negotiationOid = new Oid(SPNEGO_OID); gssContext = manager.createContext(useCanonicalHostname ? serverName.canonicalize(negotiationOid) : serverName, negotiationOid, myCred, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); } catch (GSSException ex) { log.error("generateToken", ex); negotiationOid = new Oid(KERBEROS_OID); gssContext = manager.createContext(serverName.canonicalize(negotiationOid), negotiationOid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); token = gssContext.initSecContext(token, 0, token.length); if (token == null) { throw new SpnegoEngineException("GSS security context initialization failed"); if (spnegoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) { token = spnegoGenerator.generateSpnegoDERObject(token); gssContext.dispose();
@Override public String run() throws HttpAuthenticationException { GSSManager manager = GSSManager.getInstance(); GSSContext gssContext = null; String serverPrincipal = getPrincipalWithoutRealm( try { Oid kerberosMechOid = new Oid("1.2.840.113554.1.2.2"); Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2"); Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1"); GSSName serverName = manager.createName(serverPrincipal, krb5PrincipalOid); gssContext.acceptSecContext(inToken, 0, inToken.length); if (!gssContext.isEstablished()) { throw new HttpAuthenticationException("Kerberos authentication failed: " + "unable to establish context with the service ticket " + return getPrincipalWithoutRealmAndHost(gssContext.getSrcName().toString()); if (gssContext != null) { try { gssContext.dispose(); } catch (GSSException e) {
Session session = getSession(); context = doAs(session.getLoginContext().getSubject(), () -> { GSSContext result = GSS_MANAGER.createContext( GSS_MANAGER.createName(servicePrincipal, NT_HOSTBASED_SERVICE), SPNEGO_OID, session.getClientCredential(), INDEFINITE_LIFETIME); result.requestMutualAuth(true); result.requestConf(true); result.requestInteg(true); result.requestCredDeleg(false); return result; }); byte[] token = context.initSecContext(new byte[0], 0, 0); if (token == null) { throw new LoginException("No token generated from GSS context"); try { if (context != null) { context.dispose();
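/**
 * Authenticates one SPNEGO/Kerberos request token and returns the client principal it proves.
 * <p>
 * The context is created under the acceptor's login Subject ({@code doAs}) with the service's
 * acceptor credential. Because HTTP is stateless the context cannot be kept between requests, so
 * a token that does not establish the context in a single round trip is treated as a failure.
 *
 * @param token base64 text of the Negotiate token exactly as received from the client
 *              (untrusted input)
 * @return the initiator's Kerberos principal when the context is established, otherwise
 *         {@link Optional#empty()}; never throws for bad client input
 */
private Optional<Principal> authenticate(String token)
{
    GSSContext context = doAs(loginContext.getSubject(), () -> gssManager.createContext(serverCredential));
    try {
        // Base64.Decoder throws IllegalArgumentException on malformed input. The original let that
        // escape, turning a garbage Authorization header into a server error instead of an
        // authentication failure; it is caught below.
        byte[] inputToken = Base64.getDecoder().decode(token);
        context.acceptSecContext(inputToken, 0, inputToken.length);
        // We can't hold on to the GSS context because HTTP is stateless, so fail
        // if it can't be set up in a single challenge-response cycle
        if (context.isEstablished()) {
            return Optional.of(new KerberosPrincipal(context.getSrcName().toString()));
        }
        // Deliberately not logging the token: it is a client credential (an AP-REQ) and has
        // no place in a log file, even at debug level.
        LOG.debug("Failed to establish GSS context in a single round trip");
    }
    catch (IllegalArgumentException e) {
        // Not valid base64 — fail the authentication, do not echo the token
        LOG.debug(e, "Authentication failed: Negotiate token is not valid base64");
    }
    catch (GSSException e) {
        // ignore and fail the authentication
        LOG.debug(e, "Authentication failed for Negotiate token");
    }
    finally {
        try {
            context.dispose();
        }
        catch (GSSException ignored) {
            // nothing further can be done with a context we are discarding
        }
    }
    return Optional.empty();
}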
@Override public String run() throws Exception { // This Oid for Kerberos GSS-API mechanism. Oid mechOid = new Oid("1.2.840.113554.1.2.2"); // Oid for kerberos principal name Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1"); GSSManager manager = GSSManager.getInstance(); // GSS name for server GSSName serverName = manager.createName(serverPrincipal, krb5PrincipalOid); // Create a GSSContext for authentication with the service. // We're passing client credentials as null since we want them to be read from the Subject. GSSContext gssContext = manager.createContext(serverName, mechOid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(false); // Establish context byte[] inToken = new byte[0]; byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length); gssContext.dispose(); // Base64 encoded and stringified token for server return new String(base64codec.encode(outToken)); } }
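/**
 * Accepts a client's Kerberos service ticket (AP-REQ) under the acceptor's {@link Subject} and
 * returns the authenticated client principal.
 * <p>
 * The acceptor credential is the default one of {@code subject} ({@code createContext(null)}).
 * The ticket must establish the context in a single step; a context still "in progress" has
 * not authenticated anyone, so its source name is never returned.
 *
 * @param subject       the acceptor subject holding the service's Kerberos credentials
 * @param serviceTicket the raw GSS-API token received from the client
 * @return the initiator's principal name, or {@code null} when the ticket is not accepted
 *         (the failure is logged)
 * @throws GSSException declared for callers; errors inside the privileged action are caught,
 *                      logged and mapped to {@code null}
 */
public static String validateSecurityContext(Subject subject, final byte[] serviceTicket) throws GSSException {
    // Accept the context and return the client principal name.
    return Subject.doAs(subject, (PrivilegedAction<String>) () -> {
        GSSContext context = null;
        try {
            // Identify the server that communications are being made
            // to.
            GSSManager manager = GSSManager.getInstance();
            context = manager.createContext((GSSCredential) null);
            context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
            if (!context.isEstablished()) {
                // Routed through the catch below so it is logged and reported like any other
                // rejected ticket. The original trusted getSrcName() without this check.
                throw new GSSException(GSSException.DEFECTIVE_TOKEN, 0,
                        "security context not established by a single token");
            }
            return context.getSrcName().toString();
        } catch (Exception e) {
            log.error(Util.getMessage("Krb5TokenKerberosContextProcessingException"), e);
            return null;
        } finally {
            // The context is never reused, so release it on every path (the original leaked it).
            if (context != null) {
                try {
                    context.dispose();
                } catch (GSSException ignored) {
                    // nothing further to do with a context we are discarding
                }
            }
        }
    });
}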
GSSManager manager = GSSManager.getInstance(); try Oid krb5Oid = new Oid("1.3.6.1.5.5.2"); // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html GSSName gssName = manager.createName(_targetName,null); GSSCredential serverCreds = manager.createCredential(gssName,GSSCredential.INDEFINITE_LIFETIME,krb5Oid,GSSCredential.ACCEPT_ONLY); GSSContext gContext = manager.createContext(serverCreds); while (!gContext.isEstablished()) authToken = gContext.acceptSecContext(authToken,0,authToken.length); if (gContext.isEstablished()) String clientName = gContext.getSrcName().toString(); String role = clientName.substring(clientName.indexOf('@') + 1); LOG.debug("Client Principal is: " + gContext.getSrcName()); LOG.debug("Server Principal is: " + gContext.getTargName()); LOG.debug("Client Default Role: " + role); Subject subject = new Subject(); subject.getPrincipals().add(user);
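/**
 * Produces the client's next Kerberos token for the {@code HTTP/<authServer>} service, using the
 * Kerberos credentials of the Subject this action runs under.
 *
 * @return the GSS token to send to the server, given {@code input} as the token received so far
 * @throws GSSException if the name, context or token cannot be produced
 * @throws UnknownHostException, ClassNotFoundException, IllegalAccessException,
 *         NoSuchFieldException propagated from the {@code KerberosUtil} helpers
 */
public byte[] run() throws UnknownHostException, ClassNotFoundException, GSSException, IllegalAccessException, NoSuchFieldException {
    final GSSManager gssManager = GSSManager.getInstance();
    final String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", authServer);
    final Oid serviceOid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
    final GSSName serviceName = gssManager.createName(servicePrincipal, serviceOid);
    final Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
    // The original passed a literal 0, which is exactly GSSContext.DEFAULT_LIFETIME.
    final GSSContext gssContext = gssManager.createContext(serviceName, mechOid, null, GSSContext.DEFAULT_LIFETIME);
    try {
        // Security note: credential delegation forwards the user's TGT to the HTTP server so it
        // can act as the user; only appropriate against a trusted service.
        gssContext.requestCredDeleg(true);
        gssContext.requestMutualAuth(true);
        return gssContext.initSecContext(input, 0, input.length);
    } finally {
        // The context is local to this action and unreachable after return, so release it
        // (the original leaked it). NOTE(review): since the context is not kept, the server's
        // mutual-auth reply cannot be verified here; presumably the caller handles that — confirm.
        gssContext.dispose();
    }
}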
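/**
 * Builds the initial Kerberos AP-REQ token from {@code clientPrincipalName} to
 * {@code serverPrincipalName} and appends it, base64 encoded, to {@code outputToken}.
 *
 * @return always {@code null}; the token is delivered through {@code outputToken}
 * @throws FailedRequestException wrapping any {@link GSSException} from the GSS layer
 */
@Override
public Object run() {
    GSSCredential clientCred = null;
    GSSContext context = null;
    try {
        final Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
        final Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
        final GSSManager manager = GSSManager.getInstance();
        final GSSName clientName = manager.createName(clientPrincipalName, krb5PrincipalNameType);
        clientCred = manager.createCredential(clientName, 8 * 3600, krb5Mechanism, GSSCredential.INITIATE_ONLY);
        final GSSName serverName = manager.createName(serverPrincipalName, krb5PrincipalNameType);
        context = manager.createContext(serverName, krb5Mechanism, clientCred, GSSContext.DEFAULT_LIFETIME);
        // Context flags are only honoured when requested BEFORE the first initSecContext call.
        // The original requested mutual authentication after it, where it has no effect on the
        // token that is produced.
        context.requestMutualAuth(true);
        final byte[] inToken = new byte[0];
        final byte[] outToken = context.initSecContext(inToken, 0, inToken.length);
        // Base64 output is ASCII; encodeToString avoids the platform-default-charset String ctor.
        // NOTE(review): the context is discarded below, so the server's AP-REP is not verified
        // here — presumably the caller does not need it; confirm.
        outputToken.append(Base64.getEncoder().encodeToString(outToken));
    } catch (GSSException exception) {
        throw new FailedRequestException(exception.getMessage(), exception);
    } finally {
        // Release context and credential on every path; the original disposed the context only
        // on success and never released the credential.
        if (context != null) {
            try {
                context.dispose();
            } catch (GSSException ignored) {
                // the token has already been produced; nothing to recover
            }
        }
        if (clientCred != null) {
            try {
                clientCred.dispose();
            } catch (GSSException ignored) {
                // discarding the credential anyway
            }
        }
    }
    return null;
}
}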
GSSManager manager = GSSManager.getInstance(); GSSCredential clientCreds = null; Oid[] desiredMechs = new Oid[1]; if (clientCredentials == null) { if (useSpnego && hasSpnegoSupport(manager)) { desiredMechs[0] = new Oid("1.3.6.1.5.5.2"); } else { desiredMechs[0] = new Oid("1.2.840.113554.1.2.2"); GSSName clientName = manager.createName(user, GSSName.NT_USER_NAME); clientCreds = manager.createCredential(clientName, 8 * 3600, desiredMechs, GSSCredential.INITIATE_ONLY); } else { desiredMechs[0] = new Oid("1.2.840.113554.1.2.2"); clientCreds = clientCredentials; GSSContext secContext = manager.createContext(serverName, desiredMechs[0], clientCreds, GSSContext.DEFAULT_LIFETIME); secContext.requestMutualAuth(true); outToken = secContext.initSecContext(inToken, 0, inToken.length); if (!secContext.isEstablished()) { int response = pgStream.receiveChar();
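/**
 * Builds an HTTP {@code Negotiate} authorization value carrying a fresh Kerberos AP-REQ issued
 * by {@code principal}.
 * <p>
 * Mutual authentication and integrity are requested, confidentiality is not. Requested flags
 * must precede the {@code initSecContext} call, which they do here.
 *
 * @return {@code "Negotiate "} followed by the base64 token
 * @throws GSSException if the credential, context or token cannot be produced
 */
private String generateTicket() throws GSSException {
    final GSSManager manager = GSSManager.getInstance();
    // Oid for kerberos principal name
    final Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
    final Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    final GSSName clientName = manager.createName(principal, krb5PrincipalOid);
    final GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, krb5MechOid, GSSCredential.INITIATE_ONLY);
    final byte[] outToken;
    try {
        // NOTE(review): the target service is named with the same principal as the client, i.e.
        // a ticket to itself. Presumably a test fixture where the service runs as this principal
        // — confirm.
        final GSSName serverName = manager.createName(principal, krb5PrincipalOid);
        final GSSContext context = manager.createContext(serverName, krb5MechOid, clientCred, GSSContext.DEFAULT_LIFETIME);
        try {
            context.requestMutualAuth(true);
            context.requestConf(false);
            context.requestInteg(true);
            outToken = context.initSecContext(new byte[0], 0, 0);
        } finally {
            // The context is never reused; the original leaked it.
            context.dispose();
        }
    } finally {
        clientCred.dispose();
    }
    // The ticket is a client credential: never print or log it. The original wrote the whole
    // header to stdout ("Ticket is: ..."), which leaks it into console/CI logs.
    return "Negotiate " + Bytes.toString(Base64.getEncoder().encode(outToken));
}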
GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE); manager.createContext(serverName.canonicalize(mechOid), mechOid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length); gssContext.dispose();
/**
 * Validate a service ticket.
 * <p>
 * Accepts the client's SPNEGO token ({@code ticket}, mechanism OID 1.3.6.1.5.5.2) into a new
 * context that is stored in the {@code secContext} field so the caller can inspect it afterwards
 * (established state, source name). A GSS failure is only logged at debug level and mapped to a
 * {@code null} result, so callers must check {@code secContext} before trusting anything about
 * the client.
 *
 * @return the token to return to the client (may itself be {@code null}), or {@code null} when
 *         the GSS layer rejected the ticket
 */
public byte[] run() {
    final GSSManager gssManager = GSSManager.getInstance();
    try {
        final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        Oid nameType = GSSName.NT_HOSTBASED_SERVICE;
        if (isUsernameServiceNameForm) {
            nameType = GSSName.NT_USER_NAME;
        }
        final GSSName gssService = gssManager.createName(serviceName, nameType);
        // NOTE(review): this is the initiator-form createContext (peer name, mechanism, no
        // credential) but the context is then driven as an acceptor, relying on the default
        // acceptor credential of the current Subject — confirm this is the intended setup.
        secContext = gssManager.createContext(gssService, spnegoOid, null, GSSContext.DEFAULT_LIFETIME);
        return secContext.acceptSecContext(ticket, 0, ticket.length);
    } catch (GSSException e) {
        LOG.debug("Error in obtaining a Kerberos token", e);
    }
    return null;
}
public Object run() throws Exception { Oid krb5Oid = new Oid("1.2.840.113554.1.2.2"); GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(server, null); GSSContext context = manager.createContext(serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME); context.requestMutualAuth(false); // Mutual authentication context.requestConf(false); // Will use confidentiality later context.requestInteg(true); // Will use integrity later context.requestCredDeleg(credentialDelegation); token = context.initSecContext(token, 0, token.length); Subject loginSubject = Subject.getSubject(acc); loginSubject.getPublicCredentials().add(context); loginSubject.getPublicCredentials().add(token);
/**
 * Creates an initiator-side Kerberos GSS context for {@code service} on {@code host}.
 *
 * @param host            target host
 * @param service         service class of the target (e.g. {@code cifs})
 * @param name            client user name, or {@code null} to let the GSS layer use the default
 *                        initiator credential of the current Subject
 * @param userLifetime    requested lifetime of the client credential (seconds), used only when
 *                        {@code name} is given
 * @param contextLifetime requested lifetime of the context (seconds)
 * @param realm           Kerberos realm; when given the target is named as the Kerberos
 *                        principal {@code service/host@realm}, otherwise as the host-based
 *                        service {@code service@host}
 * @throws GSSException if a name, credential or the context cannot be created
 */
Kerb5Context ( String host, String service, String name, int userLifetime, int contextLifetime, String realm ) throws GSSException {
    final GSSManager manager = GSSManager.getInstance();
    final Oid mechOid = JGSS_KRB5_MECH_OID;

    this.serviceName = ( realm != null )
        ? manager.createName(service + "/" + host + "@" + realm, JGSS_KRB5_NAME_OID, mechOid)
        : manager.createName(service + "@" + host, GSSName.NT_HOSTBASED_SERVICE, mechOid);
    if ( log.isDebugEnabled() ) {
        log.debug("Service name is " + this.serviceName);
    }

    GSSCredential initiatorCreds = null;
    if ( name == null ) {
        this.clientName = null;
    }
    else {
        this.clientName = manager.createName(name, GSSName.NT_USER_NAME, mechOid);
        initiatorCreds = manager.createCredential(this.clientName, userLifetime, mechOid, GSSCredential.INITIATE_ONLY);
    }

    this.gssContext = manager.createContext(this.serviceName, mechOid, initiatorCreds, contextLifetime);
    final GSSContext ctx = this.gssContext;
    // per spec these should be set: mutual authentication and credential delegation on.
    // Security note: requestCredDeleg(true) forwards the client's TGT to the server, which can
    // then act as the user — only safe when the target service is trusted.
    ctx.requestMutualAuth(true);
    ctx.requestCredDeleg(true);
    // Everything else explicitly off: no anonymity, no sequence/replay detection, no
    // confidentiality or integrity services on this context.
    ctx.requestAnonymity(false);
    ctx.requestSequenceDet(false);
    ctx.requestReplayDet(false);
    ctx.requestConf(false);
    ctx.requestInteg(false);
}
GSSContext context = null; try { GSSManager manager = GSSManager.getInstance(); Oid krb5oid = new Oid("1.2.840.113554.1.2.2"); GSSCredential serverCreds = manager.createCredential(null/* use name from login context*/, GSSCredential.DEFAULT_LIFETIME, krb5oid, context = manager.createContext(serverCreds); securityContext.token = context.acceptSecContext(token, 0, token.length); if (context.isEstablished()) { securityContext.principal = context.getSrcName().toString(); LOGGER.debug("Authenticated user: " + securityContext.principal); if (!context.getCredDelegState()) { LOGGER.debug("Credentials can not be delegated"); } else { securityContext.clientCredential = context.getDelegCred(); if (context != null) { try { context.dispose(); } catch (GSSException e) { LOGGER.debug("KerberosHelper.acceptSecurityContext " + e + ' ' + e.getMessage());
if (gssContext != null && gssContext.isEstablished()) { identityCache = createIdentityCache(identityCache, storageScope, true); gssContext = gssManager.createContext(serviceGssCredential); Subject subject = new Subject(true, Collections.emptySet(), Collections.emptySet(), kerberosTicket != null ? Collections.singleton(kerberosTicket) : Collections.emptySet()); responseToken = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> finalGssContext.acceptSecContext(decodedValue, 0, decodedValue.length)); } catch (PrivilegedActionException e) { httpSpnego.trace("Call to acceptSecContext failed.", e.getCause()); if (gssContext.isEstablished()) { // no more tokens are needed from the peer final GSSCredential gssCredential; gssCredential = gssContext.getCredDelegState() ? gssContext.getDelegCred() : null; } catch (GSSException e) { httpSpnego.trace("Unable to access delegated credential despite being delegated.", e);
GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(spn, serviceNameType); .createContext(serverName.canonicalize(oid), oid, delegatedCred, GSSContext.DEFAULT_LIFETIME); context.requestCredDeleg(isCredDelegationRequired(message)); return context.initSecContext(token, 0, token.length); return Subject.doAs(subject, new CreateServiceTicketAction(context, token)); } catch (PrivilegedActionException e) { if (e.getCause() instanceof GSSException) {
/**
 * Initiates (or continues) a Kerberos GSS context toward {@code protocol@host} using
 * {@code delegatedCredentials}, requesting credential delegation, and returns the token to send
 * to the server.
 * <p>
 * Failures are not thrown: the {@link GSSException} is returned as the result object, so callers
 * must test the result's type. The context is released on every path.
 *
 * @return the output token ({@code byte[]}, possibly {@code null}) on success, otherwise the
 *         {@link GSSException}
 */
public Object run() {
    GSSContext context = null;
    Object result;
    try {
        final GSSManager manager = GSSManager.getInstance();
        final String hostBasedService = protocol + '@' + host;
        final GSSName serverName = manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
        // Kerberos v5 OID
        final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
        context = manager.createContext(serverName, krb5Oid, delegatedCredentials, GSSContext.DEFAULT_LIFETIME);
        // Mutual authentication is intentionally not requested here; the author's open question:
        // TODO: used by IIS to pass token to Exchange ?  (would be context.requestMutualAuth(true))
        // Security note: delegation forwards the (already delegated) credential to the next hop.
        context.requestCredDeleg(true);
        result = context.initSecContext(token, 0, token.length);
    } catch (GSSException e) {
        // Reported to the caller through the return value rather than thrown
        result = e;
    } finally {
        if (context != null) {
            try {
                context.dispose();
            } catch (GSSException e) {
                LOGGER.debug("KerberosHelper.internalInitSecContext " + e + ' ' + e.getMessage());
            }
        }
    }
    return result;
}
});
final Oid spnegoOid = new Oid("1.3.6.1.5.5.2"); GSSName serviceName = gssmgr.createName(this.spn, GSSName.NT_USER_NAME); GSSCredential serviceCredentials = gssmgr.createCredential(serviceName, GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY); GSSContext gssContext = gssmgr.createContext(serviceCredentials); gssContext.acceptSecContext(this.ticket, 0, this.ticket.length); String clientName = gssContext.getSrcName().toString(); gssContext.dispose();