Examples with KerberosTicket javax.security.auth.kerberos.KerberosTicket used on opensource projects

Search in sources :

Example 11 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project jdk8u_jdk by JetBrains.

the class Krb5Util method getTicket.

/**
     * Retrieves the ticket corresponding to the client/server principal
     * pair from the Subject in the specified AccessControlContext.
     * If the ticket can not be found in the Subject, and if
     * useSubjectCredsOnly is false, then obtain ticket from
     * a LoginContext.
     */
static KerberosTicket getTicket(GSSCaller caller, String clientPrincipal, String serverPrincipal, AccessControlContext acc) throws LoginException {
    // Try to get ticket from acc's Subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket = SubjectComber.find(accSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
    // Try to get ticket from Subject obtained from GSSUtil
    if (ticket == null && !GSSUtil.useSubjectCredsOnly(caller)) {
        Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
        ticket = SubjectComber.find(subject, serverPrincipal, clientPrincipal, KerberosTicket.class);
    }
    return ticket;
}
Also used : KerberosTicket(javax.security.auth.kerberos.KerberosTicket) Subject(javax.security.auth.Subject)

Example 12 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project jdk8u_jdk by JetBrains.

the class Krb5Util method getTicketFromSubjectAndTgs.

/**
     * Retrieve the service ticket for serverPrincipal from caller's Subject
     * or from Subject obtained by logging in, or if not found, via the
     * Ticket Granting Service using the TGT obtained from the Subject.
     *
     * Caller must have permission to:
     *    - access and update Subject's private credentials
     *    - create LoginContext
     *    - read the auth.login.defaultCallbackHandler security property
     *
     * NOTE: This method is used by JSSE Kerberos Cipher Suites
     */
public static KerberosTicket getTicketFromSubjectAndTgs(GSSCaller caller, String clientPrincipal, String serverPrincipal, String tgsPrincipal, AccessControlContext acc) throws LoginException, KrbException, IOException {
    // 1. Try to find service ticket in acc subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket = SubjectComber.find(accSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
    if (ticket != null) {
        // found it
        return ticket;
    }
    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
        // 2. Try to get ticket from login
        try {
            loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
            ticket = SubjectComber.find(loginSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
            if (ticket != null) {
                // found it
                return ticket;
            }
        } catch (LoginException e) {
        // No login entry to use
        // ignore and continue
        }
    }
    // Service ticket not found in subject or login
    // Try to get TGT to acquire service ticket
    // 3. Try to get TGT from acc subject
    KerberosTicket tgt = SubjectComber.find(accSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);
    boolean fromAcc;
    if (tgt == null && loginSubj != null) {
        // 4. Try to get TGT from login subject
        tgt = SubjectComber.find(loginSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);
        fromAcc = false;
    } else {
        fromAcc = true;
    }
    // 5. Try to get service ticket using TGT
    if (tgt != null) {
        Credentials tgtCreds = ticketToCreds(tgt);
        Credentials serviceCreds = Credentials.acquireServiceCreds(serverPrincipal, tgtCreds);
        if (serviceCreds != null) {
            ticket = credsToTicket(serviceCreds);
            // Store service ticket in acc's Subject
            if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
                accSubj.getPrivateCredentials().add(ticket);
            }
        }
    }
    return ticket;
}
Also used : KerberosTicket(javax.security.auth.kerberos.KerberosTicket) LoginException(javax.security.auth.login.LoginException) Subject(javax.security.auth.Subject) Credentials(sun.security.krb5.Credentials)

Example 13 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project jdk8u_jdk by JetBrains.

the class KerberosClientKeyExchangeImpl method init.

/**
     * Creates an instance of KerberosClientKeyExchange consisting of the
     * Kerberos service ticket, authenticator and encrypted premaster secret.
     * Called by client handshaker.
     *
     * @param serverName name of server with which to do handshake;
     *             this is used to get the Kerberos service ticket
     * @param protocolVersion Maximum version supported by client (i.e,
     *          version it requested in client hello)
     * @param rand random number generator to use for generating pre-master
     *          secret
     */
@Override
public void init(String serverName, AccessControlContext acc, ProtocolVersion protocolVersion, SecureRandom rand) throws IOException {
    // Get service ticket
    KerberosTicket ticket = getServiceTicket(serverName, acc);
    encodedTicket = ticket.getEncoded();
    // Record the Kerberos principals
    peerPrincipal = ticket.getServer();
    localPrincipal = ticket.getClient();
    // Optional authenticator, encrypted using session key,
    // currently ignored
    // Generate premaster secret and encrypt it using session key
    EncryptionKey sessionKey = new EncryptionKey(ticket.getSessionKeyType(), ticket.getSessionKey().getEncoded());
    preMaster = new KerberosPreMasterSecret(protocolVersion, rand, sessionKey);
}
Also used : KerberosTicket(javax.security.auth.kerberos.KerberosTicket) EncryptionKey(sun.security.krb5.EncryptionKey)

Example 14 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project hbase by apache.

the class TestSpnegoHttpServer method testAllowedClient.

