throw new SaslException("Invalid message format"); throw new SaslException("No user name provided"); throw new SaslException("No password name provided"); NameCallback nameCallback = new NameCallback("User"); nameCallback.setName(user); PasswordCallback pcCallback = new PasswordCallback("Password", false); pcCallback.setPassword(passwd.toCharArray()); AuthorizeCallback acCallback = new AuthorizeCallback(user, authzId); handler.handle(cbList); if (!acCallback.isAuthorized()) { throw new SaslException("Authentication failed"); throw new SaslException("Invalid message format", eL); } catch (IOException eI) { throw new SaslException("Error validating the login", eI); } catch (UnsupportedCallbackException eU) { throw new SaslException("Error validating the login", eU);
@Override public void unregisterChannel(UUID channelId) { AuthenticatedChannelInfo channelInfo = mChannels.remove(channelId); if (channelInfo != null) { try { channelInfo.getSaslServer().dispose(); } catch (SaslException e) { LOG.warn("Failed to dispose sasl client for channel-Id: {}. Error: {}", channelId, e.getMessage()); } } }
@Override public final SaslException extraResponse() { final SaslException result = new SaslException(String.format(getLoggingLocale(), extraResponse$str())); final StackTraceElement[] st = result.getStackTrace(); result.setStackTrace(Arrays.copyOfRange(st, 1, st.length)); return result; } private static final String socketBufferTooSmall = "XNIO000300: Socket buffer is too small";
case SEND_CLIENT_FIRST_MESSAGE: if (challenge != null && challenge.length != 0) throw new SaslException("Expected empty challenge"); clientNonce = formatter.secureRandomString(); NameCallback nameCallback = new NameCallback("Name:"); ScramExtensionsCallback extensionsCallback = new ScramExtensionsCallback(); throw new SaslException("User name or extensions could not be obtained", e); this.serverFirstMessage = new ServerFirstMessage(challenge); if (!serverFirstMessage.nonce().startsWith(clientNonce)) throw new SaslException("Invalid server nonce: does not start with client nonce"); if (serverFirstMessage.iterations() < mechanism.minIterations()) throw new SaslException("Requested iterations " + serverFirstMessage.iterations() + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism); PasswordCallback passwordCallback = new PasswordCallback("Password:", false); try { callbackHandler.handle(new Callback[]{passwordCallback}); } catch (Throwable e) { throw new SaslException("User name could not be obtained", e); ServerFinalMessage serverFinalMessage = new ServerFinalMessage(challenge); if (serverFinalMessage.error() != null) throw new SaslException("Sasl authentication using " + mechanism + " failed with error: " + serverFinalMessage.error()); handleServerFinalMessage(serverFinalMessage.serverSignature()); setState(State.COMPLETE);
private void generateSaltedPassword() throws SaslException { final PasswordCallback passwordCallback = new PasswordCallback("Password", false); try { callbacks.handle(new Callback[]{passwordCallback}); } catch (IOException e) { throw new SaslException("Missing callback fetch password", e); } catch (UnsupportedCallbackException e) { throw new SaslException("Missing callback fetch password", e); } final char[] pw = passwordCallback.getPassword(); if (pw == null) { throw new SaslException("Password can't be null"); } String password = new String(pw); saltedPassword = pbkdf2(password, salt, iterationCount); passwordCallback.clearPassword(); }
private String getUserName() throws SaslException { final NameCallback nameCallback = new NameCallback("Username"); try { callbacks.handle(new Callback[] { nameCallback }); } catch (IOException e) { throw new SaslException("Missing callback fetch username", e); } catch (UnsupportedCallbackException e) { throw new SaslException("Missing callback fetch username", e); } final String name = nameCallback.getName(); if (name == null || name.isEmpty()) { throw new SaslException("Missing username"); } return name; }
