
Example 31 with GSSContext

use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.

the class MSOID method main.

/**
 * Regression test: a NegTokenInit whose mech list carries the Microsoft krb5
 * OID (GSS_KRB5_MECH_OID_MS) must be handed to the krb5 mechanism. Since no
 * krb5 credential is available the accept must then fail with NO_CRED raised
 * from inside {@code sun.security.jgss.krb5}; any other outcome fails the test.
 */
public static void main(String[] args) throws Exception {
    // msoid.txt is a NegTokenInit packet sent from Internet Explorer to
    // IIS server on a test machine. No sensitive info included.
    byte[] captured = Files.readAllBytes(
            Paths.get(System.getProperty("test.src"), "msoid.txt"));
    // The first 10 bytes of the file are skipped before base64 decoding
    // (presumably a "Negotiate "-style prefix — confirm against the file).
    byte[] negTokenInit = Base64.getMimeDecoder()
            .decode(Arrays.copyOfRange(captured, 10, captured.length));

    // A null GSSCredential selects the acceptor-side createContext overload,
    // i.e. accept with whatever default credentials exist (here: none).
    GSSContext acceptor = GSSManager.getInstance().createContext((GSSCredential) null);
    try {
        acceptor.acceptSecContext(negTokenInit, 0, negTokenInit.length);
        // and acceptor chooses another mech and goes on
        throw new Exception("Should fail");
    } catch (GSSException gsse) {
        // After the fix, GSS_KRB5_MECH_OID_MS is recognized but the token
        // cannot be accepted because we don't have any krb5 credential.
        gsse.printStackTrace();
        if (gsse.getMajor() != GSSException.NO_CRED) {
            throw gsse;
        }
        // Good only if the failure originated inside the krb5 mechanism.
        boolean raisedByKrb5 = Arrays.stream(gsse.getStackTrace())
                .map(StackTraceElement::getClassName)
                .anyMatch(cls -> cls.startsWith("sun.security.jgss.krb5."));
        if (!raisedByKrb5) {
            throw gsse;
        }
    }
}

Example 32 with GSSContext

use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.

the class KrbCredSubKey method main.

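/**
 * Test entry point: writes a permissive krb5.conf, builds a Subject that holds
 * only the service principal and its AES128 key, and accepts the pre-built
 * {@code token} as that subject.
 *
 * <p>{@code princ}, {@code key} and {@code token} are defined elsewhere in this
 * class and are not visible here.
 *
 * @throws Exception on any configuration or GSS-API failure (test fails)
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference, so allow an enormous clockskew.
    // try-with-resources closes the stream (the original never closed it) and
    // the charset is pinned instead of relying on the platform default.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999"
                .getBytes(java.nio.charset.StandardCharsets.UTF_8));
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    // Run the acceptor as the subject so the krb5 mech picks up kk as its
    // acceptor credential. The action is typed instead of the raw
    // PrivilegedExceptionAction the original used.
    Subject.doAs(subj, new PrivilegedExceptionAction<byte[]>() {

        @Override
        public byte[] run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            GSSCredential acceptorCred = man.createCredential(null,
                    GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID,
                    GSSCredential.ACCEPT_ONLY);
            GSSContext ctxt = man.createContext(acceptorCred);
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}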

Example 33 with GSSContext

use of org.ietf.jgss.GSSContext in project jdk8u_jdk by JetBrains.

the class Test5653 method main.

/**
 * Test entry point: checks that the old krb5 name-type OID 1.3.6.1.5.6.2 is
 * still accepted by {@code getMechsForName} and {@code createName}, that the
 * resulting name reports {@code NT_HOSTBASED_SERVICE}, and that a context can
 * still be initiated and accepted with it.
 *
 * @throws Exception when any of the four checks fails
 */
public static void main(String[] args) throws Exception {
    Oid legacyNameType = new Oid("1.3.6.1.5.6.2");
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    GSSManager mgr = GSSManager.getInstance();

    // Test 1: the getMechsForName() method accepts it.
    Oid[] mechs = mgr.getMechsForName(legacyNameType);
    boolean krb5Listed = false;
    for (int i = 0; i < mechs.length && !krb5Listed; i++) {
        krb5Listed = mechs[i].equals(GSSUtil.GSS_KRB5_MECH_OID);
    }
    if (!krb5Listed) {
        throw new Exception("Cannot found krb5 mech for old name type");
    }

    // Test 2: the createName() method accepts it.
    GSSName svcName = mgr.createName("server@host.rabbit.hole", legacyNameType);

    // Test 3: its getStringNameType() output is correct
    if (!svcName.getStringNameType().equals(GSSName.NT_HOSTBASED_SERVICE)) {
        throw new Exception("GSSName not correct name type");
    }

    // Test 4: everything still works: initiator produces a token the server accepts.
    GSSContext initiator = mgr.createContext(svcName, GSSUtil.GSS_KRB5_MECH_OID,
            null, GSSContext.DEFAULT_LIFETIME);
    byte[] initToken = initiator.initSecContext(new byte[0], 0, 0);
    Context server = Context.fromJAAS("server");
    server.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    server.x().acceptSecContext(initToken, 0, initToken.length);
}

Example 34 with GSSContext

use of org.ietf.jgss.GSSContext in project voltdb by VoltDB.

the class HTTPClientInterface method spnegoLogin.

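/**
 * Authenticates an HTTP client from the base64 SPNEGO token it presented.
 *
 * @param encodedToken the base64-encoded SPNEGO token (how the caller extracts
 *     it from the request is not visible here); may be {@code null}
 * @return the source name of the established context, i.e. the authenticated
 *     user, or {@code null} when the token is missing, the context cannot be
 *     established in one leg, or any GSS-API error occurs (errors are logged)
 */
private String spnegoLogin(String encodedToken) {
    // Guard BEFORE decoding: the original decoded first, so a null or empty
    // token never reached this check.
    if (encodedToken == null || encodedToken.isEmpty()) {
        return null;
    }
    byte[] token = B64Code.decode(encodedToken);
    GSSContext ctx = null;
    try {
        final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        GSSManager manager = GSSManager.getInstance();
        GSSName name = manager.createName(m_servicePrincipal, null);
        ctx = manager.createContext(name.canonicalize(spnegoOid), spnegoOid, null, GSSContext.INDEFINITE_LIFETIME);
        if (ctx == null) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "Failed to establish security context for SPNEGO authentication");
            return null;
        }
        // A single acceptor leg only. This method sees one request, so an output
        // token that would need another round trip cannot be returned to the
        // client from here. The original looped, feeding the acceptor's own output
        // token back into acceptSecContext, which is never valid acceptor input.
        ctx.acceptSecContext(token, 0, token.length);
        if (!ctx.isEstablished()) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "SPNEGO security context not established after one token; multi-leg negotiation is not supported");
            return null;
        }
        GSSName src = ctx.getSrcName();
        if (src == null) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "Failed to read source name from established SPNEGO security context");
            return null;
        }
        String user = src.toString();
        if (m_log.isDebugEnabled()) {
            m_log.debug("established SPNEGO security context for " + user);
        }
        return user;
    } catch (GSSException e) {
        m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, e, "failed SPNEGO authentication");
        return null;
    } finally {
        // Release mechanism state on every path; the original never disposed it.
        if (ctx != null) {
            try {
                ctx.dispose();
            } catch (GSSException ignored) {
                // best-effort cleanup; the authentication outcome is already decided
            }
        }
    }
}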

Example 35 with GSSContext

use of org.ietf.jgss.GSSContext in project voltdb by VoltDB.

the class ConnectionUtil method performAuthenticationHandShake.

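/**
 * Runs the Kerberos (GSS-API) handshake over {@code channel} as {@code subject}
 * and then reads the server's login response.
 *
 * @param channel     connected channel to the server; closed on any failure
 * @param subject     authenticated subject whose first principal is used
 * @param serviceName Kerberos service principal name of the server
 * @return the login response with the leading version byte already consumed
 * @throws IOException  if the subject has no principal, delegation is attempted
 *                      by a principal other than the service, the handshake
 *                      fails, or the response is truncated or malformed
 * @throws EOFException if the server closes the connection mid-response
 */
private static final ByteBuffer performAuthenticationHandShake(final SocketChannel channel, final Subject subject, final String serviceName) throws IOException {
    try {
        // The original called iterator().next() unguarded, which fails with an
        // unchecked NoSuchElementException instead of an IOException.
        if (subject.getPrincipals().isEmpty()) {
            throw new IOException("Subject has no principal to authenticate with");
        }
        String subjectPrincipal = subject.getPrincipals().iterator().next().getName();
        final Optional<DelegatePrincipal> delegate = getDelegate(subject);
        if (delegate.isPresent() && !subjectPrincipal.equals(serviceName)) {
            throw new IOException("Delegate authentication is not allowed for user " + delegate.get().getName());
        }
        Subject.doAs(subject, new PrivilegedAction<GSSContext>() {

            @Override
            public GSSContext run() {
                GSSContext context = null;
                try {
                    /*
                     * The standard type designation for kerberos v5 secure service context
                     */
                    final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
                    /*
                     * The standard type designation for principal
                     */
                    final Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
                    final GSSName serverName = m_gssManager.createName(serviceName, krb5PrincipalNameType);
                    context = m_gssManager.createContext(serverName, krb5Oid, null, GSSContext.INDEFINITE_LIFETIME);
                    // Mutual authentication plus confidentiality/integrity are requested
                    // before the first token is produced.
                    context.requestMutualAuth(true);
                    context.requestConf(true);
                    context.requestInteg(true);
                    establishSecurityContext(channel, context, delegate);
                    context.dispose();
                    context = null;
                } catch (GSSException | IOException ex) {
                    // PrivilegedAction.run() cannot throw checked exceptions; the
                    // catch block below unwraps this again.
                    throw new RuntimeException(ex);
                } finally {
                    if (context != null) {
                        try {
                            context.dispose();
                        } catch (Exception ignoreIt) {
                            // best-effort cleanup after a failed handshake
                        }
                    }
                }
                return null;
            }
        });
    } catch (RuntimeException ex) {
        // if we get here the authentication handshake failed.
        // The original caught only SecurityException, but Subject.doAs(Subject,
        // PrivilegedAction) lets the RuntimeException thrown by run() propagate
        // unwrapped, so GSS/IO failures bypassed this block and left the channel
        // open. RuntimeException covers SecurityException as well.
        try {
            channel.close();
        } catch (Exception ignoreIt) {
            // best effort; the handshake failure is what gets reported
        }
        // Unwrap one or two layers: the RuntimeException thrown by run() above,
        // and (presumably) a second runtime wrapper added by a helper such as
        // Throwables — confirm against establishSecurityContext.
        Throwable cause = ex.getCause();
        if (cause != null && (cause instanceof RuntimeException) && cause.getCause() != null) {
            cause = cause.getCause();
        } else if (cause == null) {
            cause = ex;
        }
        if (cause instanceof IOException) {
            throw IOException.class.cast(cause);
        } else {
            throw new IOException("Authentication Handshake Failed", cause);
        }
    }
    ByteBuffer lengthBuffer = ByteBuffer.allocate(4);
    readFullyOrClose(channel, lengthBuffer);
    int responseSize = lengthBuffer.getInt();
    // The response must hold at least the version byte read below; a negative
    // size would make ByteBuffer.allocate throw an unchecked exception and leave
    // the channel open. NOTE(review): no upper bound is enforced, so a
    // misbehaving peer can make this allocate up to 2 GiB — consider capping
    // once the protocol's maximum response size is known.
    if (responseSize < 1) {
        channel.close();
        throw new IOException("Invalid login response length: " + responseSize);
    }
    ByteBuffer loginResponse = ByteBuffer.allocate(responseSize);
    readFullyOrClose(channel, loginResponse);
    byte version = loginResponse.get();
    if (version != (byte) 0) {
        channel.close();
        throw new IOException("Encountered unexpected version for the login response message: " + version);
    }
    return loginResponse;
}

/**
 * Reads from {@code channel} until {@code buffer} is full, then flips it for
 * reading. On end of stream the channel is closed and {@link EOFException} thrown.
 */
private static void readFullyOrClose(final SocketChannel channel, final ByteBuffer buffer) throws IOException {
    while (buffer.hasRemaining()) {
        if (channel.read(buffer) == -1) {
            channel.close();
            throw new EOFException();
        }
    }
    buffer.flip();
}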
