Use of org.ietf.jgss.GSSContext in project qpid-broker-j by apache.
The class KerberosUtilities, method buildTokenWithinSubjectWithKerberosTicket.
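/**
 * Builds the initial SPNEGO context-establishment token that the client identified by
 * {@code clientPrincipalName} would send to the service identified by
 * {@code targetServerPrincipalName}.
 *
 * The method name says it runs within a Subject holding a Kerberos ticket; nothing here
 * verifies that, so the caller is responsible for invoking it inside the appropriate
 * {@code Subject.doAs}.
 *
 * @param clientPrincipalName       the initiating (client) principal name
 * @param targetServerPrincipalName the accepting (service) principal name
 * @return the first token returned by {@link GSSContext#initSecContext}
 * @throws GSSException if the credential cannot be acquired, the context cannot be
 *                      created, or the token cannot be produced
 */
private byte[] buildTokenWithinSubjectWithKerberosTicket(String clientPrincipalName, String targetServerPrincipalName) throws GSSException {
    debug("Building token for client principal '{}' and server principal '{}'", clientPrincipalName, targetServerPrincipalName);
    final GSSManager manager = GSSManager.getInstance();
    final GSSName clientName = manager.createName(clientPrincipalName, GSSName.NT_USER_NAME);
    // Kerberos V5 mechanism OID: the initiator credential is acquired for krb5 itself.
    final Oid krb5MechOid = new Oid("1.2.840.113554.1.2.2");
    final GSSCredential credential;
    try {
        credential = manager.createCredential(clientName, GSSCredential.DEFAULT_LIFETIME, krb5MechOid, GSSCredential.INITIATE_ONLY);
    } catch (GSSException e) {
        debug("Failure to create credential for {}", clientName, e);
        throw e;
    }
    try {
        debug("Client credential '{}'", credential);
        final GSSName serverName = manager.createName(targetServerPrincipalName, GSSName.NT_USER_NAME);
        // SPNEGO pseudo-mechanism OID: the context is negotiated through SPNEGO, wrapping krb5.
        final Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
        final GSSContext clientContext = manager.createContext(serverName.canonicalize(spnegoMechOid), spnegoMechOid, credential, GSSContext.DEFAULT_LIFETIME);
        debug("Requesting ticket using initiator's credentials");
        try {
            // Delegation is requested unconditionally: the accepting service receives a
            // forwardable credential and can act on behalf of this client. Keep this only
            // where the target service genuinely needs to impersonate the caller.
            clientContext.requestCredDeleg(true);
            debug("Requesting ticket");
            return clientContext.initSecContext(new byte[] {}, 0, 0);
        } catch (GSSException e) {
            debug("Failure to request token", e);
            throw e;
        } finally {
            clientContext.dispose();
        }
    } finally {
        // The context was already released; the credential holds the client's ticket
        // material and was previously leaked, so release it on every exit path as well.
        credential.dispose();
    }
}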
Use of org.ietf.jgss.GSSContext in project kylo by Teradata.
The class KerberosKeytabSPNegoScheme, method generateToken.
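/**
 * Produces a Kerberos (GSS-API) token for the {@code HTTP/authServer} service by logging in
 * with the keytab carried in {@code credentials} and running the initiator inside that
 * logged-in Subject.
 *
 * NOTE(review): a fresh GSSContext is created on every call, so a server token passed as
 * {@code input} is fed to a new context rather than the one that produced the previous
 * token; only the single-round case is clearly supported by this code.
 *
 * @param input       the token received from the server so far (empty for the first round)
 * @param authServer  host name used to build the service principal
 * @param credentials must be a {@code KerberosKeytabCredentials}; the cast below is unchecked
 *                    and will throw {@code ClassCastException} for any other type
 * @return the token to send to the server
 * @throws RuntimeException wrapping the login or GSS-API failure
 */
@Override
public byte[] generateToken(byte[] input, String authServer, Credentials credentials) {
    Set<Principal> principals = new HashSet<>();
    principals.add(credentials.getUserPrincipal());
    Subject subject = new Subject(false, principals, new HashSet<>(), new HashSet<>());
    try {
        LoginContext loginContext = new LoginContext("", subject, null, new KerberosConfiguration(credentials.getUserPrincipal().getName(), ((KerberosKeytabCredentials) credentials).getKeytab()));
        loginContext.login();
        Subject loggedInSubject = loginContext.getSubject();
        return Subject.doAs(loggedInSubject, new PrivilegedExceptionAction<byte[]>() {
            @Override
            public byte[] run() throws UnknownHostException, ClassNotFoundException, GSSException, IllegalAccessException, NoSuchFieldException {
                GSSManager gssManager = GSSManager.getInstance();
                String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", authServer);
                Oid serviceOid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
                GSSName serviceName = gssManager.createName(servicePrincipal, serviceOid);
                Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
                GSSContext gssContext = gssManager.createContext(serviceName, mechOid, null, 0);
                try {
                    // Credential delegation hands the service a forwardable copy of this
                    // client's credential; mutual authentication makes the service prove
                    // its identity back to the client.
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);
                    return gssContext.initSecContext(input, 0, input.length);
                } finally {
                    // The context was unreachable after return in the original and never
                    // disposed; release it explicitly once the token has been produced.
                    gssContext.dispose();
                }
            }
        });
    } catch (PrivilegedActionException | LoginException e) {
        throw new RuntimeException(e);
    }
}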
Use of org.ietf.jgss.GSSContext in project blade by biezhi.
The class SpnegoLoginService, method login.
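/**
 * Authenticates a SPNEGO (Negotiate) request. {@code username} is ignored since the
 * Base64-encoded token passed as {@code credentials} contains all the relevant info.
 *
 * The client token is processed in a single {@code acceptSecContext} round. If the
 * context is not established after that round the login fails with {@code null}: this
 * method has no channel to return a continuation token to the client, and the previous
 * loop fed the server's own output token back into {@code acceptSecContext}.
 *
 * @param username    ignored
 * @param credentials the Base64-encoded SPNEGO token, as a {@code String}
 * @param request     the current request (unused here)
 * @return the established identity, or {@code null} when authentication did not complete
 */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    GSSCredential serverCreds = null;
    GSSContext gContext = null;
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        // This is the SPNEGO pseudo-mechanism OID, not the bare krb5 one; the variable name is historical.
        Oid krb5Oid = new Oid("1.3.6.1.5.5.2");
        GSSName gssName = manager.createName(_targetName, null);
        serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, krb5Oid, GSSCredential.ACCEPT_ONLY);
        gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
            return null;
        }
        authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
        if (!gContext.isEstablished()) {
            LOG.debug("SpnegoUserRealm: security context not established after one round");
            return null;
        }
        String clientName = gContext.getSrcName().toString();
        // The realm (text after '@') becomes the default role; with no '@' the whole name is used.
        String role = clientName.substring(clientName.indexOf('@') + 1);
        LOG.debug("SpnegoUserRealm: established a security context");
        LOG.debug("Client Principal is: " + gContext.getSrcName());
        LOG.debug("Server Principal is: " + gContext.getTargName());
        LOG.debug("Client Default Role: " + role);
        // authToken now holds the acceptor's output token, which may be null when the
        // context completed without one; the principal stores whatever was returned.
        SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
        Subject subject = new Subject();
        subject.getPrincipals().add(user);
        return _identityService.newUserIdentity(subject, user, new String[] { role });
    } catch (GSSException gsse) {
        LOG.warn(gsse);
    } finally {
        // Release acceptor context and credential on every path; previously both leaked.
        if (gContext != null) {
            try {
                gContext.dispose();
            } catch (GSSException disposeFailure) {
                LOG.warn(disposeFailure);
            }
        }
        if (serverCreds != null) {
            try {
                serverCreds.dispose();
            } catch (GSSException disposeFailure) {
                LOG.warn(disposeFailure);
            }
        }
    }
    return null;
}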
Use of org.ietf.jgss.GSSContext in project hadoop by apache.
The class KerberosAuthenticationHandler, method runWithPrincipal.
/**
 * Performs one SPNEGO accept round as the given server principal.
 *
 * Any output token from the acceptor is written to the {@code WWW-Authenticate} header.
 * When the context is established the response status is {@code 200} and an
 * {@code AuthenticationToken} for the client is returned; otherwise the status is
 * {@code 401} and {@code null} is returned so the client can continue the exchange.
 *
 * @param serverPrincipal the acceptor principal whose credential is used
 * @param clientToken     the decoded token received from the client
 * @param base64          encoder for the outgoing token
 * @param response        response whose status and header are set here
 * @return the authenticated token, or {@code null} while the handshake is in progress
 * @throws GSSException if credential acquisition or token acceptance fails
 */
private AuthenticationToken runWithPrincipal(String serverPrincipal, byte[] clientToken, Base64 base64, HttpServletResponse response) throws IOException, AuthenticationException, ClassNotFoundException, GSSException, IllegalAccessException, NoSuchFieldException {
    GSSCredential acceptorCreds = null;
    GSSContext context = null;
    try {
        LOG.trace("SPNEGO initiated with server principal [{}]", serverPrincipal);
        final GSSName acceptorName = this.gssManager.createName(serverPrincipal, KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL"));
        // Accept both SPNEGO-wrapped and raw krb5 initiators.
        final Oid[] acceptedMechs = new Oid[] { KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID") };
        acceptorCreds = this.gssManager.createCredential(acceptorName, GSSCredential.INDEFINITE_LIFETIME, acceptedMechs, GSSCredential.ACCEPT_ONLY);
        context = this.gssManager.createContext(acceptorCreds);
        final byte[] serverToken = context.acceptSecContext(clientToken, 0, clientToken.length);
        if (serverToken != null && serverToken.length > 0) {
            final String authenticate = base64.encodeToString(serverToken);
            response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE + " " + authenticate);
        }
        if (!context.isEstablished()) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            LOG.trace("SPNEGO in progress");
            return null;
        }
        final String clientPrincipal = context.getSrcName().toString();
        // KerberosName maps the full principal to the local short name (auth_to_local rules).
        final String userName = new KerberosName(clientPrincipal).getShortName();
        final AuthenticationToken established = new AuthenticationToken(userName, clientPrincipal, getType());
        response.setStatus(HttpServletResponse.SC_OK);
        LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
        return established;
    } finally {
        if (context != null) {
            context.dispose();
        }
        if (acceptorCreds != null) {
            acceptorCreds.dispose();
        }
    }
}
Use of org.ietf.jgss.GSSContext in project hadoop by apache.
The class KerberosAuthenticator, method doSpnegoSequence.
/**
 * Implements the SPNEGO authentication sequence interaction using the current default principal
 * in the Kerberos cache (normally set via kinit).
 *
 * If the calling context already carries a Subject with a Kerberos keytab or ticket it is
 * reused; otherwise a fresh JAAS login is performed. The GSS-API initiator then runs inside
 * that Subject, exchanging tokens with the server until the context is established, and the
 * resulting token is extracted from the connection.
 *
 * @param token the authentication token being used for the user.
 *
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication error occurred.
 */
private void doSpnegoSequence(AuthenticatedURL.Token token) throws IOException, AuthenticationException {
    try {
        final AccessControlContext acc = AccessController.getContext();
        Subject subject = Subject.getSubject(acc);
        final boolean usable = subject != null && (KerberosUtil.hasKerberosKeyTab(subject) || KerberosUtil.hasKerberosTicket(subject));
        if (!usable) {
            LOG.debug("No subject in context, logging in");
            subject = new Subject();
            final LoginContext login = new LoginContext("", subject, null, new KerberosConfiguration());
            login.login();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Using subject: " + subject);
        }
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                GSSContext gssContext = null;
                try {
                    final GSSManager gssManager = GSSManager.getInstance();
                    final String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", KerberosAuthenticator.this.url.getHost());
                    final GSSName serviceName = gssManager.createName(servicePrincipal, KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL"));
                    final Oid krb5Mech = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
                    gssContext = gssManager.createContext(serviceName, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
                    // Delegation hands the HTTP service a forwardable copy of the caller's
                    // credential; mutual authentication requires the service to prove itself.
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);
                    byte[] inToken = new byte[0];
                    // Round-trip tokens until the context reports itself established.
                    while (true) {
                        final byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                        if (outToken != null) {
                            sendToken(outToken);
                        }
                        if (gssContext.isEstablished()) {
                            break;
                        }
                        inToken = readToken();
                    }
                } finally {
                    if (gssContext != null) {
                        gssContext.dispose();
                    }
                }
                return null;
            }
        });
    } catch (PrivilegedActionException ex) {
        final Exception cause = ex.getException();
        if (cause instanceof IOException) {
            throw (IOException) cause;
        }
        throw new AuthenticationException(cause);
    } catch (LoginException ex) {
        throw new AuthenticationException(ex);
    }
    AuthenticatedURL.extractToken(conn, token);
}