use of javax.security.auth.login.LoginException in project jetty.project by eclipse.
the class LdapLoginModule method login.
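/**
 * Authenticates the user supplied through the JAAS callbacks against LDAP.
 * <p>
 * Since LDAP uses a context bind for valid authentication checking, login() is overridden here.
 * When {@code _forceBindingLogin} is set, the user name and credential are handed to
 * {@code bindingLogin}. Otherwise the user's info is looked up with {@code getUserInfo} and the
 * supplied credential is checked through {@code credentialLogin}.
 * <p>
 * A {@link LoginException} raised inside this method (for example the missing callback handler)
 * is rethrown unchanged instead of being replaced by the generic "Error obtaining user info."
 * message. Any other failure is converted to a LoginException with a generic message and the
 * original exception attached as its cause, so the root failure stays available for diagnosis.
 *
 * @return true if authenticated, false otherwise
 * @throws LoginException if unable to login
 */
public boolean login() throws LoginException {
    try {
        if (getCallbackHandler() == null) {
            throw new LoginException("No callback handler");
        }

        Callback[] callbacks = configureCallbacks();
        getCallbackHandler().handle(callbacks);

        String webUserName = ((NameCallback) callbacks[0]).getName();
        Object webCredential = ((ObjectCallback) callbacks[1]).getObject();

        // A missing user name or credential fails the attempt before any lookup or bind is tried.
        if (webUserName == null || webCredential == null) {
            setAuthenticated(false);
            return isAuthenticated();
        }

        boolean authed = false;
        if (_forceBindingLogin) {
            authed = bindingLogin(webUserName, webCredential);
        } else {
            // This sets read and the credential
            UserInfo userInfo = getUserInfo(webUserName);
            if (userInfo == null) {
                // Unknown user: report failure without attempting a credential check.
                setAuthenticated(false);
                return false;
            }

            setCurrentUser(new JAASUserInfo(userInfo));

            if (webCredential instanceof String) {
                authed = credentialLogin(Credential.getCredential((String) webCredential));
            } else {
                authed = credentialLogin(webCredential);
            }
        }

        // Only fetch roles if authenticated, so no roles are loaded for a failed attempt.
        if (authed) {
            getCurrentUser().fetchRoles();
        }
        return authed;
    } catch (LoginException e) {
        // Already the declared failure type; keep its message rather than masking it below.
        throw e;
    } catch (UnsupportedCallbackException e) {
        LoginException failure = new LoginException("Error obtaining callback information.");
        failure.initCause(e);
        throw failure;
    } catch (IOException e) {
        if (_debug) {
            e.printStackTrace();
        }
        LoginException failure = new LoginException("IO Error performing login.");
        failure.initCause(e);
        throw failure;
    } catch (Exception e) {
        if (_debug) {
            e.printStackTrace();
        }
        LoginException failure = new LoginException("Error obtaining user info.");
        failure.initCause(e);
        throw failure;
    }
}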
use of javax.security.auth.login.LoginException in project storm by apache.
the class KerberosSaslTransportPlugin method getServerTransportFactory.
/**
 * Builds the server-side Thrift transport factory for Kerberos (SASL GSSAPI) authentication.
 * <p>
 * The server principal is logged in through JAAS using the {@code AuthUtils.LOGIN_CONTEXT_SERVER}
 * section of {@code login_conf}. The resulting subject must hold at least one
 * {@link KerberosTicket} private credential, otherwise a RuntimeException is thrown.
 * <p>
 * The SASL quality of protection is set to {@code "auth"}, i.e. authentication only: no
 * integrity or confidentiality layer is negotiated for the traffic that follows.
 *
 * @return a transport factory wrapping the SASL factory together with the logged-in subject
 * @throws IOException declared by the signature; no visible statement here throws it directly
 */
public TTransportFactory getServerTransportFactory() throws IOException {
    // Handler shared by the JAAS login and the SASL server definition.
    CallbackHandler callbackHandler = new ServerCallbackHandler(login_conf, storm_conf);

    // Log the service principal in.
    Subject subject;
    try {
        // Configuration.setConfiguration installs login_conf as the JVM-wide JAAS configuration,
        // so it affects every other JAAS login in this process, not just this one.
        Configuration.setConfiguration(login_conf);
        Login serverLogin = new Login(AuthUtils.LOGIN_CONTEXT_SERVER, callbackHandler);
        subject = serverLogin.getSubject();
        serverLogin.startThreadIfNeeded();
    } catch (LoginException ex) {
        LOG.error("Server failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }

    // Refuse to serve when the login produced no Kerberos ticket for the principal.
    boolean hasTicket = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
    if (!hasTicket) {
        throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + login_conf);
    }

    String principal = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal");
    LOG.debug("principal:" + principal);

    // Split the configured principal into the service and host parts SASL needs.
    KerberosName parsedPrincipal = new KerberosName(principal);
    String serviceName = parsedPrincipal.getServiceName();
    String hostName = parsedPrincipal.getHostName();

    Map<String, String> saslProps = new TreeMap<String, String>();
    saslProps.put(Sasl.QOP, "auth");
    saslProps.put(Sasl.SERVER_AUTH, "false");

    // SASL factory that invokes the callback handler during the handshake.
    TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
    saslFactory.addServerDefinition(KERBEROS, serviceName, hostName, saslProps, callbackHandler);

    // Wrap it so the logged-in subject can be applied during connections.
    TUGIAssumingTransportFactory subjectFactory = new TUGIAssumingTransportFactory(saslFactory, subject);
    LOG.info("SASL GSSAPI transport factory will be used");
    return subjectFactory;
}
use of javax.security.auth.login.LoginException in project cas by apereo.
the class DefaultAccountStateHandler method handlePolicyAttributes.
/**
 * Maps boolean attribute values to their corresponding exception.
 * This handles ad-hoc password policies.
 * <p>
 * Each attribute of the response's LDAP entry is checked in iteration order. The first one whose
 * name is a key of {@code attributesToErrorMap} and whose string value parses as {@code true}
 * has its mapped {@link LoginException} class instantiated and thrown via
 * {@code Throwables.propagate}. Attributes that are unmapped, or whose value is not "true"
 * (case-insensitive, per {@link Boolean#parseBoolean}), are ignored.
 *
 * @param response the authentication response.
 */
protected void handlePolicyAttributes(final AuthenticationResponse response) {
    for (final LdapAttribute attribute : response.getLdapEntry().getAttributes()) {
        final String attributeName = attribute.getName();
        final boolean policyTriggered = this.attributesToErrorMap.containsKey(attributeName)
                && Boolean.parseBoolean(attribute.getStringValue());
        if (!policyTriggered) {
            continue;
        }

        final Class<LoginException> errorType = this.attributesToErrorMap.get(attributeName);
        final LoginException error = (LoginException) ClassUtils.newInstance(errorType);
        // NOTE(review): when newInstance yields null the triggered policy attribute is skipped
        // silently and processing continues - confirm that failing open here is intended.
        if (error != null) {
            throw Throwables.propagate(error);
        }
    }
}
use of javax.security.auth.login.LoginException in project hadoop by apache.
the class TestSecureRMRegistryOperations method startRMRegistryOperations.
/**
 * Create and start the RM registry operations service with Kerberos client authentication.
 * <p>
 * {@code secureConf} is first switched to Kerberos client auth with the ZooKeeper client JAAS
 * context. The service is then constructed, registered for teardown, initialised and started
 * inside {@code zookeeperUGI.doAs(...)}.
 *
 * @return the started service
 * @throws LoginException declared by the signature
 * @throws IOException declared by the signature
 * @throws InterruptedException declared by the signature
 */
public RMRegistryOperationsService startRMRegistryOperations() throws LoginException, IOException, InterruptedException {
    // Select Kerberos for the registry client before the service reads its configuration.
    secureConf.set(KEY_REGISTRY_CLIENT_AUTH, REGISTRY_CLIENT_AUTH_KERBEROS);
    secureConf.set(KEY_REGISTRY_CLIENT_JAAS_CONTEXT, ZOOKEEPER_CLIENT_CONTEXT);

    // Kept as an anonymous class: a lambda could be ambiguous if doAs is overloaded.
    PrivilegedExceptionAction<RMRegistryOperationsService> startAction =
            new PrivilegedExceptionAction<RMRegistryOperationsService>() {
                @Override
                public RMRegistryOperationsService run() throws Exception {
                    RMRegistryOperationsService service = new RMRegistryOperationsService("rmregistry", secureZK);
                    // Register for teardown before init/start so a failed start is still cleaned up.
                    addToTeardown(service);
                    service.init(secureConf);
                    LOG.info(service.bindingDiagnosticDetails());
                    service.start();
                    return service;
                }
            };
    return zookeeperUGI.doAs(startAction);
}
use of javax.security.auth.login.LoginException in project hadoop by apache.
the class UserGroupInformation method loginUserFromKeytab.
/**
 * Log a user in from a keytab file. Loads a user identity from a keytab
 * file and logs them in. They become the currently logged-in user.
 * <p>
 * Does nothing when security is not enabled. On success the static {@code loginUser} is replaced
 * and its authentication method set to KERBEROS. On failure a {@code KerberosAuthException}
 * carrying the user and keytab path is thrown, with the original {@link LoginException} passed
 * to its constructor.
 *
 * @param user the principal name to load from the keytab
 * @param path the path to the keytab file
 * @throws IOException declared by the signature
 * @throws KerberosAuthException if it's a kerberos login exception.
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public static synchronized void loginUserFromKeytab(String user, String path) throws IOException {
    if (!isSecurityEnabled()) {
        return;
    }

    // NOTE(review): these statics are assigned before the login attempt and are not restored if
    // it fails. Presumably the login configuration reads them - confirm before reordering.
    keytabFile = path;
    keytabPrincipal = user;

    Subject subject = new Subject();
    // Stays 0 until the login context exists, so failures before that are not timed.
    long start = 0;
    try {
        LoginContext loginContext = newLoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, subject, new HadoopConfiguration());
        start = Time.now();
        loginContext.login();
        metrics.loginSuccess.add(Time.now() - start);

        loginUser = new UserGroupInformation(subject, false);
        loginUser.setLogin(loginContext);
        loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
    } catch (LoginException loginFailure) {
        if (start > 0) {
            metrics.loginFailure.add(Time.now() - start);
        }
        // Attach the principal and keytab path so the failure identifies what was attempted.
        KerberosAuthException authFailure = new KerberosAuthException(LOGIN_FAILURE, loginFailure);
        authFailure.setUser(user);
        authFailure.setKeytabFile(path);
        throw authFailure;
    }

    LOG.info("Login successful for user " + keytabPrincipal + " using keytab file " + keytabFile);
}