@Test
public void testAllowedClient() throws Exception {
    // Create the subject for the client
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(CLIENT_PRINCIPAL, clientKeytab);
    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
    // Make sure the subject has a principal
    assertFalse(clientPrincipals.isEmpty());
    // Get a TGT for the subject (might have many, different encryption types). The first should
    // be the default encryption type.
    Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
    assertFalse(privateCredentials.isEmpty());
    KerberosTicket tgt = privateCredentials.iterator().next();
    assertNotNull(tgt);
    // The name of the principal
    final String principalName = clientPrincipals.iterator().next().getName();
    // Run this code, logged in as the subject (the client)
    HttpResponse resp = Subject.doAs(clientSubject, new PrivilegedExceptionAction<HttpResponse>() {

        @Override
        public HttpResponse run() throws Exception {
            // Logs in with Kerberos via GSS
            GSSManager gssManager = GSSManager.getInstance();
            // jGSS Kerberos login constant
            Oid oid = new Oid("1.2.840.113554.1.2.2");
            GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME);
            GSSCredential credential = gssManager.createCredential(gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
            HttpClientContext context = HttpClientContext.create();
            Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build();
            HttpClient client = HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry).build();
            BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));
            URL url = new URL(getServerURL(server), "/echo?a=b");
            context.setTargetHost(new HttpHost(url.getHost(), url.getPort()));
            context.setCredentialsProvider(credentialsProvider);
            context.setAuthSchemeRegistry(authRegistry);
            HttpGet get = new HttpGet(url.toURI());
            return client.execute(get, context);
        }
    });
    assertNotNull(resp);
    assertEquals(HttpURLConnection.HTTP_OK, resp.getStatusLine().getStatusCode());
    assertEquals("a:b", EntityUtils.toString(resp.getEntity()).trim());
}
Also used : GSSName(org.ietf.jgss.GSSName) BasicCredentialsProvider(org.apache.http.impl.client.BasicCredentialsProvider) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) HttpGet(org.apache.http.client.methods.HttpGet) KerberosCredentials(org.apache.http.auth.KerberosCredentials) HttpResponse(org.apache.http.HttpResponse) HttpClientContext(org.apache.http.client.protocol.HttpClientContext) Oid(org.ietf.jgss.Oid) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) Subject(javax.security.auth.Subject) KrbException(org.apache.kerby.kerberos.kerb.KrbException) IOException(java.io.IOException) URL(java.net.URL) GSSCredential(org.ietf.jgss.GSSCredential) HttpHost(org.apache.http.HttpHost) GSSManager(org.ietf.jgss.GSSManager) HttpClient(org.apache.http.client.HttpClient) Lookup(org.apache.http.config.Lookup) Principal(java.security.Principal) Test(org.junit.Test)

Example 15 with KerberosTicket

use of javax.security.auth.kerberos.KerberosTicket in project storm by apache.

the class AutoTGT method clearCredentials.

public static void clearCredentials(Subject subject, KerberosTicket tgt) {
    Set<Object> creds = subject.getPrivateCredentials();
    synchronized (creds) {
        Iterator<Object> iterator = creds.iterator();
        while (iterator.hasNext()) {
            Object o = iterator.next();
            if (o instanceof KerberosTicket) {
                KerberosTicket t = (KerberosTicket) o;
                iterator.remove();
                try {
                    t.destroy();
                } catch (DestroyFailedException e) {
                    LOG.warn("Failed to destory ticket ", e);
                }
            }
        }
        if (tgt != null) {
            creds.add(tgt);
        }
    }
}
Also used : DestroyFailedException(javax.security.auth.DestroyFailedException) KerberosTicket(javax.security.auth.kerberos.KerberosTicket)

Aggregations

KerberosTicket (javax.security.auth.kerberos.KerberosTicket)35 Subject (javax.security.auth.Subject)13 Principal (java.security.Principal)7 KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)7 Test (org.junit.Test)7 DestroyFailedException (javax.security.auth.DestroyFailedException)6 RefreshFailedException (javax.security.auth.RefreshFailedException)6 LoginException (javax.security.auth.login.LoginException)6 HashMap (java.util.HashMap)4 LoginContext (javax.security.auth.login.LoginContext)4 IOException (java.io.IOException)3 Date (java.util.Date)3 KerberosKey (javax.security.auth.kerberos.KerberosKey)3 AbstractKerberosITest (org.apache.directory.server.kerberos.kdc.AbstractKerberosITest)3 ByteArrayInputStream (java.io.ByteArrayInputStream)2 ObjectInputStream (java.io.ObjectInputStream)2 InetAddress (java.net.InetAddress)2 PrivilegedActionException (java.security.PrivilegedActionException)2 Map (java.util.Map)2 Configuration (javax.security.auth.login.Configuration)2
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial