use of org.ietf.jgss.GSSCredential in project tigervnc by TigerVNC.
the class GSSContextKrb5 method create.
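/**
 * Builds the initiator-side Kerberos 5 GSS context for the SSH server {@code host}
 * and stores it in the {@code context} field.
 *
 * <p>The {@code user} parameter is currently unused: the explicit
 * {@code createCredential()} for that principal was disabled upstream, so a
 * {@code null} credential is passed to {@code createContext()} and the JGSS
 * provider picks the default initiator credential of the calling subject /
 * ticket cache.
 *
 * @param user login name (unused, kept for API compatibility)
 * @param host SSH server host name as typed by the user
 * @throws JSchException wrapping any {@link GSSException} raised while the
 *         names, credential or context are created
 */
public void create(String user, String host) throws JSchException {
  try {
    // RFC 1964: Kerberos V5 GSS-API mechanism OID
    Oid krb5 = new Oid("1.2.840.113554.1.2.2");
    // Kerberos Principal Name Form
    Oid principalName = new Oid("1.2.840.113554.1.2.2.1");
    GSSManager mgr = GSSManager.getInstance();
    // null → default initiator credential (see class comment about 'user').
    GSSCredential crd = null;

    // Canonicalise the host name to build the service principal "host/<fqdn>".
    // NOTE(review): getCanonicalHostName() performs a forward and then a reverse
    // (PTR) DNS lookup, so the SPN the ticket is requested for is chosen by whoever
    // controls DNS for that address. The KDC only issues tickets for principals it
    // knows, but on networks without DNSSEC this is the same exposure that the
    // krb5 "rdns = false" setting exists to avoid; consider skipping the reverse
    // step when the user already supplied a fully-qualified name.
    String cname = host;
    try {
      cname = InetAddress.getByName(cname).getCanonicalHostName();
    } catch (UnknownHostException ignored) {
      // Best effort: fall back to the name the user typed.
    }
    GSSName _host = mgr.createName("host/" + cname, principalName);
    context = mgr.createContext(_host, krb5, crd, GSSContext.DEFAULT_LIFETIME);

    // RFC4462 3.4. GSS-API Session
    //
    // When calling GSS_Init_sec_context(), the client MUST set
    // integ_req_flag to "true" to request that per-message integrity
    // protection be supported for this context. In addition,
    // deleg_req_flag MAY be set to "true" to request access delegation, if
    // requested by the user.
    //
    // Since the user authentication process by its nature authenticates
    // only the client, the setting of mutual_req_flag is not needed for
    // this process. This flag SHOULD be set to "false".
    // TODO: OpenSSH's sshd does accepts 'false' for mutual_req_flag
    // context.requestMutualAuth(false);
    context.requestMutualAuth(true);
    context.requestConf(true);
    // for MIC
    context.requestInteg(true);
    // NOTE(review): delegation is requested unconditionally, i.e. a forwardable
    // TGT is offered to every SSH server this client connects to. RFC 4462 makes
    // this optional "if requested by the user"; an opt-in switch (the equivalent
    // of OpenSSH's GSSAPIDelegateCredentials) would limit the blast radius of a
    // compromised or hostile server. Behaviour left unchanged here.
    context.requestCredDeleg(true);
    context.requestAnonymity(false);
  } catch (GSSException ex) {
    // Keep the GSSException as the cause so the major/minor status codes survive
    // for diagnosis rather than only the flattened toString() text.
    throw new JSchException(ex.toString(), ex);
  }
}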
use of org.ietf.jgss.GSSCredential in project cxf by apache.
the class AbstractSpnegoAuthSupplier method getToken.
/**
 * Obtains a Kerberos/SPNEGO service ticket for {@code spn} and returns the
 * initial GSS-API context token that carries it.
 *
 * <p>Two credential sources are possible:
 * <ul>
 *   <li>a delegated {@link GSSCredential} stored on the message under the
 *       property name {@code GSSCredential.class.getName()} — when present it
 *       is used as the initiator credential and no JAAS login is performed;</li>
 *   <li>otherwise a JAAS login driven by {@code authPolicy} (user name /
 *       password through the callback handler, login entry taken from
 *       {@code authPolicy.getAuthorization()}), whose {@link Subject} then
 *       runs the ticket request.</li>
 * </ul>
 *
 * <p>NOTE(review): the delegated credential is used exactly as found on the
 * message; whoever can set that contextual property on the outbound message
 * decides which identity the ticket is requested with. It should only ever be
 * populated from an authenticated inbound exchange.
 *
 * @param authPolicy user name / password / JAAS entry, may be {@code null}
 * @param spn service principal name to request a ticket for
 * @param oid GSS-API mechanism OID
 * @param message current outbound message
 * @return the initial security-context token, or {@code null} when the
 *         privileged action failed with something other than a
 *         {@link GSSException} (logged at SEVERE)
 * @throws GSSException if name canonicalisation, context creation or the
 *         token exchange fails
 * @throws LoginException if the JAAS login fails
 */
private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid oid, Message message) throws GSSException, LoginException {
    final GSSCredential forwardedCred =
        (GSSCredential) message.getContextualProperty(GSSCredential.class.getName());

    // A JAAS login is attempted only when no delegated credential is present
    // and the policy carries something to log in with.
    Subject loginSubject = null;
    if (forwardedCred == null && authPolicy != null) {
        String jaasEntry = authPolicy.getAuthorization();
        if (jaasEntry == null) {
            jaasEntry = "";
        }
        if (!StringUtils.isEmpty(authPolicy.getUserName())
                || !StringUtils.isEmpty(jaasEntry)
                || loginConfig != null) {
            final CallbackHandler handler =
                getUsernamePasswordHandler(authPolicy.getUserName(), authPolicy.getPassword());
            final LoginContext login = new LoginContext(jaasEntry, null, handler, loginConfig);
            login.login();
            loginSubject = login.getSubject();
        }
    }

    final GSSManager gssManager = GSSManager.getInstance();
    final GSSName target = gssManager.createName(spn, serviceNameType);
    // Canonicalise the target name for the selected mechanism before building the context.
    final GSSContext secContext = gssManager.createContext(
        target.canonicalize(oid), oid, forwardedCred, GSSContext.DEFAULT_LIFETIME);
    secContext.requestCredDeleg(isCredDelegationRequired(message));

    final byte[] emptyToken = new byte[0];
    // With a delegated credential the context can emit the ticket directly;
    // there is no subject to run under.
    if (forwardedCred != null) {
        return secContext.initSecContext(emptyToken, 0, emptyToken.length);
    }

    // loginSubject may still be null here (no policy, or nothing to log in with);
    // Subject.doAs then runs the action with no subject — presumably leaving the
    // Kerberos provider to its default credential lookup; verify against callers.
    decorateSubject(loginSubject);
    try {
        return Subject.doAs(loginSubject, new CreateServiceTicketAction(secContext, emptyToken));
    } catch (PrivilegedActionException pae) {
        final Throwable cause = pae.getCause();
        if (cause instanceof GSSException) {
            throw (GSSException) cause;
        }
        LOG.log(Level.SEVERE, "initSecContext", pae);
        return null;
    }
}
use of org.ietf.jgss.GSSCredential in project cxf by apache.
the class KerberosClient method requestSecurityToken.
/**
 * Requests a Kerberos service ticket for {@code serviceName} and wraps it in a
 * {@code SecurityToken}: the BinarySecurityToken element plus, when the ticket
 * exposes one, its session key.
 *
 * <p>If {@code useDelegatedCredential} is set and the current message carries a
 * {@link GSSCredential} under {@code SecurityConstants.DELEGATED_CREDENTIAL},
 * that credential is used to obtain the ticket instead of a fresh JAAS login.
 *
 * <p>NOTE(review): {@code setSecret(...)} copies the raw session-key bytes into
 * the returned token object; anything that serialises, caches or logs the
 * {@code SecurityToken} is handling key material.
 *
 * @return the token holding the service ticket
 * @throws Exception propagated from the JAAS login / ticket retrieval
 */
public SecurityToken requestSecurityToken() throws Exception {
    // Optionally reuse a credential delegated to us by an upstream caller.
    GSSCredential forwarded = null;
    Message current = PhaseInterceptorChain.getCurrentMessage();
    if (useDelegatedCredential && current != null) {
        Object candidate = current.getContextualProperty(SecurityConstants.DELEGATED_CREDENTIAL);
        if (candidate instanceof GSSCredential) {
            forwarded = (GSSCredential) candidate;
        }
    }

    if (LOG.isLoggable(Level.FINE)) {
        LOG.fine("Requesting Kerberos ticket for " + serviceName
            + " using JAAS Login Module: " + getContextName());
    }

    KerberosSecurity kerberosToken = createKerberosSecurity();
    kerberosToken.retrieveServiceTicket(getContextName(), callbackHandler, serviceName,
        isUsernameServiceNameForm, requestCredentialDelegation, forwarded);
    kerberosToken.addWSUNamespace();
    kerberosToken.setID(wssConfig.getIdAllocator().createSecureId("BST-", kerberosToken));
    // NOTE(review): duplicate of the call above; kept as-is and assumed
    // idempotent — confirm before removing.
    kerberosToken.addWSUNamespace();

    SecurityToken result = new SecurityToken(kerberosToken.getID());
    result.setToken(kerberosToken.getElement());
    result.setWsuId(kerberosToken.getID());

    // The session key is only available for ticket types that expose it.
    SecretKey sessionKey = kerberosToken.getSecretKey();
    if (sessionKey != null) {
        result.setKey(sessionKey);
        result.setSecret(sessionKey.getEncoded());
    }

    // Digest of the raw ticket bytes, recorded as the token's SHA1 reference.
    String digest = XMLUtils.encodeToString(KeyUtils.generateDigest(kerberosToken.getToken()));
    result.setSHA1(digest);
    result.setTokenType(kerberosToken.getValueType());
    return result;
}
use of org.ietf.jgss.GSSCredential in project qpid-broker-j by apache.
the class SpnegoAuthenticator method doAuthenticate.
/**
 * Validates a SPNEGO "Negotiate" token (mechanism OID 1.3.6.1.5.5.2) under the service
 * identity held in {@code subject} and, on success, returns a principal that also carries
 * the response token the HTTP layer must echo back in the {@code RESPONSE_AUTH_HEADER_NAME}
 * header.
 *
 * <p>Every GSS-API call runs inside {@code Subject.doAs(subject, ...)} so the acceptor
 * credential and the ticket validation use that subject's credentials.
 *
 * @param subject        the service's JAAS subject (result of the service login)
 * @param negotiateToken raw bytes of the client's Negotiate token
 * @return a result holding the authenticated principal, or an ERROR result
 */
private AuthenticationResult doAuthenticate(final Subject subject, final byte[] negotiateToken) {
GSSContext context = null;
try {
// NOTE(review): the IBM JDK gets INDEFINITE_LIFETIME, everyone else the default;
// presumably the IBM JGSS provider does not accept DEFAULT_LIFETIME here — confirm.
final int credentialLifetime;
if (String.valueOf(System.getProperty(StandardSystemProperty.JAVA_VENDOR.key())).toUpperCase().contains("IBM")) {
credentialLifetime = GSSCredential.INDEFINITE_LIFETIME;
} else {
credentialLifetime = GSSCredential.DEFAULT_LIFETIME;
}
final GSSManager manager = GSSManager.getInstance();
// Name null → acceptor credential for whatever service principal the subject holds;
// ACCEPT_ONLY because this side never initiates.
final PrivilegedExceptionAction<GSSCredential> credentialsAction = () -> manager.createCredential(null, credentialLifetime, new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
final GSSContext gssContext = manager.createContext(Subject.doAs(subject, credentialsAction));
// Kept in the outer variable so the finally block can dispose it.
context = gssContext;
final PrivilegedExceptionAction<byte[]> acceptAction = () -> gssContext.acceptSecContext(negotiateToken, 0, negotiateToken.length);
final byte[] outToken = Subject.doAs(subject, acceptAction);
// NOTE(review): GSS-API permits an established context to return no output token, so a
// legal-but-unusual outcome is reported as failure here; this relies on the SPNEGO
// acceptor always producing a final negTokenResp. Verify against the providers in use.
if (outToken == null) {
LOGGER.debug("Ticket validation failed");
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
}
final PrivilegedAction<String> authenticationAction = () -> {
// Only an established context yields a source name. A context that still needs another
// round-trip (non-null outToken, not yet established) therefore ends up as ERROR below:
// multi-leg negotiations are not handled by this method as written.
if (gssContext.isEstablished()) {
GSSName gssName = null;
try {
gssName = gssContext.getSrcName();
} catch (final GSSException e) {
LOGGER.error("Unable to get src name from gss context", e);
}
if (gssName != null) {
// NOTE(review): the initiator's name comes from the established context, i.e. from the
// validated ticket. Stripping the realm, however, merges same-named principals from
// different realms into one broker identity — only safe when a single realm is trusted.
return stripRealmNameIfRequired(gssName.toString());
}
}
return null;
};
final String principalName = Subject.doAs(subject, authenticationAction);
if (principalName != null) {
TokenCarryingPrincipal principal = new TokenCarryingPrincipal() {
// The response token travels back to the client on this principal; equals/hashCode
// include it, so two logins by the same user yield distinct principals.
private Map<String, String> _tokens = Collections.singletonMap(RESPONSE_AUTH_HEADER_NAME, NEGOTIATE_PREFIX + Base64.getEncoder().encodeToString(outToken));
@Override
public Map<String, String> getTokens() {
return _tokens;
}
@Override
public ConfiguredObject<?> getOrigin() {
return _kerberosProvider;
}
@Override
public String getName() {
return principalName;
}
@Override
public boolean equals(final Object o) {
if (this == o) {
return true;
}
if (!(o instanceof TokenCarryingPrincipal)) {
return false;
}
final TokenCarryingPrincipal that = (TokenCarryingPrincipal) o;
if (!getName().equals(that.getName())) {
return false;
}
if (!getTokens().equals(that.getTokens())) {
return false;
}
return getOrigin() != null ? getOrigin().equals(that.getOrigin()) : that.getOrigin() == null;
}
@Override
public int hashCode() {
// Same three fields as equals(): name, origin, tokens.
int result = getName().hashCode();
result = 31 * result + (getOrigin() != null ? getOrigin().hashCode() : 0);
result = 31 * result + getTokens().hashCode();
return result;
}
};
return new AuthenticationResult(principal);
}
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
} catch (GSSException e) {
// Thrown outside a doAs (e.g. createContext); treated like any other bad ticket.
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Ticket validation failed", e);
}
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
} catch (PrivilegedActionException e) {
// Unwrap: a GSSException inside the doAs (bad, expired or replayed ticket) is an
// expected client-side failure and is logged at debug only; anything else is a
// server-side problem and is logged as an error.
final Exception cause = e.getException();
if (cause instanceof GSSException) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debug("Service login failed", e);
}
} else {
LOGGER.error("Service login failed", e);
}
return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
} finally {
// Always release the context (and the session key material it holds), whether or
// not the token validated.
if (context != null) {
try {
context.dispose();
} catch (GSSException e) {
// Ignore
}
}
}
}
use of org.ietf.jgss.GSSCredential in project cxf by apache.
the class IntermediaryPortTypeImpl method doubleIt.
/**
 * Intermediary endpoint for the delegation test: asserts that the inbound caller was
 * authenticated, then forwards the request to the backend
 * {@code DoubleItTransportSAML2Port} using the GSS credential delegated by that caller.
 *
 * <p>NOTE(review): the delegated credential is copied straight from the inbound message
 * context into the outbound request context — this is where the caller's identity is
 * re-used downstream, so it must only run after inbound authentication succeeded (the
 * assertions at the top are what guard that in this fixture).
 *
 * @param numberToDouble value forwarded to the backend
 * @return the backend's response
 */
public int doubleIt(int numberToDouble) {
    // Inbound authentication must have produced a named principal.
    Principal caller = wsc.getUserPrincipal();
    Assert.assertNotNull("Principal must not be null", caller);
    Assert.assertNotNull("Principal.getName() must not return null", caller.getName());

    // Build the outbound client proxy for the backend port.
    URL wsdlUrl = IntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
    Service backend = Service.create(wsdlUrl, SERVICE_QNAME);
    QName backendPort = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
    DoubleItPortType proxy = backend.getPort(backendPort, DoubleItPortType.class);
    try {
        updateAddressPort(proxy, KerberosDelegationTokenTest.PORT);
    } catch (Exception ex) {
        // Test fixture: a failure here shows up as a failed downstream call.
        ex.printStackTrace();
    }

    // Hand the caller's delegated credential to the outbound request.
    MessageContext inbound = wsc.getMessageContext();
    GSSCredential delegated = (GSSCredential) inbound.get(SecurityConstants.DELEGATED_CREDENTIAL);
    Map<String, Object> outbound = ((BindingProvider) proxy).getRequestContext();
    outbound.put(SecurityConstants.DELEGATED_CREDENTIAL, delegated);

    // Point the STS client at the port the test harness actually started.
    STSClient sts = (STSClient) outbound.get(SecurityConstants.STS_CLIENT);
    if (sts != null) {
        String wsdlLocation = sts.getWsdlLocation();
        if (wsdlLocation.contains("8443")) {
            sts.setWsdlLocation(wsdlLocation.replace("8443", KerberosDelegationTokenTest.STSPORT));
        }
    }

    return proxy.doubleIt(numberToDouble);
}