Example 51 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project tigervnc by TigerVNC.

From the class GSSContextKrb5, method create:

public void create(String user, String host) throws JSchException {
    try {
        // RFC 1964
        Oid krb5 = new Oid("1.2.840.113554.1.2.2");
        // Kerberos Principal Name Form
        Oid principalName = new Oid("1.2.840.113554.1.2.2.1");
        GSSManager mgr = GSSManager.getInstance();
        GSSCredential crd = null;
        /*
        try {
            GSSName _user = mgr.createName(user, principalName);
            crd = mgr.createCredential(_user,
                                       GSSCredential.DEFAULT_LIFETIME,
                                       krb5,
                                       GSSCredential.INITIATE_ONLY);
        } catch (GSSException crdex) {
        }
        */
        // Build the target name host/<fqdn> from the canonical host name;
        // fall back to the name as given if it cannot be resolved.
        String cname = host;
        try {
            cname = InetAddress.getByName(cname).getCanonicalHostName();
        } catch (UnknownHostException e) {
            // keep the unresolved host name
        }
        GSSName _host = mgr.createName("host/" + cname, principalName);
        context = mgr.createContext(_host, krb5, crd, GSSContext.DEFAULT_LIFETIME);
        // RFC4462  3.4.  GSS-API Session
        // 
        // When calling GSS_Init_sec_context(), the client MUST set
        // integ_req_flag to "true" to request that per-message integrity
        // protection be supported for this context.  In addition,
        // deleg_req_flag MAY be set to "true" to request access delegation, if
        // requested by the user.
        // 
        // Since the user authentication process by its nature authenticates
        // only the client, the setting of mutual_req_flag is not needed for
        // this process.  This flag SHOULD be set to "false".
        // TODO: OpenSSH's sshd does accept 'false' for mutual_req_flag
        // context.requestMutualAuth(false);
        context.requestMutualAuth(true);
        context.requestConf(true);
        // for MIC
        context.requestInteg(true);
        context.requestCredDeleg(true);
        context.requestAnonymity(false);
        return;
    } catch (GSSException ex) {
        throw new JSchException(ex.toString());
    }
}
Also used: JSchException(com.jcraft.jsch.JSchException) GSSName(org.ietf.jgss.GSSName) UnknownHostException(java.net.UnknownHostException) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) Oid(org.ietf.jgss.Oid)

Example 52 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project cxf by apache.

From the class AbstractSpnegoAuthSupplier, method getToken:

/**
 * Create and return a service ticket token for a given service principal
 * name
 *
 * @param authPolicy the authorization policy carrying the user name and password; may be null
 * @param spn the service principal name
 * @param oid the GSS mechanism OID used to create the security context
 * @param message the current message, consulted for a delegated credential
 * @return service ticket token
 * @throws GSSException
 * @throws LoginException
 */
private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid oid, Message message) throws GSSException, LoginException {
    GSSCredential delegatedCred = (GSSCredential) message.getContextualProperty(GSSCredential.class.getName());
    Subject subject = null;
    if (authPolicy != null && delegatedCred == null) {
        String contextName = authPolicy.getAuthorization();
        if (contextName == null) {
            contextName = "";
        }
        if (!(StringUtils.isEmpty(authPolicy.getUserName()) && StringUtils.isEmpty(contextName) && loginConfig == null)) {
            CallbackHandler callbackHandler = getUsernamePasswordHandler(authPolicy.getUserName(), authPolicy.getPassword());
            LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
            lc.login();
            subject = lc.getSubject();
        }
    }
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName(spn, serviceNameType);
    GSSContext context = manager.createContext(serverName.canonicalize(oid), oid, delegatedCred, GSSContext.DEFAULT_LIFETIME);
    context.requestCredDeleg(isCredDelegationRequired(message));
    // If the delegated cred is not null then we only need the context to
    // immediately return a ticket based on this credential without attempting
    // to log on again
    final byte[] token = new byte[0];
    if (delegatedCred != null) {
        return context.initSecContext(token, 0, token.length);
    }
    decorateSubject(subject);
    try {
        return Subject.doAs(subject, new CreateServiceTicketAction(context, token));
    } catch (PrivilegedActionException e) {
        if (e.getCause() instanceof GSSException) {
            throw (GSSException) e.getCause();
        }
        LOG.log(Level.SEVERE, "initSecContext", e);
        return null;
    }
}
Also used: GSSName(org.ietf.jgss.GSSName) NamePasswordCallbackHandler(org.apache.cxf.interceptor.security.NamePasswordCallbackHandler) CallbackHandler(javax.security.auth.callback.CallbackHandler) LoginContext(javax.security.auth.login.LoginContext) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) PrivilegedActionException(java.security.PrivilegedActionException) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Subject(javax.security.auth.Subject)

