Search in sources :

Example 71 with SaslException

use of javax.security.sasl.SaslException in project drill by apache.

the class PlainServer method evaluateResponse.

@Override
public byte[] evaluateResponse(byte[] response) throws SaslException {
    if (completed) {
        throw new IllegalStateException("PLAIN authentication already completed");
    }
    if (response == null) {
        throw new SaslException("Received null response");
    }
    final String payload = new String(response, StandardCharsets.UTF_8);
    // Separator defined in PlainClient is 0
    // three parts: [ authorizationID, authenticationID, password ]
    final String[] parts = payload.split(UTF_8_NULL, 3);
    if (parts.length != 3) {
        throw new SaslException("Received corrupt response. Expected 3 parts, but received " + parts.length);
    }
    String authorizationID = parts[0];
    final String authenticationID = parts[1];
    final String password = parts[2];
    if (authorizationID.isEmpty()) {
        authorizationID = authenticationID;
    }
    try {
        authenticator.authenticate(authenticationID, password);
    } catch (final UserAuthenticationException e) {
        throw new SaslException(e.getMessage());
    }
    if (!authorizationID.equals(authenticationID)) {
        throw new SaslException("Drill expects authorization ID and authentication ID to match. " + "Use inbound impersonation feature so one entity can act on behalf of another.");
    }
    this.authorizationID = authorizationID;
    completed = true;
    return null;
}
Also used : UserAuthenticationException(org.apache.drill.exec.rpc.user.security.UserAuthenticationException) SaslException(javax.security.sasl.SaslException)

Example 72 with SaslException

use of javax.security.sasl.SaslException in project drill by apache.

the class ServerAuthenticationHandler method handleSuccess.

private static <S extends ServerConnection<S>, T extends EnumLite> void handleSuccess(final SaslResponseContext<S, T> context, final SaslMessage.Builder challenge, final SaslServer saslServer) throws IOException {
    final S connection = context.connection;
    connection.changeHandlerTo(context.requestHandler);
    connection.finalizeSaslSession();
    // Check the negotiated property before sending the response back to client
    try {
        final String negotiatedQOP = saslServer.getNegotiatedProperty(Sasl.QOP).toString();
        final String expectedQOP = (connection.isEncryptionEnabled()) ? SaslProperties.QualityOfProtection.PRIVACY.getSaslQop() : SaslProperties.QualityOfProtection.AUTHENTICATION.getSaslQop();
        if (!(negotiatedQOP.equals(expectedQOP))) {
            throw new SaslException(String.format("Mismatch in negotiated QOP value: %s and Expected QOP value: %s", negotiatedQOP, expectedQOP));
        }
        // negotiated size of buffer
        if (connection.isEncryptionEnabled()) {
            final int negotiatedRawSendSize = Integer.parseInt(saslServer.getNegotiatedProperty(Sasl.RAW_SEND_SIZE).toString());
            if (negotiatedRawSendSize <= 0) {
                throw new SaslException(String.format("Negotiated rawSendSize: %d is invalid. Please check the configured " + "value of encryption.sasl.max_wrapped_size. It might be configured to a very small value.", negotiatedRawSendSize));
            }
            connection.setWrapSizeLimit(negotiatedRawSendSize);
        }
    } catch (IllegalStateException | NumberFormatException e) {
        throw new SaslException(String.format("Unexpected failure while retrieving negotiated property values (%s)", e.getMessage()), e);
    }
    if (logger.isTraceEnabled()) {
        logger.trace("Authenticated {} successfully using {} from {} with encryption context {}", saslServer.getAuthorizationID(), saslServer.getMechanismName(), connection.getRemoteAddress().toString(), connection.getEncryptionCtxtString());
    }
    // All checks have passed let's send the response back to client before adding handlers.
    context.sender.send(new Response(context.saslResponseType, challenge.build()));
    if (connection.isEncryptionEnabled()) {
        connection.addSecurityHandlers();
    } else {
        // Encryption is not required hence we don't need to hold on to saslServer object.
        connection.disposeSaslServer();
    }
}
Also used : Response(org.apache.drill.exec.rpc.Response) ByteString(com.google.protobuf.ByteString) SaslException(javax.security.sasl.SaslException)

Example 73 with SaslException

use of javax.security.sasl.SaslException in project drill by apache.

the class ServerAuthenticationHandler method handle.

@Override
public void handle(S connection, int rpcType, ByteBuf pBody, ByteBuf dBody, ResponseSender sender) throws RpcException {
    final String remoteAddress = connection.getRemoteAddress().toString();
    // exchange involves server "challenges" and client "responses" (initiated by client)
    if (saslRequestTypeValue == rpcType) {
        final SaslMessage saslResponse;
        try {
            saslResponse = SaslMessage.PARSER.parseFrom(new ByteBufInputStream(pBody));
        } catch (final InvalidProtocolBufferException e) {
            handleAuthFailure(connection, sender, e, saslResponseType);
            return;
        }
        logger.trace("Received SASL message {} from {}", saslResponse.getStatus(), remoteAddress);
        final SaslResponseProcessor processor = RESPONSE_PROCESSORS.get(saslResponse.getStatus());
        if (processor == null) {
            logger.info("Unknown message type from client from {}. Will stop authentication.", remoteAddress);
            handleAuthFailure(connection, sender, new SaslException("Received unexpected message"), saslResponseType);
            return;
        }
        final SaslResponseContext<S, T> context = new SaslResponseContext<>(saslResponse, connection, sender, requestHandler, saslResponseType);
        try {
            processor.process(context);
        } catch (final Exception e) {
            handleAuthFailure(connection, sender, e, saslResponseType);
        }
    } else {
        // drop connection
        throw new RpcException(String.format("Request of type %d is not allowed without authentication. Client on %s must authenticate " + "before making requests. Connection dropped. [Details: %s]", rpcType, remoteAddress, connection.getEncryptionCtxtString()));
    }
}
Also used : RpcException(org.apache.drill.exec.rpc.RpcException) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException) SaslMessage(org.apache.drill.exec.proto.UserBitShared.SaslMessage) ByteString(com.google.protobuf.ByteString) ByteBufInputStream(io.netty.buffer.ByteBufInputStream) SaslException(javax.security.sasl.SaslException) InvalidProtocolBufferException(com.google.protobuf.InvalidProtocolBufferException) RpcException(org.apache.drill.exec.rpc.RpcException) IOException(java.io.IOException) SaslException(javax.security.sasl.SaslException) UndeclaredThrowableException(java.lang.reflect.UndeclaredThrowableException)

Example 74 with SaslException

use of javax.security.sasl.SaslException in project jdk8u_jdk by JetBrains.

the class SaslInputStream method close.

public void close() throws IOException {
    SaslException save = null;
    try {
        // Dispose of SaslClient's state
        sc.dispose();
    } catch (SaslException e) {
        // Save exception for throwing after closing 'in'
        save = e;
    }
    // Close underlying input stream
    in.close();
    if (save != null) {
        throw save;
    }
}
Also used : SaslException(javax.security.sasl.SaslException)

Example 75 with SaslException

use of javax.security.sasl.SaslException in project zookeeper by apache.

the class ZooKeeperServer method processSasl.

private Record processSasl(ByteBuffer incomingBuffer, ServerCnxn cnxn) throws IOException {
    LOG.debug("Responding to client SASL token.");
    GetSASLRequest clientTokenRecord = new GetSASLRequest();
    ByteBufferInputStream.byteBuffer2Record(incomingBuffer, clientTokenRecord);
    byte[] clientToken = clientTokenRecord.getToken();
    LOG.debug("Size of client SASL token: " + clientToken.length);
    byte[] responseToken = null;
    try {
        ZooKeeperSaslServer saslServer = cnxn.zooKeeperSaslServer;
        try {
            // note that clientToken might be empty (clientToken.length == 0):
            // if using the DIGEST-MD5 mechanism, clientToken will be empty at the beginning of the
            // SASL negotiation process.
            responseToken = saslServer.evaluateResponse(clientToken);
            if (saslServer.isComplete()) {
                String authorizationID = saslServer.getAuthorizationID();
                LOG.info("adding SASL authorization for authorizationID: " + authorizationID);
                cnxn.addAuthInfo(new Id("sasl", authorizationID));
                if (System.getProperty("zookeeper.superUser") != null && authorizationID.equals(System.getProperty("zookeeper.superUser"))) {
                    cnxn.addAuthInfo(new Id("super", ""));
                }
            }
        } catch (SaslException e) {
            LOG.warn("Client failed to SASL authenticate: " + e, e);
            if ((System.getProperty("zookeeper.allowSaslFailedClients") != null) && (System.getProperty("zookeeper.allowSaslFailedClients").equals("true"))) {
                LOG.warn("Maintaining client connection despite SASL authentication failure.");
            } else {
                LOG.warn("Closing client connection due to SASL authentication failure.");
                cnxn.close();
            }
        }
    } catch (NullPointerException e) {
        LOG.error("cnxn.saslServer is null: cnxn object did not initialize its saslServer properly.");
    }
    if (responseToken != null) {
        LOG.debug("Size of server SASL response: " + responseToken.length);
    }
    // wrap SASL response token to client inside a Response object.
    return new SetSASLResponse(responseToken);
}
Also used : SetSASLResponse(org.apache.zookeeper.proto.SetSASLResponse) Id(org.apache.zookeeper.data.Id) SaslException(javax.security.sasl.SaslException) GetSASLRequest(org.apache.zookeeper.proto.GetSASLRequest)

Aggregations

SaslException (javax.security.sasl.SaslException)75 IOException (java.io.IOException)24 NameCallback (javax.security.auth.callback.NameCallback)11 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)11 SaslClient (javax.security.sasl.SaslClient)7 PrivilegedActionException (java.security.PrivilegedActionException)6 Callback (javax.security.auth.callback.Callback)6 PasswordCallback (javax.security.auth.callback.PasswordCallback)6 LoginException (javax.security.auth.login.LoginException)6 SaslServer (javax.security.sasl.SaslServer)6 UndeclaredThrowableException (java.lang.reflect.UndeclaredThrowableException)5 InvalidKeyException (java.security.InvalidKeyException)5 AuthorizeCallback (javax.security.sasl.AuthorizeCallback)5 RpcException (org.apache.drill.exec.rpc.RpcException)5 GSSException (org.ietf.jgss.GSSException)5 DataOutputStream (java.io.DataOutputStream)4 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)4 Principal (java.security.Principal)4 CallbackHandler (javax.security.auth.callback.CallbackHandler)4 GSSCredential (org.ietf.jgss.GSSCredential)4