the class NegotiatorImpl method init.
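/**
 * Initializes the negotiator (class NegotiatorImpl), which includes:<ul>
 * <li>Finding out which GSS mechanism to use: Kerberos when the
 * challenge scheme is "Kerberos", otherwise the value of the system
 * property <code>http.auth.preference</code>, defaulting to SPNEGO
 * <li>Creating the host-based GSSName for the target, "HTTP@" + hostname
 * <li>Creating the GSSContext and, where supported, asking it to honour
 * the KDC's delegation policy (OK-AS-DELEGATE)
 * <li>A first call to initSecContext, whose output is kept in
 * <code>oneToken</code></ul>
 *
 * @param hci the caller info describing the challenge (scheme and host)
 * @throws GSSException if the name or context cannot be created, or the
 *         first call to initSecContext fails
 */
private void init(HttpCallerInfo hci) throws GSSException {
    final Oid oid;
    if (hci.scheme.equalsIgnoreCase("Kerberos")) {
        // we can only use Kerberos mech when the scheme is kerberos
        oid = GSSUtil.GSS_KRB5_MECH_OID;
    } else {
        String pref = java.security.AccessController.doPrivileged(
                new java.security.PrivilegedAction<String>() {
                    public String run() {
                        return System.getProperty("http.auth.preference", "spnego");
                    }
                });
        if (pref.equalsIgnoreCase("kerberos")) {
            oid = GSSUtil.GSS_KRB5_MECH_OID;
        } else {
            // currently there is no 3rd mech we can use
            oid = GSSUtil.GSS_SPNEGO_MECH_OID;
        }
    }
    GSSManagerImpl manager = new GSSManagerImpl(new HttpCaller(hci));
    // RFC 4559 4.1 uses uppercase service name "HTTP".
    // RFC 4120 6.2.1 demands the host be lowercase.
    // Lower-case under Locale.ROOT: the service principal name must not
    // depend on the JVM's default locale (in a Turkish locale an "I" in
    // the host would otherwise map to a dotless i and name a different,
    // non-existent principal).
    String peerName = "HTTP@" + hci.host.toLowerCase(java.util.Locale.ROOT);
    GSSName serverName = manager.createName(peerName, GSSName.NT_HOSTBASED_SERVICE);
    context = manager.createContext(serverName, oid, null, GSSContext.DEFAULT_LIFETIME);
    // Always respect delegation policy in HTTP/SPNEGO: credentials are only
    // forwarded to services the KDC marked OK-AS-DELEGATE.
    if (context instanceof ExtendedGSSContext) {
        ((ExtendedGSSContext) context).requestDelegPolicy(true);
    }
    // First leg of the handshake; the caller sends this token as the
    // Authorization header value.
    oneToken = context.initSecContext(new byte[0], 0, 0);
}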
the class Context method status.
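/**
 * Prints the status of the GSSContext {@code x} and the Subject {@code s}
 * of this test Context to stdout: the negotiated context flags, the
 * principals and credentials held by the Subject and, for an established
 * Kerberos context, the values exposed through
 * {@link ExtendedGSSContext#inquireSecContext}.
 *
 * @throws Exception if the established context does not expose a session
 *         key, ticket flags or auth time (all three are required)
 */
public void status() throws Exception {
    System.out.println("STATUS OF " + name.toUpperCase(java.util.Locale.ROOT));
    try {
        // No sharing between threads here, so a StringBuilder is enough.
        StringBuilder sb = new StringBuilder();
        if (x.getAnonymityState()) {
            sb.append("anon, ");
        }
        if (x.getConfState()) {
            sb.append("conf, ");
        }
        if (x.getCredDelegState()) {
            sb.append("deleg, ");
        }
        if (x.getIntegState()) {
            sb.append("integ, ");
        }
        if (x.getMutualAuthState()) {
            sb.append("mutual, ");
        }
        if (x.getReplayDetState()) {
            sb.append("rep det, ");
        }
        if (x.getSequenceDetState()) {
            sb.append("seq det, ");
        }
        if (x instanceof ExtendedGSSContext
                && ((ExtendedGSSContext) x).getDelegPolicyState()) {
            sb.append("deleg policy, ");
        }
        System.out.println("Context status of " + name + ": " + sb);
        System.out.println(x.getSrcName() + " -> " + x.getTargName());
    } catch (Exception e) {
        // Best effort only: the flag getters and name lookups can throw when
        // the context has not been created yet or has been disposed, and a
        // status dump must never abort the test. Say so instead of staying
        // silent, so a missing block in the output is explained.
        System.out.println("Context status of " + name + " unavailable: " + e);
    }
    if (s != null) {
        System.out.println("====== START SUBJECT CONTENT =====");
        for (Principal p : s.getPrincipals()) {
            System.out.println("    Principal: " + p);
        }
        for (Object o : s.getPublicCredentials()) {
            System.out.println("    " + o.getClass());
            System.out.println("        " + o);
        }
        System.out.println("====== Private Credentials Set ======");
        for (Object o : s.getPrivateCredentials()) {
            System.out.println("    " + o.getClass());
            if (o instanceof KerberosTicket) {
                KerberosTicket kt = (KerberosTicket) o;
                System.out.println("        " + kt.getServer() + " for " + kt.getClient());
            } else if (o instanceof KerberosKey) {
                KerberosKey kk = (KerberosKey) o;
                System.out.print("        " + kk.getKeyType() + " " + kk.getVersionNumber()
                        + " " + kk.getAlgorithm() + " ");
                // Dumps the raw long-term key bytes in hex. This is acceptable
                // only because it is a test harness writing to its own log;
                // never do this in production code.
                for (byte b : kk.getEncoded()) {
                    System.out.printf("%02X", b & 0xff);
                }
                System.out.println();
            } else if (o instanceof Map) {
                // Wildcard type instead of the raw Map; entrySet avoids the
                // second lookup per key.
                Map<?, ?> map = (Map<?, ?>) o;
                for (Map.Entry<?, ?> entry : map.entrySet()) {
                    System.out.println("        " + entry.getKey() + ": " + entry.getValue());
                }
            } else {
                System.out.println("        " + o);
            }
        }
        System.out.println("====== END SUBJECT CONTENT =====");
    }
    // instanceof already implies non-null, so no separate null check.
    if (x instanceof ExtendedGSSContext && x.isEstablished()) {
        ExtendedGSSContext ex = (ExtendedGSSContext) x;
        Key k = (Key) ex.inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
        if (k == null) {
            throw new Exception("Session key cannot be null");
        }
        System.out.println("Session key is: " + k);
        boolean[] flags = (boolean[]) ex.inquireSecContext(InquireType.KRB5_GET_TKT_FLAGS);
        if (flags == null) {
            throw new Exception("Ticket flags cannot be null");
        }
        System.out.println("Ticket flags is: " + Arrays.toString(flags));
        String authTime = (String) ex.inquireSecContext(InquireType.KRB5_GET_AUTHTIME);
        if (authTime == null) {
            throw new Exception("Auth time cannot be null");
        }
        System.out.println("AuthTime is: " + authTime);
        // Authorization data is only available on the acceptor side.
        if (!x.isInitiator()) {
            AuthorizationDataEntry[] ad =
                    (AuthorizationDataEntry[]) ex.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
            System.out.println("AuthzData is: " + Arrays.toString(ad));
        }
    }
}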
the class OkAsDelegate method go.
/**
 * Runs one OK-AS-DELEGATE scenario against a freshly written KDC and checks
 * the delegation state observed by the initiator and the acceptor after the
 * handshake.
 *
 * @param forwardable             whether krb5.conf keeps the default
 *                                "forwardable = true"
 * @param requestDelegState       value passed to requestCredDeleg on the initiator
 * @param requestDelegPolicyState value passed to requestDelegPolicy on the initiator
 * @param delegState              expected getCredDelegState on both sides
 * @param delegPolicyState        expected getDelegPolicyState on the initiator
 * @param delegated               whether the acceptor is expected to hold a
 *                                delegated credential
 * @throws Exception if any observed state differs from the expectation
 */
void go(boolean forwardable, boolean requestDelegState, boolean requestDelegPolicyState, boolean delegState, boolean delegPolicyState, boolean delegated) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate"));
    kdc.writeJAASConf();
    if (!forwardable) {
        // OneKDC writes "forwardable = true" into krb5.conf by default;
        // rewrite the config without it and reload.
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc, "default_keytab_name = " + OneKDC.KTAB);
        Config.refresh();
    }
    Context client = Context.fromJAAS("client");
    Context server = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
    // Kerberos by default; SPNEGO when the test.spnego property is set.
    Oid mech = (System.getProperty("test.spnego") != null)
            ? GSSUtil.GSS_SPNEGO_MECH_OID
            : GSSUtil.GSS_KRB5_MECH_OID;
    client.startAsClient(OneKDC.SERVER, mech);
    ExtendedGSSContext initiator = (ExtendedGSSContext) client.x();
    initiator.requestCredDeleg(requestDelegState);
    initiator.requestDelegPolicy(requestDelegPolicyState);
    server.startAsServer(mech);
    ExtendedGSSContext acceptor = (ExtendedGSSContext) server.x();
    Context.handshake(client, server);
    if (initiator.getCredDelegState() != delegState) {
        throw new Exception("Initiator cred state error");
    }
    if (acceptor.getCredDelegState() != delegState) {
        throw new Exception("Acceptor cred state error");
    }
    if (initiator.getDelegPolicyState() != delegPolicyState) {
        throw new Exception("Initiator cred policy state error");
    }
    // getDelegCred throws when nothing was delegated; treat that as "no
    // credential" rather than as a failure of the scenario.
    boolean credReceived;
    try {
        credReceived = server.x().getDelegCred() != null;
    } catch (GSSException e) {
        credReceived = false;
    }
    if (delegated != credReceived) {
        throw new Exception("get cred error");
    }
}