Example 56 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project cxf by apache.

Class JAXRSIntermediaryPortTypeImpl, method doubleIt:

public int doubleIt(int numberToDouble) {
    URL wsdl = JAXRSIntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
    DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
    try {
        updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT);
    } catch (Exception ex) {
        ex.printStackTrace();
    }
    // Retrieve the credential the caller delegated during Kerberos authentication and set it on the
    // outbound message, so the intermediary invokes the backend service on the caller's behalf
    SecurityContext securityContext = PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
    if (securityContext instanceof KerberosSecurityContext) {
        KerberosSecurityContext ksc = (KerberosSecurityContext) securityContext;
        try {
            GSSCredential delegatedCredential = ksc.getGSSContext().getDelegCred();
            Map<String, Object> context = ((BindingProvider) transportPort).getRequestContext();
            context.put(SecurityConstants.DELEGATED_CREDENTIAL, delegatedCredential);
        } catch (GSSException e) {
            e.printStackTrace();
        }
    }
    return transportPort.doubleIt(numberToDouble);
}
Also used : KerberosSecurityContext(org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext) QName(javax.xml.namespace.QName) WebService(javax.jws.WebService) Service(javax.xml.ws.Service) BindingProvider(javax.xml.ws.BindingProvider) URL(java.net.URL) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) SecurityContext(org.apache.cxf.security.SecurityContext) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)

Example 57 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project apache-kafka-on-k8s by banzaicloud.

Class SaslServerAuthenticator, method createSaslKerberosServer:

private SaslServer createSaslKerberosServer(final AuthCallbackHandler saslServerCallbackHandler, final Map<String, ?> configs, Subject subject) throws IOException {
    // server is using a JAAS-authenticated subject: determine service principal name and hostname from kafka server's subject.
    final String servicePrincipal = SaslClientAuthenticator.firstPrincipal(subject);
    KerberosName kerberosName;
    try {
        kerberosName = KerberosName.parse(servicePrincipal);
    } catch (IllegalArgumentException e) {
        throw new KafkaException("Principal has name with unexpected format " + servicePrincipal);
    }
    final String servicePrincipalName = kerberosName.serviceName();
    final String serviceHostname = kerberosName.hostName();
    LOG.debug("Creating SaslServer for {} with mechanism {}", kerberosName, saslMechanism);
    // As described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html:
    // "To enable Java GSS to delegate to the native GSS library and its list of native mechanisms,
    // set the system property "sun.security.jgss.native" to true"
    // "In addition, when performing operations as a particular Subject, for example, Subject.doAs(...)
    // or Subject.doAsPrivileged(...), the to-be-used GSSCredential should be added to Subject's
    // private credential set. Otherwise, the GSS operations will fail since no credential is found."
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        try {
            GSSManager manager = GSSManager.getInstance();
            // This Oid is used to represent the Kerberos version 5 GSS-API mechanism. It is defined in
            // RFC 1964.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
            subject.getPrivateCredentials().add(cred);
        } catch (GSSException ex) {
            LOG.warn("Cannot add private credential to subject; clients authentication may fail", ex);
        }
    }
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler);
            }
        });
    } catch (PrivilegedActionException e) {
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) SaslServer(javax.security.sasl.SaslServer) KerberosName(org.apache.kafka.common.security.kerberos.KerberosName) Oid(org.ietf.jgss.Oid) SaslException(javax.security.sasl.SaslException) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) KafkaException(org.apache.kafka.common.KafkaException)

Example 58 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project presto by prestodb.

Class SpnegoHandler, method createSession:

private Session createSession() throws LoginException, GSSException {
    // TODO: do we need to call logout() on the LoginContext?
    LoginContext loginContext = new LoginContext("", null, null, new Configuration() {

