/**
 * Reports whether the GSS security context has completed establishment.
 *
 * @return {@code true} only when a context exists and reports itself established;
 *         {@code false} when no context is present
 */
boolean isEstablished() {
    // A missing context is treated as "not established" rather than as an error.
    return gssContext != null && gssContext.isEstablished();
}
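/**
 * Attempts to authenticate a client from a Base64-encoded GSS token in one accept call.
 *
 * <p>The token comes from the client and is treated as untrusted input: a token that is not
 * valid Base64 is reported as a failed authentication instead of escaping as an unchecked
 * exception, and the raw token is never written to the log.
 *
 * @param token Base64-encoded GSS token supplied by the client
 * @return the Kerberos principal named by the established context, or an empty
 *         {@code Optional} when the token is malformed, is rejected, or the context is not
 *         established after a single {@code acceptSecContext} call
 */
private Optional<Principal> authenticate(String token)
{
    // Decode before allocating a GSS context so malformed input costs nothing further.
    byte[] inputToken;
    try {
        inputToken = Base64.getDecoder().decode(token);
    }
    catch (IllegalArgumentException e) {
        LOG.debug(e, "Authentication failed: token is not valid Base64");
        return Optional.empty();
    }

    GSSContext context = doAs(loginContext.getSubject(), () -> gssManager.createContext(serverCredential));

    try {
        context.acceptSecContext(inputToken, 0, inputToken.length);

        // We can't hold on to the GSS context because HTTP is stateless, so fail
        // if it can't be set up in a single challenge-response cycle
        if (context.isEstablished()) {
            return Optional.of(new KerberosPrincipal(context.getSrcName().toString()));
        }
        // The raw token is sensitive authentication material; log only its size.
        LOG.debug("Failed to establish GSS context for token of length %s", token.length());
    }
    catch (GSSException e) {
        // ignore and fail the authentication
        LOG.debug(e, "Authentication failed for token of length %s", token.length());
    }
    finally {
        try {
            context.dispose();
        }
        catch (GSSException e) {
            // ignore: the authentication outcome is already decided
        }
    }

    return Optional.empty();
}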
protected byte[] evaluateMessage(final int state, final byte[] challenge) throws SaslException { switch (state) { case ST_INITIAL_CHALLENGE: { assert gssContext.isEstablished() == false; if ((challenge != null) && (challenge.length != 0)) { throw saslGs2.mechInitialChallengeMustBeEmpty().toSaslException(); byte[] response = initSecContext(gssContext, NO_BYTES, 0, 0); assert gssContext.isEstablished() == false; setNegotiationState(ST_CHALLENGE_RESPONSE); return modifyInitialContextToken(response); assert gssContext.isEstablished() == false; try { byte[] response = initSecContext(gssContext, challenge, 0, challenge.length); if (gssContext.isEstablished()) { if (!gssContext.getMutualAuthState()) { throw saslGs2.mechMutualAuthenticationNotEnabled().toSaslException();
if (!gssContext.isEstablished()) { throw new HttpAuthenticationException("Kerberos authentication failed: " + "unable to establish context with the service ticket " +
/**
 * Dispatches one user-auth message received during the GSS-API exchange.
 *
 * <p>{@code USERAUTH_60} starts context initialization; {@code USERAUTH_INFO_RESPONSE}
 * carries a server token that either continues the token exchange or, once the security
 * context is established, triggers the final message. Anything else goes to the superclass.
 *
 * @param cmd the message type received
 * @param buf the packet that accompanied it
 * @throws UserAuthException declared by the signature; raised by the called helpers
 * @throws TransportException declared by the signature; raised by the called helpers
 */
@Override
public void handle(Message cmd, SSHPacket buf)
        throws UserAuthException, TransportException {
    if (cmd == Message.USERAUTH_60) {
        handleContextInitialization(buf);
        return;
    }

    if (cmd != Message.USERAUTH_INFO_RESPONSE) {
        super.handle(cmd, buf);
        return;
    }

    byte[] token = handleTokenFromServer(buf);

    // Context not yet established: keep exchanging tokens with the server.
    if (!secContext.isEstablished()) {
        log.debug("Sending token");
        sendToken(token);
        return;
    }

    // Context established: the closing message depends on whether the context
    // offers per-message integrity. Only the MIC variant carries an integrity code.
    if (!secContext.getIntegState()) {
        log.debug("Per-message integrity protection unavailable: finalizing authentication");
        params.getTransport().write(new SSHPacket(Message.USERAUTH_GSSAPI_EXCHANGE_COMPLETE));
        return;
    }

    log.debug("Per-message integrity protection available: finalizing authentication with message integrity code");
    params.getTransport().write(new SSHPacket(Message.USERAUTH_GSSAPI_MIC).putString(generateMIC()));
}
}
); if (!gssContext.isEstablished()) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); log.trace("SPNEGO in progress");
gssContext.acceptSecContext(inToken, 0, inToken.length); if (!gssContext.isEstablished()) { throw new HttpAuthenticationException("Kerberos authentication failed: " + "unable to establish context with the service ticket " +
assert gssContext.isEstablished() == false; if (message.length > 0) { throw saslGssapi.mechInitialChallengeMustBeEmpty().toSaslException(); if (gssContext.isEstablished()) { saslGssapi.trace("GSSContext established, transitioning to negotiate security layer."); setNegotiationState(SECURITY_LAYER_NEGOTIATION_STATE); assert gssContext.isEstablished() == false; if (gssContext.isEstablished()) { saslGssapi.trace("GSSContext established, transitioning to negotiate security layer."); setNegotiationState(SECURITY_LAYER_NEGOTIATION_STATE); assert gssContext.isEstablished();
if (!secContext.isEstablished()) { int response = pgStream.receiveChar();
if (gssContext != null && gssContext.isEstablished()) { identityCache = createIdentityCache(identityCache, storageScope, true); if (gssContext.isEstablished()) { // no more tokens are needed from the peer final GSSCredential gssCredential;
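/**
 * Drives the initiator side of GSS context establishment over the socket's streams.
 *
 * <p>If any step fails, the partially built context is disposed before returning so its
 * resources are not left behind.
 *
 * @return the established context, or {@code null} when establishment fails
 */
public GSSContext run() {
    GSSContext context = null;
    try {
        GSSManager manager = GSSManager.getInstance();
        GSSName peerName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
        context = manager.createContext(peerName, null, null, GSSContext.DEFAULT_LIFETIME);

        // NOTE(review): no context options (for example requestMutualAuth) are set in this
        // method before the handshake; confirm the defaults match what the caller requires.

        // Loop while the context is still not established
        while (!context.isEstablished()) {
            context.initSecContext(socket.getInputStream(), socket.getOutputStream());
        }

        return context;
    } catch (Exception e) {
        log.error("Unable to authenticate client against Kerberos", e);
        if (context != null) {
            try {
                // The context never leaves this method on failure, so release it here.
                context.dispose();
            } catch (Exception ignored) {
                // The original failure is already logged; a dispose error adds nothing.
            }
        }
        return null;
    }
}
});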
assert gssContext.isEstablished() == false; if (message == null || message.length == 0) { throw saslGs2.mechClientRefusesToInitiateAuthentication().toSaslException(); if (gssContext.isEstablished()) { Oid actualMechanism = gssContext.getMech(); if (! mechanism.equals(actualMechanism)) { assert gssContext.isEstablished() == false; try { byte[] response = gssContext.acceptSecContext(message, 0, message.length); if (gssContext.isEstablished()) { Oid actualMechanism = gssContext.getMech(); if (! mechanism.equals(actualMechanism)) {
if (!secContext.isEstablished()) { int response = pgStream.ReceiveChar();
switch (state) { case ACCEPTOR_STATE: assert gssContext.isEstablished() == false; if (gssContext.isEstablished()) { Oid actualMech = gssContext.getMech(); saslGssapi.tracef("Negotiated mechanism %s", actualMech);
if (gssContext.isEstablished())
while (!gContext.isEstablished()) if (gContext.isEstablished())
/**
 * Reports whether a connection has been established (at the service side).
 *
 * @return {@code false} while no security context exists, otherwise the
 *         context's own established state
 */
public boolean isEstablished() {
    // No context yet means nothing can have been established.
    return secContext != null && secContext.isEstablished();
}
/**
 * Reports whether a connection has been established (at the service side).
 *
 * @return {@code false} while no security context exists, otherwise the
 *         context's own established state
 */
public boolean isEstablished() {
    // No context yet means nothing can have been established.
    return secContext != null && secContext.isEstablished();
}
/**
 * Reports whether the wrapped context has been established.
 *
 * @return the value returned by {@code context.isEstablished()}
 */
public boolean isEstablished() {
    final boolean established = context.isEstablished();
    return established;
}
/**
 * Records whether the context is established and, if so, releases it.
 *
 * <p>Once established, the context is disposed and the field is cleared.
 *
 * @throws Exception declared by the signature; {@code dispose()} is the call that may fail
 */
private void checkDone() throws Exception {
    // NOTE(review): after a completed run the field is null, so calling this again
    // would dereference null. Presumably callers stop once done is set; verify.
    done = context.isEstablished();
    if (!done) {
        return;
    }

    context.dispose();
    context = null;
}