@Override public String run() throws HttpAuthenticationException { GSSManager manager = GSSManager.getInstance(); GSSContext gssContext = null; String serverPrincipal = SecurityUtil.getPrincipalWithoutRealm(httpUGI.getUserName()); try { Oid kerberosMechOid = new Oid("1.2.840.113554.1.2.2"); Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2"); Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1"); GSSName serverName = manager.createName(serverPrincipal, krb5PrincipalOid); GSSCredential serverCreds = manager.createCredential(serverName, GSSCredential.DEFAULT_LIFETIME, new Oid[]{kerberosMechOid, spnegoMechOid}, byte[] res = gssContext.acceptSecContext(inToken, 0, inToken.length); if(res != null) { outToken = Base64.getEncoder().encodeToString(res).replace("\n", ""); return SecurityUtil.getUserFromPrincipal(gssContext.getSrcName().toString()); } catch (GSSException e) { throw new HttpAuthenticationException("Kerberos authentication failed: ", e);
GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE); manager.createContext(serverName.canonicalize(mechOid), mechOid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length); gssContext.dispose();
/**
 * Builds an initiator-side context for {@code serverName} under the given mechanism,
 * asking for mutual authentication and for credential delegation.
 *
 * <p>Delegation hands the caller's credential to the peer once the context is established,
 * so the peer can act on the caller's behalf; this variant is therefore only appropriate
 * for peers that genuinely need that, since a compromised peer then holds a usable copy.
 *
 * @param manager       GSS manager used to create the context
 * @param oid           mechanism OID the name is canonicalised against and the context is bound to
 * @param serverName    name of the target service
 * @param gssCredential initiator credential, or {@code null} for the default credential
 * @return a fresh, not yet established context with mutual auth and delegation requested
 * @throws GSSException if the name cannot be canonicalised or the context cannot be created
 */
GSSContext createDelegatingGSSContext(final GSSManager manager, final Oid oid, final GSSName serverName, final GSSCredential gssCredential) throws GSSException {
    final GSSName canonicalTarget = serverName.canonicalize(oid);
    final GSSContext initiator = manager.createContext(canonicalTarget, oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    // Both options are only honoured when requested before the first initSecContext() call.
    initiator.requestCredDeleg(true);
    initiator.requestMutualAuth(true);
    return initiator;
}
}
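/**
 * Accepts the client's Kerberos service ticket on behalf of {@code subject} and returns
 * the authenticated client principal name, or {@code null} on failure.
 *
 * <p>The context is accepted with a {@code null} credential, i.e. the default acceptor
 * credential available to {@code subject}. The peer name is only returned once the context
 * is fully established; a token that would need a further round trip is treated as a
 * failure, because the context is disposed before this method returns.
 *
 * @param subject       JAAS subject holding the acceptor (service) credentials
 * @param serviceTicket initial token sent by the client
 * @return the client principal name, or {@code null} if validation failed (the cause is logged)
 * @throws GSSException declared for API compatibility; failures inside the privileged action
 *                      are logged and yield {@code null} rather than propagating
 */
public static String validateSecurityContext(Subject subject, final byte[] serviceTicket) throws GSSException {
    // Accept the context and return the client principal name.
    return Subject.doAs(subject, (PrivilegedAction<String>) () -> {
        GSSContext context = null;
        try {
            // Identify the server that communications are being made to.
            GSSManager manager = GSSManager.getInstance();
            context = manager.createContext((GSSCredential) null);
            context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
            // Only trust the source name once the context is established; a half-built
            // context does not yet prove the peer's identity.
            if (!context.isEstablished()) {
                log.error(Util.getMessage("Krb5TokenKerberosContextProcessingException"));
                return null;
            }
            return context.getSrcName().toString();
        } catch (Exception e) {
            log.error(Util.getMessage("Krb5TokenKerberosContextProcessingException"), e);
            return null;
        } finally {
            // Release the context regardless of outcome; the caller only needs the name.
            if (context != null) {
                try {
                    context.dispose();
                } catch (GSSException ignored) {
                    // the context is being discarded anyway; nothing to recover
                }
            }
        }
    });
}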
byte[] token = (byte[]) Subject.doAs(subject, new PrivilegedExceptionAction() { @Override public Object run() throws PrivilegedActionException, GSSException { final GSSManager manager = GSSManager.getInstance(); GSSName gssName = manager.createName(principalName, GSSName.NT_USER_NAME, KRB5_MECH_OID); GSSCredential gssCred = manager.createCredential(gssName.canonicalize(KRB5_MECH_OID), GSSCredential.DEFAULT_LIFETIME, KRB5_MECH_OID, logger.logInformation(className, methodName, "Client TGT obtained: " + gssCred.toString()); GSSName gssServerName = manager.createName(servicePrincipal, GSSName.NT_USER_NAME); GSSContext clientContext = manager.createContext(gssServerName.canonicalize(SPNEGO_MECH_OID), SPNEGO_MECH_OID, gssCred, GSSContext.DEFAULT_LIFETIME); logger.logInformation(className, methodName, "Service ticket obtained: " + clientContext.toString()); token = clientContext.initSecContext(token, 0, token.length); clientContext.dispose(); return token;
try { handler.handle(new Callback[]{nameCallback, passwordCallback, credentialCallback}); Subject subject = new Subject(); subject.getPrincipals().add(new KerberosPrincipal(gssName.toString())); subject.getPrincipals().add(new NamePrincipal(nameCallback.getName()));
GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(spn, serviceNameType); .createContext(serverName.canonicalize(oid), oid, delegatedCred, GSSContext.DEFAULT_LIFETIME); context.requestCredDeleg(isCredDelegationRequired(message)); return context.initSecContext(token, 0, token.length); return Subject.doAs(subject, new CreateServiceTicketAction(context, token)); } catch (PrivilegedActionException e) { if (e.getCause() instanceof GSSException) {
/**
 * Creates an initiator-side Kerberos context for the fixed test service principal
 * {@code bob@service.ws.apache.org}, using the default ({@code null}) initiator credential.
 *
 * @return a fresh, not yet established context bound to the Kerberos V5 mechanism
 * @throws GSSException if the service name cannot be canonicalised or the context cannot be created
 */
protected GSSContext createGSSContext() throws GSSException {
    final String servicePrincipal = "bob@service.ws.apache.org";
    final Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
    final GSSManager gssManager = GSSManager.getInstance();
    // A null name type lets each mechanism apply its default printable syntax to the string.
    final GSSName service = gssManager.createName(servicePrincipal, null).canonicalize(krb5Mechanism);
    return gssManager.createContext(service, krb5Mechanism, null, GSSContext.DEFAULT_LIFETIME);
}
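/**
 * Validates a single Negotiate (SPNEGO/Kerberos) token from the request and, on success,
 * returns the authenticated client principal.
 *
 * <p>HTTP is stateless, so the acceptor context is not kept between requests: the token must
 * establish the context in one challenge-response cycle, otherwise the request is rejected.
 * The token is never written to the log because it carries the client's credential.
 *
 * @param token base64-encoded token from the client, may be {@code null}
 * @return the client principal, or {@link Optional#empty()} if the token is missing,
 *         malformed, needs another round trip, or fails GSS validation
 */
private Optional<Principal> authenticate(String token) {
    if (token == null) {
        return Optional.empty();
    }
    byte[] inputToken;
    try {
        inputToken = Base64.getDecoder().decode(token);
    } catch (IllegalArgumentException e) {
        // Not valid base64: a client error, and not worth building a GSS context for.
        LOG.debug("Rejecting malformed Negotiate token");
        return Optional.empty();
    }
    GSSContext context = doAs(loginContext.getSubject(), () -> gssManager.createContext(serverCredential));
    try {
        context.acceptSecContext(inputToken, 0, inputToken.length);
        // Only an established context proves the peer's identity.
        if (context.isEstablished()) {
            return Optional.of(new KerberosPrincipal(context.getSrcName().toString()));
        }
        LOG.debug("Failed to establish GSS context in a single challenge-response cycle");
    } catch (GSSException e) {
        // Fail the authentication; the GSS error is kept at debug level only.
        LOG.debug(e, "Authentication failed for Negotiate token");
    } finally {
        try {
            context.dispose();
        } catch (GSSException ignored) {
            // the context is being discarded; nothing to recover
        }
    }
    return Optional.empty();
}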
Subject.doAs(serviceSubject, new ValidateServiceTicketAction(gssContext, serviceTicket)); GSSName srcName = gssContext.getSrcName(); if (srcName == null) { throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse()); String complexUserName = srcName.toString(); m.put(SecurityContext.class, createSecurityContext(simpleUserName, complexUserName, gssContext)); if (!gssContext.getCredDelegState()) { gssContext.dispose(); gssContext = null;
@Override protected void onConnection(Transport.Connection conn) throws Exception { GSSName gssService = manager.createName(serverPrincipal, GSSName.NT_USER_NAME); Oid oid = new Oid(AppUtil.JGSS_KERBEROS_OID); manager.createCredential(gssService, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.ACCEPT_ONLY); this.context = manager.createContext(credentials); } else { this.context = manager.createContext(gssService.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME); while (!context.isEstablished()) { token = conn.recvToken(); token = context.acceptSecContext(token, 0, token.length); if (token != null) { conn.sendToken(token); context.dispose();
/**
 * Logs in via JAAS and obtains an initial security token (service ticket) for {@code spn}.
 *
 * <p>The token is produced inside {@link Subject#doAs} so that the initiator credential is
 * taken from the freshly logged-in subject. A {@link GSSException} raised by the action is
 * rethrown unchanged; any other failure of the action is logged and yields {@code null}.
 *
 * @param spn service principal name of the target, parsed with the mechanism's default syntax
 * @param oid mechanism used both to canonicalise the name and to create the context
 * @return the initial context token, or {@code null} if the privileged action failed for a non-GSS reason
 * @throws GSSException   if the name or context cannot be created, or the action failed with a GSS error
 * @throws LoginException if the JAAS login fails
 */
private byte[] getToken(String spn, Oid oid) throws GSSException, LoginException {
    LoginContext loginContext = buildLoginContext();
    loginContext.login();
    Subject initiator = loginContext.getSubject();

    GSSManager manager = GSSManager.getInstance();
    GSSName canonicalService = manager.createName(spn, null).canonicalize(oid);
    GSSContext context = manager.createContext(canonicalService, oid, null, GSSContext.DEFAULT_LIFETIME);
    // NOTE(review): the context is not disposed here; whether CreateServiceTicketAction keeps
    // using it after the first initSecContext() cannot be seen from this method.
    final byte[] emptyInput = new byte[0];
    try {
        return Subject.doAs(initiator, new CreateServiceTicketAction(context, emptyInput));
    } catch (PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause instanceof GSSException) {
            throw (GSSException) cause;
        }
        log.error("initSecContext", e);
        return null;
    }
}
GSSContextCredential gssCred = (GSSContextCredential) credential; try { user = new KerberosPrincipal(gssCred.getGssContext().getSrcName().toString()); } catch (GSSException e) { return null; addInetPrincipal(supplemental.getSubject().getPrincipals());
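/**
 * Finds the Kerberos session key belonging to this context's peer pair.
 *
 * <p>Scans the subject's private {@link KerberosTicket}s for one whose client and server
 * names match the context's source and target names (compared as mechanism names) and
 * returns that ticket's session key.
 *
 * @param subject subject whose private Kerberos tickets are searched
 * @return the matching ticket's session key, or {@code null} if no ticket matches
 * @throws GSSException if the context's names or mechanism cannot be read or exported
 */
Key searchSessionKey(Subject subject) throws GSSException {
    MIEName src = new MIEName(gssContext.getSrcName().export());
    MIEName targ = new MIEName(gssContext.getTargName().export());
    // Typed iteration over the filtered credential view replaces the raw Iterator and cast.
    for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
        MIEName client = new MIEName(gssContext.getMech(), ticket.getClient().getName());
        MIEName server = new MIEName(gssContext.getMech(), ticket.getServer().getName());
        if (src.equals(client) && targ.equals(server)) {
            return ticket.getSessionKey();
        }
    }
    return null;
}
public void dispose() throws GSSException {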
Message message) throws GSSException, LoginException { GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(spn, serviceNameType); .createContext(serverName.canonicalize(oid), oid, delegatedCred, GSSContext.DEFAULT_LIFETIME); context.requestCredDeleg(isCredDelegationRequired(message));
/**
 * Builds a mutable {@link Subject} whose only principal is the authenticated peer of the
 * context, with no public or private credentials attached.
 *
 * @return a new subject carrying the peer's {@link KerberosPrincipal}
 * @throws GSSException if the context's source name cannot be read
 */
protected Subject createSubject() throws GSSException {
    final String peerName = context.getSrcName().toString();
    final KerberosPrincipal peer = new KerberosPrincipal(peerName);
    final Set<KerberosPrincipal> principals = Collections.singleton(peer);
    // readOnly = false: the subject may still be modified by callers.
    return new Subject(false, principals, Collections.emptySet(), Collections.emptySet());
}
}
switch (state) { case ACCEPTOR_STATE: assert gssContext.isEstablished() == false; byte[] response = gssContext.acceptSecContext(message, 0, message.length); if (gssContext.isEstablished()) { Oid actualMech = gssContext.getMech(); saslGssapi.tracef("Negotiated mechanism %s", actualMech); if (KERBEROS_V5.equals(actualMech) == false) { throw saslGssapi.mechNegotiatedMechanismWasNotKerberosV5().toSaslException(); String targetName = gssContext.getTargName().toString(); String[] targetNameParts = targetName.split("[/@]"); boundServerName = targetNameParts.length > 1 ? targetNameParts[1] : targetName; authenticationId = gssContext.getSrcName().toString(); } catch (GSSException e) { throw saslGssapi.mechUnableToDeterminePeerName(e).toSaslException();
/**
 * Returns the principal name of the client (initiator) credential, acquiring and caching
 * the credential on first use.
 *
 * <p>The credential is acquired for the default principal ({@code null} name) with an
 * indefinite lifetime and initiate-only usage.
 *
 * @return the credential's principal name, or {@code ""} if the credential could not be
 *         obtained or its name read (the error is logged)
 */
public String getClientPrincipal() {
    try {
        // NOTE(review): substring(4) presumably drops a scheme-like prefix from
        // KRB5MechOID.value before it is parsed as a dotted OID; verify against that constant.
        final Oid krb5Mech = new Oid(KRB5MechOID.value.substring(4));
        final GSSManager gssManager = GSSManager.getInstance();
        if (clientCreds == null) {
            clientCreds = gssManager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME, krb5Mech, GSSCredential.INITIATE_ONLY);
        }
        return clientCreds.getName().toString();
    } catch (Exception e) {
        logger.error("Error getting created principal: " + e);
        return "";
    }
}
/**
 * Returns the peer principal of the established context, creating it lazily on first call.
 *
 * @return a {@link KerberosPrincipal} built from the context's source name
 * @throws IllegalStateException if the context is not yet established, or if the source
 *         name cannot be read (the {@link GSSException} is attached as the cause)
 */
Principal getPrincipal() {
    if (isEstablished()) {
        if (principal != null) {
            return principal;
        }
        try {
            // Cached after the first successful lookup; this method itself does no synchronisation.
            principal = new KerberosPrincipal(gssContext.getSrcName().toString());
            return principal;
        } catch (GSSException e) {
            throw new IllegalStateException("Unable to create Principal", e);
        }
    }
    throw new IllegalStateException("No established GSSContext to use for the Principal.");
}
/**
 * Builds an initiator-side context for {@code serverName} under the given mechanism and
 * asks for mutual authentication; credential delegation is not requested here.
 *
 * @param manager       GSS manager used to create the context
 * @param oid           mechanism OID the name is canonicalised against and the context is bound to
 * @param serverName    name of the target service
 * @param gssCredential initiator credential, or {@code null} for the default credential
 * @return a fresh, not yet established context with mutual authentication requested
 * @throws GSSException if the name cannot be canonicalised or the context cannot be created
 */
GSSContext createGSSContext( final GSSManager manager, final Oid oid, final GSSName serverName, final GSSCredential gssCredential) throws GSSException {
    final GSSName canonicalTarget = serverName.canonicalize(oid);
    final GSSContext initiator = manager.createContext(canonicalTarget, oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    // Only honoured when requested before the first initSecContext() call.
    initiator.requestMutualAuth(true);
    return initiator;
}
/**