server's host name (e.g. DIGEST-MD5, GSSAPI) expect a plain
 * host name, so confirm this string is acceptable for every mechanism in use.
 *
 * @return the command written to the session
 * @throws SaslException if the client cannot be created or the initial response fails
 * @throws RuntimeException if the session is already closed
 */
private Command startAuth() throws SaslException {
    // destroy previous client.
    destroySaslClient();

    this.saslClient = Sasl.createSaslClient(
            authInfo.getMechanisms(),
            null,
            "memcached",
            memcachedTCPSession.getRemoteSocketAddress().toString(),
            null,
            this.authInfo.getCallbackHandler());

    byte[] response;
    if (saslClient.hasInitialResponse()) {
        response = saslClient.evaluateChallenge(EMPTY_BYTES);
    } else {
        response = EMPTY_BYTES;
    }

    CountDownLatch latch = new CountDownLatch(1);
    Command command =
            this.commandFactory.createAuthStartCommand(saslClient.getMechanismName(), latch, response);

    if (this.memcachedTCPSession.isClosed()) {
        log.error("Authentication fail,because the connection has been closed");
        throw new RuntimeException("Authentication fai,connection has been close");
    }
    this.memcachedTCPSession.write(command);
    return command;
}
/**
 * Creates the SASL client and prepares the first authentication message.
 *
 * <p>Any {@link SaslException} is rethrown as a {@link RuntimeException} with the
 * original exception kept as the cause.
 *
 * <p>NOTE(review): the client created here is a local and is not disposed in this method;
 * confirm whether {@code buildResponse} or the caller takes ownership of it.
 */
@Override
public void initialize() {
    try {
        final SaslClient saslClient =
                Sasl.createSaslClient(mech, null, "memcached", serverName, props, cbh);
        final byte[] firstToken = buildResponse(saslClient);
        prepareBuffer(saslClient.getMechanismName(), 0, firstToken);
    } catch (SaslException e) {
        // XXX: Probably something saner can be done here.
        throw new RuntimeException("Can't make SASL go.", e);
    }
}
/**
 * Sends the first SASL packet for this connection, once.
 *
 * <p>A missing client moves the state to {@code FAILED} and throws. In any state other than
 * {@code INITIAL} the call does nothing. Otherwise the first packet is sent, using an empty
 * token when the mechanism has no initial response, and the state becomes
 * {@code INTERMEDIATE}.
 *
 * @param cnxn the connection the packet is sent on
 * @throws SaslException if no SASL client exists or sending the packet fails
 */
public void initialize(ClientCnxn cnxn) throws SaslException {
    if (saslClient == null) {
        saslState = SaslState.FAILED;
        throw new SaslException("saslClient failed to initialize properly: it's null.");
    }
    if (saslState != SaslState.INITIAL) {
        return;
    }

    if (saslClient.hasInitialResponse()) {
        sendSaslPacket(cnxn);
    } else {
        // The server speaks first for this mechanism: open the exchange with an empty token.
        sendSaslPacket(new byte[0], cnxn);
    }
    saslState = SaslState.INTERMEDIATE;
}
/**
 * Passes a server challenge to the wrapped SASL client.
 *
 * @param challenge challenge bytes received from the server
 * @return whatever the wrapped client returns for this challenge
 * @throws SaslException if the wrapped client rejects the challenge
 */
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
    final byte[] response = saslClient.evaluateChallenge(challenge);
    return response;
}
/**
 * Reports whether the wrapped SASL client considers the exchange finished.
 *
 * @return the wrapped client's completion flag
 */
public boolean isComplete() {
    final boolean finished = saslClient.isComplete();
    return finished;
}
/**
 * Feeds one SASL message to whichever side this object represents.
 *
 * <p>When a client is set, {@code buf} is treated as a server challenge; otherwise it is
 * treated as a client response and handed to the server.
 *
 * @param buf the message received from the peer
 * @return the token produced by the client or server for this message
 * @throws SaslException if evaluation fails
 */
public byte[] evaluate(byte[] buf) throws SaslException {
    if (client == null) {
        return server.evaluateResponse(buf);
    }
    return client.evaluateChallenge(buf);
}
/**
 * Handles the server's "authentication succeeded" message.
 *
 * <p>Success is accepted only once the local SASL client is complete as well. If the server
 * finished first, its final data is evaluated once. A client that is still incomplete after
 * that fails the handshake, so a server cannot declare success on its own.
 *
 * @param context challenge context carrying the connection, the UGI and the challenge
 * @return always {@code null}; no further message is sent after success
 * @throws Exception {@link SaslException} if the client is not complete after the final
 *     evaluation, or whatever the evaluation or success handler throws
 */
@Override
public <CC extends ClientConnection> SaslMessage process(SaslChallengeContext<CC> context) throws Exception {
    final SaslClient saslClient = context.connection.getSaslClient();

    if (!saslClient.isComplete()) {
        // server completed before client; so try once, fail otherwise
        evaluateChallenge(context.ugi, saslClient, context.challenge.getData().toByteArray()); // discard response

        if (!saslClient.isComplete()) {
            throw new SaslException("Server allegedly succeeded authentication, but client did not. Suspicious?");
        }
    }

    handleSuccess(context);
    return null;
}
} // closes the enclosing scope, whose opening is outside this excerpt
/**
 * Reports completion of the SASL exchange for whichever side this object represents.
 *
 * @return the client's completion flag when a client is set, otherwise the server's
 */
public boolean isComplete() {
    return client != null ? client.isComplete() : server.isComplete();
}
// Non-contiguous excerpt of a client-side SASL step; lines are omitted and braces do not balance.
// Visible behaviour: while the client is incomplete the server token is turned into the next
// client token. Once the client completes, `gotLastPacket` is set for GSSAPI only when the
// server token is null, and for every other mechanism unconditionally at that point.
if (!(saslClient.isComplete())) { try { saslToken = createSaslToken(serverToken); if (saslClient.isComplete()) { if ((serverToken == null) && (saslClient.getMechanismName().equals("GSSAPI"))) gotLastPacket = true; if (!saslClient.getMechanismName().equals("GSSAPI")) { gotLastPacket = true;
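/**
 * Evaluates a server challenge as the given user and returns the client's response.
 *
 * <p>Every failure reaches the caller as a {@link SaslException}: one thrown by the action is
 * rethrown unchanged, anything else is wrapped with the mechanism name in the message.
 *
 * @param ugi the user the evaluation runs as
 * @param saslClient the client that evaluates the challenge
 * @param challengeBytes challenge received from the server
 * @return the response produced by {@code saslClient}
 * @throws SaslException if evaluation fails for any reason
 */
private static byte[] evaluateChallenge(final UserGroupInformation ugi, final SaslClient saslClient,
                                        final byte[] challengeBytes) throws SaslException {
    try {
        return ugi.doAs(new PrivilegedExceptionAction<byte[]>() {
            @Override
            public byte[] run() throws Exception {
                return saslClient.evaluateChallenge(challengeBytes);
            }
        });
    } catch (final UndeclaredThrowableException e) {
        // Report the wrapped cause rather than the reflective wrapper.
        throw new SaslException(
                String.format("Unexpected failure (%s)", saslClient.getMechanismName()), e.getCause());
    } catch (final IOException | InterruptedException e) {
        if (e instanceof SaslException) {
            throw (SaslException) e;
        }
        if (e instanceof InterruptedException) {
            // Restore the interrupt flag so callers up the stack can still see the interruption.
            Thread.currentThread().interrupt();
        }
        throw new SaslException(
                String.format("Unexpected failure (%s)", saslClient.getMechanismName()), e);
    }
}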