Search in sources :

Example 1 with GSSCredential

use of org.ietf.jgss.GSSCredential in project jetty.project by eclipse.

the class SpnegoLoginService method login.

/**
     * username will be null since the credentials will contain all the relevant info
     */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        Oid krb5Oid = new Oid("1.3.6.1.5.5.2");
        GSSName gssName = manager.createName(_targetName, null);
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, krb5Oid, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
        } else {
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                String clientName = gContext.getSrcName().toString();
                String role = clientName.substring(clientName.indexOf('@') + 1);
                LOG.debug("SpnegoUserRealm: established a security context");
                LOG.debug("Client Principal is: " + gContext.getSrcName());
                LOG.debug("Server Principal is: " + gContext.getTargName());
                LOG.debug("Client Default Role: " + role);
                SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
                Subject subject = new Subject();
                subject.getPrincipals().add(user);
                return _identityService.newUserIdentity(subject, user, new String[] { role });
            }
        }
    } catch (GSSException gsse) {
        LOG.warn(gsse);
    }
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid) Subject(javax.security.auth.Subject)

Example 2 with GSSCredential

use of org.ietf.jgss.GSSCredential in project tomcat by apache.

the class RealmBase method authenticate.

/**
     * {@inheritDoc}
     */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (gssContext.isEstablished()) {
        GSSName gssName = null;
        try {
            gssName = gssContext.getSrcName();
        } catch (GSSException e) {
            log.warn(sm.getString("realmBase.gssNameFail"), e);
        }
        if (gssName != null) {
            String name = gssName.toString();
            if (isStripRealmForGss()) {
                int i = name.indexOf('@');
                if (i > 0) {
                    // Zero so we don;t leave a zero length name
                    name = name.substring(0, i);
                }
            }
            GSSCredential gssCredential = null;
            if (storeCreds && gssContext.getCredDelegState()) {
                try {
                    gssCredential = gssContext.getDelegCred();
                } catch (GSSException e) {
                    if (log.isDebugEnabled()) {
                        log.debug(sm.getString("realmBase.delegatedCredentialFail", name), e);
                    }
                }
            }
            return getPrincipal(name, gssCredential);
        }
    } else {
        log.error(sm.getString("realmBase.gssContextNotEstablished"));
    }
    // Fail in all other cases
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint)

Example 3 with GSSCredential

use of org.ietf.jgss.GSSCredential in project OpenAM by OpenRock.

the class WindowsDesktopSSO method authenticateToken.

private void authenticateToken(final byte[] kerberosToken, final Set<String> trustedRealms) throws AuthLoginException, GSSException, Exception {
    debug.message("In authenticationToken ...");
    Subject.doAs(serviceSubject, new PrivilegedExceptionAction() {

        public Object run() throws Exception {
            GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            if (debug.messageEnabled()) {
                debug.message("Context created.");
            }
            byte[] outToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
            if (outToken != null) {
                if (debug.messageEnabled()) {
                    debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(outToken, 0, outToken.length));
                }
            }
            if (!context.isEstablished()) {
                debug.error("Cannot establish context !");
                throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
            } else {
                if (debug.messageEnabled()) {
                    debug.message("Context established !");
                }
                GSSName user = context.getSrcName();
                final String userPrincipalName = user.toString();
                // expected default behaviour.
                if (!trustedRealms.isEmpty()) {
                    boolean foundTrustedRealm = false;
                    for (final String trustedRealm : trustedRealms) {
                        if (isTokenTrusted(userPrincipalName, trustedRealm)) {
                            foundTrustedRealm = true;
                            break;
                        }
                    }
                    if (!foundTrustedRealm) {
                        debug.error("Kerberos token for " + userPrincipalName + " not trusted");
                        final String[] data = { userPrincipalName };
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "untrustedToken", data);
                    }
                }
                // perform the search.
                if (lookupUserInRealm) {
                    String org = getRequestOrg();
                    String userValue = getUserName(userPrincipalName);
                    String userName = searchUserAccount(userValue, org);
                    if (userName != null && !userName.isEmpty()) {
                        storeUsernamePasswd(userValue, null);
                    } else {
                        String[] data = { userValue, org };
                        debug.error("WindowsDesktopSSO.authenticateToken: " + ": Unable to find the user " + userValue);
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "notfound", data);
                    }
                }
                if (debug.messageEnabled()) {
                    debug.message("WindowsDesktopSSO.authenticateToken:" + "User authenticated: " + user.toString());
                }
                if (user != null) {
                    setPrincipal(userPrincipalName);
                }
            }
            context.dispose();
            return null;
        }
    });
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) IdRepoException(com.sun.identity.idm.IdRepoException) PrivilegedActionException(java.security.PrivilegedActionException) GSSException(org.ietf.jgss.GSSException) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) SSOException(com.iplanet.sso.SSOException)

