
Example 6 with SaslClient

use of javax.security.sasl.SaslClient in project hadoop by apache.

the class TestFixKerberosTicketOrder method test.

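/**
 * Regression test for HADOOP-13433: the JDK's Kerberos GSS mechanism treats the first
 * {@link KerberosTicket} in a Subject's private credentials as the TGT. Once a service
 * ticket has been added, any reordering that puts it ahead of the TGT makes the next
 * GSSAPI handshake send a service ticket to the KDC, which fails. The test reproduces
 * that state by hand, proves it breaks a handshake, then checks that
 * {@link UserGroupInformation#fixKerberosTicketOrder()} restores the TGT to the front
 * and that new service tickets can be obtained again.
 * <p>
 * Relies on the Subject's private-credential set preserving insertion order, as the
 * assertion message on the first check notes (revisit if the JDK implementation changes).
 *
 * @throws Exception on login failure or an unexpected SASL error
 */
@Test
public void test() throws Exception {
    // Keytab login: the Subject starts with a TGT as its only Kerberos ticket.
    UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
            clientPrincipal, keytabFile.getCanonicalPath());
    // A successful handshake adds a service ticket for server1 to the Subject.
    authenticateTo(ugi, server1Protocol);
    Subject subject = ugi.getSubject();
    // Move the TGT to the end so a service ticket is first in the credential set.
    for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
        if (ticket.getServer().getName().startsWith("krbtgt")) {
            subject.getPrivateCredentials().remove(ticket);
            subject.getPrivateCredentials().add(ticket);
            break;
        }
    }
    // Sanity check of the setup: the first ticket must no longer be the TGT.
    assertFalse("The first ticket is still tgt, " + "the implementation in jdk may have been changed, "
            + "please reconsider the problem in HADOOP-13433",
            firstKerberosTicketServer(subject).startsWith("krbtgt"));
    // With a service ticket first, the handshake must fail: a service ticket is sent to the KDC
    // instead of the TGT.
    intercept(SaslException.class, () -> authenticateTo(ugi, server2Protocol));
    ugi.fixKerberosTicketOrder();
    // After the fix the TGT is the first ticket again.
    assertTrue("The first ticket is not tgt", firstKerberosTicketServer(subject).startsWith("krbtgt"));
    // And a fresh service ticket can be obtained for server2.
    authenticateTo(ugi, server2Protocol);
    assertTrue("No service ticket for " + server2Protocol + " found",
            subject.getPrivateCredentials(KerberosTicket.class).stream()
                    .filter(t -> t.getServer().getName().startsWith(server2Protocol))
                    .findAny().isPresent());
}

/**
 * Runs the client side of one GSSAPI (Kerberos) SASL handshake step as {@code ugi}
 * against the service {@code protocol} on {@code host}. The client is always disposed,
 * also when the handshake throws (the failing case is part of this test).
 *
 * @param ugi      the logged-in user whose credentials are used
 * @param protocol SASL protocol (service) name to authenticate to
 * @throws Exception whatever the handshake throws, {@link SaslException} on rejection
 */
private void authenticateTo(final UserGroupInformation ugi, final String protocol) throws Exception {
    ugi.doAs(new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            SaslClient client = Sasl.createSaslClient(
                    new String[] { AuthMethod.KERBEROS.getMechanismName() },
                    clientPrincipal, protocol, host, props, null);
            try {
                client.evaluateChallenge(new byte[0]);
            } finally {
                client.dispose();
            }
            return null;
        }
    });
}

/**
 * Returns the server principal name of the first {@link KerberosTicket} in the Subject's
 * private credentials, i.e. the ticket the JDK GSS mechanism would pick as the TGT.
 *
 * @throws AssertionError if the Subject holds no Kerberos ticket at all
 */
private static String firstKerberosTicketServer(final Subject subject) {
    return subject.getPrivateCredentials().stream()
            .filter(c -> c instanceof KerberosTicket)
            .map(c -> ((KerberosTicket) c).getServer().getName())
            .findFirst()
            .orElseThrow(() -> new AssertionError("no KerberosTicket in the Subject's private credentials"));
}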

Example 7 with SaslClient

use of javax.security.sasl.SaslClient in project hadoop by apache.

the class TestSaslRPC method runNegotiation.

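/**
 * Runs a complete SASL PLAIN exchange between an in-process client and server and
 * asserts that a single client response completes both sides.
 * <p>
 * PLAIN carries the credentials in cleartext inside the SASL response; it is only
 * acceptable over a confidential transport. Here it is exercised purely in-process.
 * The JDK ships no PLAIN server, so the server lookup is expected to resolve to a
 * project-registered provider (hence the explicit "failed to find PLAIN server" message).
 *
 * @param clientCbh callback handler for the client side (presumably supplies name and
 *                  password — confirm against the PLAIN client implementation)
 * @param serverCbh callback handler for the server side (password check / authorization)
 * @throws SaslException if either side rejects the exchange
 */
private void runNegotiation(CallbackHandler clientCbh, CallbackHandler serverCbh) throws SaslException {
    String mechanism = AuthMethod.PLAIN.getMechanismName();
    SaslClient saslClient = Sasl.createSaslClient(new String[] { mechanism }, null, null, null, null, clientCbh);
    assertNotNull(saslClient);
    SaslServer saslServer = null;
    try {
        saslServer = Sasl.createSaslServer(mechanism, null, "localhost", null, serverCbh);
        assertNotNull("failed to find PLAIN server", saslServer);
        // PLAIN sends an initial response; the client is complete after producing it.
        byte[] response = saslClient.evaluateChallenge(new byte[0]);
        assertNotNull(response);
        assertTrue(saslClient.isComplete());
        // The server either accepts (no further challenge) or throws.
        response = saslServer.evaluateResponse(response);
        assertNull(response);
        assertTrue(saslServer.isComplete());
        assertNotNull(saslServer.getAuthorizationID());
    } finally {
        // Release mechanism state on both sides, also when an assertion fails.
        saslClient.dispose();
        if (saslServer != null) {
            saslServer.dispose();
        }
    }
}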

Example 8 with SaslClient

use of javax.security.sasl.SaslClient in project mongo-java-driver by mongodb.

the class GSSAPIAuthenticator method createSaslClient.

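/**
 * Builds a GSSAPI (Kerberos) {@link SaslClient} for authenticating to {@code serverAddress}.
 * <p>
 * If the credential carries explicit SASL client properties under
 * {@code JAVA_SASL_CLIENT_PROPERTIES_KEY} they are passed through untouched; otherwise the
 * client is configured with a zero receive buffer and a pre-acquired GSS credential for the
 * credential's user name. No QOP is requested here, so the SASL layer provides authentication
 * only unless the caller-supplied properties say otherwise (presumably confidentiality comes
 * from TLS on the connection — confirm against the transport setup).
 *
 * @param serverAddress the server to authenticate to; its canonical host name becomes the
 *                      GSSAPI service host
 * @return a non-null SASL client
 * @throws MongoSecurityException if no GSSAPI provider is available, the host name cannot be
 *         canonicalized, or GSS credential acquisition / client creation fails
 */
@Override
protected SaslClient createSaslClient(final ServerAddress serverAddress) {
    final MongoCredential credential = getCredential();
    try {
        Map<String, Object> saslClientProperties =
                credential.getMechanismProperty(JAVA_SASL_CLIENT_PROPERTIES_KEY, null);
        if (saslClientProperties == null) {
            saslClientProperties = new HashMap<String, Object>();
            saslClientProperties.put(Sasl.MAX_BUFFER, "0");
            saslClientProperties.put(Sasl.CREDENTIALS, getGSSCredential(credential.getUserName()));
        }
        final String serviceName = credential.getMechanismProperty(SERVICE_NAME_KEY, SERVICE_NAME_DEFAULT_VALUE);
        final SaslClient saslClient = Sasl.createSaslClient(
                new String[] { GSSAPI.getMechanismName() },
                credential.getUserName(),
                serviceName,
                getHostName(serverAddress),
                saslClientProperties,
                null);
        if (saslClient == null) {
            throw new MongoSecurityException(credential, String.format("No platform support for %s mechanism", GSSAPI));
        }
        return saslClient;
    } catch (SaslException e) {
        throw new MongoSecurityException(credential, "Exception initializing SASL client", e);
    } catch (GSSException e) {
        throw new MongoSecurityException(credential, "Exception initializing GSSAPI credentials", e);
    } catch (UnknownHostException e) {
        // Keep the cause so the resolution failure is diagnosable; the message is the address
        // that could not be canonicalized.
        throw new MongoSecurityException(credential, "Unable to canonicalize host name " + serverAddress, e);
    }
}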

Example 9 with SaslClient

use of javax.security.sasl.SaslClient in project jdk8u_jdk by JetBrains.

the class SampleCallbackHandler method main.

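/**
 * Drives one in-process DIGEST-MD5 client/server exchange and checks the server's first
 * challenge: the {@code charset} and {@code algorithm} directive values ({@code utf-8},
 * {@code md5-sess}) must not appear enclosed in double quotes. Both sides share
 * {@code authCallbackHandler} and negotiate QOP {@code auth} only (no integrity or
 * confidentiality layer).
 * <p>
 * NOTE(review): DIGEST-MD5 is a historic SASL mechanism (RFC 6331); this is a conformance
 * check of the JDK implementation, not a recommended usage pattern.
 *
 * @param args ignored
 * @throws Exception if no client/server implementation is found, the server yields no
 *                   challenge, or the challenge quotes the charset/algorithm values
 */
public static void main(String[] args) throws Exception {
    Map<String, String> props = new TreeMap<String, String>();
    props.put(Sasl.QOP, "auth");
    // client
    SaslClient client = Sasl.createSaslClient(new String[] { DIGEST_MD5 }, "user1", "xmpp", "127.0.0.1", props, authCallbackHandler);
    if (client == null) {
        throw new Exception("Unable to find client implementation for: " + DIGEST_MD5);
    }
    SaslServer server = null;
    try {
        byte[] response = client.hasInitialResponse() ? client.evaluateChallenge(EMPTY) : EMPTY;
        // Decode with an explicit charset rather than the platform default.
        logger.info("initial: " + new String(response, "UTF-8"));
        // server
        server = Sasl.createSaslServer(DIGEST_MD5, "xmpp", "127.0.0.1", props, authCallbackHandler);
        if (server == null) {
            throw new Exception("Unable to find server implementation for: " + DIGEST_MD5);
        }
        byte[] challenge = null;
        if (!client.isComplete() || !server.isComplete()) {
            challenge = server.evaluateResponse(response);
            logger.info("challenge: " + (challenge == null ? "null" : new String(challenge, "UTF-8")));
            if (challenge != null) {
                response = client.evaluateChallenge(challenge);
            }
        }
        // Without a challenge there is nothing to inspect; fail explicitly instead of NPE-ing.
        if (challenge == null) {
            throw new Exception("Server produced no challenge for " + DIGEST_MD5);
        }
        String challengeString = new String(challenge, "UTF-8").toLowerCase(java.util.Locale.ROOT);
        // A quoted value anywhere in the challenge (index 0 included) is a violation.
        if (challengeString.indexOf("\"md5-sess\"") >= 0 || challengeString.indexOf("\"utf-8\"") >= 0) {
            throw new Exception("The challenge string's charset and " + "algorithm values must not be enclosed within quotes");
        }
    } finally {
        // Release mechanism state on both sides, also on failure.
        client.dispose();
        if (server != null) {
            server.dispose();
        }
    }
}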

Example 10 with SaslClient

use of javax.security.sasl.SaslClient in project drill by apache.

the class KerberosFactory method createSaslClient.

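/**
 * Creates a GSSAPI (Kerberos) {@link SaslClient} running as {@code ugi} for the service named
 * by the service principal in {@code properties}. The principal is split into
 * service name, host and realm; only the first two are passed to SASL, the realm is taken by
 * GSSAPI from the ticket.
 * <p>
 * The client gets no authorization ID (the authenticated Kerberos principal is used) and a
 * callback handler that rejects every callback: a logged-in {@code ugi} must already hold the
 * credentials, and refusing callbacks rules out any interactive or password-based fallback.
 *
 * @param ugi        the logged-in user whose Kerberos credentials perform the handshake
 * @param properties SASL properties; must carry the service principal and may carry
 *                   {@link Sasl#QOP} (defaults to {@code auth} when absent or null)
 * @return a GSSAPI SASL client bound to the service and host
 * @throws SaslException if the client cannot be created; the underlying cause is preserved
 */
@Override
public SaslClient createSaslClient(final UserGroupInformation ugi, final Map<String, ?> properties) throws SaslException {
    final String servicePrincipal = getServicePrincipal(properties);
    final String[] parts = KerberosUtil.splitPrincipalIntoParts(servicePrincipal);
    final String serviceName = parts[0];
    final String serviceHostName = parts[1];
    // parts[2] (realm) is intentionally unused; GSSAPI gets the realm info from the ticket.
    final Object qop = properties.get(Sasl.QOP);
    final String qopValue = qop == null ? "auth" : qop.toString();
    try {
        final SaslClient saslClient = ugi.doAs(new PrivilegedExceptionAction<SaslClient>() {

            @Override
            public SaslClient run() throws Exception {
                return FastSaslClientFactory.getInstance().createSaslClient(
                        new String[] { KerberosUtil.KERBEROS_SASL_NAME },
                        null, /* authorization ID: use the Kerberos principal */
                        serviceName, serviceHostName, properties, new CallbackHandler() {

                            @Override
                            public void handle(final Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                                // GSSAPI with an existing login needs no callbacks; refuse all.
                                throw new UnsupportedCallbackException(callbacks[0]);
                            }
                        });
            }
        });
        logger.debug("GSSAPI SaslClient created to authenticate to {} running on {} with QOP value {}", serviceName, serviceHostName, qopValue);
        return saslClient;
    } catch (final UndeclaredThrowableException e) {
        // doAs wraps checked exceptions other than IOException/InterruptedException.
        logger.debug("Authentication failed.", e);
        throw new SaslException(String.format("Unexpected failure trying to authenticate to %s using GSSAPI with QOP %s", serviceHostName, qopValue), e.getCause());
    } catch (final SaslException e) {
        logger.debug("Authentication failed.", e);
        throw e;
    } catch (final IOException e) {
        logger.debug("Authentication failed.", e);
        throw new SaslException(String.format("Unexpected failure trying to authenticate to %s using GSSAPI with QOP %s", serviceHostName, qopValue), e);
    } catch (final InterruptedException e) {
        // Restore the interrupt flag so the caller can observe the interruption.
        Thread.currentThread().interrupt();
        logger.debug("Authentication failed.", e);
        throw new SaslException(String.format("Unexpected failure trying to authenticate to %s using GSSAPI with QOP %s", serviceHostName, qopValue), e);
    }
}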
