
Example 16 with GSSContext

use of org.ietf.jgss.GSSContext in project orientdb by orientechnologies.

In class OKerberosCredentialInterceptor, method getServiceTicket:

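/**
 * Obtains the first Kerberos GSS-API initiator token (the "service ticket") for
 * {@code servicePrincipalName} on behalf of {@code subject} and returns it Base64-encoded.
 *
 * <p>The context is created with the Kerberos v5 mechanism OID and driven through a single
 * {@code initSecContext} pass. Mutual authentication and credential delegation are both
 * requested off, so the result is a one-way token: nothing in this method verifies the
 * service back, and no credentials are forwarded to it.
 *
 * <p>When the {@code sun.security.jgss.native} system property is set, an initiate-only
 * credential for {@code principal} is created and added to the subject's private credential
 * set first; with the native provider, GSS operations inside {@code Subject.doAs} fail
 * otherwise because no credential is found (see the linked Oracle note).
 *
 * @param subject              the JAAS subject the context initiation runs under
 * @param principal            client principal name; only used to build the native-JGSS credential
 * @param servicePrincipalName Kerberos principal name of the service the token is for
 * @return the Base64-encoded initiator token, or {@code null} if the context could not be
 *         created or initiated; every failure is logged and swallowed here
 */
private String getServiceTicket(final Subject subject, final String principal, final String servicePrincipalName) {
    try {
        final GSSManager manager = GSSManager.getInstance();
        final GSSName serviceName = manager.createName(servicePrincipalName, GSSName.NT_USER_NAME);
        final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
        // Initiator side; a null credential selects the default initiator credential.
        final GSSContext context = manager.createContext(serviceName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME);
        if (context == null) {
            OLogManager.instance().debug(this, "getServiceTicket() GSSContext is null!");
            return null;
        }
        try {
            // http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
            // When performing operations as a particular Subject, e.g. Subject.doAs(...) or Subject.doAsPrivileged(...),
            // the to-be-used GSSCredential should be added to Subject's private credential set. Otherwise,
            // the GSS operations will fail since no credential is found.
            if (Boolean.getBoolean("sun.security.jgss.native")) {
                OLogManager.instance().info(this, "getServiceTicket() Using Native JGSS");
                try {
                    final GSSName clientName = manager.createName(principal, GSSName.NT_USER_NAME);
                    final GSSCredential cred = manager.createCredential(clientName, GSSContext.DEFAULT_LIFETIME, krb5Oid, GSSCredential.INITIATE_ONLY);
                    subject.getPrivateCredentials().add(cred);
                } catch (GSSException gssEx) {
                    // Best effort: without the credential the doAs() below simply yields no token.
                    OLogManager.instance().error(this, "getServiceTicket() Use Native JGSS GSSException", gssEx);
                }
            }
            // The GSS context initiation has to be performed as a privileged action.
            final byte[] serviceTicket = Subject.doAs(subject, new PrivilegedAction<byte[]>() {

                @Override
                public byte[] run() {
                    try {
                        final byte[] token = new byte[0];
                        // This is a one pass context initialisation: no server reply is ever fed back in.
                        context.requestMutualAuth(false);
                        context.requestCredDeleg(false);
                        return context.initSecContext(token, 0, token.length);
                    } catch (Exception inner) {
                        OLogManager.instance().debug(this, "getServiceTicket() doAs() Exception", inner);
                    }
                    return null;
                }
            });
            if (serviceTicket != null) {
                return OBase64Utils.encodeBytes(serviceTicket);
            }
        } finally {
            // Release the mechanism state on every path, including the successful one and exceptions;
            // the token has already been copied into a byte[] by the time we get here.
            context.dispose();
        }
    } catch (Exception ex) {
        OLogManager.instance().error(this, "getServiceTicket() Exception", ex);
    }
    return null;
}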

Example 17 with GSSContext

use of org.ietf.jgss.GSSContext in project undertow by undertow-io.

In class SpnegoAuthenticationTestCase, method testSpnegoSuccess:

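/**
 * Drives a complete SPNEGO negotiation against the test server.
 *
 * <p>An unauthenticated request must be answered with 401 and a bare
 * {@code WWW-Authenticate: Negotiate} challenge. Then, running as the logged-in "jduke"
 * subject, initiator tokens are exchanged with the server until the GSS context is
 * established; the final answer must be 200 carrying the {@code ProcessedBy} header, and
 * exactly one AUTHENTICATED notification must have been raised.
 *
 * @throws Exception on any client, login or GSS-API failure
 */
@Test
public void testSpnegoSuccess() throws Exception {
    final TestHttpClient client = new TestHttpClient();
    HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
    HttpResponse result = client.execute(get);
    assertEquals(StatusCodes.UNAUTHORIZED, result.getStatusLine().getStatusCode());
    Header[] values = result.getHeaders(WWW_AUTHENTICATE.toString());
    String header = getAuthHeader(NEGOTIATE, values);
    assertEquals(NEGOTIATE.toString(), header);
    HttpClientUtils.readResponse(result);
    Subject clientSubject = login("jduke", "theduke".toCharArray());
    Subject.doAs(clientSubject, new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            GSSManager gssManager = GSSManager.getInstance();
            GSSName serverName = gssManager.createName("HTTP/" + DefaultServer.getDefaultServerAddress().getHostString(), null);
            GSSContext context = gssManager.createContext(serverName, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);
            try {
                byte[] token = new byte[0];
                boolean gotOur200 = false;
                while (!context.isEstablished()) {
                    token = context.initSecContext(token, 0, token.length);
                    if (token == null || token.length == 0) {
                        // No token to send: legal only if this call completed the context, otherwise the
                        // loop could never make progress, so fail instead of spinning forever.
                        assertTrue("initSecContext produced no token before the context was established", context.isEstablished());
                        break;
                    }
                    HttpGet get = new HttpGet(DefaultServer.getDefaultServerURL());
                    get.addHeader(AUTHORIZATION.toString(), NEGOTIATE + " " + FlexBase64.encodeString(token, false));
                    HttpResponse result = client.execute(get);
                    Header[] headers = result.getHeaders(WWW_AUTHENTICATE.toString());
                    if (headers.length > 0) {
                        String header = getAuthHeader(NEGOTIATE, headers);
                        byte[] headerBytes = header.getBytes(StandardCharsets.US_ASCII);
                        // FlexBase64.decode() returns byte buffer, which can contain backend array of greater size.
                        // when on such ByteBuffer is called array(), it returns the underlying byte array including the 0 bytes
                        // at the end, which makes the token invalid. => using Base64 mime decoder, which returnes directly properly sized byte[].
                        token = Base64.getMimeDecoder().decode(ArrayUtils.subarray(headerBytes, NEGOTIATE.toString().length() + 1, headerBytes.length));
                    }
                    if (result.getStatusLine().getStatusCode() == StatusCodes.OK) {
                        Header[] values = result.getHeaders("ProcessedBy");
                        assertEquals(1, values.length);
                        assertEquals("ResponseHandler", values[0].getValue());
                        HttpClientUtils.readResponse(result);
                        assertSingleNotificationType(EventType.AUTHENTICATED);
                        gotOur200 = true;
                    } else if (result.getStatusLine().getStatusCode() == StatusCodes.UNAUTHORIZED) {
                        // A 401 mid-negotiation must carry the server's continuation token.
                        assertTrue("We did get a header.", headers.length > 0);
                        HttpClientUtils.readResponse(result);
                    } else {
                        fail(String.format("Unexpected status code %d", result.getStatusLine().getStatusCode()));
                    }
                }
                assertTrue(gotOur200);
                assertTrue(context.isEstablished());
            } finally {
                // Release the GSS context even when an assertion or a network call fails.
                context.dispose();
            }
            return null;
        }
    });
}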

Example 18 with GSSContext

use of org.ietf.jgss.GSSContext in project jmeter by apache.

In class DelegatingSPNegoScheme, method createDelegatingGSSContext:

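/**
 * Creates an initiator context for {@code serverName} that requests mutual authentication
 * and credential delegation.
 *
 * <p>Delegation asks the mechanism to hand the server a forwardable copy of the caller's
 * credentials, so a context built here should only be used against services that are
 * trusted to act on the caller's behalf.
 *
 * @param manager       GSS manager used to create the context
 * @param oid           mechanism OID; the server name is canonicalized for it first
 * @param serverName    target service name
 * @param gssCredential initiator credential, or {@code null} for the default credential
 * @return a fresh, not yet established context with both options requested
 * @throws GSSException if the context cannot be created or an option cannot be requested;
 *         a context that was already created is disposed before the exception propagates
 */
GSSContext createDelegatingGSSContext(final GSSManager manager, final Oid oid, final GSSName serverName, final GSSCredential gssCredential) throws GSSException {
    final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    try {
        gssContext.requestMutualAuth(true);
        gssContext.requestCredDeleg(true);
    } catch (GSSException | RuntimeException e) {
        // Do not leak the half-configured context; the caller never sees it, so it must be released here.
        try {
            gssContext.dispose();
        } catch (GSSException disposeFailure) {
            e.addSuppressed(disposeFailure);
        }
        throw e;
    }
    return gssContext;
}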

Example 19 with GSSContext

use of org.ietf.jgss.GSSContext in project jmeter by apache.

In class DelegatingSPNegoScheme, method generateGSSToken:

/**
 * Produces the next SPNEGO initiator token for {@code authServer}, using a context that
 * requests credential delegation (see {@code createDelegatingGSSContext}).
 *
 * @param input       the token received from the server, or {@code null} for the first round
 * @param oid         mechanism OID used for the context
 * @param authServer  host from which the {@code HTTP@host} service name is built
 * @param credentials if a {@link KerberosCredentials} instance, its GSS credential is used;
 *                    otherwise the default initiator credential is used
 * @return the token to send to the server
 * @throws GSSException on any GSS-API failure; the context is disposed either way
 */
@Override
protected byte[] generateGSSToken(final byte[] input, final Oid oid, final String authServer, final Credentials credentials) throws GSSException {
    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
    // Only Kerberos credentials carry a GSS credential; anything else falls back to the default (null).
    final GSSCredential gssCredential = credentials instanceof KerberosCredentials
            ? ((KerberosCredentials) credentials).getGSSCredential()
            : null;
    final GSSContext gssContext = createDelegatingGSSContext(manager, oid, serverName, gssCredential);
    // A null input marks the first leg of the exchange, which starts from an empty token.
    final byte[] incoming = input == null ? new byte[0] : input;
    try {
        return gssContext.initSecContext(incoming, 0, incoming.length);
    } finally {
        // Each call builds a fresh context, so it is always released before returning.
        gssContext.dispose();
    }
}

Example 20 with GSSContext

use of org.ietf.jgss.GSSContext in project jmeter by apache.

In class DelegatingKerberosScheme, method generateGSSToken:

/**
 * Produces the next Kerberos initiator token for {@code authServer}.
 *
 * <p>The context comes from {@code createDelegatingGSSContext}, so the caller's credentials
 * are offered to the server for delegation as part of the exchange.
 *
 * @param input       the server's last token, or {@code null} to start the exchange
 * @param oid         mechanism OID used for the context
 * @param authServer  host from which the {@code HTTP@host} service name is built
 * @param credentials if a {@link KerberosCredentials} instance, its GSS credential is used;
 *                    otherwise the default initiator credential is used
 * @return the token to send to the server
 * @throws GSSException on any GSS-API failure; the context is disposed either way
 */
@Override
protected byte[] generateGSSToken(final byte[] input, final Oid oid, final String authServer, final Credentials credentials) throws GSSException {
    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
    GSSCredential gssCredential = null;
    if (credentials instanceof KerberosCredentials) {
        gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    }
    final GSSContext gssContext = createDelegatingGSSContext(manager, oid, serverName, gssCredential);
    try {
        if (input == null) {
            // First leg: nothing has been received from the server yet.
            return gssContext.initSecContext(new byte[0], 0, 0);
        }
        return gssContext.initSecContext(input, 0, input.length);
    } finally {
        // The context is single-use; release it regardless of outcome.
        gssContext.dispose();
    }
}
