Search in sources :

Example 66 with PrivilegedActionException

use of java.security.PrivilegedActionException in project kafka by apache.

the class SaslServerAuthenticator method createSaslKerberosServer.

private SaslServer createSaslKerberosServer(final AuthCallbackHandler saslServerCallbackHandler, final Map<String, ?> configs) throws IOException {
    // server is using a JAAS-authenticated subject: determine service principal name and hostname from kafka server's subject.
    final Principal servicePrincipal = subject.getPrincipals().iterator().next();
    KerberosName kerberosName;
    try {
        kerberosName = KerberosName.parse(servicePrincipal.getName());
    } catch (IllegalArgumentException e) {
        throw new KafkaException("Principal has name with unexpected format " + servicePrincipal);
    }
    final String servicePrincipalName = kerberosName.serviceName();
    final String serviceHostname = kerberosName.hostName();
    LOG.debug("Creating SaslServer for {} with mechanism {}", kerberosName, saslMechanism);
    // As described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html:
    // "To enable Java GSS to delegate to the native GSS library and its list of native mechanisms,
    // set the system property "sun.security.jgss.native" to true"
    // "In addition, when performing operations as a particular Subject, for example, Subject.doAs(...)
    // or Subject.doAsPrivileged(...), the to-be-used GSSCredential should be added to Subject's
    // private credential set. Otherwise, the GSS operations will fail since no credential is found."
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        try {
            GSSManager manager = GSSManager.getInstance();
            // This Oid is used to represent the Kerberos version 5 GSS-API mechanism. It is defined in
            // RFC 1964.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
            subject.getPrivateCredentials().add(cred);
        } catch (GSSException ex) {
            LOG.warn("Cannot add private credential to subject; clients authentication may fail", ex);
        }
    }
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler);
            }
        });
    } catch (PrivilegedActionException e) {
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) SaslServer(javax.security.sasl.SaslServer) KerberosName(org.apache.kafka.common.security.kerberos.KerberosName) Oid(org.ietf.jgss.Oid) SaslException(javax.security.sasl.SaslException) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) KafkaException(org.apache.kafka.common.KafkaException) Principal(java.security.Principal) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal)

Example 67 with PrivilegedActionException

use of java.security.PrivilegedActionException in project kafka by apache.

the class SaslServerAuthenticator method createSaslServer.

private void createSaslServer(String mechanism) throws IOException {
    this.saslMechanism = mechanism;
    if (!ScramMechanism.isScram(mechanism))
        callbackHandler = new SaslServerCallbackHandler(jaasContext, kerberosNamer);
    else
        callbackHandler = new ScramServerCallbackHandler(credentialCache.cache(mechanism, ScramCredential.class));
    callbackHandler.configure(configs, Mode.SERVER, subject, saslMechanism);
    if (mechanism.equals(SaslConfigs.GSSAPI_MECHANISM)) {
        if (subject.getPrincipals().isEmpty())
            throw new IllegalArgumentException("subject must have at least one principal");
        saslServer = createSaslKerberosServer(callbackHandler, configs);
    } else {
        try {
            saslServer = Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

                public SaslServer run() throws SaslException {
                    return Sasl.createSaslServer(saslMechanism, "kafka", host, configs, callbackHandler);
                }
            });
        } catch (PrivilegedActionException e) {
            throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
        }
    }
}
Also used : ScramCredential(org.apache.kafka.common.security.scram.ScramCredential) ScramServerCallbackHandler(org.apache.kafka.common.security.scram.ScramServerCallbackHandler) PrivilegedActionException(java.security.PrivilegedActionException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) SaslException(javax.security.sasl.SaslException)

Example 68 with PrivilegedActionException

use of java.security.PrivilegedActionException in project tomcat by apache.

the class JspServlet method init.

