
Example 16 with SaslServer

Use of javax.security.sasl.SaslServer in the Apache Hadoop project.

From class TestSaslRPC, method runNegotiation (a test helper that drives one SASL PLAIN exchange in-process).

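/**
 * Drives one complete SASL PLAIN exchange between an in-process client and server.
 *
 * PLAIN is a single-round mechanism: the client's first (and only) response carries
 * the credentials and the server either accepts it, returning {@code null}, or throws.
 * Both endpoints are disposed in a {@code finally} so credential material held by the
 * mechanism implementations is released even when an assertion fails.
 *
 * Note: PLAIN sends the password in the clear inside that response (RFC 4616); this
 * is acceptable here only because the exchange never leaves the process.
 *
 * @param clientCbh supplies the client's name/password callbacks
 * @param serverCbh validates the submitted credentials and authorizes the identity
 * @throws SaslException if either side rejects the exchange
 */
private void runNegotiation(CallbackHandler clientCbh, CallbackHandler serverCbh) throws SaslException {
    String mechanism = AuthMethod.PLAIN.getMechanismName();
    SaslClient saslClient = Sasl.createSaslClient(new String[] { mechanism }, null, null, null, null, clientCbh);
    assertNotNull(saslClient);
    SaslServer saslServer = Sasl.createSaslServer(mechanism, null, "localhost", null, serverCbh);
    assertNotNull("failed to find PLAIN server", saslServer);
    try {
        // Client side: PLAIN has an initial response, so an empty challenge is enough
        // to produce the credential blob and complete the client state machine.
        byte[] response = saslClient.evaluateChallenge(new byte[0]);
        assertNotNull(response);
        assertTrue(saslClient.isComplete());
        // Server side: a successful PLAIN authentication yields no further challenge
        // and leaves an authorization id behind.
        response = saslServer.evaluateResponse(response);
        assertNull(response);
        assertTrue(saslServer.isComplete());
        assertNotNull(saslServer.getAuthorizationID());
    } finally {
        // Release mechanism state (including any copied password) regardless of outcome.
        saslClient.dispose();
        saslServer.dispose();
    }
}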

Example 17 with SaslServer

Use of javax.security.sasl.SaslServer in the Apache Hadoop project.

From class SaslRpcServer, method create (builds the server-side SaslServer for an RPC connection).

/**
 * Creates the server-side SASL endpoint for one connection, using the mechanism this
 * server instance was configured with ({@code authMethod} / {@code mechanism}).
 *
 * TOKEN is served by the DIGEST callback handler, which is handed the
 * {@code secretManager} and the connection; KERBEROS is served by the GSS callback
 * handler and the SaslServer is created inside the current user's {@code doAs}
 * (presumably so the GSSAPI provider can find the Kerberos login credentials).
 * Any other method is rejected.
 *
 * @param connection connection being authenticated
 * @param saslProperties SASL properties passed through to the factory
 * @param secretManager token secret manager used by the TOKEN path
 * @return the created SaslServer, never {@code null}
 * @throws AccessControlException if the method is unsupported, the Kerberos server id
 *         is empty, or no provider supplies the mechanism
 * @throws IOException on failures from the factory
 * @throws InterruptedException if the privileged action is interrupted
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
public SaslServer create(final Connection connection, final Map<String, ?> saslProperties, SecretManager<TokenIdentifier> secretManager) throws IOException, InterruptedException {
    final CallbackHandler handler;
    UserGroupInformation serverUgi = null;
    switch (authMethod) {
        case TOKEN:
            handler = new SaslDigestCallbackHandler(secretManager, connection);
            break;
        case KERBEROS:
            serverUgi = UserGroupInformation.getCurrentUser();
            // Per the error text, serverId is expected to be the host part of the
            // service principal; refuse to start GSSAPI without it.
            if (serverId.isEmpty()) {
                throw new AccessControlException("Kerberos principal name does NOT have the expected " + "hostname part: " + serverUgi.getUserName());
            }
            handler = new SaslGssCallbackHandler();
            break;
        default:
            // we should never be able to get here
            throw new AccessControlException("Server does not support SASL " + authMethod);
    }
    final PrivilegedExceptionAction<SaslServer> createServer = new PrivilegedExceptionAction<SaslServer>() {

        @Override
        public SaslServer run() throws SaslException {
            return saslFactory.createSaslServer(mechanism, protocol, serverId, saslProperties, handler);
        }
    };
    // Only the Kerberos path runs under the login user's doAs; the token path has no
    // Subject to switch to and simply invokes the factory.
    final SaslServer server = (serverUgi == null) ? createServer.run() : serverUgi.doAs(createServer);
    if (server == null) {
        throw new AccessControlException("Unable to find SASL server implementation for " + mechanism);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("Created SASL server with mechanism = " + mechanism);
    }
    return server;
}

Example 18 with SaslServer

Use of javax.security.sasl.SaslServer in the jdk8u_jdk project (JetBrains fork).

From class SampleCallbackHandler, method main (JDK regression test for the DIGEST-MD5 server challenge format).

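/**
 * Regression check for the DIGEST-MD5 server challenge format.
 *
 * Runs one client/server round in-process and inspects the server's first challenge:
 * RFC 2831 defines {@code charset=utf-8} and {@code algorithm=md5-sess} as unquoted
 * tokens, so a challenge that quotes either value is a bug. Only the wire format is
 * checked; the exchange is not driven to completion.
 *
 * Caveat for readers: DIGEST-MD5 is historic (RFC 6331); this test keeps the JDK
 * implementation interoperable, it is not an endorsement of the mechanism.
 *
 * @param args ignored
 * @throws Exception if no DIGEST-MD5 provider is available, the server produced no
 *         challenge, or the challenge quotes the charset/algorithm values
 */
public static void main(String[] args) throws Exception {
    Map<String, String> props = new TreeMap<String, String>();
    props.put(Sasl.QOP, "auth");
    // client
    SaslClient client = Sasl.createSaslClient(new String[] { DIGEST_MD5 }, "user1", "xmpp", "127.0.0.1", props, authCallbackHandler);
    if (client == null) {
        throw new Exception("Unable to find client implementation for: " + DIGEST_MD5);
    }
    SaslServer server = null;
    try {
        // DIGEST-MD5 has no initial client response, so this normally stays EMPTY.
        byte[] response = client.hasInitialResponse() ? client.evaluateChallenge(EMPTY) : EMPTY;
        logger.info("initial: " + new String(response, "UTF-8"));
        // server
        server = Sasl.createSaslServer(DIGEST_MD5, "xmpp", "127.0.0.1", props, authCallbackHandler);
        if (server == null) {
            throw new Exception("Unable to find server implementation for: " + DIGEST_MD5);
        }
        // Both endpoints are freshly created, so the first server challenge is always
        // requested. Fail with a message if there is none instead of NPE-ing on it below.
        byte[] challenge = server.evaluateResponse(response);
        if (challenge == null) {
            throw new Exception("Server completed without issuing a challenge to inspect");
        }
        logger.info("challenge: " + new String(challenge, "UTF-8"));
        // Let the client consume the challenge as well; its response is not needed for
        // the format check that is the point of this test.
        client.evaluateChallenge(challenge);
        // RFC 2831: charset and algorithm are tokens, never quoted-strings.
        String challengeString = new String(challenge, "UTF-8").toLowerCase();
        if (challengeString.contains("\"md5-sess\"") || challengeString.contains("\"utf-8\"")) {
            throw new Exception("The challenge string's charset and " + "algorithm values must not be enclosed within quotes");
        }
    } finally {
        // dispose() releases whatever credential material the mechanisms hold.
        client.dispose();
        if (server != null) {
            server.dispose();
        }
    }
}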

Example 19 with SaslServer

Use of javax.security.sasl.SaslServer in the jdk8u_jdk project (JetBrains fork).

From class SaslGSS, method main (JDK regression test for the GSSAPI SaslServer's quality-of-protection handling, with the client driven through JGSS directly).

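/**
 * Regression test for the JDK GSSAPI SaslServer's handling of the negotiated quality
 * of protection.
 *
 * The client is driven through JGSS directly rather than through a SaslClient so the
 * test can pick the security-layer byte itself and choose the wrap mode of every
 * message. The server is a SaslServer configured for {@code auth-conf}. Two things
 * are verified: a message the client wraps without privacy is still unwrapped by the
 * server, while the message the server wraps comes back with privacy set; and the
 * captured {@code javax.security.sasl} debug log contains a "KRB5SRV04" line that
 * mentions "NULL" (what that line records is defined by the JDK implementation and
 * is not visible here).
 *
 * Test-only shortcuts that must not be copied into real code: the client switches
 * mutual authentication off, and the AuthorizeCallback authorizes every identity
 * without comparing authentication and authorization ids.
 *
 * @param args ignored
 * @throws Exception if the server does not use privacy or the expected log line is absent
 */
public static void main(String[] args) throws Exception {
    String name = "host." + OneKDC.REALM.toLowerCase(Locale.US);
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    // Client in JGSS so that it can control wrap privacy mode
    GSSManager m = GSSManager.getInstance();
    GSSContext sc = m.createContext(m.createName(OneKDC.SERVER, GSSUtil.NT_GSS_KRB5_PRINCIPAL), GSSUtil.GSS_KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
    // Test-only: the client does not authenticate the server. Real clients should
    // leave mutual authentication on.
    sc.requestMutualAuth(false);
    // Server in SASL, asking for confidentiality on the security layer
    final HashMap<String, String> props = new HashMap<String, String>();
    props.put(Sasl.QOP, "auth-conf");
    SaslServer ss = Sasl.createSaslServer("GSSAPI", "server", name, props, new CallbackHandler() {

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof RealmCallback) {
                    ((RealmCallback) cb).setText(OneKDC.REALM);
                } else if (cb instanceof AuthorizeCallback) {
                    // Test-only: authorizes any identity. A production handler must
                    // compare getAuthenticationID() with getAuthorizationID() first.
                    ((AuthorizeCallback) cb).setAuthorized(true);
                }
            }
        }
    });
    // Capture the javax.security.sasl debug log. ConsoleHandler binds to System.err at
    // construction time, so it keeps writing into bout even after System.err is
    // restored below.
    ByteArrayOutputStream bout = new ByteArrayOutputStream();
    PrintStream oldErr = System.err;
    System.setErr(new PrintStream(bout));
    Logger saslLogger = Logger.getLogger("javax.security.sasl");
    saslLogger.setLevel(Level.ALL);
    Handler h = new ConsoleHandler();
    h.setLevel(Level.ALL);
    saslLogger.addHandler(h);
    byte[] token = new byte[0];
    try {
        // Handshake: context establishment (a single client token, mutual auth is off) ...
        token = sc.initSecContext(token, 0, token.length);
        token = ss.evaluateResponse(token);
        // ... then the RFC 4752 security-layer negotiation. Byte 0 of the server's token
        // is the bitmask of layers it offers; the client answers with the single layer
        // it selects: confidentiality (4) if offered, otherwise integrity (2).
        token = sc.unwrap(token, 0, token.length, new MessageProp(0, false));
        token[0] = (byte) (((token[0] & 4) != 0) ? 4 : 2);
        token = sc.wrap(token, 0, token.length, new MessageProp(0, false));
        ss.evaluateResponse(token);
    } finally {
        System.setErr(oldErr);
    }
    // Talk
    // 1. Client sends a auth-int message (wrapped without privacy)
    byte[] hello = "hello".getBytes("UTF-8");
    MessageProp qop = new MessageProp(0, false);
    token = sc.wrap(hello, 0, hello.length, qop);
    // 2. Server accepts it anyway
    ss.unwrap(token, 0, token.length);
    // 3. Server sends a message
    token = ss.wrap(hello, 0, hello.length);
    // 4. Client accepts, should be auth-conf
    sc.unwrap(token, 0, token.length, qop);
    if (!qop.getPrivacy()) {
        throw new Exception("Server-wrapped message did not use privacy (auth-conf) although that QOP was negotiated");
    }
    // Stop capturing before tearing the contexts down so the log scan below sees exactly
    // the handshake and message traffic, then release both contexts.
    saslLogger.removeHandler(h);
    ss.dispose();
    sc.dispose();
    for (String s : bout.toString().split("\\n")) {
        if (s.contains("KRB5SRV04") && s.contains("NULL")) {
            return;
        }
    }
    System.out.println("=======================");
    System.out.println(bout.toString());
    System.out.println("=======================");
    throw new Exception("Haven't seen KRB5SRV04 with NULL");
}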

Example 20 with SaslServer

Use of javax.security.sasl.SaslServer in the Apache BookKeeper project.

From class SaslServerState, method createSaslServer (selects GSSAPI or DIGEST-MD5 based on the JAAS subject's principals).

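/**
 * Builds the server-side SASL endpoint for one connection.
 *
 * If the JAAS {@link Subject} carries at least one principal, GSSAPI (Kerberos) is
 * used: the first principal's name is split into service name and host
 * ({@code service/host@REALM}) and the SaslServer is created inside
 * {@link Subject#doAs} so the GSSAPI provider runs with the subject's credentials.
 * Otherwise DIGEST-MD5 is selected with the fixed protocol and dummy host name from
 * {@code SaslConstants}.
 *
 * Fix over the previous version: the privileged action now declares
 * {@code SaslException} instead of wrapping it in a {@code RuntimeException}.
 * A RuntimeException thrown from {@code run()} propagates straight out of
 * {@code Subject.doAs} and never reaches the {@code PrivilegedActionException}
 * handler, so the provider error used to escape as an unchecked exception with the
 * "error on GSSAPI boot" context lost.
 *
 * Caveats a deployer should know: only the first principal is consulted and
 * {@code Set#toArray} gives no ordering guarantee, so a subject with several
 * principals may not pick the intended service principal; and DIGEST-MD5 (historic
 * per RFC 6331) relies entirely on the shared secret the callback handler provides.
 *
 * @param subject JAAS subject holding the server's credentials; may have no principals
 * @param serverConfiguration configuration handed to the callback handler
 * @return a fresh, not yet negotiated SaslServer
 * @throws SaslException if the principal name cannot be parsed or the provider fails
 * @throws IOException propagated from callback-handler construction
 */
private SaslServer createSaslServer(final Subject subject, ServerConfiguration serverConfiguration) throws SaslException, IOException {
    final SaslServerCallbackHandler callbackHandler = new SaslServerCallbackHandler(Configuration.getConfiguration(), serverConfiguration);
    if (subject.getPrincipals().isEmpty()) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authentication will use SASL/JAAS/DIGEST-MD5");
        }
        return Sasl.createSaslServer("DIGEST-MD5", SaslConstants.SASL_BOOKKEEPER_PROTOCOL, SaslConstants.SASL_MD5_DUMMY_HOSTNAME, null, callbackHandler);
    }
    // NOTE(review): picks an arbitrary principal when the subject holds more than one.
    final Object[] principals = subject.getPrincipals().toArray();
    final Principal servicePrincipal = (Principal) principals[0];
    if (LOG.isDebugEnabled()) {
        LOG.debug("Authentication will use SASL/JAAS/Kerberos, servicePrincipal is {}", servicePrincipal);
    }
    final String servicePrincipalName;
    final String serviceHostname;
    try {
        // Split "service/host@REALM"; a name without "/" is treated as "service@REALM"
        // with no host. A missing "@" makes substring() throw, which is mapped below.
        final String servicePrincipalNameAndHostname = servicePrincipal.getName();
        int indexOf = servicePrincipalNameAndHostname.indexOf("/");
        final String serviceHostnameAndKerbDomain = servicePrincipalNameAndHostname.substring(indexOf + 1, servicePrincipalNameAndHostname.length());
        int indexOfAt = serviceHostnameAndKerbDomain.indexOf("@");
        if (indexOf > 0) {
            servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOf);
            serviceHostname = serviceHostnameAndKerbDomain.substring(0, indexOfAt);
        } else {
            servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOfAt);
            serviceHostname = null;
        }
    } catch (IndexOutOfBoundsException e) {
        throw new SaslException("error on GSSAPI boot", e);
    }
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

            @Override
            public SaslServer run() throws SaslException {
                // Declared as a checked exception on purpose: Subject.doAs wraps it in a
                // PrivilegedActionException, which the catch below unwraps.
                return Sasl.createSaslServer("GSSAPI", servicePrincipalName, serviceHostname, null, callbackHandler);
            }
        });
    } catch (PrivilegedActionException e) {
        throw new SaslException("error on GSSAPI boot", e.getCause());
    }
}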
