use of javax.security.auth.kerberos.KerberosTicket in project jstorm by alibaba.
the class AutoTGT method renew.
/**
 * Refreshes the TGT carried in {@code credentials} once its refresh time has
 * been reached and writes the renewed ticket back into the map.
 * <p>
 * A failed refresh is logged at WARN and otherwise swallowed; the caller is
 * not told that the stored ticket is still the old one.
 *
 * @param credentials  serialized credentials; the TGT is read from, and after a
 *                     successful refresh written back to, this map
 * @param topologyConf topology configuration (not consulted here)
 */
@Override
public void renew(Map<String, String> credentials, Map topologyConf) {
    KerberosTicket ticket = getTGT(credentials);
    if (ticket == null) {
        return;
    }
    long refreshAt = getRefreshTime(ticket);
    if (System.currentTimeMillis() < refreshAt) {
        return; // not yet due
    }
    try {
        LOG.info("Renewing TGT for " + ticket.getClient());
        ticket.refresh();
        saveTGT(ticket, credentials);
    } catch (RefreshFailedException e) {
        LOG.warn("Failed to refresh TGT", e);
    }
}
use of javax.security.auth.kerberos.KerberosTicket in project jstorm by alibaba.
the class AutoTGT method populateSubjectWithTGT.
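/**
 * Installs the TGT carried in {@code credentials} into {@code subject}.
 * <p>
 * Every KerberosTicket already held as a private credential is removed from
 * the subject and destroyed, so the subject ends up holding exactly the ticket
 * from the credentials map. The ticket's client principal is added to the
 * subject's principals and the ticket is cached in {@code kerbTicket}. When the
 * map holds no TGT the subject is left untouched and an INFO line is logged.
 *
 * @param subject     subject to populate
 * @param credentials serialized credentials produced by this class
 */
private void populateSubjectWithTGT(Subject subject, Map<String, String> credentials) {
    KerberosTicket tgt = getTGT(credentials);
    if (tgt == null) {
        LOG.info("No TGT found in credentials");
        return;
    }
    Set<Object> creds = subject.getPrivateCredentials();
    // Remove and re-add under the set's monitor so the swap is not observed half-done.
    synchronized (creds) {
        Iterator<Object> iterator = creds.iterator();
        while (iterator.hasNext()) {
            Object o = iterator.next();
            if (o instanceof KerberosTicket) {
                KerberosTicket stale = (KerberosTicket) o;
                iterator.remove();
                try {
                    // Wipe the superseded ticket's key material instead of just dropping the reference.
                    stale.destroy();
                } catch (DestroyFailedException e) {
                    LOG.warn("Failed to destroy ticket ", e);
                }
            }
        }
        creds.add(tgt);
    }
    subject.getPrincipals().add(tgt.getClient());
    kerbTicket.set(tgt);
}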
use of javax.security.auth.kerberos.KerberosTicket in project jdk8u_jdk by JetBrains.
the class GSSUtil method populateCredentials.
/**
 * Copies the Kerberos elements of {@code gssCredentials} into {@code credentials}.
 * <p>
 * A ticket or key whose runtime class is an internal subclass (for example
 * sun.security.jgss.krb5.Krb5InitCredential extends KerberosTicket and
 * sun.security.jgss.krb5.Krb5AcceptCredential extends KerberosKey) is
 * re-created as a plain {@link KerberosTicket} / {@link KerberosKey} so that
 * those implementation types are never handed to the caller. Elements that are
 * neither are skipped with a debug message.
 *
 * @param credentials    destination set
 * @param gssCredentials mechanism credentials to convert and copy
 */
private static void populateCredentials(Set<Object> credentials, Set<?> gssCredentials) {
    for (Object element : gssCredentials) {
        // SpNegoCredElement merely wraps the real mechanism credential
        Object cred = element instanceof SpNegoCredElement
                ? ((SpNegoCredElement) element).getInternalCred()
                : element;
        if (cred instanceof KerberosTicket) {
            credentials.add(asPlainTicket((KerberosTicket) cred));
        } else if (cred instanceof KerberosKey) {
            credentials.add(asPlainKey((KerberosKey) cred));
        } else {
            // Ignore non-KerberosTicket and non-KerberosKey elements
            debug("Skipped cred element: " + cred);
        }
    }
}

/**
 * Returns {@code ticket} unchanged when its runtime class is exactly
 * KerberosTicket, otherwise a fresh KerberosTicket built from its fields.
 */
private static KerberosTicket asPlainTicket(KerberosTicket ticket) {
    if (ticket.getClass().getName().equals("javax.security.auth.kerberos.KerberosTicket")) {
        return ticket;
    }
    return new KerberosTicket(ticket.getEncoded(), ticket.getClient(), ticket.getServer(),
            ticket.getSessionKey().getEncoded(), ticket.getSessionKeyType(), ticket.getFlags(),
            ticket.getAuthTime(), ticket.getStartTime(), ticket.getEndTime(),
            ticket.getRenewTill(), ticket.getClientAddresses());
}

/**
 * Returns {@code key} unchanged when its runtime class is exactly KerberosKey,
 * otherwise a fresh KerberosKey built from its fields.
 */
private static KerberosKey asPlainKey(KerberosKey key) {
    if (key.getClass().getName().equals("javax.security.auth.kerberos.KerberosKey")) {
        return key;
    }
    return new KerberosKey(key.getPrincipal(), key.getEncoded(), key.getKeyType(), key.getVersionNumber());
}
use of javax.security.auth.kerberos.KerberosTicket in project jdk8u_jdk by JetBrains.
the class KerberosClientKeyExchangeImpl method getServiceTicket.
// Similar to sun.security.jgss.krb5.Krb5InitCredenetial/Krb5Context
/**
 * Obtains a Kerberos service ticket for the {@code host/<serverName>} principal
 * on behalf of the caller described by {@code acc}.
 * <p>
 * "localhost" and "localhost.localdomain" are first replaced by the machine's
 * real host name (looked up in a privileged block), so the ticket is requested
 * for the actual host principal rather than a loopback alias. When a
 * SecurityManager is installed, {@code acc} — the caller's context, not this
 * code's own permissions — must hold
 * {@code ServicePermission(serverPrincipal, "initiate")}; only after that check
 * passes is the ticket fetched from the subject / TGS inside a privileged action.
 *
 * @param serverName host name (possibly in IP address form) of the TLS server
 * @param acc        access control context of the caller, used for both the
 *                   permission check and the privileged ticket lookup
 * @return the service ticket; never {@code null}
 * @throws IOException       if {@code serverName} does not form a valid service
 *                           principal name, if no ticket could be found, or if
 *                           the privileged lookup fails (cause attached)
 * @throws SecurityException if the permission check fails, or if one is raised
 *                           while building the principal name (propagated unwrapped)
 */
private static KerberosTicket getServiceTicket(String serverName, final AccessControlContext acc) throws IOException {
    if ("localhost".equals(serverName) || "localhost.localdomain".equals(serverName)) {
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("Get the local hostname");
        }
        // Privileged: resolving the local host name may need a permission the caller lacks.
        String localHost = java.security.AccessController.doPrivileged(new java.security.PrivilegedAction<String>() {
            public String run() {
                try {
                    return InetAddress.getLocalHost().getHostName();
                } catch (java.net.UnknownHostException e) {
                    if (debug != null && Debug.isOn("handshake")) {
                        System.out.println("Warning," + " cannot get the local hostname: " + e.getMessage());
                    }
                    // Fall back to the literal "localhost" name below.
                    return null;
                }
            }
        });
        if (localHost != null) {
            serverName = localHost;
        }
    }
    // Resolve serverName (possibly in IP addr form) to Kerberos principal
    // name for service with hostname
    String serviceName = "host/" + serverName;
    PrincipalName principal;
    try {
        principal = new PrincipalName(serviceName, PrincipalName.KRB_NT_SRV_HST);
    } catch (SecurityException se) {
        // Let a SecurityException escape as-is instead of being wrapped
        // into an IOException by the catch-all below.
        throw se;
    } catch (Exception e) {
        IOException ioe = new IOException("Invalid service principal" + " name: " + serviceName);
        ioe.initCause(e);
        throw ioe;
    }
    String realm = principal.getRealmAsString();
    final String serverPrincipal = principal.toString();
    // TGS principal lives in the same realm as the service principal.
    final String tgsPrincipal = "krbtgt/" + realm + "@" + realm;
    // use default
    final String clientPrincipal = null;
    // check permission to obtain a service ticket to initiate a
    // context with the "host" service — evaluated against acc (the caller's
    // context) before any privileged work is done.
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new ServicePermission(serverPrincipal, "initiate"), acc);
    }
    try {
        KerberosTicket ticket = AccessController.doPrivileged(new PrivilegedExceptionAction<KerberosTicket>() {
            public KerberosTicket run() throws Exception {
                return Krb5Util.getTicketFromSubjectAndTgs(GSSCaller.CALLER_SSL_CLIENT, clientPrincipal, serverPrincipal, tgsPrincipal, acc);
            }
        });
        if (ticket == null) {
            throw new IOException("Failed to find any kerberos service" + " ticket for " + serverPrincipal);
        }
        return ticket;
    } catch (PrivilegedActionException e) {
        // Wraps the checked exception thrown by run(); keep it as the cause.
        IOException ioe = new IOException("Attempt to obtain kerberos service ticket for " + serverPrincipal + " failed!");
        ioe.initCause(e);
        throw ioe;
    }
}
use of javax.security.auth.kerberos.KerberosTicket in project jdk8u_jdk by JetBrains.
the class KerberosHashEqualsTest method check.
/**
 * Exercises equals()/hashCode() of KerberosKey and KerberosTicket: identical
 * construction arguments compare equal, any single differing field compares
 * unequal, a destroyed instance equals nothing except itself, and renewTill
 * only participates in the comparison when the RENEWABLE flag is set.
 *
 * @throws Exception if destroying a key or ticket fails
 */
void check() throws Exception {
    KerberosPrincipal client = new KerberosPrincipal("client");
    KerberosPrincipal server = new KerberosPrincipal("server");
    byte[] password = "pass".getBytes();

    // ---- KerberosKey(principal, bytes, keyType, version) ----
    KerberosKey key1 = new KerberosKey(client, password, 1, 1);
    KerberosKey key2 = new KerberosKey(client, password, 1, 1);
    checkSame(key1, key1);  // reflexive
    checkSame(key1, key2);  // same construction arguments

    key2.destroy();         // a destroyed key equals nothing ...
    checkNotSame(key1, key2);
    checkNotSame(key2, key1);
    key1.destroy();         // ... not even another destroyed key ...
    checkNotSame(key1, key2);
    checkNotSame(key2, key1);
    checkSame(key2, key2);  // ... except itself

    // one differing field is enough to break equality
    key1 = new KerberosKey(client, password, 1, 1);
    key2 = new KerberosKey(server, password, 1, 1);
    checkNotSame(key1, key2);  // principal
    key2 = new KerberosKey(client, "ssap".getBytes(), 1, 1);
    checkNotSame(key1, key2);  // key bytes
    key2 = new KerberosKey(client, password, 2, 1);
    checkNotSame(key1, key2);  // key type
    key2 = new KerberosKey(client, password, 1, 2);
    checkNotSame(key1, key2);  // version
    key2 = new KerberosKey(null, password, 1, 2);
    checkNotSame(key1, key2);  // null principal vs non-null
    key1 = new KerberosKey(null, password, 1, 2);
    checkSame(key1, key2);     // null principal on both sides
    checkNotSame(key1, "Another Object");

    // ---- KerberosTicket(asn1, client, server, sessionKey, keyType, flags,
    //                     authTime, startTime, endTime, renewTill, addresses) ----
    byte[] asn1 = "asn1".getBytes();
    boolean[] forwardable = { true, true };
    boolean[] allFlags = { true, true, true, true, true, true, true, true, true, true };
    Date epoch = new Date(0);
    KerberosTicket tkt1 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, epoch, epoch, null);
    KerberosTicket tkt2 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, epoch, epoch, null);
    checkSame(tkt1, tkt1);
    checkSame(tkt1, tkt2);

    tkt1.destroy();         // destroyed tickets are unequal to anything ...
    checkNotSame(tkt1, tkt2);
    checkNotSame(tkt2, tkt1);
    tkt2.destroy();         // ... including each other ...
    checkNotSame(tkt1, tkt2);
    checkNotSame(tkt2, tkt1);
    checkSame(tkt2, tkt2);  // ... unless it is the very same object

    // one differing field is enough to break equality
    tkt1 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, epoch, epoch, null);
    tkt2 = new KerberosTicket("asn11".getBytes(), client, server, password, 1, forwardable, epoch, epoch, epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // ASN.1 encoding
    tkt2 = new KerberosTicket(asn1, new KerberosPrincipal("client1"), server, password, 1, forwardable, epoch, epoch, epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // client
    tkt2 = new KerberosTicket(asn1, client, new KerberosPrincipal("server1"), password, 1, forwardable, epoch, epoch, epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // server
    tkt2 = new KerberosTicket(asn1, client, server, "pass1".getBytes(), 1, forwardable, epoch, epoch, epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // session key
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, epoch, epoch, null) == null
            ? null
            : new KerberosTicket(asn1, client, server, password, 2, forwardable, epoch, epoch, epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // key type
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, new boolean[] { true, false }, epoch, epoch, epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // flags (not FORWARDABLE)
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, forwardable, new Date(1), epoch, epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // auth time
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, new Date(1), epoch, epoch, null);
    checkNotSame(tkt1, tkt2);  // start time
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, new Date(1), epoch, null);
    checkNotSame(tkt1, tkt2);  // end time
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, epoch, epoch, new InetAddress[2]);
    checkNotSame(tkt1, tkt2);  // client addresses

    // renewTill is ignored while the RENEWABLE flag is clear ...
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, epoch, new Date(1), null);
    tkt1 = new KerberosTicket(asn1, client, server, password, 1, forwardable, epoch, epoch, epoch, new Date(2), null);
    checkSame(tkt1, tkt2);
    // ... and compared once it is set
    tkt2 = new KerberosTicket(asn1, client, server, password, 1, allFlags, epoch, epoch, epoch, new Date(1), null);
    tkt1 = new KerberosTicket(asn1, client, server, password, 1, allFlags, epoch, epoch, epoch, new Date(2), null);
    checkNotSame(tkt1, tkt2);
    checkNotSame(tkt1, "Another Object");

    System.out.println("Good!");
}