
Example 86 with UnsupportedCallbackException

Use of javax.security.auth.callback.UnsupportedCallbackException in the spring-security project (spring-projects): class JaasApiIntegrationFilterTests, method onBeforeTests. This is a JUnit fixture: it builds a Subject with a principal and public/private credentials, a stub CallbackHandler that answers name/password callbacks with fixed test values and rejects unknown callback types, and an in-memory JAAS Configuration, then logs in to obtain the JaasAuthenticationToken used by the tests.

@BeforeEach
public void onBeforeTests() throws Exception {
    // Fresh filter and mock servlet pair for every test.
    this.filter = new JaasApiIntegrationFilter();
    this.request = new MockHttpServletRequest();
    this.response = new MockHttpServletResponse();

    // A Subject carrying one principal plus a public and a private credential.
    // The values are fixture constants, not real secrets.
    Subject subject = new Subject();
    subject.getPrincipals().add(() -> "principal");
    subject.getPrivateCredentials().add("password");
    subject.getPublicCredentials().add("username");
    this.authenticatedSubject = subject;

    // Stub handler: fixed answers for name/password, TextInputCallback tolerated
    // without an answer, anything else rejected so that an unexpected callback
    // shows up as a test failure instead of being silently satisfied.
    this.callbackHandler = (callbacks) -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("user");
                continue;
            }
            if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("password".toCharArray());
                continue;
            }
            if (!(cb instanceof TextInputCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized Callback " + cb);
            }
            // TextInputCallback: deliberately left unanswered
        }
    };

    // In-memory JAAS configuration: a single REQUIRED TestLoginModule, regardless of the
    // application name asked for.
    this.testConfiguration = new Configuration() {

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            AppConfigurationEntry entry = new AppConfigurationEntry(TestLoginModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, new HashMap<>());
            return new AppConfigurationEntry[] { entry };
        }

        @Override
        public void refresh() {
            // nothing to reload for a static in-memory configuration
        }
    };

    LoginContext loginContext = new LoginContext("SubjectDoAsFilterTest", this.authenticatedSubject,
            this.callbackHandler, this.testConfiguration);
    loginContext.login();
    this.token = new JaasAuthenticationToken("username", "password",
            AuthorityUtils.createAuthorityList("ROLE_ADMIN"), loginContext);
    // Defensive reset: a previous test may have left a SecurityContext behind.
    SecurityContextHolder.clearContext();
}

Example 87 with UnsupportedCallbackException

Use of javax.security.auth.callback.UnsupportedCallbackException in the storm project (apache): class ServerCallbackHandler, method handle. This is the server-side SASL callback handler: it accepts the name the mechanism already established (the callback's default name), never supplies a password (it only logs an error), and decides the AuthorizeCallback outcome, including whether an authenticated identity may act as a different authorization identity (impersonation) according to the handler's impersonationAllowed flag.

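/**
 * Server-side SASL callback handler.
 *
 * <p>Accepts the name the mechanism already established (the callback's default
 * name), never supplies a password (only logs an error when one is asked for),
 * and decides the {@link AuthorizeCallback}: the client is authorized unless it
 * asks to act as a different identity while impersonation is disabled.
 *
 * <p>Fix: {@code AuthorizeCallback.getAuthorizationID()} is a final field, while
 * {@code setAuthorizedID()} writes a separate one. The previous code set the
 * authorized id to the authentication id when the authorization id was null and
 * then re-read {@code getAuthorizationID()} (still null) for the impersonation
 * check, so a null authorization id was treated as an impersonation attempt. The
 * effective authorization id is now resolved once and used for both.
 *
 * @param callbacks callbacks supplied by the SASL server
 * @throws UnsupportedCallbackException for any callback type not handled here
 * @throws IllegalArgumentException when the client requests impersonation and the
 *         server does not allow it (propagates out of the SASL server's evaluation
 *         as an unchecked exception, aborting the handshake)
 */
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    NameCallback nc = null;
    PasswordCallback pc = null;
    AuthorizeCallback ac = null;
    for (Callback callback : callbacks) {
        if (callback instanceof AuthorizeCallback) {
            ac = (AuthorizeCallback) callback;
        } else if (callback instanceof NameCallback) {
            nc = (NameCallback) callback;
        } else if (callback instanceof PasswordCallback) {
            pc = (PasswordCallback) callback;
        } else if (callback instanceof RealmCallback) {
            // Ignored...
        } else {
            throw new UnsupportedCallbackException(callback, "Unrecognized SASL Callback");
        }
    }
    String userName = "UNKNOWN";
    if (nc != null) {
        LOG.debug("handleNameCallback");
        // The default name is whatever the SASL mechanism already established; accept it as-is.
        userName = nc.getDefaultName();
        nc.setName(userName);
    }
    if (pc != null) {
        // No password is ever supplied here: a mechanism that needs one will fail authentication.
        LOG.error("No password found for user: {}, validate klist matches jaas conf", userName);
    }
    if (ac != null) {
        String authenticationId = ac.getAuthenticationID();
        // Resolve the effective authorization id locally: if the client did not name one,
        // it acts as itself. This value feeds both setAuthorizedID() and the check below.
        String authorizationId = ac.getAuthorizationID();
        if (authorizationId == null) {
            authorizationId = authenticationId;
        }
        LOG.debug("Successfully authenticated client: authenticationID={}  authorizationID= {}", authenticationId, authorizationId);
        ac.setAuthorizedID(authorizationId);
        // add the authNid as the real user in reqContext's subject which will be used during authorization.
        if (!authenticationId.equals(authorizationId)) {
            if (!impersonationAllowed) {
                throw new IllegalArgumentException(authenticationId + " attempting to impersonate " + authorizationId + ".  This is not allowed by this server.");
            }
            // Impersonation: remember who really authenticated so authorization can be applied to them.
            ReqContext.context().setRealPrincipal(new SaslTransportPlugin.User(authenticationId));
        } else {
            // Clear any stale real principal so a non-impersonating request is not misattributed.
            ReqContext.context().setRealPrincipal(null);
        }
        ac.setAuthorized(true);
    }
}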

Example 88 with UnsupportedCallbackException

Use of javax.security.auth.callback.UnsupportedCallbackException in the storm project (apache): class SimpleSaslClientCallbackHandler, method handle. This is the client-side counterpart: it supplies the configured username and (when set) password, authorizes an AuthorizeCallback only when the authentication and authorization ids are identical, answers a RealmCallback with its default text, and rejects any other callback type.

/**
 * Client-side SASL callback handler.
 *
 * <p>Supplies the configured username and, when one is set, the password;
 * authorizes an {@link AuthorizeCallback} only when the authentication and
 * authorization ids are the same; answers a {@link RealmCallback} with its
 * default text; rejects every other callback type.
 *
 * @param callbacks callbacks supplied by the SASL client
 * @throws UnsupportedCallbackException for a callback type not handled here
 */
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        if (callback instanceof NameCallback) {
            ((NameCallback) callback).setName(username);
        } else if (callback instanceof PasswordCallback) {
            // Left unanswered when no password was configured.
            if (password != null) {
                ((PasswordCallback) callback).setPassword(password.toCharArray());
            }
        } else if (callback instanceof AuthorizeCallback) {
            AuthorizeCallback authz = (AuthorizeCallback) callback;
            String authenticationId = authz.getAuthenticationID();
            String authorizationId = authz.getAuthorizationID();
            // The client only ever authorizes acting as itself.
            boolean sameIdentity = authenticationId.equals(authorizationId);
            authz.setAuthorized(sameIdentity);
            if (sameIdentity) {
                authz.setAuthorizedID(authorizationId);
            }
        } else if (callback instanceof RealmCallback) {
            RealmCallback realm = (RealmCallback) callback;
            realm.setText(realm.getDefaultText());
        } else {
            throw new UnsupportedCallbackException(callback);
        }
    }
}

Example 89 with UnsupportedCallbackException

Use of javax.security.auth.callback.UnsupportedCallbackException in the kafka project (apache): class ScramSaslClient, method evaluateChallenge. This is the SCRAM client state machine; UnsupportedCallbackException is caught only around the extensions callback, so a callback handler that does not know about SCRAM extensions simply sends none. Note the two server-side checks the client enforces before it answers: the server nonce must begin with the client nonce, and the requested iteration count must not fall below the mechanism's minimum.

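/**
 * Drives the SCRAM client handshake one server challenge at a time.
 *
 * <p>States: SEND_CLIENT_FIRST_MESSAGE (expects an empty challenge, emits the
 * client-first message) → RECEIVE_SERVER_FIRST_MESSAGE (validates the nonce and
 * iteration count, emits the client-final message) → RECEIVE_SERVER_FINAL_MESSAGE
 * (handles the server signature) → COMPLETE. Any {@link SaslException} moves the
 * client to FAILED before it is rethrown.
 *
 * <p>Changes: the error raised when the password callback fails now says so (it
 * used to say "User name could not be obtained"); a handler that leaves the
 * password unset now produces a SaslException instead of a downstream
 * NullPointerException; the password held by the callback is cleared once it has
 * been consumed.
 *
 * @param challenge raw bytes from the server; null or empty for the first step
 * @return the next client message, or null once the exchange is complete
 * @throws SaslException on a protocol violation, a failed callback, or a server-reported error
 */
@Override
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
    try {
        switch(state) {
            case SEND_CLIENT_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0)
                    throw new SaslException("Expected empty challenge");
                clientNonce = formatter.secureRandomString();
                NameCallback nameCallback = new NameCallback("Name:");
                ScramExtensionsCallback extensionsCallback = new ScramExtensionsCallback();
                try {
                    callbackHandler.handle(new Callback[] { nameCallback });
                    try {
                        callbackHandler.handle(new Callback[] { extensionsCallback });
                    } catch (UnsupportedCallbackException e) {
                        // Extensions are optional: a handler that does not recognise the callback sends none.
                        log.debug("Extensions callback is not supported by client callback handler {}, no extensions will be added", callbackHandler);
                    }
                } catch (Throwable e) {
                    throw new SaslException("User name or extensions could not be obtained", e);
                }
                String username = nameCallback.getName();
                String saslName = ScramFormatter.saslName(username);
                Map<String, String> extensions = extensionsCallback.extensions();
                this.clientFirstMessage = new ScramMessages.ClientFirstMessage(saslName, clientNonce, extensions);
                setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
                return clientFirstMessage.toBytes();
            case RECEIVE_SERVER_FIRST_MESSAGE:
                this.serverFirstMessage = new ServerFirstMessage(challenge);
                // The combined nonce must start with ours; otherwise this server-first message is
                // not a reply to our exchange and must not be answered.
                if (!serverFirstMessage.nonce().startsWith(clientNonce))
                    throw new SaslException("Invalid server nonce: does not start with client nonce");
                // Refuse an iteration count below the mechanism's floor so a server (or someone in
                // the middle) cannot make the client derive a cheaply brute-forceable key.
                if (serverFirstMessage.iterations() < mechanism.minIterations())
                    throw new SaslException("Requested iterations " + serverFirstMessage.iterations() + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
                PasswordCallback passwordCallback = new PasswordCallback("Password:", false);
                try {
                    callbackHandler.handle(new Callback[] { passwordCallback });
                } catch (Throwable e) {
                    throw new SaslException("Password could not be obtained", e);
                }
                try {
                    // PasswordCallback.getPassword() returns a copy, so clearing the callback in the
                    // finally block cannot affect the array handed to handleServerFirstMessage.
                    char[] password = passwordCallback.getPassword();
                    if (password == null)
                        throw new SaslException("Password could not be obtained");
                    // NOTE(review): the copy itself is not zeroed here because it is not visible whether
                    // handleServerFirstMessage retains it — confirm before wiping it too.
                    this.clientFinalMessage = handleServerFirstMessage(password);
                } finally {
                    passwordCallback.clearPassword();
                }
                setState(State.RECEIVE_SERVER_FINAL_MESSAGE);
                return clientFinalMessage.toBytes();
            case RECEIVE_SERVER_FINAL_MESSAGE:
                ServerFinalMessage serverFinalMessage = new ServerFinalMessage(challenge);
                if (serverFinalMessage.error() != null)
                    throw new SaslException("Sasl authentication using " + mechanism + " failed with error: " + serverFinalMessage.error());
                // Server signature handling (mutual authentication) lives in handleServerFinalMessage.
                handleServerFinalMessage(serverFinalMessage.serverSignature());
                setState(State.COMPLETE);
                return null;
            default:
                // Not a SaslException, so the catch below does not run and the state is left unchanged.
                throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + state);
        }
    } catch (SaslException e) {
        setState(State.FAILED);
        throw e;
    }
}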

Example 90 with UnsupportedCallbackException

Use of javax.security.auth.callback.UnsupportedCallbackException in the kafka project (apache): class OAuthBearerSaslServerTest, method throwsAuthenticationExceptionOnInvalidExtensions. The test installs a callback handler that accepts the bearer token but reports every extension as invalid, and asserts that the SASL server then rejects the client's initial response with a SaslAuthenticationException instead of completing the handshake.

/**
 * A callback handler that accepts the bearer token but reports the client's
 * extensions as invalid must cause the server to reject the initial response
 * with a {@code SaslAuthenticationException} rather than complete the handshake.
 */
@Test
public void throwsAuthenticationExceptionOnInvalidExtensions() {
    // Handler: token always accepted, every extension flagged as invalid.
    OAuthBearerUnsecuredValidatorCallbackHandler rejectingHandler = new OAuthBearerUnsecuredValidatorCallbackHandler() {

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof OAuthBearerValidatorCallback) {
                    ((OAuthBearerValidatorCallback) cb).token(new OAuthBearerTokenMock());
                } else if (cb instanceof OAuthBearerExtensionsValidatorCallback) {
                    OAuthBearerExtensionsValidatorCallback ext = (OAuthBearerExtensionsValidatorCallback) cb;
                    ext.error("firstKey", "is not valid");
                    ext.error("secondKey", "is not valid either");
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    };
    saslServer = new OAuthBearerSaslServer(rejectingHandler);

    Map<String, String> extensions = new HashMap<>();
    extensions.put("firstKey", "value");
    extensions.put("secondKey", "value");

    assertThrows(SaslAuthenticationException.class,
            () -> saslServer.evaluateResponse(clientInitialResponse(null, false, extensions)));
}
