Use of javax.security.auth.callback.UnsupportedCallbackException in project spring-security by spring-projects.
The class JaasApiIntegrationFilterTests, method onBeforeTests.
/**
 * Builds the fixture shared by every test: a fresh filter, mock servlet request and
 * response, a JAAS {@link Subject} that has already been logged in through
 * {@code TestLoginModule}, and a {@link JaasAuthenticationToken} wrapping that login.
 * Ends by clearing the {@link SecurityContextHolder} so state left behind by an
 * earlier test cannot leak into this one.
 *
 * @throws Exception if the JAAS login fails
 */
@BeforeEach
public void onBeforeTests() throws Exception {
    this.filter = new JaasApiIntegrationFilter();
    this.request = new MockHttpServletRequest();
    this.response = new MockHttpServletResponse();

    Subject subject = new Subject();
    subject.getPrincipals().add(() -> "principal");
    subject.getPrivateCredentials().add("password");
    subject.getPublicCredentials().add("username");
    this.authenticatedSubject = subject;

    // Supplies the fixed test credentials. TextInputCallback is tolerated; any other
    // callback type is rejected so an unexpected callback fails the login loudly.
    this.callbackHandler = (callbacks) -> {
        for (Callback current : callbacks) {
            if (current instanceof NameCallback) {
                ((NameCallback) current).setName("user");
                continue;
            }
            if (current instanceof PasswordCallback) {
                ((PasswordCallback) current).setPassword("password".toCharArray());
                continue;
            }
            if (!(current instanceof TextInputCallback)) {
                throw new UnsupportedCallbackException(current, "Unrecognized Callback " + current);
            }
        }
    };

    // Static JAAS configuration: every login name maps to the single required TestLoginModule.
    this.testConfiguration = new Configuration() {
        @Override
        public void refresh() {
            // nothing to reload; the configuration never changes
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            AppConfigurationEntry entry = new AppConfigurationEntry(TestLoginModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, new HashMap<>());
            return new AppConfigurationEntry[] { entry };
        }
    };

    LoginContext loginContext = new LoginContext("SubjectDoAsFilterTest", this.authenticatedSubject,
            this.callbackHandler, this.testConfiguration);
    loginContext.login();
    this.token = new JaasAuthenticationToken("username", "password",
            AuthorityUtils.createAuthorityList("ROLE_ADMIN"), loginContext);

    // just in case someone forgot to clear the context
    SecurityContextHolder.clearContext();
}
Use of javax.security.auth.callback.UnsupportedCallbackException in project storm by apache.
The class ServerCallbackHandler, method handle.
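/**
 * Services the callbacks raised by the server-side SASL mechanism: answers the
 * name callback with its default, logs when a password is unexpectedly requested,
 * and decides the {@link AuthorizeCallback}. When the authenticated identity and
 * the requested authorization identity differ, the request is treated as
 * impersonation and rejected unless {@code impersonationAllowed} is set.
 *
 * @param callbacks the callbacks presented by the SASL server
 * @throws UnsupportedCallbackException if a callback other than Authorize, Name,
 *         Password or Realm is presented
 * @throws IllegalArgumentException if the client asks to act as another identity
 *         and impersonation is not allowed by this server
 */
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    NameCallback nc = null;
    PasswordCallback pc = null;
    AuthorizeCallback ac = null;
    for (Callback callback : callbacks) {
        if (callback instanceof AuthorizeCallback) {
            ac = (AuthorizeCallback) callback;
        } else if (callback instanceof NameCallback) {
            nc = (NameCallback) callback;
        } else if (callback instanceof PasswordCallback) {
            pc = (PasswordCallback) callback;
        } else if (callback instanceof RealmCallback) {
            // Ignored...
        } else {
            throw new UnsupportedCallbackException(callback, "Unrecognized SASL Callback");
        }
    }
    String userName = "UNKNOWN";
    if (nc != null) {
        LOG.debug("handleNameCallback");
        userName = nc.getDefaultName();
        nc.setName(nc.getDefaultName());
    }
    if (pc != null) {
        // This handler never supplies a password: a PasswordCallback means the
        // mechanism could not obtain credentials from the JAAS configuration.
        LOG.error("No password found for user: {}, validate klist matches jaas conf", userName);
    }
    if (ac != null) {
        String authenticationId = ac.getAuthenticationID();
        String authorizationId = ac.getAuthorizationID();
        LOG.debug("Successfully authenticated client: authenticationID={} authorizationID= {}", authenticationId, authorizationId);
        // An absent authorization id means the client acts as itself. Resolve it
        // locally as well, so the impersonation comparison below is made against
        // the effective identity rather than against null.
        if (authorizationId == null) {
            authorizationId = authenticationId;
            ac.setAuthorizedID(authenticationId);
        }
        if (!authenticationId.equals(authorizationId)) {
            if (!impersonationAllowed) {
                throw new IllegalArgumentException(authenticationId + " attempting to impersonate " + authorizationId + ". This is not allowed by this server.");
            }
            // Record the authenticated identity as the real principal in the request
            // context so authorization can see who is acting on behalf of whom.
            ReqContext.context().setRealPrincipal(new SaslTransportPlugin.User(authenticationId));
        } else {
            ReqContext.context().setRealPrincipal(null);
        }
        ac.setAuthorized(true);
    }
}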
Use of javax.security.auth.callback.UnsupportedCallbackException in project storm by apache.
The class SimpleSaslClientCallbackHandler, method handle.
/**
 * Answers the client-side SASL callbacks from the configured credentials: the
 * name callback gets {@code username}, the password callback gets {@code password}
 * (only when one is set), the realm callback gets its default text, and an
 * authorize callback is granted only when the authentication and authorization
 * ids are identical.
 *
 * @param callbacks the callbacks presented by the SASL client
 * @throws UnsupportedCallbackException if a callback type other than Name,
 *         Password, Authorize or Realm is presented
 */
@Override
public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    for (Callback callback : callbacks) {
        if (callback instanceof NameCallback) {
            ((NameCallback) callback).setName(username);
        } else if (callback instanceof PasswordCallback) {
            // A missing password is left unanswered rather than set to an empty array.
            if (password != null) {
                ((PasswordCallback) callback).setPassword(password.toCharArray());
            }
        } else if (callback instanceof AuthorizeCallback) {
            AuthorizeCallback authorize = (AuthorizeCallback) callback;
            String requestedId = authorize.getAuthorizationID();
            boolean sameIdentity = authorize.getAuthenticationID().equals(requestedId);
            authorize.setAuthorized(sameIdentity);
            if (authorize.isAuthorized()) {
                authorize.setAuthorizedID(requestedId);
            }
        } else if (callback instanceof RealmCallback) {
            RealmCallback realm = (RealmCallback) callback;
            realm.setText(realm.getDefaultText());
        } else {
            throw new UnsupportedCallbackException(callback);
        }
    }
}
Use of javax.security.auth.callback.UnsupportedCallbackException in project kafka by apache.
The class ScramSaslClient, method evaluateChallenge.
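/**
 * Advances the SCRAM client exchange by one step according to {@code state}:
 * first produces the client-first message (user name plus optional extensions
 * obtained through the callback handler), then validates the server-first
 * message and answers it with the client-final message built from the password,
 * and finally verifies the server signature in the server-final message.
 * Any {@link SaslException} moves the client to {@code State.FAILED} before it
 * is rethrown.
 *
 * @param challenge the bytes received from the server; must be empty for the first step
 * @return the bytes to send to the server, or {@code null} once the exchange is complete
 * @throws SaslException if the challenge is malformed, the server nonce or
 *         iteration count is unacceptable, credentials cannot be obtained, or
 *         the server reports an error
 * @throws IllegalSaslStateException if a challenge arrives in an unexpected state
 */
@Override
public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
    try {
        switch (state) {
            case SEND_CLIENT_FIRST_MESSAGE:
                if (challenge != null && challenge.length != 0) {
                    throw new SaslException("Expected empty challenge");
                }
                clientNonce = formatter.secureRandomString();
                NameCallback nameCallback = new NameCallback("Name:");
                ScramExtensionsCallback extensionsCallback = new ScramExtensionsCallback();
                try {
                    callbackHandler.handle(new Callback[] { nameCallback });
                    // Extensions are optional: a handler that does not know the
                    // callback simply contributes none.
                    try {
                        callbackHandler.handle(new Callback[] { extensionsCallback });
                    } catch (UnsupportedCallbackException e) {
                        log.debug("Extensions callback is not supported by client callback handler {}, no extensions will be added", callbackHandler);
                    }
                } catch (Throwable e) {
                    throw new SaslException("User name or extensions could not be obtained", e);
                }
                String username = nameCallback.getName();
                String saslName = ScramFormatter.saslName(username);
                Map<String, String> extensions = extensionsCallback.extensions();
                this.clientFirstMessage = new ScramMessages.ClientFirstMessage(saslName, clientNonce, extensions);
                setState(State.RECEIVE_SERVER_FIRST_MESSAGE);
                return clientFirstMessage.toBytes();
            case RECEIVE_SERVER_FIRST_MESSAGE:
                this.serverFirstMessage = new ServerFirstMessage(challenge);
                // The server nonce must extend the client nonce; otherwise the
                // response is not bound to this exchange.
                if (!serverFirstMessage.nonce().startsWith(clientNonce)) {
                    throw new SaslException("Invalid server nonce: does not start with client nonce");
                }
                // Refuse iteration counts below the mechanism minimum so a server
                // cannot weaken the key derivation.
                if (serverFirstMessage.iterations() < mechanism.minIterations()) {
                    throw new SaslException("Requested iterations " + serverFirstMessage.iterations() + " is less than the minimum " + mechanism.minIterations() + " for " + mechanism);
                }
                PasswordCallback passwordCallback = new PasswordCallback("Password:", false);
                try {
                    callbackHandler.handle(new Callback[] { passwordCallback });
                } catch (Throwable e) {
                    throw new SaslException("Password could not be obtained", e);
                }
                try {
                    this.clientFinalMessage = handleServerFirstMessage(passwordCallback.getPassword());
                } finally {
                    // Drop the callback's own copy of the password as soon as it has been consumed.
                    passwordCallback.clearPassword();
                }
                setState(State.RECEIVE_SERVER_FINAL_MESSAGE);
                return clientFinalMessage.toBytes();
            case RECEIVE_SERVER_FINAL_MESSAGE:
                ServerFinalMessage serverFinalMessage = new ServerFinalMessage(challenge);
                if (serverFinalMessage.error() != null) {
                    throw new SaslException("Sasl authentication using " + mechanism + " failed with error: " + serverFinalMessage.error());
                }
                handleServerFinalMessage(serverFinalMessage.serverSignature());
                setState(State.COMPLETE);
                return null;
            default:
                throw new IllegalSaslStateException("Unexpected challenge in Sasl client state " + state);
        }
    } catch (SaslException e) {
        setState(State.FAILED);
        throw e;
    }
}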
Use of javax.security.auth.callback.UnsupportedCallbackException in project kafka by apache.
The class OAuthBearerSaslServerTest, method throwsAuthenticationExceptionOnInvalidExtensions.
/**
 * If the callback handler handles the `OAuthBearerExtensionsValidatorCallback`
 * and finds an invalid extension, SaslServer should throw an authentication exception
 */
@Test
public void throwsAuthenticationExceptionOnInvalidExtensions() {
    // Handler that accepts the token itself but reports both custom extensions as invalid.
    OAuthBearerUnsecuredValidatorCallbackHandler rejectingHandler = new OAuthBearerUnsecuredValidatorCallbackHandler() {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback current : callbacks) {
                if (current instanceof OAuthBearerValidatorCallback) {
                    ((OAuthBearerValidatorCallback) current).token(new OAuthBearerTokenMock());
                } else if (current instanceof OAuthBearerExtensionsValidatorCallback) {
                    OAuthBearerExtensionsValidatorCallback extensionsCallback = (OAuthBearerExtensionsValidatorCallback) current;
                    extensionsCallback.error("firstKey", "is not valid");
                    extensionsCallback.error("secondKey", "is not valid either");
                } else {
                    throw new UnsupportedCallbackException(current);
                }
            }
        }
    };
    saslServer = new OAuthBearerSaslServer(rejectingHandler);

    Map<String, String> requestedExtensions = new HashMap<>();
    requestedExtensions.put("firstKey", "value");
    requestedExtensions.put("secondKey", "value");

    assertThrows(SaslAuthenticationException.class,
            () -> saslServer.evaluateResponse(clientInitialResponse(null, false, requestedExtensions)));
}