use of javax.security.auth.kerberos.KerberosPrincipal in project pac4j by pac4j.
the class SunJaasKerberosTicketValidator method internalInit.
@Override
protected void internalInit() {
// then internalInit() runs lazily during the first validateTicket() call
try {
CommonHelper.assertNotNull("servicePrincipal must be specified", this.servicePrincipal);
CommonHelper.assertNotNull("keyTab must be specified", this.keyTabLocation);
String keyTabLocationAsString = this.keyTabLocation.getURL().toExternalForm();
// As Java 6 accepts it with and without the prefix, we don't need to check for Java 7
if (keyTabLocationAsString.startsWith("file:")) {
keyTabLocationAsString = keyTabLocationAsString.substring(5);
}
LoginConfig loginConfig = new LoginConfig(keyTabLocationAsString, this.servicePrincipal, this.debug);
Set<Principal> princ = new HashSet<>(1);
princ.add(new KerberosPrincipal(this.servicePrincipal));
Subject sub = new Subject(false, princ, new HashSet<>(), new HashSet<>());
LoginContext lc = new LoginContext("", sub, null, loginConfig);
lc.login();
this.serviceSubject = lc.getSubject();
} catch (final LoginException | IOException e) {
throw new TechnicalException(e);
}
}
use of javax.security.auth.kerberos.KerberosPrincipal in project pac4j by pac4j.
the class KerberosTicketValidation method subject.
public Subject subject() {
final Set<KerberosPrincipal> princs = new HashSet<>();
princs.add(new KerberosPrincipal(servicePrincipal));
return new Subject(false, princs, new HashSet<>(), new HashSet<>());
}
use of javax.security.auth.kerberos.KerberosPrincipal in project bookkeeper by apache.
the class TGTRefreshThread method getTGT.
// Initialize 'lastLogin' to do a login at first time
private synchronized KerberosTicket getTGT() {
Set<KerberosTicket> tickets = container.getSubject().getPrivateCredentials(KerberosTicket.class);
for (KerberosTicket ticket : tickets) {
KerberosPrincipal server = ticket.getServer();
if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
if (LOG.isDebugEnabled()) {
LOG.debug("Client principal is \"" + ticket.getClient().getName() + "\".");
LOG.debug("Server principal is \"" + ticket.getServer().getName() + "\".");
}
return ticket;
}
}
return null;
}
use of javax.security.auth.kerberos.KerberosPrincipal in project registry by hortonworks.
the class TestKerberosAuthenticationHandler method testInit.
@Test(timeout = 60000)
public void testInit() throws Exception {
Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
Set<KerberosPrincipal> principals = handler.getPrincipals();
Principal expectedPrincipal = new KerberosPrincipal(KerberosTestUtils.getServerPrincipal());
Assert.assertTrue(principals.contains(expectedPrincipal));
Assert.assertEquals(1, principals.size());
}
use of javax.security.auth.kerberos.KerberosPrincipal in project testcases by coheigea.
the class TokenPreAuthTest method unitTokenAuthGSSTest.
// Use the TokenAuthLoginModule in Kerby to log in to the KDC using a JWT token
@org.junit.Test
public void unitTokenAuthGSSTest() throws Exception {
// 1. Get a TGT from the KDC for the client + create an armor cache
KrbClient client = new KrbClient();
client.setKdcHost("localhost");
client.setKdcTcpPort(kerbyServer.getKdcPort());
client.setAllowUdp(false);
client.setKdcRealm(kerbyServer.getKdcSetting().getKdcRealm());
client.init();
TgtTicket tgt = client.requestTgt("alice@service.ws.apache.org", "alice");
assertNotNull(tgt);
// Write to cache
Credential credential = new Credential(tgt);
CredentialCache cCache = new CredentialCache();
cCache.addCredential(credential);
cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
File cCacheFile = File.createTempFile("krb5_alice@service.ws.apache.org", "cc");
cCache.store(cCacheFile);
// Now read in JAAS config + substitute in the armor cache file path value
String basedir = System.getProperty("basedir");
if (basedir == null) {
basedir = new File(".").getCanonicalPath();
}
File f = new File(basedir + "/target/test-classes/kerberos/kerberos.jaas");
FileInputStream inputStream = new FileInputStream(f);
String content = IOUtils.toString(inputStream, "UTF-8");
inputStream.close();
content = content.replaceAll("armorCacheVal", cCacheFile.getPath());
File f2 = new File(basedir + "/target/test-classes/kerberos/kerberos.jaas");
FileOutputStream outputStream = new FileOutputStream(f2);
IOUtils.write(content, outputStream, "UTF-8");
outputStream.close();
// 2. Create a JWT token using CXF
JwtClaims claims = new JwtClaims();
claims.setSubject("alice");
claims.setIssuer("DoubleItSTSIssuer");
claims.setIssuedAt(new Date().getTime() / 1000L);
claims.setExpiryTime(new Date().getTime() + (60L + 1000L));
String address = "krbtgt/service.ws.apache.org@service.ws.apache.org";
claims.setAudiences(Collections.singletonList(address));
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(Loader.getResourceAsStream("clientstore.jks"), "cspass".toCharArray());
Properties signingProperties = new Properties();
signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, SignatureAlgorithm.RS256.name());
signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myclientkey");
signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, "ckpass");
JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
String signedToken = jws.signWith(sigProvider);
// Store the JWT token in the token cache
File tokenCache = new File(basedir + "/target/tokencache.txt");
if (!tokenCache.exists()) {
tokenCache.createNewFile();
}
TokenCache.writeToken(signedToken, tokenCache.getPath());
// 3. Now log in using JAAS
LoginContext loginContext = new LoginContext("aliceTokenAuth", new KerberosCallbackHandler());
loginContext.login();
Subject clientSubject = loginContext.getSubject();
// Set<Principal> clientPrincipals = clientSubject.getPrincipals();
// assertFalse(clientPrincipals.isEmpty());
// Get the TGT
Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
assertFalse(privateCredentials.isEmpty());
// Get the service ticket using GSS
KerberosClientExceptionAction action = new KerberosClientExceptionAction(new KerberosPrincipal("alice@service.ws.apache.org"), "bob@service.ws.apache.org");
byte[] ticket = (byte[]) Subject.doAs(clientSubject, action);
assertNotNull(ticket);
loginContext.logout();
validateServiceTicket(ticket);
cCacheFile.delete();
tokenCache.delete();
}
Aggregations