negotiationOid = new Oid(SPNEGO_OID); GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(spn, GSSName.NT_HOSTBASED_SERVICE); GSSCredential myCred = null; if (username != null || loginContextName != null || (customLoginConfig != null && !customLoginConfig.isEmpty())) { if (ex.getMajor() == GSSException.BAD_MECH) { log.debug("GSSException BAD_MECH, retry with Kerberos MECH"); tryKerberos = true; negotiationOid = new Oid(KERBEROS_OID); gssContext = manager.createContext(serverName.canonicalize(negotiationOid), negotiationOid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); if (spnegoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) { token = spnegoGenerator.generateSpnegoDERObject(token); } catch (GSSException gsse) { log.error("generateToken", gsse); if (gsse.getMajor() == GSSException.DEFECTIVE_CREDENTIAL || gsse.getMajor() == GSSException.CREDENTIALS_EXPIRED)
/**
 * Builds the ASN.1 DER encoding of the GSSUP mechanism OID.
 *
 * <p>{@code GSSUPMechOID.value} carries an {@code "oid:"} prefix that
 * {@link Oid} does not accept, so the first four characters are skipped
 * before the dotted string is parsed.</p>
 *
 * @return the DER bytes of the GSSUP OID, or an empty array if the OID could
 *         not be parsed or encoded (the failure is logged, not propagated)
 */
public static byte[] createGSSUPMechOID() {
    final String dotted = GSSUPMechOID.value.substring(4);
    try {
        return new Oid(dotted).getDER();
    } catch (GSSException e) {
        IIOPLogger.ROOT_LOGGER.caughtExceptionEncodingGSSUPMechOID(e);
        return new byte[0];
    }
}
/**
 * Reports whether the given manager advertises the SPNEGO mechanism
 * (OID 1.3.6.1.5.5.2) among the mechanisms returned by {@code getMechs()}.
 *
 * @param manager the GSS-API manager to query
 * @return {@code true} if SPNEGO is one of the manager's mechanisms
 * @throws GSSException if the SPNEGO OID cannot be constructed
 */
private static boolean hasSpnegoSupport(GSSManager manager) throws GSSException {
    final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
    final Oid[] available = manager.getMechs();
    boolean found = false;
    for (int i = 0; i < available.length && !found; i++) {
        found = available[i].equals(spnegoOid);
    }
    return found;
}
/**
 * Builds the user-auth request packet: the generic fields written by the
 * superclass, followed by the number of supported mechanism OIDs and each
 * OID in DER form.
 *
 * @return the populated request packet
 * @throws UserAuthException if any OID in {@code mechanismOids} cannot be DER-encoded
 */
@Override
public SSHPacket buildReq() throws UserAuthException {
    final SSHPacket req = super.buildReq().putUInt32(mechanismOids.size());
    for (Oid mechanism : mechanismOids) {
        final byte[] der;
        try {
            der = mechanism.getDER();
        } catch (GSSException e) {
            throw new UserAuthException("Mechanism OID could not be encoded: " + mechanism.toString(), e);
        }
        req.putString(der);
    }
    return req;
}
GSSManager manager = GSSManager.getInstance(); try Oid krb5Oid = new Oid("1.3.6.1.5.5.2"); // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html GSSName gssName = manager.createName(_targetName,null); GSSCredential serverCreds = manager.createCredential(gssName,GSSCredential.INDEFINITE_LIFETIME,krb5Oid,GSSCredential.ACCEPT_ONLY); GSSContext gContext = manager.createContext(serverCreds); while (!gContext.isEstablished()) authToken = gContext.acceptSecContext(authToken,0,authToken.length); if (gContext.isEstablished()) String clientName = gContext.getSrcName().toString(); String role = clientName.substring(clientName.indexOf('@') + 1); Subject subject = new Subject(); subject.getPrincipals().add(user);
if (usingNativeJgss) { try { GSSManager manager = GSSManager.getInstance(); Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2"); GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE); GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY); subject.getPrivateCredentials().add(cred); } catch (GSSException ex) { LOG.warn("Cannot add private credential to subject; clients authentication may fail", ex); return Subject.doAs(subject, (PrivilegedExceptionAction<SaslServer>) () -> Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler)); } catch (PrivilegedActionException e) {
@Override public String run() throws HttpAuthenticationException { GSSManager manager = GSSManager.getInstance(); GSSContext gssContext = null; String serverPrincipal = SecurityUtil.getPrincipalWithoutRealm(httpUGI.getUserName()); try { Oid kerberosMechOid = new Oid("1.2.840.113554.1.2.2"); Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2"); Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1"); GSSName serverName = manager.createName(serverPrincipal, krb5PrincipalOid); GSSCredential serverCreds = manager.createCredential(serverName, GSSCredential.DEFAULT_LIFETIME, new Oid[]{kerberosMechOid, spnegoMechOid}, byte[] res = gssContext.acceptSecContext(inToken, 0, inToken.length); if(res != null) { outToken = Base64.getEncoder().encodeToString(res).replace("\n", ""); return SecurityUtil.getUserFromPrincipal(gssContext.getSrcName().toString()); } catch (GSSException e) { throw new HttpAuthenticationException("Kerberos authentication failed: ", e);
if (subject.getPrincipals().isEmpty()) { String username = (String) (subject.getPublicCredentials() .toArray()[0]); String password = (String) (subject.getPrivateCredentials() .toArray()[0]); GSSManager manager = GSSManager.getInstance(); Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2"); GSSCredential cred = manager.createCredential(null, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);
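/**
 * Acquires the first Kerberos context token for {@code serverPrincipalName} on
 * behalf of {@code clientPrincipalName}, Base64-encodes it and appends the text
 * to {@code outputToken}.
 *
 * <p>The context is disposed as soon as the first token has been produced,
 * whether or not {@code initSecContext} succeeded.
 *
 * @return always {@code null}; the token is delivered through {@code outputToken}
 * @throws RuntimeException wrapping the underlying {@link GSSException}
 */
public Object run() {
    GSSContext context = null;
    try {
        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
        Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
        final GSSManager manager = GSSManager.getInstance();
        final GSSName clientName = manager.createName(clientPrincipalName, krb5PrincipalNameType);
        // credential lifetime is expressed in seconds: 8 hours
        final GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, krb5Mechanism, GSSCredential.INITIATE_ONLY);
        final GSSName serverName = manager.createName(serverPrincipalName, krb5PrincipalNameType);
        context = manager.createContext(serverName, krb5Mechanism, clientCred, GSSContext.DEFAULT_LIFETIME);
        byte[] inToken = new byte[0]; // first round trip: nothing received from the peer yet
        byte[] outToken = context.initSecContext(inToken, 0, inToken.length);
        outputToken.append(new String(Base64.encodeBytes(outToken, Base64.DONT_BREAK_LINES)));
    } catch (GSSException exception) {
        // keep the original message but preserve the cause so the GSS major/minor codes survive
        throw new RuntimeException(exception.getMessage(), exception);
    } finally {
        if (context != null) {
            try {
                context.dispose();
            } catch (GSSException ignored) {
                // the context is being discarded either way; a dispose failure is not actionable here
            }
        }
    }
    return null;
}
}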
GSSManager manager = GSSManager.getInstance(); GSSCredential clientCreds = null; Oid[] desiredMechs = new Oid[1]; if (clientCredentials == null) { if (useSpnego && hasSpnegoSupport(manager)) { desiredMechs[0] = new Oid("1.3.6.1.5.5.2"); } else { desiredMechs[0] = new Oid("1.2.840.113554.1.2.2"); GSSName clientName = manager.createName(user, GSSName.NT_USER_NAME); clientCreds = manager.createCredential(clientName, 8 * 3600, desiredMechs, GSSCredential.INITIATE_ONLY); } else { desiredMechs[0] = new Oid("1.2.840.113554.1.2.2"); clientCreds = clientCredentials; GSSContext secContext = manager.createContext(serverName, desiredMechs[0], clientCreds, GSSContext.DEFAULT_LIFETIME); secContext.requestMutualAuth(true); outToken = secContext.initSecContext(inToken, 0, inToken.length); if (!secContext.isEstablished()) { int response = pgStream.receiveChar();
/**
 * Creates an initiator-side Kerberos (1.2.840.113554.1.2.2) GSS context for the
 * hard-coded service principal {@code bob@service.ws.apache.org}. The initiator
 * credential is passed as {@code null}, so the default credential is used.
 *
 * @return a new, not yet established {@link GSSContext}
 * @throws GSSException if the name cannot be created or canonicalized, or the
 *                      context cannot be created
 */
protected GSSContext createGSSContext() throws GSSException {
    final String servicePrincipal = "bob@service.ws.apache.org";
    final Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
    final GSSManager manager = GSSManager.getInstance();
    final GSSName canonicalService = manager.createName(servicePrincipal, null).canonicalize(krb5Mechanism);
    return manager.createContext(canonicalService, krb5Mechanism, null, GSSContext.DEFAULT_LIFETIME);
}
/**
 * Obtain a service ticket: initiates a SPNEGO (1.3.6.1.5.5.2) context toward
 * {@code serviceName} and returns the first initiator token. The context is
 * stored in {@code secContext} for subsequent rounds.
 *
 * <p>Mutual authentication follows {@code mutualAuth}; credential delegation
 * is never requested.
 *
 * @return the initial context token, or {@code null} if the GSS-API call failed
 *         (the failure is logged at debug level only)
 */
public byte[] run() {
    final Oid nameType = isUsernameServiceNameForm ? GSSName.NT_USER_NAME : GSSName.NT_HOSTBASED_SERVICE;
    try {
        final GSSManager manager = GSSManager.getInstance();
        final Oid spnegoMechanism = new Oid("1.3.6.1.5.5.2");
        final GSSName service = manager.createName(serviceName, nameType);
        secContext = manager.createContext(service, spnegoMechanism, null, GSSContext.DEFAULT_LIFETIME);
        secContext.requestMutualAuth(mutualAuth);
        secContext.requestCredDeleg(false);
        final byte[] emptyToken = new byte[0];
        return secContext.initSecContext(emptyToken, 0, emptyToken.length);
    } catch (GSSException e) {
        LOG.debug("Error in obtaining a Kerberos token", e);
        return null;
    }
}
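/**
 * Produces a {@code Negotiate} Authorization header value carrying the initial
 * Kerberos (1.2.840.113554.1.2.2) context token for {@code principal}, which is
 * used as both initiator and target.
 *
 * <p>Mutual authentication and integrity are requested, confidentiality is not.
 * The context is disposed once the first token has been produced.
 *
 * @return {@code "Negotiate "} followed by the Base64-encoded token
 * @throws GSSException if credential acquisition, context initiation or
 *                      disposal fails
 */
private String generateTicket() throws GSSException {
    final GSSManager manager = GSSManager.getInstance();
    // Oid for kerberos principal name
    final Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
    final Oid kerberosV5Oid = new Oid("1.2.840.113554.1.2.2");
    final GSSName clientName = manager.createName(principal, krb5PrincipalOid);
    // credential lifetime is expressed in seconds: 8 hours
    final GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, kerberosV5Oid, GSSCredential.INITIATE_ONLY);
    final GSSName serverName = manager.createName(principal, krb5PrincipalOid);
    final GSSContext context = manager.createContext(serverName, kerberosV5Oid, clientCred, GSSContext.DEFAULT_LIFETIME);
    final byte[] outToken;
    try {
        context.requestMutualAuth(true);
        context.requestConf(false);
        context.requestInteg(true);
        outToken = context.initSecContext(new byte[0], 0, 0);
    } finally {
        // only the first token is needed; release the context instead of leaving it to GC
        context.dispose();
    }
    final StringBuilder header = new StringBuilder("Negotiate ");
    header.append(Bytes.toString(Base64.getEncoder().encode(outToken)));
    // NOTE(review): this writes an authentication token to stdout; anything that
    // captures stdout (log collectors, CI output) will retain it.
    System.out.print("Ticket is: " + header);
    return header.toString();
}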
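/**
 * Obtains the initial Kerberos GSS-API token for the {@code krbsvr400} service on
 * {@code systemName}, using the supplied credential.
 *
 * <p>A custom manager from {@code AS400.getGSSManager()} is preferred; the JDK
 * default is used when none is configured. With tracing on, the available
 * mechanisms are logged.
 *
 * @param systemName    host name of the target system; forms the host-based
 *                      service name {@code krbsvr400@systemName}
 * @param gssCredential a {@link GSSCredential} to initiate with, or {@code null}
 *                      to act as the default initiator
 * @return the token produced by the first {@code initSecContext} call
 * @throws Exception a {@link GSSException} from the GSS-API, or a
 *                   {@link ClassCastException} if {@code gssCredential} is not
 *                   a {@link GSSCredential}
 */
static byte[] getGSSToken(String systemName, Object gssCredential) throws Exception {
    GSSManager manager = (GSSManager) AS400.getGSSManager();
    if (manager == null) {
        manager = GSSManager.getInstance();
    } else if (Trace.traceOn_) {
        Trace.log(Trace.DIAGNOSTIC, "Using custom GSS manager: '" + manager + "'");
    }
    if (Trace.isTraceOn()) {
        Oid[] mechs = manager.getMechs();
        Trace.log(Trace.DIAGNOSTIC, "GSS number of mechs available: ", mechs.length);
        for (int i = 0; i < mechs.length; ++i) {
            Trace.log(Trace.DIAGNOSTIC, mechs[i].toString());
        }
    }
    Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");
    GSSName serverName = manager.createName("krbsvr400@" + systemName, GSSName.NT_HOSTBASED_SERVICE, krb5Mech);
    GSSCredential credential = (GSSCredential) gssCredential;
    GSSContext context = manager.createContext(serverName, krb5Mech, credential, GSSContext.DEFAULT_LIFETIME);
    try {
        return context.initSecContext(new byte[0], 0, 0);
    } finally {
        // only the first token is needed; release the context rather than wait for GC
        context.dispose();
    }
}
}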
/**
 * Validate a service ticket: creates a SPNEGO (1.3.6.1.5.5.2) context for
 * {@code serviceName}, stores it in {@code secContext} and feeds {@code ticket}
 * into {@code acceptSecContext}.
 *
 * @return the response token from {@code acceptSecContext}, or {@code null} if
 *         the GSS-API call failed (the failure is logged at debug level only)
 */
public byte[] run() {
    final Oid nameType = isUsernameServiceNameForm ? GSSName.NT_USER_NAME : GSSName.NT_HOSTBASED_SERVICE;
    try {
        final GSSManager manager = GSSManager.getInstance();
        final Oid spnegoMechanism = new Oid("1.3.6.1.5.5.2");
        final GSSName service = manager.createName(serviceName, nameType);
        secContext = manager.createContext(service, spnegoMechanism, null, GSSContext.DEFAULT_LIFETIME);
        return secContext.acceptSecContext(ticket, 0, ticket.length);
    } catch (GSSException e) {
        LOG.debug("Error in obtaining a Kerberos token", e);
        return null;
    }
}
public Object run() throws Exception { Oid krb5Oid = new Oid("1.2.840.113554.1.2.2"); GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(server, null); GSSContext context = manager.createContext(serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME); context.requestMutualAuth(false); // Mutual authentication context.requestConf(false); // Will use confidentiality later context.requestInteg(true); // Will use integrity later context.requestCredDeleg(credentialDelegation); Subject loginSubject = Subject.getSubject(acc); loginSubject.getPublicCredentials().add(context); loginSubject.getPublicCredentials().add(token);
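/**
 * Produces the initial Kerberos context token for {@code serverPrincipal} and
 * returns it Base64-encoded for transmission to the server.
 *
 * <p>The initiator credential is passed as {@code null} so the GSS-API takes it
 * from the current Subject; mutual authentication is not requested. The context
 * is disposed whether or not the first {@code initSecContext} call succeeds.
 *
 * @return the Base64 text of the first initiator token
 * @throws Exception if the GSS-API reports an error
 */
@Override
public String run() throws Exception {
    // This Oid for Kerberos GSS-API mechanism.
    Oid mechOid = new Oid("1.2.840.113554.1.2.2");
    // Oid for kerberos principal name
    Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
    GSSManager manager = GSSManager.getInstance();
    // GSS name for server
    GSSName serverName = manager.createName(serverPrincipal, krb5PrincipalOid);
    // Create a GSSContext for authentication with the service.
    // We're passing client credentials as null since we want them to be read from the Subject.
    GSSContext gssContext = manager.createContext(serverName, mechOid, null, GSSContext.DEFAULT_LIFETIME);
    byte[] outToken;
    try {
        gssContext.requestMutualAuth(false);
        // Establish context
        byte[] inToken = new byte[0];
        outToken = gssContext.initSecContext(inToken, 0, inToken.length);
    } finally {
        // dispose even when initSecContext throws, so a failed handshake does not leak the context
        gssContext.dispose();
    }
    // Base64 encoded and stringified token for server (Base64 output is ASCII, so the
    // platform default charset used by new String(byte[]) is safe here)
    return new String(base64codec.encode(outToken));
}
}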
GSSContext context = null; try { GSSManager manager = GSSManager.getInstance(); Oid krb5oid = new Oid("1.2.840.113554.1.2.2"); GSSCredential serverCreds = manager.createCredential(null/* use name from login context*/, GSSCredential.DEFAULT_LIFETIME, krb5oid, context = manager.createContext(serverCreds); securityContext.token = context.acceptSecContext(token, 0, token.length); if (context.isEstablished()) { securityContext.principal = context.getSrcName().toString(); LOGGER.debug("Authenticated user: " + securityContext.principal); if (!context.getCredDelegState()) { context.dispose(); } catch (GSSException e) { LOGGER.debug("KerberosHelper.acceptSecurityContext " + e + ' ' + e.getMessage());
/**
 * Acquires an initiate-only GSS credential for the given user name.
 *
 * @param userName principal to acquire the credential for, interpreted as
 *                 {@link GSSName#NT_USER_NAME}
 * @return a credential for the mechanism identified by {@code GSSAPI_OID},
 *         requested with indefinite lifetime
 * @throws GSSException if the OID, name or credential cannot be created
 */
private GSSCredential getGSSCredential(final String userName) throws GSSException {
    final Oid mechanism = new Oid(GSSAPI_OID);
    final GSSManager manager = GSSManager.getInstance();
    final GSSName userPrincipal = manager.createName(userName, GSSName.NT_USER_NAME);
    return manager.createCredential(
            userPrincipal, GSSCredential.INDEFINITE_LIFETIME, mechanism, GSSCredential.INITIATE_ONLY);
}
/**
 * Initiates a Kerberos (1.2.840.113554.1.2.2) context toward the host-based
 * service {@code protocol@host} using {@code delegatedCredentials}, requesting
 * credential delegation, and feeds {@code token} into the first
 * {@code initSecContext} call. The context is always disposed before returning.
 *
 * @return the initiator token as {@code byte[]}, or the {@link GSSException}
 *         itself if the GSS-API call failed (callers must check the type)
 */
public Object run() {
    GSSContext context = null;
    Object outcome;
    try {
        final GSSManager manager = GSSManager.getInstance();
        final GSSName target = manager.createName(protocol + '@' + host, GSSName.NT_HOSTBASED_SERVICE);
        // Kerberos v5 OID
        final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
        context = manager.createContext(target, krb5Oid, delegatedCredentials, GSSContext.DEFAULT_LIFETIME);
        // Mutual authentication is intentionally not requested (TODO: IIS may need it to pass the token on to Exchange).
        // Delegation is requested so the target may act on the caller's behalf.
        context.requestCredDeleg(true);
        outcome = context.initSecContext(token, 0, token.length);
    } catch (GSSException e) {
        outcome = e;
    } finally {
        if (context != null) {
            try {
                context.dispose();
            } catch (GSSException e) {
                LOGGER.debug("KerberosHelper.internalInitSecContext " + e + ' ' + e.getMessage());
            }
        }
    }
    return outcome;
}
});