Search in sources :

Example 1 with KerberosCredentials

use of org.apache.http.auth.KerberosCredentials in project hbase by apache.

the class TestProxyUserSpnegoHttpServer method testProxy.

public void testProxy(String clientPrincipal, String doAs, int responseCode, String statusLine) throws Exception {
    // Create the subject for the client
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(WHEEL_PRINCIPAL, wheelKeytab);
    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
    // Make sure the subject has a principal
    assertFalse(clientPrincipals.isEmpty());
    // Get a TGT for the subject (might have many, different encryption types). The first should
    // be the default encryption type.
    Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
    assertFalse(privateCredentials.isEmpty());
    KerberosTicket tgt = privateCredentials.iterator().next();
    assertNotNull(tgt);
    // The name of the principal
    final String principalName = clientPrincipals.iterator().next().getName();
    // Run this code, logged in as the subject (the client)
    HttpResponse resp = Subject.doAs(clientSubject, new PrivilegedExceptionAction<HttpResponse>() {

        @Override
        public HttpResponse run() throws Exception {
            // Logs in with Kerberos via GSS
            GSSManager gssManager = GSSManager.getInstance();
            // jGSS Kerberos login constant
            Oid oid = new Oid("1.2.840.113554.1.2.2");
            GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME);
            GSSCredential credential = gssManager.createCredential(gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
            HttpClientContext context = HttpClientContext.create();
            Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build();
            HttpClient client = HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry).build();
            BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));
            URL url = new URL(getServerURL(server), "/echo?doAs=" + doAs + "&a=b");
            context.setTargetHost(new HttpHost(url.getHost(), url.getPort()));
            context.setCredentialsProvider(credentialsProvider);
            context.setAuthSchemeRegistry(authRegistry);
            HttpGet get = new HttpGet(url.toURI());
            return client.execute(get, context);
        }
    });
    assertNotNull(resp);
    assertEquals(responseCode, resp.getStatusLine().getStatusCode());
    if (responseCode == HttpURLConnection.HTTP_OK) {
        assertTrue(EntityUtils.toString(resp.getEntity()).trim().contains("a:b"));
    } else {
        assertTrue(resp.getStatusLine().toString().contains(statusLine) || EntityUtils.toString(resp.getEntity()).contains(statusLine));
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) BasicCredentialsProvider(org.apache.http.impl.client.BasicCredentialsProvider) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) HttpGet(org.apache.http.client.methods.HttpGet) KerberosCredentials(org.apache.http.auth.KerberosCredentials) HttpResponse(org.apache.http.HttpResponse) HttpClientContext(org.apache.http.client.protocol.HttpClientContext) Oid(org.ietf.jgss.Oid) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) Subject(javax.security.auth.Subject) KrbException(org.apache.kerby.kerberos.kerb.KrbException) URL(java.net.URL) GSSCredential(org.ietf.jgss.GSSCredential) HttpHost(org.apache.http.HttpHost) GSSManager(org.ietf.jgss.GSSManager) HttpClient(org.apache.http.client.HttpClient) Lookup(org.apache.http.config.Lookup) Principal(java.security.Principal)

Example 2 with KerberosCredentials

use of org.apache.http.auth.KerberosCredentials in project jmeter by apache.

the class DelegatingSPNegoScheme method generateGSSToken.

@Override
protected byte[] generateGSSToken(final byte[] input, final Oid oid, final String authServer, final Credentials credentials) throws GSSException {
    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
    final GSSCredential gssCredential;
    if (credentials instanceof KerberosCredentials) {
        gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    } else {
        gssCredential = null;
    }
    final GSSContext gssContext = createDelegatingGSSContext(manager, oid, serverName, gssCredential);
    try {
        if (input != null) {
            return gssContext.initSecContext(input, 0, input.length);
        } else {
            return gssContext.initSecContext(new byte[] {}, 0, 0);
        }
    } finally {
        gssContext.dispose();
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) KerberosCredentials(org.apache.http.auth.KerberosCredentials)

Example 3 with KerberosCredentials

use of org.apache.http.auth.KerberosCredentials in project jmeter by apache.

the class DelegatingKerberosScheme method generateGSSToken.

@Override
protected byte[] generateGSSToken(final byte[] input, final Oid oid, final String authServer, final Credentials credentials) throws GSSException {
    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
    final GSSCredential gssCredential;
    if (credentials instanceof KerberosCredentials) {
        gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    } else {
        gssCredential = null;
    }
    final GSSContext gssContext = createDelegatingGSSContext(manager, oid, serverName, gssCredential);
    try {
        if (input != null) {
            return gssContext.initSecContext(input, 0, input.length);
        } else {
            return gssContext.initSecContext(new byte[] {}, 0, 0);
        }
    } finally {
        gssContext.dispose();
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) KerberosCredentials(org.apache.http.auth.KerberosCredentials)

Example 4 with KerberosCredentials

use of org.apache.http.auth.KerberosCredentials in project hbase by apache.

the class TestThriftSpnegoHttpFallbackServer method createHttpClient.

