use of java.security.PrivilegedExceptionAction in project fabric8 by jboss-fuse.
the class ZooKeeperSaslClient method createSaslClient.
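/**
 * Creates the SASL client used to authenticate this ZooKeeper connection.
 * <p>
 * The JAAS {@code Login} is initialised lazily and is shared by all connections, which is why this method
 * is {@code synchronized}. The mechanism is chosen from the logged-in {@link Subject}: a subject without
 * principals (username/password credentials only) gets DIGEST-MD5, a subject carrying a Kerberos principal
 * gets GSSAPI.
 *
 * @param servicePrincipal the server's service principal ("service/host"); the realm is taken from the
 *                         {@code zookeeper.server.realm} system property, defaulting to the client's realm
 * @param loginContext     name of the JAAS login context used to initialise the shared {@code Login}
 * @return the SASL client, or {@code null} when it could not be created (the failure is logged)
 * @throws LoginException if the JAAS login itself fails; every other exception is logged with its stack
 *                        trace and turned into a {@code null} return
 */
private synchronized SaslClient createSaslClient(final String servicePrincipal, final String loginContext) throws LoginException {
    try {
        if (login == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("JAAS loginContext is: " + loginContext);
            }
            // note that the login object is static: it's shared amongst all zookeeper-related connections.
            // createSaslClient() must be declared synchronized so that login is initialized only once.
            login = new Login(loginContext, new ClientCallbackHandler(null));
            login.startThreadIfNeeded();
        }
        Subject subject = login.getSubject();
        // if empty, use DIGEST-MD5; otherwise, use GSSAPI.
        if (subject.getPrincipals().isEmpty()) {
            return createDigestMd5Client(subject);
        }
        return createGssapiClient(subject, servicePrincipal);
    } catch (LoginException e) {
        // We throw LoginExceptions...
        throw e;
    } catch (Exception e) {
        // ..but consume all other types of exceptions, keeping the stack trace in the log
        // (a String-concatenated exception loses it, and printStackTrace() bypasses the logger).
        LOG.error("Exception while trying to create SASL client", e);
        return null;
    }
}

/**
 * Builds a DIGEST-MD5 client from the username/password held in the subject's public/private credentials.
 * DIGEST-MD5 is only used when the subject carries no principal (no Kerberos login); it is a legacy
 * mechanism (RFC 6331 moved it to Historic), so GSSAPI should be preferred wherever a Kerberos principal
 * is available.
 *
 * @param subject the JAAS subject produced by the shared {@code Login}
 * @return the client, or {@code null} (logged) when the subject carries no username/password
 * @throws SaslException if no provider can create the client
 */
private SaslClient createDigestMd5Client(Subject subject) throws SaslException {
    // no principals: must not be GSSAPI: use DIGEST-MD5 mechanism instead.
    LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");
    Object[] publicCredentials = subject.getPublicCredentials().toArray();
    Object[] privateCredentials = subject.getPrivateCredentials().toArray();
    // Guard the [0] lookups: without this, a subject with no credentials fails with an
    // ArrayIndexOutOfBoundsException that is only visible as a generic "Exception" log line.
    if (publicCredentials.length == 0 || privateCredentials.length == 0) {
        LOG.error("Cannot use DIGEST-MD5: JAAS subject carries no username/password credentials");
        return null;
    }
    String username = (String) publicCredentials[0];
    String password = (String) privateCredentials[0];
    String[] mechs = { "DIGEST-MD5" };
    // "zk-sasl-md5" is a hard-wired 'domain' parameter shared with zookeeper server code (see ServerCnxnFactory.java)
    return Sasl.createSaslClient(mechs, username, "zookeeper", "zk-sasl-md5", null, new ClientCallbackHandler(password));
}

/**
 * Builds a GSSAPI (Kerberos) client for {@code servicePrincipal}, running {@code Sasl.createSaslClient}
 * as the subject so the JGSS provider can find the subject's Kerberos credentials.
 *
 * @param subject          the JAAS subject; must carry at least one principal (checked by the caller)
 * @param servicePrincipal the server's "service/host" principal without realm
 * @return the client, or {@code null} (logged) when the provider failed to create it
 */
private SaslClient createGssapiClient(Subject subject, String servicePrincipal) {
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        // With native JGSS the credentials live outside the JAAS subject. Per the Oracle JGSS feature
        // notes, the GSSCredential to be used under Subject.doAs() must be added to the subject's private
        // credential set, otherwise the GSS operations fail because no credential is found.
        try {
            GSSManager manager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSCredential cred = manager.createCredential(null, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);
            subject.getPrivateCredentials().add(cred);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Added private credential to subject: " + cred);
            }
        } catch (GSSException ex) {
            // best effort: the handshake may still fail later, which the server will report
            LOG.warn("Cannot add private credential to subject; authentication at the server may fail", ex);
        }
    }
    // determine client principal from subject.
    final Principal clientPrincipal = (Principal) subject.getPrincipals().toArray()[0];
    final KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());
    // assume that server and client are in the same realm (by default; unless the system property
    // "zookeeper.server.realm" is set).
    String serverRealm = System.getProperty("zookeeper.server.realm", clientKerberosName.getRealm());
    KerberosName serviceKerberosName = new KerberosName(servicePrincipal + "@" + serverRealm);
    final String serviceName = serviceKerberosName.getServiceName();
    final String serviceHostname = serviceKerberosName.getHostName();
    final String clientPrincipalName = clientKerberosName.toString();
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {
            public SaslClient run() throws SaslException {
                LOG.info("Client will use GSSAPI as SASL mechanism.");
                String[] mechs = { "GSSAPI" };
                LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);
                return Sasl.createSaslClient(mechs, clientPrincipalName, serviceName, serviceHostname, null, new ClientCallbackHandler(null));
            }
        });
    } catch (PrivilegedActionException e) {
        // run() only throws SaslException, so the wrapped cause is the informative part.
        LOG.error("Exception while trying to create SASL client", e.getCause());
        return null;
    }
}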
use of java.security.PrivilegedExceptionAction in project apache-kafka-on-k8s by banzaicloud.
the class SaslServerAuthenticator method createSaslServer.
/**
 * Creates the {@code SaslServer} for the negotiated mechanism and stores it in {@code saslServer}.
 * SCRAM mechanisms get a {@code ScramServerCallbackHandler} backed by the credential and token caches,
 * every other mechanism a JAAS-backed {@code SaslServerCallbackHandler}. GSSAPI is delegated to
 * {@code createSaslKerberosServer}; all other mechanisms go through {@code Sasl.createSaslServer}
 * while running as the mechanism's {@code Subject}.
 *
 * @param mechanism the SASL mechanism name selected by the client
 * @throws IOException as a {@link SaslException} when the JDK could not create the server; the
 *                     underlying cause is preserved
 */
private void createSaslServer(String mechanism) throws IOException {
    this.saslMechanism = mechanism;
    Subject subject = subjects.get(mechanism);
    if (ScramMechanism.isScram(mechanism)) {
        callbackHandler = new ScramServerCallbackHandler(credentialCache.cache(mechanism, ScramCredential.class), tokenCache);
    } else {
        callbackHandler = new SaslServerCallbackHandler(jaasContexts.get(mechanism));
    }
    callbackHandler.configure(configs, Mode.SERVER, subject, saslMechanism);
    if (mechanism.equals(SaslConfigs.GSSAPI_MECHANISM)) {
        saslServer = createSaslKerberosServer(callbackHandler, configs, subject);
        return;
    }
    PrivilegedExceptionAction<SaslServer> createServer = new PrivilegedExceptionAction<SaslServer>() {
        @Override
        public SaslServer run() throws SaslException {
            return Sasl.createSaslServer(saslMechanism, "kafka", serverAddress().getHostName(), configs, callbackHandler);
        }
    };
    try {
        saslServer = Subject.doAs(subject, createServer);
    } catch (PrivilegedActionException e) {
        // unwrap: the SaslException thrown by run() is the cause, the wrapper adds nothing
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}
use of java.security.PrivilegedExceptionAction in project Bytecoder by mirkosertic.
the class FactoryURLClassLoader method findClass.
/**
 * Finds and loads the class with the specified name from the URL search
 * path. Any URLs referring to JAR files are loaded and opened as needed
 * until the class is found. The lookup runs under the access-control
 * context captured at construction ({@code acc}) rather than the caller's.
 *
 * @param name the name of the class
 * @return the resulting class
 * @exception ClassNotFoundException if the class could not be found,
 * or if the loader is closed.
 * @exception NullPointerException if {@code name} is {@code null}.
 */
protected Class<?> findClass(final String name) throws ClassNotFoundException {
    // binary name -> resource path, e.g. "a.b.C" -> "a/b/C.class"
    final String path = name.replace('.', '/').concat(".class");
    final PrivilegedExceptionAction<Class<?>> lookup = () -> {
        Resource res = ucp.getResource(path, false);
        if (res == null) {
            return null;
        }
        try {
            return defineClass(name, res);
        } catch (IOException e) {
            throw new ClassNotFoundException(name, e);
        }
    };
    final Class<?> result;
    try {
        result = AccessController.doPrivileged(lookup, acc);
    } catch (java.security.PrivilegedActionException pae) {
        // run() only declares ClassNotFoundException, so the wrapped exception has that type
        throw (ClassNotFoundException) pae.getException();
    }
    if (result == null) {
        throw new ClassNotFoundException(name);
    }
    return result;
}
use of java.security.PrivilegedExceptionAction in project Bytecoder by mirkosertic.
the class Calendar method readObject.
/**
 * Reconstitutes this object from a stream (i.e., deserialize it).
 * <p>
 * After the default fields have been read, the {@code stamp} array is rebuilt, the per-version
 * compatibility fixups are applied, an optional trailing {@code ZoneInfo} is read under
 * {@code CalendarAccessControlContext.INSTANCE}, and a deserialized {@code SimpleTimeZone} is swapped
 * for the {@code TimeZone} returned by {@code TimeZone.getTimeZone(id)} when the rules and id match.
 *
 * @param stream the stream to read from
 * @throws IOException            if the stream cannot be read
 * @throws ClassNotFoundException if a class in the stream cannot be resolved
 */
private void readObject(ObjectInputStream stream) throws IOException, ClassNotFoundException {
    final ObjectInputStream input = stream;
    input.defaultReadObject();
    // stamp is rebuilt here rather than read from the stream (presumably a transient field).
    stamp = new int[FIELD_COUNT];
    // Version >= 2 streams: fields[]/isSet[] may not be streamed out anymore; 'time' is expected to be
    // correct, so mark it as set and allocate whichever arrays are missing.
    if (serialVersionOnStream >= 2) {
        isTimeSet = true;
        if (fields == null) {
            fields = new int[FIELD_COUNT];
        }
        if (isSet == null) {
            isSet = new boolean[FIELD_COUNT];
        }
    } else if (serialVersionOnStream >= 0) {
        // Older streams: derive the stamps from isSet. NOTE(review): isSet is assumed non-null and at
        // least FIELD_COUNT long here; nothing in this method validates the lengths of the deserialized
        // fields[]/isSet[] arrays, so a malformed stream surfaces as an NPE/AIOOBE from this loop.
        for (int i = 0; i < FIELD_COUNT; ++i) {
            stamp[i] = isSet[i] ? COMPUTED : UNSET;
        }
    }
    serialVersionOnStream = currentSerialVersion;
    // If there's a ZoneInfo object, use it for zone.
    ZoneInfo zi = null;
    try {
        // The extra readObject() runs under CalendarAccessControlContext.INSTANCE — presumably so that
        // class resolution triggered by the stream is bounded by that context rather than by the
        // caller's permissions; confirm against the context's definition.
        zi = AccessController.doPrivileged(new PrivilegedExceptionAction<>() {
            @Override
            public ZoneInfo run() throws Exception {
                // NOTE(review): a RuntimeException here (e.g. ClassCastException when the stream carries
                // an object that is not a ZoneInfo) is not wrapped by doPrivileged and propagates
                // straight to the caller of readObject.
                return (ZoneInfo) input.readObject();
            }
        }, CalendarAccessControlContext.INSTANCE);
    } catch (PrivilegedActionException pae) {
        Exception e = pae.getException();
        // OptionalDataException means the stream simply carries no ZoneInfo; that is tolerated.
        if (!(e instanceof OptionalDataException)) {
            // Everything else is rethrown with its original type where the signature allows it.
            if (e instanceof RuntimeException) {
                throw (RuntimeException) e;
            } else if (e instanceof IOException) {
                throw (IOException) e;
            } else if (e instanceof ClassNotFoundException) {
                throw (ClassNotFoundException) e;
            }
            throw new RuntimeException(e);
        }
    }
    if (zi != null) {
        zone = zi;
    }
    // A deserialized SimpleTimeZone is replaced by the TimeZone registered under the same id when
    // the two have the same rules, so the canonical zone implementation is used as much as possible.
    if (zone instanceof SimpleTimeZone) {
        String id = zone.getID();
        TimeZone tz = TimeZone.getTimeZone(id);
        if (tz != null && tz.hasSameRules(zone) && tz.getID().equals(id)) {
            zone = tz;
        }
    }
}
use of java.security.PrivilegedExceptionAction in project jackrabbit-oak by apache.
the class AbstractLoginModule method getRoot.
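/**
 * Tries to obtain a {@code Root} object from the callback handler using
 * a new RepositoryCallback and keeps the value as private field.
 * If the callback handler isn't able to handle the RepositoryCallback
 * this method returns {@code null}.
 * <p>
 * The repository login runs as {@code SystemSubject.INSTANCE}; the resulting system session is
 * retained in {@code systemSession} (presumably released elsewhere in this login module — confirm)
 * and the root is taken from it. Every failure is logged at debug level together with the exception
 * so that a silent {@code null} can still be diagnosed from the log.
 *
 * @return The {@code Root} associated with this {@code LoginModule} or
 * {@code null}.
 */
@CheckForNull
protected Root getRoot() {
    if (root == null && callbackHandler != null) {
        try {
            final RepositoryCallback rcb = new RepositoryCallback();
            callbackHandler.handle(new Callback[] { rcb });
            final ContentRepository repository = rcb.getContentRepository();
            if (repository != null) {
                systemSession = Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction<ContentSession>() {
                    @Override
                    public ContentSession run() throws LoginException, NoSuchWorkspaceException {
                        return repository.login(null, rcb.getWorkspaceName());
                    }
                });
                root = systemSession.getLatestRoot();
            } else {
                log.debug("Unable to retrieve the Root via RepositoryCallback; ContentRepository not available.");
            }
        } catch (PrivilegedActionException e) {
            // The informative exception (LoginException / NoSuchWorkspaceException) is the wrapped one;
            // logging only getMessage() of the wrapper dropped both the type and the stack trace.
            log.debug("Unable to retrieve the Root via RepositoryCallback", e.getException());
        } catch (UnsupportedCallbackException | IOException e) {
            log.debug("Unable to retrieve the Root via RepositoryCallback", e);
        }
    }
    return root;
}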