use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.
the class MSOID method main.
/**
 * Feeds a captured NegTokenInit (the MIME-Base64 body of msoid.txt after a
 * 10-byte prefix) to a credential-less acceptor and expects the failure to
 * surface as {@link GSSException#NO_CRED} raised from inside the krb5
 * mechanism, i.e. the MS krb5 OID was recognized and dispatched to krb5.
 *
 * @param args unused
 * @throws Exception if the token is accepted, fails with another major code,
 *         or fails outside {@code sun.security.jgss.krb5}
 */
public static void main(String[] args) throws Exception {
    // msoid.txt is a NegTokenInit packet sent from Internet Explorer to
    // IIS server on a test machine. No sensitive info included.
    byte[] raw = Files.readAllBytes(
            Paths.get(System.getProperty("test.src"), "msoid.txt"));
    // The first 10 bytes are a prefix; the remainder is MIME Base64 text.
    byte[] negToken = Base64.getMimeDecoder()
            .decode(Arrays.copyOfRange(raw, 10, raw.length));

    GSSCredential noCred = null;
    GSSContext acceptor = GSSManager.getInstance().createContext(noCred);
    try {
        acceptor.acceptSecContext(negToken, 0, negToken.length);
    } catch (GSSException gsse) {
        // After the fix, GSS_KRB5_MECH_OID_MS is recognized but the token
        // cannot be accepted because we don't have any krb5 credential.
        gsse.printStackTrace();
        if (gsse.getMajor() != GSSException.NO_CRED) {
            throw gsse;
        }
        boolean raisedByKrb5 = Arrays.stream(gsse.getStackTrace())
                .anyMatch(frame -> frame.getClassName()
                        .startsWith("sun.security.jgss.krb5."));
        if (raisedByKrb5) {
            // Good, it is already in krb5 mech's hand.
            return;
        }
        throw gsse;
    }
    // Reached only when acceptance did not throw, which would mean the
    // acceptor chose another mech and went on.
    throw new Exception("Should fail");
}
use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.
the class KrbCredSubKey method main.
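/**
 * Accepts the initiator token {@code token} (declared elsewhere in this
 * class) as the service principal {@code princ} whose long-term AES128 key is
 * {@code key}, running inside a Subject that holds only those credentials.
 * The test passes when acceptance completes without throwing.
 *
 * @param args unused
 * @throws Exception on any configuration, credential or acceptance failure
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // Close the file before Config.refresh() re-reads it; an unclosed stream
    // also leaks the descriptor for the life of the test.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(kp, key,
            EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    Subject.doAs(subj, new PrivilegedExceptionAction<byte[]>() {
        @Override
        public byte[] run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            // Acceptor-only krb5 credential backed by the key in the Subject.
            GSSCredential acceptorCred = man.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID,
                    GSSCredential.ACCEPT_ONLY);
            GSSContext ctxt = man.createContext(acceptorCred);
            try {
                return ctxt.acceptSecContext(token, 0, token.length);
            } finally {
                // Release the mechanism-level state even when acceptance fails.
                ctxt.dispose();
            }
        }
    });
}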
use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.
the class Test5653 method main.
/**
 * Regression check for the legacy name-type OID {@code 1.3.6.1.5.6.2}: the
 * GSSManager must list krb5 for it, {@code createName} must accept it and
 * report {@link GSSName#NT_HOSTBASED_SERVICE}, and a krb5 context built from
 * such a name must still complete one initiator/acceptor leg.
 *
 * @param args unused
 * @throws Exception when any of the four checks fails
 */
public static void main(String[] args) throws Exception {
    Oid legacyNameType = new Oid("1.3.6.1.5.6.2");
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    GSSManager mgr = GSSManager.getInstance();

    // Test 1: the getMechsForName() method accepts it.
    Oid[] mechs = mgr.getMechsForName(legacyNameType);
    boolean krb5Listed = false;
    for (int i = 0; i < mechs.length && !krb5Listed; i++) {
        krb5Listed = mechs[i].equals(GSSUtil.GSS_KRB5_MECH_OID);
    }
    if (!krb5Listed) {
        throw new Exception("Cannot found krb5 mech for old name type");
    }

    // Test 2: the createName() method accepts it.
    GSSName serviceName = mgr.createName("server@host.rabbit.hole", legacyNameType);

    // Test 3: its getStringNameType() output is correct
    if (!serviceName.getStringNameType().equals(GSSName.NT_HOSTBASED_SERVICE)) {
        throw new Exception("GSSName not correct name type");
    }

    // Test 4: everything still works.
    GSSContext initiator = mgr.createContext(serviceName,
            GSSUtil.GSS_KRB5_MECH_OID, null, GSSContext.DEFAULT_LIFETIME);
    byte[] firstToken = initiator.initSecContext(new byte[0], 0, 0);
    Context acceptor = Context.fromJAAS("server");
    acceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    acceptor.x().acceptSecContext(firstToken, 0, firstToken.length);
}
use of org.ietf.jgss.GSSContext in project voltdb by VoltDB.
the class HTTPClientInterface method spnegoLogin.
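/**
 * Authenticates an HTTP client from the Base64 SPNEGO token it presented.
 * <p>
 * Returns the client's principal name when the acceptor establishes the
 * security context from this single token. Returns {@code null} when the
 * token is absent, when acceptance fails, or when the mechanism would need a
 * further round trip, which a single HTTP request cannot provide. Failures
 * are reported through the rate-limited log; no exception reaches the caller.
 *
 * @param encodedToken Base64 text of the client's SPNEGO token; may be null or empty
 * @return the authenticated principal name, or {@code null} if authentication did not succeed
 */
private String spnegoLogin(String encodedToken) {
    // Check before decoding: a missing token must not reach the decoder.
    if (encodedToken == null || encodedToken.isEmpty()) {
        return null;
    }
    GSSContext ctx = null;
    try {
        byte[] token = B64Code.decode(encodedToken);
        final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        GSSManager manager = GSSManager.getInstance();
        GSSName name = manager.createName(m_servicePrincipal, null);
        ctx = manager.createContext(name.canonicalize(spnegoOid), spnegoOid, null,
                GSSContext.INDEFINITE_LIFETIME);
        if (ctx == null) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null,
                    "Failed to establish security context for SPNEGO authentication");
            return null;
        }
        // Only one client token is available here. The acceptor's output token
        // is addressed to the client and must not be fed back as input, so the
        // context is either established after this call or the login is rejected.
        ctx.acceptSecContext(token, 0, token.length);
        if (!ctx.isEstablished()) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null,
                    "SPNEGO security context not established from a single token");
            return null;
        }
        GSSName srcName = ctx.getSrcName();
        if (srcName == null) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null,
                    "Failed to read source name from established SPNEGO security context");
            return null;
        }
        String user = srcName.toString();
        if (m_log.isDebugEnabled()) {
            m_log.debug("established SPNEGO security context for " + user);
        }
        return user;
    } catch (GSSException e) {
        m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, e,
                "failed SPNEGO authentication");
        return null;
    } finally {
        // Release mechanism state on every path, including failed acceptance.
        if (ctx != null) {
            try {
                ctx.dispose();
            } catch (GSSException ignored) {
                // Best-effort cleanup; the authentication result is already decided.
            }
        }
    }
}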
use of org.ietf.jgss.GSSContext in project voltdb by VoltDB.
the class ConnectionUtil method performAuthenticationHandShake.
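/**
 * Runs the Kerberos (GSS-API) login handshake over {@code channel} as
 * {@code subject} and returns the server's login response.
 * <p>
 * The initiator context is created and driven inside {@link Subject#doAs} so
 * that the subject's credentials are used; mutual authentication,
 * confidentiality and integrity are requested. Any GSS or I/O failure inside
 * the privileged action is rethrown as a RuntimeException, caught here,
 * converted back to an {@link IOException} and the channel is closed. After the
 * handshake a 4-byte length prefix and the response body are read fully; the
 * first byte of the body must be version {@code 0}.
 *
 * @param channel     connected channel to the server
 * @param subject     subject to authenticate as; must carry at least one principal
 * @param serviceName Kerberos service principal name of the server
 * @return the login response buffer positioned just past the version byte
 * @throws IOException  if the subject has no principal, delegation is not
 *                      permitted, the handshake fails, the length prefix is
 *                      negative, or the response version is not 0
 * @throws EOFException if the server closes the connection mid-message
 */
private static final ByteBuffer performAuthenticationHandShake(final SocketChannel channel,
        final Subject subject, final String serviceName) throws IOException {
    try {
        // iterator().next() on an empty set would escape as NoSuchElementException.
        if (subject.getPrincipals().isEmpty()) {
            throw new IOException("Subject has no principal to authenticate with");
        }
        String subjectPrincipal = subject.getPrincipals().iterator().next().getName();
        final Optional<DelegatePrincipal> delegate = getDelegate(subject);
        if (delegate.isPresent() && !subjectPrincipal.equals(serviceName)) {
            throw new IOException("Delegate authentication is not allowed for user "
                    + delegate.get().getName());
        }
        Subject.doAs(subject, new PrivilegedAction<GSSContext>() {
            @Override
            public GSSContext run() {
                GSSContext context = null;
                try {
                    /*
                     * The standard type designation for kerberos v5 secure service context
                     */
                    final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
                    /*
                     * The standard type designation for principal
                     */
                    final Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
                    final GSSName serverName =
                            m_gssManager.createName(serviceName, krb5PrincipalNameType);
                    context = m_gssManager.createContext(serverName, krb5Oid, null,
                            GSSContext.INDEFINITE_LIFETIME);
                    // Mutual auth makes the server prove its identity as well.
                    context.requestMutualAuth(true);
                    context.requestConf(true);
                    context.requestInteg(true);
                    establishSecurityContext(channel, context, delegate);
                } catch (GSSException | IOException ex) {
                    // PrivilegedAction cannot throw checked exceptions; the caller
                    // unwraps this and converts it back to IOException.
                    throw new RuntimeException(ex);
                } finally {
                    if (context != null) {
                        try {
                            context.dispose();
                        } catch (Exception ignoreIt) {
                            // Best-effort cleanup; the handshake outcome is already decided.
                        }
                    }
                }
                return null;
            }
        });
    } catch (RuntimeException ex) {
        // If we get here the authentication handshake failed. run() wraps its
        // failures in a plain RuntimeException and PrivilegedAction does not add
        // a PrivilegedActionException layer, so the base type must be caught here;
        // SecurityException alone would let the wrapper escape uncaught.
        try {
            channel.close();
        } catch (Exception ignoreIt) {
            // Channel is being abandoned anyway.
        }
        Throwable cause = ex.getCause();
        if (cause instanceof RuntimeException && cause.getCause() != null) {
            // A second wrapper layer, when some caller added one.
            cause = cause.getCause();
        } else if (cause == null) {
            cause = ex;
        }
        if (cause instanceof IOException) {
            throw (IOException) cause;
        }
        throw new IOException("Authentication Handshake Failed", cause);
    }

    // Length prefix: 4 bytes, big-endian (ByteBuffer default).
    ByteBuffer lengthBuffer = ByteBuffer.allocate(4);
    while (lengthBuffer.hasRemaining()) {
        if (channel.read(lengthBuffer) == -1) {
            channel.close();
            throw new EOFException();
        }
    }
    lengthBuffer.flip();
    int responseSize = lengthBuffer.getInt();
    // The size comes straight off the wire; reject a negative value explicitly
    // instead of letting allocate() throw IllegalArgumentException.
    // NOTE(review): an upper bound on responseSize would also be prudent; none
    // is defined where visible here.
    if (responseSize < 0) {
        channel.close();
        throw new IOException("Invalid login response length: " + responseSize);
    }
    ByteBuffer loginResponse = ByteBuffer.allocate(responseSize);
    while (loginResponse.hasRemaining()) {
        if (channel.read(loginResponse) == -1) {
            channel.close();
            throw new EOFException();
        }
    }
    loginResponse.flip();
    byte version = loginResponse.get();
    if (version != (byte) 0) {
        channel.close();
        throw new IOException(
                "Encountered unexpected version for the login response message: " + version);
    }
    return loginResponse;
}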