Use of javax.security.sasl.AuthorizeCallback in project alluxio by Alluxio.
The class PlainSaslServerCallbackHandler, method handle.
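/**
 * Answers the SASL PLAIN callbacks for one authentication attempt.
 *
 * <p>The user name and password are collected from the {@link NameCallback} and
 * {@link PasswordCallback}, handed to {@code mAuthenticationProvider}, and only if
 * that call returns normally is the {@link AuthorizeCallback} (when present) marked
 * authorized, the authorized id published through {@code AuthenticatedClientUser},
 * and {@code mCallback} run.
 *
 * @param callbacks the callbacks supplied by the SASL server
 * @throws UnsupportedCallbackException for any callback other than the three above
 * @throws IOException if the authentication provider rejects the credentials
 *         (the provider's exact failure contract is declared elsewhere)
 */
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
  String username = null;
  String password = null;
  AuthorizeCallback ac = null;
  for (Callback callback : callbacks) {
    if (callback instanceof NameCallback) {
      username = ((NameCallback) callback).getName();
    } else if (callback instanceof PasswordCallback) {
      PasswordCallback pc = (PasswordCallback) callback;
      char[] secret = pc.getPassword();
      // An unset password used to surface as a NullPointerException here; pass null
      // through so the provider rejects it like any other bad credential.
      password = secret == null ? null : new String(secret);
      // Drop the callback's own copy now that we hold ours. The String copy itself
      // cannot be zeroed, which the provider's String-based interface forces on us.
      pc.clearPassword();
    } else if (callback instanceof AuthorizeCallback) {
      ac = (AuthorizeCallback) callback;
    } else {
      throw new UnsupportedCallbackException(callback, "Unsupport callback");
    }
  }
  // Expected to throw on bad credentials; nothing below runs in that case.
  mAuthenticationProvider.authenticate(username, password);
  if (ac != null) {
    // NOTE(review): nothing here compares ac.getAuthenticationID() with
    // ac.getAuthorizationID(); whether the two can differ depends on the SaslServer
    // that builds the callback. Confirm that, or compare them before authorizing.
    ac.setAuthorized(true);
    // After verification succeeds, a user with this authz id will be set to a Threadlocal.
    AuthenticatedClientUser.set(ac.getAuthorizedID());
    mCallback.run();
  }
}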
Use of javax.security.sasl.AuthorizeCallback in project jdk8u_jdk by JetBrains.
The class SaslGSS, method main.
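/**
 * Regression driver: a JGSS client negotiates with a SASL GSSAPI server that requires
 * {@code auth-conf}, then checks that a message the client wrapped without privacy is
 * still accepted, that the server's reply arrives with privacy, and that the captured
 * SASL debug log contains a {@code KRB5SRV04} line mentioning {@code NULL}.
 *
 * @param args ignored
 * @throws Exception if the server reply is not confidentiality-protected, if the
 *         expected log line never appears, or on any KDC/GSS/SASL failure
 */
public static void main(String[] args) throws Exception {
  String name = "host." + OneKDC.REALM.toLowerCase(Locale.US);
  new OneKDC(null).writeJAASConf();
  System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
  // Client in JGSS so that it can control wrap privacy mode
  GSSManager m = GSSManager.getInstance();
  GSSContext sc = m.createContext(
      m.createName(OneKDC.SERVER, GSSUtil.NT_GSS_KRB5_PRINCIPAL),
      GSSUtil.GSS_KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
  sc.requestMutualAuth(false);
  // Server in SASL. Typed map (the raw HashMap compiled only with an unchecked warning).
  final HashMap<String, Object> props = new HashMap<String, Object>();
  props.put(Sasl.QOP, "auth-conf");
  SaslServer ss = Sasl.createSaslServer("GSSAPI", "server", name, props, new CallbackHandler() {
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
      for (Callback cb : callbacks) {
        if (cb instanceof RealmCallback) {
          ((RealmCallback) cb).setText(OneKDC.REALM);
        } else if (cb instanceof AuthorizeCallback) {
          // Test fixture only: every authenticated identity is authorized as-is.
          ((AuthorizeCallback) cb).setAuthorized(true);
        }
      }
    }
  });
  // Capture stderr so the SASL debug output can be inspected after the handshake.
  ByteArrayOutputStream bout = new ByteArrayOutputStream();
  PrintStream oldErr = System.err;
  System.setErr(new PrintStream(bout));
  Logger.getLogger("javax.security.sasl").setLevel(Level.ALL);
  Handler h = new ConsoleHandler();
  h.setLevel(Level.ALL);
  Logger.getLogger("javax.security.sasl").addHandler(h);
  byte[] token = new byte[0];
  try {
    // Handshake
    token = sc.initSecContext(token, 0, token.length);
    token = ss.evaluateResponse(token);
    token = sc.unwrap(token, 0, token.length, new MessageProp(0, false));
    // First byte of the security-layer token is presumably the RFC 4752 QOP bitmask:
    // answer with confidentiality (4) when the server offers it, else integrity (2).
    token[0] = (byte) (((token[0] & 4) != 0) ? 4 : 2);
    token = sc.wrap(token, 0, token.length, new MessageProp(0, false));
    ss.evaluateResponse(token);
  } finally {
    System.setErr(oldErr);
  }
  // Talk
  // 1. Client sends a auth-int message
  byte[] hello = "hello".getBytes();
  MessageProp qop = new MessageProp(0, false);
  token = sc.wrap(hello, 0, hello.length, qop);
  // 2. Server accepts it anyway
  ss.unwrap(token, 0, token.length);
  // 3. Server sends a message
  token = ss.wrap(hello, 0, hello.length);
  // 4. Client accepts, should be auth-conf
  sc.unwrap(token, 0, token.length, qop);
  if (!qop.getPrivacy()) {
    throw new Exception("Server message was not confidentiality-protected (expected auth-conf)");
  }
  for (String s : bout.toString().split("\\n")) {
    if (s.contains("KRB5SRV04") && s.contains("NULL")) {
      return;
    }
  }
  System.out.println("=======================");
  System.out.println(bout.toString());
  System.out.println("=======================");
  throw new Exception("Haven't seen KRB5SRV04 with NULL");
}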
Use of javax.security.sasl.AuthorizeCallback in project JGroups by belaban.
The class SimpleAuthorizingCallbackHandler, method handle.
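/**
 * Answers the SASL callbacks for either side of the exchange.
 *
 * <p>The side is inferred from the {@link NameCallback}: a default name means the
 * peer (server side) and is looked up in {@code credentials}; no default name means we
 * are the client and must supply {@code localPrincipal}. The first pass validates the
 * realm and records which callbacks need an answer; the second pass fills them in.
 * An {@link AuthorizeCallback} is granted only when the authentication and
 * authorization ids match, and, when {@code role} is set, only if the authorization
 * id is listed for that role in {@code roles}.
 *
 * @param callbacks the callbacks supplied by the SASL client or server
 * @throws IOException on a realm mismatch, an unknown or role-less peer, or a missing
 *         credential entry
 * @throws UnsupportedCallbackException for any callback type not handled here
 */
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
  List<Callback> responseCallbacks = new LinkedList<>();
  String remotePrincipal = null;
  boolean remotePrincipalFound = false;
  for (Callback current : callbacks) {
    if (current instanceof AuthorizeCallback || current instanceof PasswordCallback) {
      responseCallbacks.add(current);
    } else if (current instanceof NameCallback) {
      NameCallback nameCallback = (NameCallback) current;
      remotePrincipal = nameCallback.getDefaultName();
      if (remotePrincipal != null) {
        // server
        remotePrincipalFound = credentials.containsKey(remotePrincipal);
      } else {
        // client, we need to respond
        responseCallbacks.add(current);
      }
    } else if (current instanceof RealmCallback) {
      String realmLocal = ((RealmCallback) current).getDefaultText();
      if (realmLocal != null && !this.realm.equals(realmLocal)) {
        throw new IOException("Invalid realm " + realmLocal);
      }
      responseCallbacks.add(current);
    } else {
      throw new UnsupportedCallbackException(current);
    }
  }
  for (Callback current : responseCallbacks) {
    if (current instanceof NameCallback) {
      ((NameCallback) current).setName(localPrincipal);
    } else if (current instanceof AuthorizeCallback) {
      AuthorizeCallback acb = (AuthorizeCallback) current;
      String authenticationId = acb.getAuthenticationID();
      String authorizationId = acb.getAuthorizationID();
      // A peer may only act as the identity it authenticated as. A null authentication
      // id now fails closed instead of throwing NullPointerException.
      acb.setAuthorized(authenticationId != null && authenticationId.equals(authorizationId));
      if (role != null) {
        // Properties.getProperty(null) throws; treat a missing id as "no roles".
        String principalRoleNames = authorizationId == null ? null : roles.getProperty(authorizationId);
        List<String> principalRoles = principalRoleNames != null
            ? Arrays.asList(principalRoleNames.split("\\s*,\\s*"))
            : Collections.<String>emptyList();
        if (!principalRoles.contains(role)) {
          throw new IOException("Unauthorized user " + authorizationId);
        }
      }
    } else if (current instanceof PasswordCallback) {
      String password;
      String owner;
      if (remotePrincipal == null) {
        // client, send our password
        owner = localPrincipal;
        password = credentials.getProperty(localPrincipal);
      } else if (remotePrincipalFound) {
        // server, validate incoming password
        owner = remotePrincipal;
        password = credentials.getProperty(remotePrincipal);
      } else {
        throw new IOException("Unauthorized user " + remotePrincipal);
      }
      if (password == null) {
        // Previously a NullPointerException (e.g. no entry for localPrincipal on the client).
        throw new IOException("No credential configured for " + owner);
      }
      ((PasswordCallback) current).setPassword(password.toCharArray());
    } else if (current instanceof RealmCallback) {
      ((RealmCallback) current).setText(realm);
    }
  }
}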
Use of javax.security.sasl.AuthorizeCallback in project accumulo by apache.
The class SaslServerDigestCallbackHandler, method handle.
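/**
 * Answers the server-side DIGEST-MD5 callbacks.
 *
 * <p>When a {@link PasswordCallback} is present, the token identifier encoded in the
 * {@link NameCallback}'s default name is resolved through {@code secretManager}, the
 * derived password is supplied to the mechanism, and the token's user is recorded in
 * the RPC principal thread-local. An {@link AuthorizeCallback} is granted only when
 * the authentication and authorization ids are equal. {@link RealmCallback}s are
 * ignored.
 *
 * @param callbacks the callbacks supplied by the SASL server
 * @throws InvalidToken if the token identifier cannot be resolved (propagated from
 *         {@code getIdentifier}/{@code getPassword})
 * @throws UnsupportedCallbackException for any other callback type
 * @throws IllegalStateException if a PasswordCallback arrives without a NameCallback
 */
@Override
public void handle(Callback[] callbacks) throws InvalidToken, UnsupportedCallbackException {
  NameCallback nc = null;
  PasswordCallback pc = null;
  AuthorizeCallback ac = null;
  for (Callback callback : callbacks) {
    if (callback instanceof AuthorizeCallback) {
      ac = (AuthorizeCallback) callback;
    } else if (callback instanceof NameCallback) {
      nc = (NameCallback) callback;
    } else if (callback instanceof PasswordCallback) {
      pc = (PasswordCallback) callback;
    } else if (!(callback instanceof RealmCallback)) {
      // realm is ignored; anything else is unexpected for DIGEST-MD5
      throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback");
    }
  }
  if (pc != null) {
    if (nc == null) {
      // The token identifier travels in the name; without it there is nothing to look up
      // (this used to be a NullPointerException on nc.getDefaultName()).
      throw new IllegalStateException("PasswordCallback received without a NameCallback");
    }
    AuthenticationTokenIdentifier tokenIdentifier = getIdentifier(nc.getDefaultName(), secretManager);
    char[] password = getPassword(secretManager, tokenIdentifier);
    UserGroupInformation user = tokenIdentifier.getUser();
    // Set the principal since we already deserialized the token identifier.
    // NOTE(review): this runs before the SASL layer has verified the client's digest
    // response; confirm the thread-local is only read once the exchange has completed.
    UGIAssumingProcessor.getRpcPrincipalThreadLocal().set(user.getUserName());
    log.trace("SASL server DIGEST-MD5 callback: setting password for client: {}", tokenIdentifier.getUser());
    pc.setPassword(password);
  }
  if (ac != null) {
    String authid = ac.getAuthenticationID();
    String authzid = ac.getAuthorizationID();
    // A client may only act as the identity it authenticated as; a null
    // authentication id fails closed instead of throwing NullPointerException.
    ac.setAuthorized(authid != null && authid.equals(authzid));
    if (ac.isAuthorized()) {
      // Kept even though username is only logged: getIdentifier presumably re-validates
      // the token encoded in authzid (it is what can raise InvalidToken here).
      String username = getIdentifier(authzid, secretManager).getUser().getUserName();
      log.trace("SASL server DIGEST-MD5 callback: setting canonicalized client ID: {}", username);
      ac.setAuthorizedID(authzid);
    }
  }
}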
Use of javax.security.sasl.AuthorizeCallback in project storm by apache.
The class ClientCallbackHandler, method handle.
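/**
 * This method is invoked by SASL for authentication challenges.
 *
 * <p>Only the {@link AuthorizeCallback} is answered: it is granted exactly when the
 * authentication and authorization ids match, and the authorized id is then set to
 * the authorization id. A {@link NameCallback} is logged and left unanswered; a
 * {@link PasswordCallback} is logged with guidance on refreshing the ticket cache,
 * since this client never supplies a password.
 *
 * @param callbacks a collection of challenge callbacks
 * @throws UnsupportedCallbackException for any callback type other than the three above
 * @throws IOException declared for the {@link CallbackHandler} contract; not raised here
 */
@Override
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
  for (Callback c : callbacks) {
    if (c instanceof NameCallback) {
      LOG.debug("name callback");
    } else if (c instanceof PasswordCallback) {
      LOG.debug("password callback");
      LOG.warn("Could not login: the client is being asked for a password, but the " + " client code does not currently support obtaining a password from the user." + " Make sure that the client is configured to use a ticket cache (using" + " the JAAS configuration setting 'useTicketCache=true)' and restart the client. If" + " you still get this message after that, the TGT in the ticket cache has expired and must" + " be manually refreshed. To do so, first determine if you are using a password or a" + " keytab. If the former, run kinit in a Unix shell in the environment of the user who" + " is running this client using the command" + " 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal)." + " If the latter, do" + " 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and" + " <keytab> is the location of the keytab file). After manually refreshing your cache," + " restart this client. If you continue to see this message after manually refreshing" + " your cache, ensure that your KDC host's clock is in sync with this host's clock.");
    } else if (c instanceof AuthorizeCallback) {
      LOG.debug("authorization callback");
      AuthorizeCallback ac = (AuthorizeCallback) c;
      String authid = ac.getAuthenticationID();
      String authzid = ac.getAuthorizationID();
      // Only the identity that authenticated may be authorized; a null authentication
      // id fails closed instead of throwing NullPointerException.
      ac.setAuthorized(authid != null && authid.equals(authzid));
      if (ac.isAuthorized()) {
        ac.setAuthorizedID(authzid);
      }
    } else {
      throw new UnsupportedCallbackException(c);
    }
  }
}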