
Example 51 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project pac4j by pac4j.

From class SunJaasKerberosTicketValidator, method internalInit().

@Override
protected void internalInit() {
    // Logs the service principal in from its keytab via JAAS and caches the resulting
    // Subject in serviceSubject for later ticket validation.
    // Any JAAS or I/O failure is surfaced as a TechnicalException (cause preserved).
    try {
        CommonHelper.assertNotNull("servicePrincipal must be specified", this.servicePrincipal);
        CommonHelper.assertNotNull("keyTab must be specified", this.keyTabLocation);

        // LoginConfig expects a filesystem path, so drop the "file:" scheme from the
        // resource URL. Java 6 and 7 both accept the path with or without the prefix.
        // NOTE(review): this is a plain prefix strip with no URL decoding, so any
        // percent-escaped characters in the keytab path are passed through unchanged.
        final String fileScheme = "file:";
        String keyTabPath = this.keyTabLocation.getURL().toExternalForm();
        if (keyTabPath.startsWith(fileScheme)) {
            keyTabPath = keyTabPath.substring(fileScheme.length());
        }
        final LoginConfig jaasConfig = new LoginConfig(keyTabPath, this.servicePrincipal, this.debug);

        final Set<Principal> principals = new HashSet<>(1);
        principals.add(new KerberosPrincipal(this.servicePrincipal));
        // readOnly=false: presumably so the login can populate the Subject with the
        // service credentials — the populated Subject is what we keep below.
        final Subject loginSubject = new Subject(false, principals, new HashSet<>(), new HashSet<>());

        final LoginContext loginContext = new LoginContext("", loginSubject, null, jaasConfig);
        loginContext.login();
        this.serviceSubject = loginContext.getSubject();
    } catch (final LoginException | IOException e) {
        throw new TechnicalException(e);
    }
}

Example 52 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project pac4j by pac4j.

From class KerberosTicketValidation, method subject().

public Subject subject() {
    // Builds a fresh, writable (readOnly=false) Subject whose only principal is the
    // service principal. No public or private credentials are attached.
    final KerberosPrincipal service = new KerberosPrincipal(servicePrincipal);
    final Set<KerberosPrincipal> principals = new HashSet<>();
    principals.add(service);
    return new Subject(false, principals, new HashSet<>(), new HashSet<>());
}

Example 53 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project bookkeeper by apache.

From class TGTRefreshThread, method getTGT().

// Returns the TGT (the krbtgt/REALM@REALM ticket) held in the Subject's private credentials, or null.
// (The note "Initialize 'lastLogin' to do a login at first time" refers to a field, not to this method.)
private synchronized KerberosTicket getTGT() {
    // Scan the Subject's private credentials for the ticket whose server principal is
    // krbtgt/REALM@REALM, i.e. the ticket-granting ticket for that principal's own realm.
    // Cross-realm TGTs (krbtgt/OTHER@REALM) do not match and are skipped.
    // NOTE(review): ticket validity (isCurrent()) is not checked here; presumably the
    // caller handles expiry/renewal.
    final Set<KerberosTicket> candidates =
        container.getSubject().getPrivateCredentials(KerberosTicket.class);
    for (final KerberosTicket candidate : candidates) {
        if (!isTgtForOwnRealm(candidate)) {
            continue;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Client principal is \"" + candidate.getClient().getName() + "\".");
            LOG.debug("Server principal is \"" + candidate.getServer().getName() + "\".");
        }
        return candidate;
    }
    // No TGT among the private credentials.
    return null;
}

// True when the ticket's server principal is the krbtgt service of its own realm.
private boolean isTgtForOwnRealm(final KerberosTicket ticket) {
    final KerberosPrincipal server = ticket.getServer();
    final String realm = server.getRealm();
    return server.getName().equals("krbtgt/" + realm + "@" + realm);
}

Example 54 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project registry by hortonworks.

From class TestKerberosAuthenticationHandler, method testInit().

@Test(timeout = 60000)
public void testInit() throws Exception {
    // The handler must report the keytab it was configured with...
    Assert.assertEquals(KerberosTestUtils.getKeytabFile(), handler.getKeytab());
    // ...and exactly one principal: the configured server principal.
    final Principal expected = new KerberosPrincipal(KerberosTestUtils.getServerPrincipal());
    final Set<KerberosPrincipal> configured = handler.getPrincipals();
    Assert.assertTrue(configured.contains(expected));
    Assert.assertEquals(1, configured.size());
}

Example 55 with KerberosPrincipal

use of javax.security.auth.kerberos.KerberosPrincipal in project testcases by coheigea.

From class TokenPreAuthTest, method unitTokenAuthGSSTest().

// Use the TokenAuthLoginModule in Kerby to log in to the KDC using a JWT token
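@org.junit.Test
public void unitTokenAuthGSSTest() throws Exception {
    // 1. Get a TGT from the KDC for the client + create an armor cache
    KrbClient client = new KrbClient();
    client.setKdcHost("localhost");
    client.setKdcTcpPort(kerbyServer.getKdcPort());
    client.setAllowUdp(false);
    client.setKdcRealm(kerbyServer.getKdcSetting().getKdcRealm());
    client.init();
    TgtTicket tgt = client.requestTgt("alice@service.ws.apache.org", "alice");
    assertNotNull(tgt);

    String basedir = System.getProperty("basedir");
    if (basedir == null) {
        basedir = new File(".").getCanonicalPath();
    }

    // Both files hold credentials (a Kerberos ccache and a signed JWT), so they are
    // deleted in a finally block, not only on the success path.
    // NOTE(review): File.createTempFile does not restrict permissions; for a real
    // ccache, java.nio.file.Files.createTempFile (0600 on POSIX) would be preferable.
    File cCacheFile = File.createTempFile("krb5_alice@service.ws.apache.org", "cc");
    File tokenCache = new File(basedir + "/target/tokencache.txt");
    try {
        // Write the TGT to the armor cache
        Credential credential = new Credential(tgt);
        CredentialCache cCache = new CredentialCache();
        cCache.addCredential(credential);
        cCache.setPrimaryPrincipal(tgt.getClientPrincipal());
        cCache.store(cCacheFile);

        // Now read in JAAS config + substitute in the armor cache file path value.
        // The file is rewritten in place under target/, so the placeholder is consumed
        // on the first run; re-runs rely on the build re-copying the test resource.
        File jaasConfig = new File(basedir + "/target/test-classes/kerberos/kerberos.jaas");
        String content;
        try (FileInputStream inputStream = new FileInputStream(jaasConfig)) {
            content = IOUtils.toString(inputStream, "UTF-8");
        }
        // Literal replace: the path may contain '\' or '$', which replaceAll() would
        // interpret as regex replacement syntax.
        content = content.replace("armorCacheVal", cCacheFile.getPath());
        try (FileOutputStream outputStream = new FileOutputStream(jaasConfig)) {
            IOUtils.write(content, outputStream, "UTF-8");
        }

        // 2. Create a JWT token using CXF. JWT iat/exp are seconds since the epoch;
        // the previous code set exp in milliseconds, which made the token valid for
        // thousands of years. The token is now valid for one minute.
        long nowSeconds = System.currentTimeMillis() / 1000L;
        JwtClaims claims = new JwtClaims();
        claims.setSubject("alice");
        claims.setIssuer("DoubleItSTSIssuer");
        claims.setIssuedAt(nowSeconds);
        claims.setExpiryTime(nowSeconds + 60L);
        String address = "krbtgt/service.ws.apache.org@service.ws.apache.org";
        claims.setAudiences(Collections.singletonList(address));

        KeyStore keystore = KeyStore.getInstance("JKS");
        // KeyStore.load() does not close the stream it is given.
        try (java.io.InputStream storeStream = Loader.getResourceAsStream("clientstore.jks")) {
            keystore.load(storeStream, "cspass".toCharArray());
        }
        Properties signingProperties = new Properties();
        signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, SignatureAlgorithm.RS256.name());
        signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore);
        signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myclientkey");
        signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, "ckpass");
        JwsHeaders jwsHeaders = new JwsHeaders(signingProperties);
        JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims);
        JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders);
        String signedToken = jws.signWith(sigProvider);

        // Store the JWT token in the token cache
        if (!tokenCache.exists()) {
            tokenCache.createNewFile();
        }
        TokenCache.writeToken(signedToken, tokenCache.getPath());

        // 3. Now log in using JAAS
        LoginContext loginContext = new LoginContext("aliceTokenAuth", new KerberosCallbackHandler());
        loginContext.login();
        Subject clientSubject = loginContext.getSubject();
        byte[] ticket;
        try {
            // The login must have produced a TGT
            Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
            assertFalse(privateCredentials.isEmpty());
            // Get the service ticket using GSS
            KerberosClientExceptionAction action = new KerberosClientExceptionAction(
                new KerberosPrincipal("alice@service.ws.apache.org"), "bob@service.ws.apache.org");
            ticket = (byte[]) Subject.doAs(clientSubject, action);
        } finally {
            // Always release the JAAS session, even if the GSS exchange fails
            loginContext.logout();
        }
        assertNotNull(ticket);
        validateServiceTicket(ticket);
    } finally {
        cCacheFile.delete();
        tokenCache.delete();
    }
}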