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            ImmutableMap.Builder<String, String> options = ImmutableMap.builder();
            options.put("refreshKrb5Config", "true");
            options.put("doNotPrompt", "true");
            options.put("useKeyTab", "true");
            if (getBoolean("presto.client.debugKerberos")) {
                options.put("debug", "true");
            }
            keytab.ifPresent(file -> options.put("keyTab", file.getAbsolutePath()));
            credentialCache.ifPresent(file -> {
                options.put("ticketCache", file.getAbsolutePath());
                options.put("useTicketCache", "true");
                options.put("renewTGT", "true");
            });
            principal.ifPresent(value -> options.put("principal", value));
            return new AppConfigurationEntry[] { new AppConfigurationEntry(Krb5LoginModule.class.getName(), REQUIRED, options.build()) };
        }
    });
    loginContext.login();
    Subject subject = loginContext.getSubject();
    Principal clientPrincipal = subject.getPrincipals().iterator().next();
    // Acquire an initiator-only Kerberos credential for the logged-in principal; the call runs
    // inside the subject so that the ticket cache / keytab credentials obtained at login are visible
    GSSCredential clientCredential = doAs(subject, () -> GSS_MANAGER.createCredential(
            GSS_MANAGER.createName(clientPrincipal.getName(), NT_USER_NAME),
            DEFAULT_LIFETIME, KERBEROS_OID, INITIATE_ONLY));
    return new Session(loginContext, clientCredential);
}
Also used : LoginException(javax.security.auth.login.LoginException) AppConfigurationEntry(javax.security.auth.login.AppConfigurationEntry) Authenticator(okhttp3.Authenticator) AUTHORIZATION(com.google.common.net.HttpHeaders.AUTHORIZATION) Throwables.throwIfUnchecked(com.google.common.base.Throwables.throwIfUnchecked) LoginContext(javax.security.auth.login.LoginContext) Duration(io.airlift.units.Duration) WWW_AUTHENTICATE(com.google.common.net.HttpHeaders.WWW_AUTHENTICATE) Route(okhttp3.Route) InetAddress(java.net.InetAddress) REQUIRED(javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.REQUIRED) Locale(java.util.Locale) Objects.requireNonNull(java.util.Objects.requireNonNull) Response(okhttp3.Response) INDEFINITE_LIFETIME(org.ietf.jgss.GSSContext.INDEFINITE_LIFETIME) INITIATE_ONLY(org.ietf.jgss.GSSCredential.INITIATE_ONLY) Krb5LoginModule(com.sun.security.auth.module.Krb5LoginModule) NT_USER_NAME(org.ietf.jgss.GSSName.NT_USER_NAME) Splitter(com.google.common.base.Splitter) Configuration(javax.security.auth.login.Configuration) DEFAULT_LIFETIME(org.ietf.jgss.GSSCredential.DEFAULT_LIFETIME) GSSContext(org.ietf.jgss.GSSContext) GSSCredential(org.ietf.jgss.GSSCredential) Interceptor(okhttp3.Interceptor) Request(okhttp3.Request) PrivilegedActionException(java.security.PrivilegedActionException) ImmutableMap(com.google.common.collect.ImmutableMap) Oid(org.ietf.jgss.Oid) IOException(java.io.IOException) GSSException(org.ietf.jgss.GSSException) GuardedBy(javax.annotation.concurrent.GuardedBy) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) CharMatcher.whitespace(com.google.common.base.CharMatcher.whitespace) UnknownHostException(java.net.UnknownHostException) Throwables.throwIfInstanceOf(com.google.common.base.Throwables.throwIfInstanceOf) Boolean.getBoolean(java.lang.Boolean.getBoolean) Subject(javax.security.auth.Subject) File(java.io.File) String.format(java.lang.String.format) GSSManager(org.ietf.jgss.GSSManager) Base64(java.util.Base64) Principal(java.security.Principal) NT_HOSTBASED_SERVICE(org.ietf.jgss.GSSName.NT_HOSTBASED_SERVICE) Optional(java.util.Optional) SECONDS(java.util.concurrent.TimeUnit.SECONDS)

Example 59 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project kafka by apache.

Class SaslChannelBuilder, method maybeAddNativeGssapiCredentials:

// As described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html:
// "To enable Java GSS to delegate to the native GSS library and its list of native mechanisms,
// set the system property "sun.security.jgss.native" to true"
// "In addition, when performing operations as a particular Subject, for example, Subject.doAs(...)
// or Subject.doAsPrivileged(...), the to-be-used GSSCredential should be added to Subject's
// private credential set. Otherwise, the GSS operations will fail since no credential is found."
private void maybeAddNativeGssapiCredentials(Subject subject) {
    boolean usingNativeJgss = Boolean.getBoolean(GSS_NATIVE_PROP);
    if (usingNativeJgss && subject.getPrivateCredentials(GSSCredential.class).isEmpty()) {
        final String servicePrincipal = SaslClientAuthenticator.firstPrincipal(subject);
        KerberosName kerberosName;
        try {
            kerberosName = KerberosName.parse(servicePrincipal);
        } catch (IllegalArgumentException e) {
            throw new KafkaException("Principal has name with unexpected format " + servicePrincipal);
        }
        final String servicePrincipalName = kerberosName.serviceName();
        final String serviceHostname = kerberosName.hostName();
        try {
            GSSManager manager = gssManager();
            // This Oid is used to represent the Kerberos version 5 GSS-API mechanism. It is defined in
            // RFC 1964.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
            subject.getPrivateCredentials().add(cred);
            // Log the service principal (service@host) whose acceptor credential was just added
            log.info("Configured native GSSAPI private credentials for {}@{}", servicePrincipalName, serviceHostname);
        } catch (GSSException ex) {
            log.warn("Cannot add private credential to subject; clients authentication may fail", ex);
        }
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) KafkaException(org.apache.kafka.common.KafkaException) KerberosName(org.apache.kafka.common.security.kerberos.KerberosName) Oid(org.ietf.jgss.Oid)

Example 60 with GSSCredential

Use of org.ietf.jgss.GSSCredential in project zeppelin by apache.

Class KerberosRealm, method runWithPrincipal:

private AuthenticationToken runWithPrincipal(String serverPrincipal, byte[] clientToken, Base64 base64, HttpServletResponse response) throws IOException, GSSException {
    GSSContext gssContext = null;
    GSSCredential gssCreds = null;
    AuthenticationToken token = null;
    try {
        LOG.trace("SPNEGO initiated with server principal [{}]", serverPrincipal);
        // Acquire an acceptor-only credential for the server principal that can accept either
        // SPNEGO-wrapped or raw Kerberos v5 tokens, then start a context with it
        gssCreds = this.gssManager.createCredential(
                this.gssManager.createName(serverPrincipal, KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID),
                GSSCredential.INDEFINITE_LIFETIME,
                new Oid[] { KerberosUtil.GSS_SPNEGO_MECH_OID, KerberosUtil.GSS_KRB5_MECH_OID },
                GSSCredential.ACCEPT_ONLY);
        gssContext = this.gssManager.createContext(gssCreds);
        byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
        if (serverToken != null && serverToken.length > 0) {
            String authenticate = base64.encodeToString(serverToken);
            response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE + " " + authenticate);
        }
        if (!gssContext.isEstablished()) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            LOG.trace("SPNEGO in progress");
        } else {
            String clientPrincipal = gssContext.getSrcName().toString();
            KerberosName kerberosName = new KerberosName(clientPrincipal);
            String userName = kerberosName.getShortName();
            token = new AuthenticationToken(userName, clientPrincipal, TYPE);
            response.setStatus(HttpServletResponse.SC_OK);
            LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
        }
    } finally {
        if (gssContext != null) {
            gssContext.dispose();
        }
        if (gssCreds != null) {
            gssCreds.dispose();
        }
    }
    return token;
}
Also used : AuthenticationToken(org.apache.hadoop.security.authentication.server.AuthenticationToken) GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid)

Aggregations

GSSCredential (org.ietf.jgss.GSSCredential)65 GSSManager (org.ietf.jgss.GSSManager)38 Oid (org.ietf.jgss.Oid)36 GSSName (org.ietf.jgss.GSSName)34 GSSException (org.ietf.jgss.GSSException)33 GSSContext (org.ietf.jgss.GSSContext)28 Subject (javax.security.auth.Subject)22 PrivilegedActionException (java.security.PrivilegedActionException)19 Principal (java.security.Principal)18 IOException (java.io.IOException)9 LoginContext (javax.security.auth.login.LoginContext)9 LoginException (javax.security.auth.login.LoginException)9 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)8 KerberosCredentials (org.apache.http.auth.KerberosCredentials)7 KerberosTicket (javax.security.auth.kerberos.KerberosTicket)6 SaslException (javax.security.sasl.SaslException)6 SPNegoSchemeFactory (org.apache.http.impl.auth.SPNegoSchemeFactory)4 BasicCredentialsProvider (org.apache.http.impl.client.BasicCredentialsProvider)4 Test (org.junit.Test)4 ExtendedGSSContext (com.sun.security.jgss.ExtendedGSSContext)3