tokens = new String(response, "UTF-8").split("\u0000"); } catch (UnsupportedEncodingException e) { throw new SaslException("UTF-8 encoding not supported", e); throw new SaslException("Invalid SASL/PLAIN response: expected 3 tokens, got " + tokens.length); String authorizationIdFromClient = tokens[0]; String username = tokens[1]; throw new SaslException("Authentication failed: username not specified"); throw new SaslException("Authentication failed: password not specified"); NameCallback nameCallback = new NameCallback("username", username); PlainAuthenticateCallback authenticateCallback = new PlainAuthenticateCallback(password.toCharArray()); try { callbackHandler.handle(new Callback[]{nameCallback, authenticateCallback}); } catch (Throwable e) { throw new SaslAuthenticationException("Authentication failed: credentials for user could not be verified", e);
private SaslExtensions retrieveCustomExtensions() throws SaslException { SaslExtensionsCallback extensionsCallback = new SaslExtensionsCallback(); try { callbackHandler().handle(new Callback[] {extensionsCallback}); } catch (UnsupportedCallbackException e) { log.debug("Extensions callback is not supported by client callback handler {}, no extensions will be added", callbackHandler()); } catch (Exception e) { throw new SaslException("SASL extensions could not be obtained", e); } return extensionsCallback.extensions(); }
} catch (SaslException sex) { logger.log(Level.FINE, "Failed to create SASL client", sex); throw new UnsupportedOperationException(sex.getMessage(), sex); logger.fine("SASL client " + sc.getMechanismName()); args.writeAtom(sc.getMechanismName()); if (pr.hasCapability("SASL-IR") && sc.hasInitialResponse()) { String irs; byte[] ba = sc.evaluateChallenge(new byte[0]);
protected void handleNameCallback(NameCallback nc) throws IOException { String user_name = nc.getDefaultName(); jid = BareJID.bareJIDInstanceNS(user_name, domain); nc.setName(jid.toString()); if (log.isLoggable(Level.FINEST)) { log.log(Level.FINEST, "NameCallback: {0}", user_name); } try { String pwd = repo.getPassword(jid); if (pwd == null) throw new SaslException("User " + jid + " not found."); byte[] buffer = Base64.decode(pwd); this.salt = new byte[20]; this.saltedPassword = new byte[20]; System.arraycopy(buffer, 0, salt, 0, salt.length); System.arraycopy(buffer, salt.length, saltedPassword, 0, saltedPassword.length); } catch (Exception e) { this.salt = null; this.saltedPassword = null; log.log(Level.FINE, "Can't retrieve users salted password.", e); } }
public byte[] evaluateMessage(final SaslStateContext context, final byte[] message) throws SaslException { if (message != null && message.length > 0) { throw new SaslException("Invalid challenge received from server"); } NameCallback nameCallback = new NameCallback("Authentication name"); handleCallbacks(nameCallback); String name = nameCallback.getName(); if (name == null) { throw new SaslException("Authentication name is missing"); } if (name.length() > 255) { throw new SaslException("Authentication name string is too long"); } if (name.isEmpty()) { throw new SaslException("Authentication name is empty"); } context.negotiationComplete(); return name == null ? NO_BYTES : name.getBytes(Charsets.UTF_8); } };
QuorumAuth.QUORUM_SERVER_SASL_DIGEST, LOG, "QuorumLearner"); if (sc.hasInitialResponse()) { responseToken = createSaslToken(new byte[0], sc, learnerLogin); QuorumAuth.Status qpStatus = QuorumAuth.Status .getStatus(authPacket.getStatus()); while (!sc.isComplete()) { switch (qpStatus) { case SUCCESS: throw new SaslException("Protocol error: attempting to send response after completion"); break; case ERROR: throw new SaslException( "Authentication failed against server addr: " + sock.getRemoteSocketAddress()); default: LOG.warn("Unknown status:{}!", qpStatus); throw new SaslException( "Authentication failed against server addr: " + sock.getRemoteSocketAddress());
connection.getExecutor().execute(() -> { try { final boolean clientComplete = saslClient.isComplete(); if (clientComplete) { connection.handleException(new SaslException(saslClient.getMechanismName() + ": Received extra auth message after completion")); return; final byte[] response = saslClient.evaluateChallenge(challenge); if (response != null && response.length > 0) { connection.handleException(new SaslException(saslClient.getMechanismName() + ": Received extra auth message after completion")); saslDispose(saslClient); return; if (!saslClient.isComplete()) { connection.handleException(new SaslException(saslClient.getMechanismName() + ": Client not complete after processing auth complete message")); saslDispose(saslClient); return; final String mechanismName = saslClient.getMechanismName(); client.debugf("Client received authentication rejected for mechanism %s", mechanismName); failedMechs.put(mechanismName, new SaslException(mechanismName + ": Server rejected authentication")); saslDispose(saslClient); sendCapRequest(serverName);
