Use of javax.security.auth.kerberos.ServicePermission in project wildfly by wildfly: the class SPNEGOLoginModuleTestCase, method deployment.
/**
 * Builds the {@code WEB} test deployment: the web application produced by
 * {@code createWebApp(WEBAPP_NAME, "web-spnego-authn.xml", "SPNEGO")}, bundled with a
 * {@code permissions.xml} manifest resource. The archive is marked {@code testable = false},
 * so the test itself runs outside the container.
 * <p>
 * The permissions granted to the archive are the ones the test servlets and the GSS test
 * client need when a security manager is active: the runtime permission to obtain
 * delegation credentials, read access to the port/principal/password system properties,
 * socket access to the test server address, and Kerberos {@code initiate} permission for
 * the test service principal and for the {@code krbtgt/JBOSS.ORG@JBOSS.ORG} TGS principal.
 * These grants are scoped to this test archive only.
 *
 * @return the web archive deployed under the name {@code WEB}
 */
@Deployment(name = "WEB", testable = false)
public static WebArchive deployment() {
    LOGGER.debug("Web deployment");
    final WebArchive war = createWebApp(WEBAPP_NAME, "web-spnego-authn.xml", "SPNEGO");

    // Permission for PropagateIdentityServlet to call DelegationCredentialContext.getDelegCredential()
    final RuntimePermission delegationPermission =
            new RuntimePermission("org.jboss.security.negotiation.getDelegCredential");
    // Permissions for PropagateIdentityServlet to read the GSS test properties
    final PropertyPermission portProperty = new PropertyPermission(GSSTestConstants.PROPERTY_PORT, "read");
    final PropertyPermission principalProperty = new PropertyPermission(GSSTestConstants.PROPERTY_PRINCIPAL, "read");
    final PropertyPermission passwordProperty = new PropertyPermission(GSSTestConstants.PROPERTY_PASSWORD, "read");
    // Permission for GSSTestClient to connect to GSSTestServer
    final SocketPermission serverSocketPermission =
            new SocketPermission(TestSuiteEnvironment.getServerAddress(), "resolve,connect");
    // Permissions for GSSTestClient to initiate a GSS context: the service principal and the TGS principal
    final ServicePermission servicePermission = new ServicePermission(GSSTestConstants.PRINCIPAL, "initiate");
    final ServicePermission tgsPermission = new ServicePermission("krbtgt/JBOSS.ORG@JBOSS.ORG", "initiate");

    war.addAsManifestResource(
            PermissionUtils.createPermissionsXmlAsset(delegationPermission, portProperty, principalProperty,
                    passwordProperty, serverSocketPermission, servicePermission, tgsPermission),
            "permissions.xml");
    return war;
}
Use of javax.security.auth.kerberos.ServicePermission in project jdk8u_jdk by JetBrains: the class Krb5MechFactory, method checkInitCredPermission.
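/**
 * Checks that the caller is allowed to acquire initial (TGT) credentials for the
 * realm of the given Kerberos name.
 * <p>
 * When a {@link SecurityManager} is installed, the check requires a
 * {@link ServicePermission} whose target is the TGS principal of the name's realm,
 * {@code krbtgt/REALM@REALM}, with action {@code initiate}. Without a security
 * manager the method is a no-op.
 *
 * @param name the Kerberos name whose realm determines the TGS principal to check
 * @throws SecurityException if the security manager denies the permission; the
 *         exception is rethrown unchanged after optional debug output
 */
public static void checkInitCredPermission(Krb5NameElement name) {
    SecurityManager sm = System.getSecurityManager();
    if (sm == null) {
        return;
    }
    String realm = name.getKrb5PrincipalName().getRealmAsString();
    // TGS principal for the realm: krbtgt/REALM@REALM (the redundant new String(...) wrapper was dropped)
    String tgsPrincipal = "krbtgt/" + realm + '@' + realm;
    ServicePermission perm = new ServicePermission(tgsPrincipal, "initiate");
    try {
        sm.checkPermission(perm);
    } catch (SecurityException e) {
        if (DEBUG) {
            // The two literal fragments used to be concatenated without a separator.
            System.out.println("Permission to initiate kerberos init credential: " + e.getMessage());
        }
        throw e;
    }
}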
Use of javax.security.auth.kerberos.ServicePermission in project jdk8u_jdk by JetBrains: the class Krb5NameElement, method getInstance.
/**
 * Instantiates a new Krb5NameElement object. Internally it stores the
 * information provided by the input parameters so that they may later
 * be used for output when a printable representation of this name is
 * needed in GSS-API format rather than in Kerberos format.
 *
 * @param gssNameStr the name in the textual form supplied by the GSS-API caller
 * @param gssNameType the GSS-API name type; {@code null} selects
 *        {@code Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL}. The accepted types are
 *        {@code NT_USER_NAME}, {@code NT_HOSTBASED_SERVICE},
 *        {@code NT_GSS_KRB5_PRINCIPAL} and {@code NT_EXPORT_NAME}.
 * @return the name element wrapping the parsed {@code PrincipalName}
 * @throws GSSException with {@code BAD_NAMETYPE} for any other name type,
 *         {@code BAD_NAME} if the Kerberos principal cannot be parsed, or
 *         {@code FAILURE} if the realm had to be deduced, automatic realm
 *         deduction is disabled and the caller lacks the corresponding
 *         {@code ServicePermission}
 */
static Krb5NameElement getInstance(String gssNameStr, Oid gssNameType) throws GSSException {
    /*
     * A null gssNameType implies that the mechanism default
     * Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL be used.
     */
    if (gssNameType == null)
        gssNameType = Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL;
    else if (!gssNameType.equals(GSSName.NT_USER_NAME) && !gssNameType.equals(GSSName.NT_HOSTBASED_SERVICE) && !gssNameType.equals(Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL) && !gssNameType.equals(GSSName.NT_EXPORT_NAME))
        throw new GSSException(GSSException.BAD_NAMETYPE, -1, gssNameType.toString() + " is an unsupported nametype");
    PrincipalName principalName;
    try {
        if (gssNameType.equals(GSSName.NT_EXPORT_NAME) || gssNameType.equals(Krb5MechFactory.NT_GSS_KRB5_PRINCIPAL)) {
            // Exported and mechanism-specific names are taken as Kerberos
            // principal syntax and parsed directly.
            principalName = new PrincipalName(gssNameStr, PrincipalName.KRB_NT_PRINCIPAL);
        } else {
            // NOTE: getComponents() runs for NT_USER_NAME as well, although only
            // the host-based branch uses its result.
            String[] components = getComponents(gssNameStr);
            if (gssNameType.equals(GSSName.NT_USER_NAME))
                principalName = new PrincipalName(gssNameStr, PrincipalName.KRB_NT_PRINCIPAL);
            else {
                // NT_HOSTBASED_SERVICE: components[0] is the service and
                // components[1], when present, the host -- assumes getComponents
                // splits the GSS-API host-based form; confirm against getComponents.
                String hostName = null;
                String service = components[0];
                if (components.length >= 2)
                    hostName = components[1];
                String principal = getHostBasedInstance(service, hostName);
                principalName = new PrincipalName(principal, PrincipalName.KRB_NT_SRV_HST);
            }
        }
    } catch (KrbException e) {
        // Only the message is forwarded; the KrbException itself is not chained.
        throw new GSSException(GSSException.BAD_NAME, -1, e.getMessage());
    }
    // If the realm was not given explicitly and had to be deduced, and automatic
    // realm deduction is disabled, the caller must hold
    // ServicePermission("@REALM", "-") under the installed security manager.
    if (principalName.isRealmDeduced() && !Realm.AUTODEDUCEREALM) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            try {
                sm.checkPermission(new ServicePermission("@" + principalName.getRealmAsString(), "-"));
            } catch (SecurityException se) {
                // Do not chain the actual exception to hide info
                // (a bare FAILURE code is raised so the caller sees neither the
                // denied permission nor the deduced realm).
                throw new GSSException(GSSException.FAILURE);
            }
        }
    }
    return new Krb5NameElement(principalName, gssNameStr, gssNameType);
}
Use of javax.security.auth.kerberos.ServicePermission in project jdk8u_jdk by JetBrains: the class Krb5Util, method checkServicePermission.
/**
 * Performs a {@link ServicePermission} check for the given {@code target} and
 * {@code action} when a security manager is installed; a no-op otherwise.
 * A debug line naming the permission is emitted through SunNativeProvider
 * before the check.
 *
 * @param target the Kerberos principal name the permission applies to
 * @param action the permission action (for example {@code initiate} or {@code accept})
 * @throws SecurityException if the installed security manager denies the permission
 */
static void checkServicePermission(String target, String action) {
    final SecurityManager securityManager = System.getSecurityManager();
    if (securityManager == null) {
        return;
    }
    SunNativeProvider.debug("Checking ServicePermission(" + target + ", " + action + ")");
    securityManager.checkPermission(new ServicePermission(target, action));
}
Use of javax.security.auth.kerberos.ServicePermission in project jdk8u_jdk by JetBrains: the class KerberosClientKeyExchangeImpl, method getServiceTicket.
// Similar to sun.security.jgss.krb5.Krb5InitCredential/Krb5Context
/**
 * Obtains a Kerberos service ticket for the {@code host/<serverName>} service on
 * behalf of the caller's access control context.
 * <p>
 * Before the ticket is fetched, the caller (as represented by {@code acc}) must
 * hold {@code ServicePermission(serverPrincipal, "initiate")} when a security
 * manager is installed. The ticket lookup itself runs in a privileged block with
 * the default client principal ({@code null}) and the TGS principal of the
 * server's realm.
 *
 * @param serverName the target host name (possibly in IP address form);
 *        {@code localhost} and {@code localhost.localdomain} are replaced by the
 *        resolved local host name when it can be determined
 * @param acc the access control context of the caller, used both for the
 *        permission check and for the ticket lookup
 * @return the service ticket; never {@code null}
 * @throws IOException if the service principal name is invalid, no ticket can be
 *         found, or the privileged lookup fails
 * @throws SecurityException if the caller lacks the required ServicePermission, or
 *         if constructing the principal name throws one (rethrown unchanged)
 */
private static KerberosTicket getServiceTicket(String serverName, final AccessControlContext acc) throws IOException {
    if ("localhost".equals(serverName) || "localhost.localdomain".equals(serverName)) {
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("Get the local hostname");
        }
        // The local host name is resolved in a privileged block so that the
        // lookup does not depend on the caller's own permissions.
        String localHost = java.security.AccessController.doPrivileged(new java.security.PrivilegedAction<String>() {
            public String run() {
                try {
                    return InetAddress.getLocalHost().getHostName();
                } catch (java.net.UnknownHostException e) {
                    if (debug != null && Debug.isOn("handshake")) {
                        System.out.println("Warning," + " cannot get the local hostname: " + e.getMessage());
                    }
                    // null keeps the original "localhost" name below.
                    return null;
                }
            }
        });
        if (localHost != null) {
            serverName = localHost;
        }
    }
    // Resolve serverName (possibly in IP addr form) to Kerberos principal
    // name for service with hostname
    String serviceName = "host/" + serverName;
    PrincipalName principal;
    try {
        principal = new PrincipalName(serviceName, PrincipalName.KRB_NT_SRV_HST);
    } catch (SecurityException se) {
        // Security failures propagate unchanged instead of being wrapped as IOException.
        throw se;
    } catch (Exception e) {
        IOException ioe = new IOException("Invalid service principal" + " name: " + serviceName);
        ioe.initCause(e);
        throw ioe;
    }
    String realm = principal.getRealmAsString();
    final String serverPrincipal = principal.toString();
    // TGS principal of the server's realm: krbtgt/REALM@REALM
    final String tgsPrincipal = "krbtgt/" + realm + "@" + realm;
    // use default
    final String clientPrincipal = null;
    // check permission to obtain a service ticket to initiate a
    // context with the "host" service
    // The check is evaluated against the caller's context (acc), not against
    // the current, possibly privileged, call stack.
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
        sm.checkPermission(new ServicePermission(serverPrincipal, "initiate"), acc);
    }
    try {
        // Privileged lookup; acc is passed through so the ticket is taken from
        // the caller's Subject rather than the privileged one.
        KerberosTicket ticket = AccessController.doPrivileged(new PrivilegedExceptionAction<KerberosTicket>() {
            public KerberosTicket run() throws Exception {
                return Krb5Util.getTicketFromSubjectAndTgs(GSSCaller.CALLER_SSL_CLIENT, clientPrincipal, serverPrincipal, tgsPrincipal, acc);
            }
        });
        if (ticket == null) {
            throw new IOException("Failed to find any kerberos service" + " ticket for " + serverPrincipal);
        }
        return ticket;
    } catch (PrivilegedActionException e) {
        // The PrivilegedActionException (not its wrapped cause) is chained.
        IOException ioe = new IOException("Attempt to obtain kerberos service ticket for " + serverPrincipal + " failed!");
        ioe.initCause(e);
        throw ioe;
    }
}