Example 53 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project cxf by apache.

From the class KerberosClient, method requestSecurityToken:

public SecurityToken requestSecurityToken() throws Exception {
    // See if we have a delegated Credential to use
    Message message = PhaseInterceptorChain.getCurrentMessage();
    GSSCredential delegatedCredential = null;
    if (message != null && useDelegatedCredential) {
        Object obj = message.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL);
        if (obj instanceof GSSCredential) {
            delegatedCredential = (GSSCredential) obj;
        }
    }
    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Requesting Kerberos ticket for " + serviceName + " using JAAS Login Module: " + getContextName());
    }
    KerberosSecurity bst = createKerberosSecurity();
    bst.retrieveServiceTicket(getContextName(), callbackHandler, serviceName, isUsernameServiceNameForm, requestCredentialDelegation, delegatedCredential);
    bst.addWSUNamespace();
    bst.setID(wssConfig.getIdAllocator().createSecureId("BST-", bst));
    bst.addWSUNamespace();
    SecurityToken token = new SecurityToken(bst.getID());
    token.setToken(bst.getElement());
    token.setWsuId(bst.getID());
    SecretKey secretKey = bst.getSecretKey();
    if (secretKey != null) {
        token.setKey(secretKey);
        token.setSecret(secretKey.getEncoded());
    }
    String sha1 = XMLUtils.encodeToString(KeyUtils.generateDigest(bst.getToken()));
    token.setSHA1(sha1);
    token.setTokenType(bst.getValueType());
    return token;
}
Also used: SecurityToken(org.apache.cxf.ws.security.tokenstore.SecurityToken) KerberosSecurity(org.apache.wss4j.dom.message.token.KerberosSecurity) SecretKey(javax.crypto.SecretKey) Message(org.apache.cxf.message.Message) GSSCredential(org.ietf.jgss.GSSCredential)

Example 54 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project qpid-broker-j by apache.

From the class SpnegoAuthenticator, method doAuthenticate:

private AuthenticationResult doAuthenticate(final Subject subject, final byte[] negotiateToken) {
    GSSContext context = null;
    try {
        final int credentialLifetime;
        if (String.valueOf(System.getProperty(StandardSystemProperty.JAVA_VENDOR.key())).toUpperCase().contains("IBM")) {
            credentialLifetime = GSSCredential.INDEFINITE_LIFETIME;
        } else {
            credentialLifetime = GSSCredential.DEFAULT_LIFETIME;
        }
        final GSSManager manager = GSSManager.getInstance();
        // Acquire an acceptor-only credential for the SPNEGO mechanism (OID 1.3.6.1.5.5.2)
        final PrivilegedExceptionAction<GSSCredential> credentialsAction = () -> manager.createCredential(null, credentialLifetime, new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
        final GSSContext gssContext = manager.createContext(Subject.doAs(subject, credentialsAction));
        context = gssContext;
        final PrivilegedExceptionAction<byte[]> acceptAction = () -> gssContext.acceptSecContext(negotiateToken, 0, negotiateToken.length);
        final byte[] outToken = Subject.doAs(subject, acceptAction);
        if (outToken == null) {
            LOGGER.debug("Ticket validation failed");
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
        }
        final PrivilegedAction<String> authenticationAction = () -> {
            if (gssContext.isEstablished()) {
                GSSName gssName = null;
                try {
                    gssName = gssContext.getSrcName();
                } catch (final GSSException e) {
                    LOGGER.error("Unable to get src name from gss context", e);
                }
                if (gssName != null) {
                    return stripRealmNameIfRequired(gssName.toString());
                }
            }
            return null;
        };
        final String principalName = Subject.doAs(subject, authenticationAction);
        if (principalName != null) {
            TokenCarryingPrincipal principal = new TokenCarryingPrincipal() {

                private Map<String, String> _tokens = Collections.singletonMap(RESPONSE_AUTH_HEADER_NAME, NEGOTIATE_PREFIX + Base64.getEncoder().encodeToString(outToken));