Example 4 with GSSCredential

use of org.ietf.jgss.GSSCredential in project jdk8u_jdk by JetBrains.

the class ServiceCredsCombination method check.

/**
     * Checks the correct bound
     * @param a get a creds for this principal, null for default one
     * @param b expected name, null for still unbound, "NOCRED" for no creds
     * @param objs princs, keys and keytabs in the subject
     */
private static void check(final String a, String b, Object... objs) throws Exception {
    Subject subj = new Subject();
    for (Object obj : objs) {
        if (obj instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) obj);
        } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
            subj.getPrivateCredentials().add(obj);
        }
    }
    final GSSManager man = GSSManager.getInstance();
    try {
        String result = Subject.doAs(subj, new PrivilegedExceptionAction<String>() {

            @Override
            public String run() throws GSSException {
                GSSCredential cred = man.createCredential(a == null ? null : man.createName(r(a), null), GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY);
                GSSName name = cred.getName();
                return name == null ? null : name.toString();
            }
        });
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a + ") has name " + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        if (!"NOCRED".equals(b)) {
            throw new Exception("Check failed: getInstance(" + a + ") is null " + ", but not one with name " + b);
        }
    }
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) Subject(javax.security.auth.Subject) PrivilegedActionException(java.security.PrivilegedActionException) GSSException(org.ietf.jgss.GSSException) KerberosKey(javax.security.auth.kerberos.KerberosKey) GSSException(org.ietf.jgss.GSSException) KeyTab(javax.security.auth.kerberos.KeyTab) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager)

Example 5 with GSSCredential

use of org.ietf.jgss.GSSCredential in project jdk8u_jdk by JetBrains.

the class MechTokenMissing method main.

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);
    String var = /*0000*/
    "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/
    "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length() / 3];
    for (int i = 0; i < token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3 * i, 3 * i + 2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}
Also used : GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext)

Aggregations

GSSCredential (org.ietf.jgss.GSSCredential)65 GSSManager (org.ietf.jgss.GSSManager)38 Oid (org.ietf.jgss.Oid)36 GSSName (org.ietf.jgss.GSSName)34 GSSException (org.ietf.jgss.GSSException)33 GSSContext (org.ietf.jgss.GSSContext)28 Subject (javax.security.auth.Subject)22 PrivilegedActionException (java.security.PrivilegedActionException)19 Principal (java.security.Principal)18 IOException (java.io.IOException)9 LoginContext (javax.security.auth.login.LoginContext)9 LoginException (javax.security.auth.login.LoginException)9 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)8 KerberosCredentials (org.apache.http.auth.KerberosCredentials)7 KerberosTicket (javax.security.auth.kerberos.KerberosTicket)6 SaslException (javax.security.sasl.SaslException)6 SPNegoSchemeFactory (org.apache.http.impl.auth.SPNegoSchemeFactory)4 BasicCredentialsProvider (org.apache.http.impl.client.BasicCredentialsProvider)4 Test (org.junit.Test)4 ExtendedGSSContext (com.sun.security.jgss.ExtendedGSSContext)3