private byte[] createSaslToken(final byte[] saslToken, boolean isInitial) throws SaslException { if (saslToken == null) throw new IllegalSaslStateException("Error authenticating with the Kafka Broker: received a `null` saslToken."); try { if (isInitial && !saslClient.hasInitialResponse()) return saslToken; else return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> saslClient.evaluateChallenge(saslToken)); } catch (PrivilegedActionException e) { String error = "An error: (" + e + ") occurred when evaluating SASL token received from the Kafka Broker."; KerberosError kerberosError = KerberosError.fromException(e); // Try to provide hints to use about what went wrong so they can fix their configuration. if (kerberosError == KerberosError.SERVER_NOT_FOUND) { error += " This may be caused by Java's being unable to resolve the Kafka Broker's" + " hostname correctly. You may want to try to adding" + " '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment." + " Users must configure FQDN of kafka brokers when authenticating using SASL and" + " `socketChannel.socket().getInetAddress().getHostName()` must match the hostname in `principal/hostname@realm`"; } error += " Kafka Client will go to AUTHENTICATION_FAILED state."; //Unwrap the SaslException inside `PrivilegedActionException` Throwable cause = e.getCause(); // Treat transient Kerberos errors as non-fatal SaslExceptions that are processed as I/O exceptions // and all other failures as fatal SaslAuthenticationException. if (kerberosError != null && kerberosError.retriable()) throw new SaslException(error, cause); else throw new SaslAuthenticationException(error, cause); } }
if (saslResponse.hasToken()) { saslToken = saslResponse.getToken().toByteArray(); saslToken = saslClient.evaluateChallenge(saslToken); } else if (!serverIsDone) { throw new SaslException("Server challenge contains no token"); if (!saslClient.isComplete()) { throw new SaslException("Client is out of sync with server"); throw new SaslException("Client generated spurious response");
connection.handleException(new SaslException("Authentication failed: the server presented no authentication mechanisms")); } else { connection.handleException((SaslException) e); } else { connection.handleException(new SaslException(e.getMessage(), e)); connection.handleException(new SaslException(b.toString())); } else { connection.handleException(allMechanismsFailed()); final String mechanismName = saslClient.getMechanismName(); client.tracef("Client initiating authentication using mechanism %s", mechanismName); final byte[] response; try { response = usedSaslClient.hasInitialResponse() ? usedSaslClient.evaluateChallenge(EMPTY_BYTES) : null; } catch (Throwable e) { client.tracef("Client authentication failed: %s", e);
private void handleCallbackError(Exception e) throws SaslException { String msg = String.format("%s: %s", INTERNAL_ERROR_ON_SERVER, e.getMessage()); log.debug(msg, e); throw new SaslException(msg); }
@Override public void dispose() throws IOException { if (!client.isComplete()) { onError(new SaslException("Client closed before SASL negotiation finished.")); } client.dispose(); }
public void initialize(ClientCnxn cnxn) throws SaslException { if (saslClient == null) { saslState = SaslState.FAILED; throw new SaslException("saslClient failed to initialize properly: it's null."); } if (saslState == SaslState.INITIAL) { if (saslClient.hasInitialResponse()) { sendSaslPacket(cnxn); } else { byte[] emptyToken = new byte[0]; sendSaslPacket(emptyToken, cnxn); } saslState = SaslState.INTERMEDIATE; } }
@Override public <CC extends ClientConnection> SaslMessage process(SaslChallengeContext<CC> context) throws Exception { final SaslClient saslClient = context.connection.getSaslClient(); if (saslClient.isComplete()) { handleSuccess(context); return null; } else { // server completed before client; so try once, fail otherwise evaluateChallenge(context.ugi, saslClient, context.challenge.getData().toByteArray()); // discard response if (saslClient.isComplete()) { handleSuccess(context); return null; } else { throw new SaslException("Server allegedly succeeded authentication, but client did not. Suspicious?"); } } } }