use of javax.security.sasl.SaslException in project drill by apache.
the class PlainServer method evaluateResponse.
@Override
public byte[] evaluateResponse(byte[] response) throws SaslException {
if (completed) {
throw new IllegalStateException("PLAIN authentication already completed");
}
if (response == null) {
throw new SaslException("Received null response");
}
final String payload = new String(response, StandardCharsets.UTF_8);
// Separator defined in PlainClient is 0
// three parts: [ authorizationID, authenticationID, password ]
final String[] parts = payload.split(UTF_8_NULL, 3);
if (parts.length != 3) {
throw new SaslException("Received corrupt response. Expected 3 parts, but received " + parts.length);
}
String authorizationID = parts[0];
final String authenticationID = parts[1];
final String password = parts[2];
if (authorizationID.isEmpty()) {
authorizationID = authenticationID;
}
try {
authenticator.authenticate(authenticationID, password);
} catch (final UserAuthenticationException e) {
throw new SaslException(e.getMessage());
}
if (!authorizationID.equals(authenticationID)) {
throw new SaslException("Drill expects authorization ID and authentication ID to match. " + "Use inbound impersonation feature so one entity can act on behalf of another.");
}
this.authorizationID = authorizationID;
completed = true;
return null;
}
use of javax.security.sasl.SaslException in project drill by apache.
the class ServerAuthenticationHandler method handleSuccess.
private static <S extends ServerConnection<S>, T extends EnumLite> void handleSuccess(final SaslResponseContext<S, T> context, final SaslMessage.Builder challenge, final SaslServer saslServer) throws IOException {
final S connection = context.connection;
connection.changeHandlerTo(context.requestHandler);
connection.finalizeSaslSession();
// Check the negotiated property before sending the response back to client
try {
final String negotiatedQOP = saslServer.getNegotiatedProperty(Sasl.QOP).toString();
final String expectedQOP = (connection.isEncryptionEnabled()) ? SaslProperties.QualityOfProtection.PRIVACY.getSaslQop() : SaslProperties.QualityOfProtection.AUTHENTICATION.getSaslQop();
if (!(negotiatedQOP.equals(expectedQOP))) {
throw new SaslException(String.format("Mismatch in negotiated QOP value: %s and Expected QOP value: %s", negotiatedQOP, expectedQOP));
}
// negotiated size of buffer
if (connection.isEncryptionEnabled()) {
final int negotiatedRawSendSize = Integer.parseInt(saslServer.getNegotiatedProperty(Sasl.RAW_SEND_SIZE).toString());
if (negotiatedRawSendSize <= 0) {
throw new SaslException(String.format("Negotiated rawSendSize: %d is invalid. Please check the configured " + "value of encryption.sasl.max_wrapped_size. It might be configured to a very small value.", negotiatedRawSendSize));
}
connection.setWrapSizeLimit(negotiatedRawSendSize);
}
} catch (IllegalStateException | NumberFormatException e) {
throw new SaslException(String.format("Unexpected failure while retrieving negotiated property values (%s)", e.getMessage()), e);
}
if (logger.isTraceEnabled()) {
logger.trace("Authenticated {} successfully using {} from {} with encryption context {}", saslServer.getAuthorizationID(), saslServer.getMechanismName(), connection.getRemoteAddress().toString(), connection.getEncryptionCtxtString());
}
// All checks have passed let's send the response back to client before adding handlers.
context.sender.send(new Response(context.saslResponseType, challenge.build()));
if (connection.isEncryptionEnabled()) {
connection.addSecurityHandlers();
} else {
// Encryption is not required hence we don't need to hold on to saslServer object.
connection.disposeSaslServer();
}
}
use of javax.security.sasl.SaslException in project drill by apache.
the class ServerAuthenticationHandler method handle.