/*
     * Initializes this JspServlet.
     */
@Override
public void init(ServletConfig config) throws ServletException {
    super.init(config);
    this.config = config;
    this.context = config.getServletContext();
    // Initialize the JSP Runtime Context
    // Check for a custom Options implementation
    String engineOptionsName = config.getInitParameter("engineOptionsClass");
    if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
        log.info(Localizer.getMessage("jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
        engineOptionsName = null;
    }
    if (engineOptionsName != null) {
        // Instantiate the indicated Options implementation
        try {
            ClassLoader loader = Thread.currentThread().getContextClassLoader();
            Class<?> engineOptionsClass = loader.loadClass(engineOptionsName);
            Class<?>[] ctorSig = { ServletConfig.class, ServletContext.class };
            Constructor<?> ctor = engineOptionsClass.getConstructor(ctorSig);
            Object[] args = { config, context };
            options = (Options) ctor.newInstance(args);
        } catch (Throwable e) {
            e = ExceptionUtils.unwrapInvocationTargetException(e);
            ExceptionUtils.handleThrowable(e);
            // Need to localize this.
            log.warn("Failed to load engineOptionsClass", e);
            // Use the default Options implementation
            options = new EmbeddedServletOptions(config, context);
        }
    } else {
        // Use the default Options implementation
        options = new EmbeddedServletOptions(config, context);
    }
    rctxt = new JspRuntimeContext(context, options);
    if (config.getInitParameter("jspFile") != null) {
        jspFile = config.getInitParameter("jspFile");
        try {
            if (null == context.getResource(jspFile)) {
                return;
            }
        } catch (MalformedURLException e) {
            throw new ServletException("cannot locate jsp file", e);
        }
        try {
            if (SecurityUtil.isPackageProtectionEnabled()) {
                AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {

                    @Override
                    public Object run() throws IOException, ServletException {
                        serviceJspFile(null, null, jspFile, true);
                        return null;
                    }
                });
            } else {
                serviceJspFile(null, null, jspFile, true);
            }
        } catch (IOException e) {
            throw new ServletException("Could not precompile jsp: " + jspFile, e);
        } catch (PrivilegedActionException e) {
            Throwable t = e.getCause();
            if (t instanceof ServletException)
                throw (ServletException) t;
            throw new ServletException("Could not precompile jsp: " + jspFile, e);
        }
    }
    if (log.isDebugEnabled()) {
        log.debug(Localizer.getMessage("jsp.message.scratch.dir.is", options.getScratchDir().toString()));
        log.debug(Localizer.getMessage("jsp.message.dont.modify.servlets"));
    }
}
Also used : MalformedURLException(java.net.MalformedURLException) PrivilegedActionException(java.security.PrivilegedActionException) IOException(java.io.IOException) ServletException(javax.servlet.ServletException) JspRuntimeContext(org.apache.jasper.compiler.JspRuntimeContext) EmbeddedServletOptions(org.apache.jasper.EmbeddedServletOptions)

Example 69 with PrivilegedActionException

use of java.security.PrivilegedActionException in project hive by apache.

the class TSubjectAssumingTransport method open.

@Override
public void open() throws TTransportException {
    try {
        AccessControlContext context = AccessController.getContext();
        Subject subject = Subject.getSubject(context);
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

            public Void run() {
                try {
                    wrapped.open();
                } catch (TTransportException tte) {
                    // more time in our catch clause to get back the TTE. (ugh)
                    throw new RuntimeException(tte);
                }
                return null;
            }
        });
    } catch (PrivilegedActionException ioe) {
        throw new RuntimeException("Received an ioe we never threw!", ioe);
    } catch (RuntimeException rte) {
        if (rte.getCause() instanceof TTransportException) {
            throw (TTransportException) rte.getCause();
        } else {
            throw rte;
        }
    }
}
Also used : AccessControlContext(java.security.AccessControlContext) PrivilegedActionException(java.security.PrivilegedActionException) TTransportException(org.apache.thrift.transport.TTransportException) Subject(javax.security.auth.Subject)

Example 70 with PrivilegedActionException

use of java.security.PrivilegedActionException in project zookeeper by apache.

the class ZooKeeperSaslServer method createSaslServer.