                @Override
                public Map<String, String> getTokens() {
                    return _tokens;
                }

                @Override
                public ConfiguredObject<?> getOrigin() {
                    return _kerberosProvider;
                }

                @Override
                public String getName() {
                    return principalName;
                }

                @Override
                public boolean equals(final Object o) {
                    if (this == o) {
                        return true;
                    }
                    if (!(o instanceof TokenCarryingPrincipal)) {
                        return false;
                    }
                    final TokenCarryingPrincipal that = (TokenCarryingPrincipal) o;
                    if (!getName().equals(that.getName())) {
                        return false;
                    }
                    if (!getTokens().equals(that.getTokens())) {
                        return false;
                    }
                    return getOrigin() != null ? getOrigin().equals(that.getOrigin()) : that.getOrigin() == null;
                }

                @Override
                public int hashCode() {
                    int result = getName().hashCode();
                    result = 31 * result + (getOrigin() != null ? getOrigin().hashCode() : 0);
                    result = 31 * result + getTokens().hashCode();
                    return result;
                }
            };
            return new AuthenticationResult(principal);
        }
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
    } catch (GSSException e) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Ticket validation failed", e);
        }
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
    } catch (PrivilegedActionException e) {
        final Exception cause = e.getException();
        if (cause instanceof GSSException) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Service login failed", e);
            }
        } else {
            LOGGER.error("Service login failed", e);
        }
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
    } finally {
        if (context != null) {
            try {
                context.dispose();
            } catch (GSSException e) {
                // Ignore
            }
        }
    }
}
Also used: GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) Oid(org.ietf.jgss.Oid) TokenCarryingPrincipal(org.apache.qpid.server.security.TokenCarryingPrincipal) LoginException(javax.security.auth.login.LoginException) GSSException(org.ietf.jgss.GSSException) AuthenticationResult(org.apache.qpid.server.security.auth.AuthenticationResult) GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext) GSSManager(org.ietf.jgss.GSSManager) ConfiguredObject(org.apache.qpid.server.model.ConfiguredObject) Map(java.util.Map)

Example 55 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project cxf by apache.

From the class IntermediaryPortTypeImpl, method doubleIt:

public int doubleIt(int numberToDouble) {
    Principal pr = wsc.getUserPrincipal();
    Assert.assertNotNull("Principal must not be null", pr);
    Assert.assertNotNull("Principal.getName() must not return null", pr.getName());
    URL wsdl = IntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
    DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
    try {
        updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT);
    } catch (Exception ex) {
        ex.printStackTrace();
    }
    // Retrieve delegated credential + set it on the outbound message
    MessageContext messageContext = wsc.getMessageContext();
    GSSCredential delegatedCredential = (GSSCredential) messageContext.get(SecurityConstants.DELEGATED_CREDENTIAL);
    Map<String, Object> context = ((BindingProvider) transportPort).getRequestContext();
    context.put(SecurityConstants.DELEGATED_CREDENTIAL, delegatedCredential);
    STSClient stsClient = (STSClient) context.get(SecurityConstants.STS_CLIENT);
    if (stsClient != null) {
        String location = stsClient.getWsdlLocation();
        if (location.contains("8443")) {
            stsClient.setWsdlLocation(location.replace("8443", KerberosDelegationTokenTest.STSPORT));
        }
    }
    return transportPort.doubleIt(numberToDouble);
}
Also used: QName(javax.xml.namespace.QName) WebService(javax.jws.WebService) Service(javax.xml.ws.Service) BindingProvider(javax.xml.ws.BindingProvider) URL(java.net.URL) STSClient(org.apache.cxf.ws.security.trust.STSClient) GSSCredential(org.ietf.jgss.GSSCredential) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType) MessageContext(javax.xml.ws.handler.MessageContext) Principal(java.security.Principal)