@Override
public void handle(S connection, int rpcType, ByteBuf pBody, ByteBuf dBody, ResponseSender sender) throws RpcException {
final String remoteAddress = connection.getRemoteAddress().toString();
// exchange involves server "challenges" and client "responses" (initiated by client)
if (saslRequestTypeValue == rpcType) {
final SaslMessage saslResponse;
try {
saslResponse = SaslMessage.PARSER.parseFrom(new ByteBufInputStream(pBody));
} catch (final InvalidProtocolBufferException e) {
handleAuthFailure(connection, sender, e, saslResponseType);
return;
}
logger.trace("Received SASL message {} from {}", saslResponse.getStatus(), remoteAddress);
final SaslResponseProcessor processor = RESPONSE_PROCESSORS.get(saslResponse.getStatus());
if (processor == null) {
logger.info("Unknown message type from client from {}. Will stop authentication.", remoteAddress);
handleAuthFailure(connection, sender, new SaslException("Received unexpected message"), saslResponseType);
return;
}
final SaslResponseContext<S, T> context = new SaslResponseContext<>(saslResponse, connection, sender, requestHandler, saslResponseType);
try {
processor.process(context);
} catch (final Exception e) {
handleAuthFailure(connection, sender, e, saslResponseType);
}
} else {
// drop connection
throw new RpcException(String.format("Request of type %d is not allowed without authentication. Client on %s must authenticate " + "before making requests. Connection dropped. [Details: %s]", rpcType, remoteAddress, connection.getEncryptionCtxtString()));
}
}
use of javax.security.sasl.SaslException in project jdk8u_jdk by JetBrains.
the class SaslInputStream method close.
public void close() throws IOException {
SaslException save = null;
try {
// Dispose of SaslClient's state
sc.dispose();
} catch (SaslException e) {
// Save exception for throwing after closing 'in'
save = e;
}
// Close underlying input stream
in.close();
if (save != null) {
throw save;
}
}
use of javax.security.sasl.SaslException in project zookeeper by apache.
the class ZooKeeperServer method processSasl.
private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn cnxn) throws IOException {
LOG.debug("Responding to client SASL token.");
GetSASLRequest clientTokenRecord = new GetSASLRequest();
ByteBufferInputStream.byteBuffer2Record(incomingBuffer, clientTokenRecord);
byte[] clientToken = clientTokenRecord.getToken();
LOG.debug("Size of client SASL token: " + clientToken.length);
byte[] responseToken = null;
try {
ZooKeeperSaslServer saslServer = cnxn.zooKeeperSaslServer;
try {
// note that clientToken might be empty (clientToken.length == 0):
// if using the DIGEST-MD5 mechanism, clientToken will be empty at the beginning of the
// SASL negotiation process.
responseToken = saslServer.evaluateResponse(clientToken);
if (saslServer.isComplete()) {
String authorizationID = saslServer.getAuthorizationID();
LOG.info("adding SASL authorization for authorizationID: " + authorizationID);
cnxn.addAuthInfo(new Id("sasl", authorizationID));
if (System.getProperty("zookeeper.superUser") != null && authorizationID.equals(System.getProperty("zookeeper.superUser"))) {
cnxn.addAuthInfo(new Id("super", ""));
}
}
} catch (SaslException e) {
LOG.warn("Client failed to SASL authenticate: " + e, e);
if ((System.getProperty("zookeeper.allowSaslFailedClients") != null) && (System.getProperty("zookeeper.allowSaslFailedClients").equals("true"))) {
LOG.warn("Maintaining client connection despite SASL authentication failure.");
} else {
LOG.warn("Closing client connection due to SASL authentication failure.");
cnxn.close();
}
}
} catch (NullPointerException e) {
LOG.error("cnxn.saslServer is null: cnxn object did not initialize its saslServer properly.");
}
if (responseToken != null) {
LOG.debug("Size of server SASL response: " + responseToken.length);
}
// wrap SASL response token to client inside a Response object.
return new SetSASLResponse(responseToken);
}
Aggregations