
Example 1 with ExtendedGSSContext

use of com.sun.security.jgss.ExtendedGSSContext in project jdk8u_jdk by JetBrains.

the class NegotiatorImpl method init.

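/**
 * Initialize the object, which includes:<ul>
 * <li>Find out what GSS mechanism to use: Kerberos is forced when the
 * challenge scheme is "Kerberos"; otherwise the system property
 * <code>http.auth.preference</code> is consulted ("kerberos" selects
 * the Kerberos mech, anything else selects SPNEGO, which is the default)
 * <li>Creating the GSSName for the target host, "HTTP@"+hostname
 * <li>Creating GSSContext (and requesting that the KDC's delegation
 * policy be honoured when the context supports it)
 * <li>A first call to initSecContext, whose output is kept in
 * <code>oneToken</code></ul>
 *
 * @param hci caller info for the HTTP request being authenticated; its
 *            {@code scheme} and {@code host} fields are read here
 * @throws GSSException if the target name or the context cannot be
 *         created, or if the first initSecContext call fails
 */
private void init(HttpCallerInfo hci) throws GSSException {
    final Oid oid;
    if (hci.scheme.equalsIgnoreCase("Kerberos")) {
        // we can only use Kerberos mech when the scheme is kerberos
        oid = GSSUtil.GSS_KRB5_MECH_OID;
    } else {
        // Read the preference in a privileged block so it can be consulted
        // even when the code that triggered the request has no permission
        // to read system properties itself.
        String pref = java.security.AccessController.doPrivileged(new java.security.PrivilegedAction<String>() {

            @Override
            public String run() {
                return System.getProperty("http.auth.preference", "spnego");
            }
        });
        if (pref.equalsIgnoreCase("kerberos")) {
            oid = GSSUtil.GSS_KRB5_MECH_OID;
        } else {
            // currently there is no 3rd mech we can use
            oid = GSSUtil.GSS_SPNEGO_MECH_OID;
        }
    }
    GSSManagerImpl manager = new GSSManagerImpl(new HttpCaller(hci));
    // RFC 4559 4.1 uses uppercase service name "HTTP".
    // RFC 4120 6.2.1 demands the host be lowercase.
    // Lowercase with Locale.ROOT: the default locale's casing rules (e.g.
    // the Turkish dotless i) would otherwise produce a host part that does
    // not match the service principal registered at the KDC.
    String peerName = "HTTP@" + hci.host.toLowerCase(java.util.Locale.ROOT);
    GSSName serverName = manager.createName(peerName, GSSName.NT_HOSTBASED_SERVICE);
    context = manager.createContext(serverName, oid, null, GSSContext.DEFAULT_LIFETIME);
    // Always respect delegation policy in HTTP/SPNEGO: credentials are only
    // delegated if the KDC marked the service ticket OK-AS-DELEGATE.
    if (context instanceof ExtendedGSSContext) {
        ((ExtendedGSSContext) context).requestDelegPolicy(true);
    }
    oneToken = context.initSecContext(new byte[0], 0, 0);
}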

Example 2 with ExtendedGSSContext

use of com.sun.security.jgss.ExtendedGSSContext in project jdk8u_jdk by JetBrains.

the class Context method status.

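/**
 * Prints status of GSSContext and Subject.
 * <p>
 * Three sections are printed: the negotiated context flags and the peer
 * names (failures here are deliberately ignored, so that a context that
 * is not established yet can still be inspected); the principals and
 * credentials held by the Subject; and, for an established
 * {@link ExtendedGSSContext}, the Kerberos session key, ticket flags,
 * auth time and (on the acceptor side) authorization data obtained via
 * {@link ExtendedGSSContext#inquireSecContext}.
 * <p>
 * This is test-support code: it writes raw key bytes ({@code KerberosKey}
 * encodings and the session key) to stdout. Do not reuse it in production
 * code or in test runs whose logs are retained.
 *
 * @throws Exception if the context is established but the session key,
 *         the ticket flags or the auth time cannot be inquired
 */
public void status() throws Exception {
    System.out.println("STATUS OF " + name.toUpperCase());
    try {
        StringBuilder sb = new StringBuilder();
        if (x.getAnonymityState()) {
            sb.append("anon, ");
        }
        if (x.getConfState()) {
            sb.append("conf, ");
        }
        if (x.getCredDelegState()) {
            sb.append("deleg, ");
        }
        if (x.getIntegState()) {
            sb.append("integ, ");
        }
        if (x.getMutualAuthState()) {
            sb.append("mutual, ");
        }
        if (x.getReplayDetState()) {
            sb.append("rep det, ");
        }
        if (x.getSequenceDetState()) {
            sb.append("seq det, ");
        }
        if (x instanceof ExtendedGSSContext) {
            if (((ExtendedGSSContext) x).getDelegPolicyState()) {
                sb.append("deleg policy, ");
            }
        }
        System.out.println("Context status of " + name + ": " + sb.toString());
        System.out.println(x.getSrcName() + " -> " + x.getTargName());
    } catch (Exception ignored) {
        // Don't care: this section is informational only, and the state
        // queries may fail on a context that is not established.
    }
    if (s != null) {
        System.out.println("====== START SUBJECT CONTENT =====");
        for (Principal p : s.getPrincipals()) {
            System.out.println("    Principal: " + p);
        }
        for (Object o : s.getPublicCredentials()) {
            System.out.println("    " + o.getClass());
            System.out.println("        " + o);
        }
        System.out.println("====== Private Credentials Set ======");
        for (Object o : s.getPrivateCredentials()) {
            System.out.println("    " + o.getClass());
            if (o instanceof KerberosTicket) {
                KerberosTicket kt = (KerberosTicket) o;
                System.out.println("        " + kt.getServer() + " for " + kt.getClient());
            } else if (o instanceof KerberosKey) {
                KerberosKey kk = (KerberosKey) o;
                System.out.print("        " + kk.getKeyType() + " " + kk.getVersionNumber() + " " + kk.getAlgorithm() + " ");
                // Dumps the key bytes in hex (test diagnostics only).
                for (byte b : kk.getEncoded()) {
                    System.out.printf("%02X", b & 0xff);
                }
                System.out.println();
            } else if (o instanceof Map) {
                Map<?, ?> map = (Map<?, ?>) o;
                for (Map.Entry<?, ?> entry : map.entrySet()) {
                    System.out.println("        " + entry.getKey() + ": " + entry.getValue());
                }
            } else {
                System.out.println("        " + o);
            }
        }
        System.out.println("====== END SUBJECT CONTENT =====");
    }
    // instanceof is false for null, so no separate null check is needed.
    if (x instanceof ExtendedGSSContext && x.isEstablished()) {
        ExtendedGSSContext ex = (ExtendedGSSContext) x;
        Key k = (Key) ex.inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
        if (k == null) {
            throw new Exception("Session key cannot be null");
        }
        // The key's toString() may include the key material itself.
        System.out.println("Session key is: " + k);
        boolean[] flags = (boolean[]) ex.inquireSecContext(InquireType.KRB5_GET_TKT_FLAGS);
        if (flags == null) {
            throw new Exception("Ticket flags cannot be null");
        }
        System.out.println("Ticket flags is: " + Arrays.toString(flags));
        String authTime = (String) ex.inquireSecContext(InquireType.KRB5_GET_AUTHTIME);
        if (authTime == null) {
            throw new Exception("Auth time cannot be null");
        }
        System.out.println("AuthTime is: " + authTime);
        // Authorization data is only available on the acceptor side.
        if (!x.isInitiator()) {
            AuthorizationDataEntry[] ad = (AuthorizationDataEntry[]) ex.inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
            System.out.println("AuthzData is: " + Arrays.toString(ad));
        }
    }
}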

Example 3 with ExtendedGSSContext

use of com.sun.security.jgss.ExtendedGSSContext in project jdk8u_jdk by JetBrains.

the class OkAsDelegate method go.

/**
 * Runs one OK-AS-DELEGATE scenario against a freshly started test KDC and
 * checks that the observed delegation state matches the expectation.
 * <p>
 * The KDC's ok-as-delegate policy comes from the system property
 * {@code test.kdc.policy.ok-as-delegate}; the mechanism is Kerberos unless
 * {@code test.spnego} is set, in which case SPNEGO is used.
 *
 * @param forwardable whether tickets are forwardable; when false, the
 *        krb5.conf written by OneKDC is overridden to drop that setting
 * @param requestDelegState value passed to the initiator's requestCredDeleg
 * @param requestDelegPolicyState value passed to the initiator's requestDelegPolicy
 * @param delegState expected getCredDelegState on both sides after the handshake
 * @param delegPolicyState expected getDelegPolicyState on the initiator
 * @param delegated whether the acceptor is expected to obtain a delegated credential
 * @throws Exception if any expectation is not met, or if setup/handshake fails
 */
void go(boolean forwardable, boolean requestDelegState, boolean requestDelegPolicyState, boolean delegState, boolean delegPolicyState, boolean delegated) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate"));
    kdc.writeJAASConf();
    if (!forwardable) {
        // The default OneKDC always includes "forwardable = true"
        // in krb5.conf, override it.
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc, "default_keytab_name = " + OneKDC.KTAB);
        Config.refresh();
    }
    Context client = Context.fromJAAS("client");
    Context server = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
    Oid mech = (System.getProperty("test.spnego") != null)
            ? GSSUtil.GSS_SPNEGO_MECH_OID
            : GSSUtil.GSS_KRB5_MECH_OID;
    client.startAsClient(OneKDC.SERVER, mech);
    ExtendedGSSContext initiator = (ExtendedGSSContext) client.x();
    initiator.requestCredDeleg(requestDelegState);
    initiator.requestDelegPolicy(requestDelegPolicyState);
    server.startAsServer(mech);
    ExtendedGSSContext acceptor = (ExtendedGSSContext) server.x();
    Context.handshake(client, server);
    if (initiator.getCredDelegState() != delegState) {
        throw new Exception("Initiator cred state error");
    }
    if (acceptor.getCredDelegState() != delegState) {
        throw new Exception("Acceptor cred state error");
    }
    if (initiator.getDelegPolicyState() != delegPolicyState) {
        throw new Exception("Initiator cred policy state error");
    }
    GSSCredential delegCred;
    try {
        delegCred = acceptor.getDelegCred();
    } catch (GSSException e) {
        // no credential was delegated; leave it null
        delegCred = null;
    }
    boolean gotCred = delegCred != null;
    if (gotCred != delegated) {
        throw new Exception("get cred error");
    }
}