private CloseableHttpClient createHttpClient() throws Exception {
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(clientPrincipal, clientKeytab);
    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
    // Make sure the subject has a principal
    assertFalse("Found no client principals in the clientSubject.", clientPrincipals.isEmpty());
    // Get a TGT for the subject (might have many, different encryption types). The first should
    // be the default encryption type.
    Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
    assertFalse("Found no private credentials in the clientSubject.", privateCredentials.isEmpty());
    KerberosTicket tgt = privateCredentials.iterator().next();
    assertNotNull("No kerberos ticket found.", tgt);
    // The name of the principal
    final String clientPrincipalName = clientPrincipals.iterator().next().getName();
    return Subject.doAs(clientSubject, (PrivilegedExceptionAction<CloseableHttpClient>) () -> {
        // Logs in with Kerberos via GSS
        GSSManager gssManager = GSSManager.getInstance();
        // jGSS Kerberos login constant
        Oid oid = new Oid("1.2.840.113554.1.2.2");
        GSSName gssClient = gssManager.createName(clientPrincipalName, GSSName.NT_USER_NAME);
        GSSCredential credential = gssManager.createCredential(gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
        Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build();
        BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));
        return HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry).setDefaultCredentialsProvider(credentialsProvider).build();
    });
}
Also used : CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) GSSName(org.ietf.jgss.GSSName) BasicCredentialsProvider(org.apache.http.impl.client.BasicCredentialsProvider) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) KerberosCredentials(org.apache.http.auth.KerberosCredentials) Oid(org.ietf.jgss.Oid) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) Subject(javax.security.auth.Subject) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) Lookup(org.apache.http.config.Lookup) Principal(java.security.Principal)

Example 5 with KerberosCredentials

use of org.apache.http.auth.KerberosCredentials in project hbase by apache.

the class TestThriftSpnegoHttpServer method createHttpClient.

private CloseableHttpClient createHttpClient() throws Exception {
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(clientPrincipal, clientKeytab);
    final Set<Principal> clientPrincipals = clientSubject.getPrincipals();
    // Make sure the subject has a principal
    assertFalse("Found no client principals in the clientSubject.", clientPrincipals.isEmpty());
    // Get a TGT for the subject (might have many, different encryption types). The first should
    // be the default encryption type.
    Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class);
    assertFalse("Found no private credentials in the clientSubject.", privateCredentials.isEmpty());
    KerberosTicket tgt = privateCredentials.iterator().next();
    assertNotNull("No kerberos ticket found.", tgt);
    // The name of the principal
    final String clientPrincipalName = clientPrincipals.iterator().next().getName();
    return Subject.doAs(clientSubject, (PrivilegedExceptionAction<CloseableHttpClient>) () -> {
        // Logs in with Kerberos via GSS
        GSSManager gssManager = GSSManager.getInstance();
        // jGSS Kerberos login constant
        Oid oid = new Oid("1.2.840.113554.1.2.2");
        GSSName gssClient = gssManager.createName(clientPrincipalName, GSSName.NT_USER_NAME);
        GSSCredential credential = gssManager.createCredential(gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
        Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build();
        BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));
        return HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry).setDefaultCredentialsProvider(credentialsProvider).build();
    });
}
Also used : CloseableHttpClient(org.apache.http.impl.client.CloseableHttpClient) GSSName(org.ietf.jgss.GSSName) BasicCredentialsProvider(org.apache.http.impl.client.BasicCredentialsProvider) KerberosTicket(javax.security.auth.kerberos.KerberosTicket) KerberosCredentials(org.apache.http.auth.KerberosCredentials) Oid(org.ietf.jgss.Oid) SPNegoSchemeFactory(org.apache.http.impl.auth.SPNegoSchemeFactory) Subject(javax.security.auth.Subject) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) Lookup(org.apache.http.config.Lookup) Principal(java.security.Principal)

Aggregations

KerberosCredentials (org.apache.http.auth.KerberosCredentials)9 GSSCredential (org.ietf.jgss.GSSCredential)8 GSSManager (org.ietf.jgss.GSSManager)8 GSSName (org.ietf.jgss.GSSName)8 SPNegoSchemeFactory (org.apache.http.impl.auth.SPNegoSchemeFactory)6 BasicCredentialsProvider (org.apache.http.impl.client.BasicCredentialsProvider)6 Subject (javax.security.auth.Subject)5 Oid (org.ietf.jgss.Oid)5 Principal (java.security.Principal)4 KerberosTicket (javax.security.auth.kerberos.KerberosTicket)4 Lookup (org.apache.http.config.Lookup)4 URL (java.net.URL)2 HttpHost (org.apache.http.HttpHost)2 HttpResponse (org.apache.http.HttpResponse)2 HttpClient (org.apache.http.client.HttpClient)2 HttpGet (org.apache.http.client.methods.HttpGet)2 HttpClientContext (org.apache.http.client.protocol.HttpClientContext)2 CloseableHttpClient (org.apache.http.impl.client.CloseableHttpClient)2 KrbException (org.apache.kerby.kerberos.kerb.KrbException)2 GSSContext (org.ietf.jgss.GSSContext)2