private SaslServer createSaslServer(final Login login) {
    synchronized (login) {
        Subject subject = login.getSubject();
        if (subject != null) {
            // server is using a JAAS-authenticated subject: determine service principal name and hostname from zk server's subject.
            if (subject.getPrincipals().size() > 0) {
                try {
                    final Object[] principals = subject.getPrincipals().toArray();
                    final Principal servicePrincipal = (Principal) principals[0];
                    // e.g. servicePrincipalNameAndHostname := "zookeeper/myhost.foo.com@FOO.COM"
                    final String servicePrincipalNameAndHostname = servicePrincipal.getName();
                    int indexOf = servicePrincipalNameAndHostname.indexOf("/");
                    // e.g. serviceHostnameAndKerbDomain := "myhost.foo.com@FOO.COM"
                    final String serviceHostnameAndKerbDomain = servicePrincipalNameAndHostname.substring(indexOf + 1, servicePrincipalNameAndHostname.length());
                    int indexOfAt = serviceHostnameAndKerbDomain.indexOf("@");
                    // Handle Kerberos Service as well as User Principal Names
                    final String servicePrincipalName, serviceHostname;
                    if (indexOf > 0) {
                        // e.g. servicePrincipalName := "zookeeper"
                        servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOf);
                        // e.g. serviceHostname := "myhost.foo.com"
                        serviceHostname = serviceHostnameAndKerbDomain.substring(0, indexOfAt);
                    } else {
                        servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOfAt);
                        serviceHostname = null;
                    }
                    // TODO: should depend on zoo.cfg specified mechs, but if subject is non-null, it can be assumed to be GSSAPI.
                    final String mech = "GSSAPI";
                    LOG.debug("serviceHostname is '" + serviceHostname + "'");
                    LOG.debug("servicePrincipalName is '" + servicePrincipalName + "'");
                    LOG.debug("SASL mechanism(mech) is '" + mech + "'");
                    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
                    if (usingNativeJgss) {
                        // """
                        try {
                            GSSManager manager = GSSManager.getInstance();
                            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
                            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
                            GSSCredential cred = manager.createCredential(gssName, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
                            subject.getPrivateCredentials().add(cred);
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Added private credential to subject: " + cred);
                            }
                        } catch (GSSException ex) {
                            LOG.warn("Cannot add private credential to subject; " + "clients authentication may fail", ex);
                        }
                    }
                    try {
                        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

                            public SaslServer run() {
                                try {
                                    SaslServer saslServer;
                                    saslServer = Sasl.createSaslServer(mech, servicePrincipalName, serviceHostname, null, login.callbackHandler);
                                    return saslServer;
                                } catch (SaslException e) {
                                    LOG.error("Zookeeper Server failed to create a SaslServer to interact with a client during session initiation: " + e);
                                    e.printStackTrace();
                                    return null;
                                }
                            }
                        });
                    } catch (PrivilegedActionException e) {
                        // TODO: exit server at this point(?)
                        LOG.error("Zookeeper Quorum member experienced a PrivilegedActionException exception while creating a SaslServer using a JAAS principal context:" + e);
                        e.printStackTrace();
                    }
                } catch (IndexOutOfBoundsException e) {
                    LOG.error("server principal name/hostname determination error: ", e);
                }
            } else {
                // TODO: use 'authMech=' value in zoo.cfg.
                try {
                    SaslServer saslServer = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "zk-sasl-md5", null, login.callbackHandler);
                    return saslServer;
                } catch (SaslException e) {
                    LOG.error("Zookeeper Quorum member failed to create a SaslServer to interact with a client during session initiation", e);
                }
            }
        }
    }
    LOG.error("failed to create saslServer object.");
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) SaslServer(javax.security.sasl.SaslServer) Oid(org.ietf.jgss.Oid) SaslException(javax.security.sasl.SaslException) Subject(javax.security.auth.Subject) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) Principal(java.security.Principal)

Aggregations

PrivilegedActionException (java.security.PrivilegedActionException)135 IOException (java.io.IOException)58 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)56 Subject (javax.security.auth.Subject)23 LoginContext (javax.security.auth.login.LoginContext)14 LoginException (javax.security.auth.login.LoginException)12 InvocationTargetException (java.lang.reflect.InvocationTargetException)11 Method (java.lang.reflect.Method)11 URISyntaxException (java.net.URISyntaxException)11 HashSet (java.util.HashSet)11 ServletException (javax.servlet.ServletException)11 AccessControlContext (java.security.AccessControlContext)10 Principal (java.security.Principal)9 GSSException (org.ietf.jgss.GSSException)9 Field (java.lang.reflect.Field)8 SolrServerException (org.apache.solr.client.solrj.SolrServerException)7 GSSManager (org.ietf.jgss.GSSManager)7 MalformedURLException (java.net.MalformedURLException)6 ArrayList (java.util.ArrayList)6 YardException (org.apache.stanbol.entityhub.servicesapi.yard.YardException)6