
Example 6 with GSSCredential

use of org.ietf.jgss.GSSCredential in project jdk8u_jdk by JetBrains.

the class Context method impersonate.

/**
 * Returns a new {@code Context} whose credential acts on behalf of {@code someone}.
 *
 * <p>Running as subject {@code s}, this obtains (and caches in {@code cred}, if not already
 * present) an {@code INITIATE_ONLY} credential for this context and asks it, via
 * {@link ExtendedGSSCredential#impersonate}, for a credential in the name of
 * {@code someone}. The resulting context shares the same subject, carries the impersonated
 * credential, and is named {@code "<this name> as <impersonated credential name>"}.
 *
 * @param someone user to impersonate, interpreted as {@link GSSName#NT_USER_NAME}
 * @return a new context holding the impersonated credential
 * @throws Exception the underlying failure, unwrapped from {@link PrivilegedActionException}
 *         and, where present, from {@link InvocationTargetException}
 */
public Context impersonate(final String someone) throws Exception {
    final PrivilegedExceptionAction<GSSCredential> act = () -> {
        GSSManager mgr = GSSManager.getInstance();
        GSSName target = mgr.createName(someone, GSSName.NT_USER_NAME);
        // Lazily acquire our own initiator credential; impersonation is performed with it.
        if (Context.this.cred == null) {
            Context.this.cred = mgr.createCredential(GSSCredential.INITIATE_ONLY);
        }
        return ((ExtendedGSSCredential) Context.this.cred).impersonate(target);
    };

    final GSSCredential delegated;
    try {
        delegated = Subject.doAs(s, act);
    } catch (PrivilegedActionException pae) {
        // doAs wraps checked exceptions; surface the original one to the caller.
        Exception cause = pae.getException();
        if (cause instanceof InvocationTargetException) {
            throw (Exception) ((InvocationTargetException) cause).getTargetException();
        }
        throw cause;
    }

    Context out = new Context();
    out.s = s;
    out.cred = delegated;
    out.name = name + " as " + out.cred.getName().toString();
    return out;
}

Example 7 with GSSCredential

use of org.ietf.jgss.GSSCredential in project jdk8u_jdk by JetBrains.

the class ServiceCredsCombination method check.

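/**
 * Checks that an acceptor credential created inside a subject is bound as expected.
 *
 * <p>A fresh {@link Subject} is populated from {@code objs}: {@link KerberosPrincipal}s go
 * into the principal set, {@link KerberosKey}s and {@link KeyTab}s into the private
 * credentials, anything else is ignored. Inside {@code Subject.doAs} an {@code ACCEPT_ONLY}
 * Kerberos credential is created — bound to {@code r(a)} when {@code a} is non-null,
 * otherwise the default one — and its name is compared with {@code r(b)}.
 *
 * @param a principal to bind the credential to, or null for the default credential
 * @param b expected credential name; null if it should remain unbound, "NOCRED" if
 *          credential creation is expected to fail
 * @param objs principals, keys and keytabs to place in the subject
 * @throws Exception if the resulting name differs from {@code b}, or if credential creation
 *         fails while {@code b} is not "NOCRED" (the {@link PrivilegedActionException} is
 *         attached as the cause so the real GSS error is not lost)
 */
private static void check(final String a, String b, Object... objs) throws Exception {
    Subject subj = new Subject();
    for (Object obj : objs) {
        if (obj instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) obj);
        } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
            subj.getPrivateCredentials().add(obj);
        }
    }
    final GSSManager man = GSSManager.getInstance();
    try {
        String result = Subject.doAs(subj, new PrivilegedExceptionAction<String>() {

            @Override
            public String run() throws GSSException {
                // A null name asks for the default (unbound) acceptor credential.
                GSSName bindTo = a == null ? null : man.createName(r(a), null);
                GSSCredential cred = man.createCredential(bindTo,
                        GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID,
                        GSSCredential.ACCEPT_ONLY);
                GSSName name = cred.getName();
                return name == null ? null : name.toString();
            }
        });
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a + ") has name " + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        // Credential creation may only fail when the caller asked for "NOCRED".
        if (!"NOCRED".equals(b)) {
            throw new Exception("Check failed: getInstance(" + a + ") is null " + ", but not one with name " + b, e);
        }
    }
}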

Example 8 with GSSCredential

use of org.ietf.jgss.GSSCredential in project jdk8u_jdk by JetBrains.

the class MechTokenMissing method main.

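/**
 * Regression driver: feeds an acceptor a SPNEGO NegTokenInit that carries a mechanism list
 * but no mechToken, and expects the acceptor to reject it with a {@link GSSException}
 * rather than fail in some uncontrolled way. The expected exception is printed, not
 * re-thrown, so the program exits normally on the expected path.
 *
 * @param args ignored
 * @throws Exception for any failure other than the expected {@link GSSException}
 */
public static void main(String[] args) throws Exception {
    // The typed null selects the GSSCredential overload of createContext, i.e. an acceptor
    // using the default credential.
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);
    // Hand-built token, one byte per "XX " group; the comments give the byte offsets.
    // It is a SPNEGO (1.3.6.1.5.5.2) NegTokenInit whose mechTypes list names only
    // 1.3.6.1.4.1.311.2.2.10 (NTLMSSP) and which has no mechToken element.
    String var = /*0000*/
    "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/
    "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = fromSpacedHex(var);
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    } finally {
        // Release the security context whether or not the expected failure occurred.
        ctx.dispose();
    }
}

/**
 * Decodes a string of two-digit hex bytes each followed by one separator character
 * (for example {@code "60 1C 06 "}) into the corresponding byte array.
 *
 * @param spaced hex text whose length is a multiple of three
 * @return the decoded bytes, one per three-character group
 */
private static byte[] fromSpacedHex(String spaced) {
    byte[] out = new byte[spaced.length() / 3];
    for (int i = 0; i < out.length; i++) {
        out[i] = (byte) Integer.parseInt(spaced.substring(3 * i, 3 * i + 2), 16);
    }
    return out;
}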

Example 9 with GSSCredential

use of org.ietf.jgss.GSSCredential in project OpenAM by OpenRock.

the class WindowsDesktopSSO method authenticateToken.

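/**
 * Validates a client's Kerberos/SPNEGO token as the service subject and, on success,
 * records the authenticated principal on this module.
 *
 * <p>Runs inside {@code Subject.doAs(serviceSubject, ...)} so the acceptor uses the
 * service's own credential. The steps are: accept the token, require an established
 * context, optionally restrict the client's realm to {@code trustedRealms} — an empty set
 * skips that check entirely, so every realm the KDC trust chain accepts is then allowed —,
 * optionally look the user up in the realm when {@code lookupUserInRealm} is set, and
 * finally {@link #setPrincipal}. The GSS context is disposed on every exit path.
 *
 * @param kerberosToken raw SPNEGO/Kerberos token received from the client
 * @param trustedRealms realms the client principal may belong to; empty disables the filter
 * @throws AuthLoginException if the context is not established, the client's realm is not
 *         trusted, or the user cannot be found in the realm
 * @throws GSSException on GSS-API failures inside the privileged action
 * @throws Exception anything else raised by the privileged action (doAs wraps checked
 *         exceptions in {@link java.security.PrivilegedActionException})
 */
private void authenticateToken(final byte[] kerberosToken, final Set<String> trustedRealms) throws AuthLoginException, GSSException, Exception {
    debug.message("In authenticationToken ...");
    Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            // Typed null selects the GSSCredential overload: acceptor with the default
            // credential of the current (service) subject.
            GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            if (debug.messageEnabled()) {
                debug.message("Context created.");
            }
            try {
                byte[] outToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
                if (outToken != null && debug.messageEnabled()) {
                    debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(outToken, 0, outToken.length));
                }
                if (!context.isEstablished()) {
                    debug.error("Cannot establish context !");
                    throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
                }
                if (debug.messageEnabled()) {
                    debug.message("Context established !");
                }
                GSSName user = context.getSrcName();
                final String userPrincipalName = user.toString();
                // An empty trusted-realm set means "no realm restriction" (the default).
                if (!trustedRealms.isEmpty()) {
                    boolean foundTrustedRealm = false;
                    for (final String trustedRealm : trustedRealms) {
                        if (isTokenTrusted(userPrincipalName, trustedRealm)) {
                            foundTrustedRealm = true;
                            break;
                        }
                    }
                    if (!foundTrustedRealm) {
                        debug.error("Kerberos token for " + userPrincipalName + " not trusted");
                        final String[] data = { userPrincipalName };
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "untrustedToken", data);
                    }
                }
                // Optionally require that the principal exists in the realm's data store.
                if (lookupUserInRealm) {
                    String org = getRequestOrg();
                    String userValue = getUserName(userPrincipalName);
                    String userName = searchUserAccount(userValue, org);
                    if (userName != null && !userName.isEmpty()) {
                        storeUsernamePasswd(userValue, null);
                    } else {
                        String[] data = { userValue, org };
                        debug.error("WindowsDesktopSSO.authenticateToken: " + ": Unable to find the user " + userValue);
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "notfound", data);
                    }
                }
                if (debug.messageEnabled()) {
                    debug.message("WindowsDesktopSSO.authenticateToken:" + "User authenticated: " + userPrincipalName);
                }
                // getSrcName() was already dereferenced above, so no null check is needed here.
                setPrincipal(userPrincipalName);
            } finally {
                disposeGssContext(context);
            }
            return null;
        }
    });
}

/**
 * Releases a GSS context, logging rather than propagating a disposal failure so that it
 * can never mask the authentication outcome decided above it.
 *
 * @param context the context to dispose
 */
private void disposeGssContext(GSSContext context) {
    try {
        context.dispose();
    } catch (GSSException e) {
        debug.error("WindowsDesktopSSO.authenticateToken: failed to dispose GSS context: " + e);
    }
}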

Example 10 with GSSCredential

use of org.ietf.jgss.GSSCredential in project calcite-avatica by apache.

the class HttpServerSpnegoWithoutJaasTest method testAuthenticatedClientsAllowed.

/**
 * End-to-end check that a Kerberos-authenticated client is accepted by the SPNEGO-protected
 * server: log in from the client keytab, build an {@code INITIATE_ONLY} GSS credential for
 * that principal, send a request through the SPNEGO HTTP client while running as the
 * client subject, and expect the server to answer {@code "OK <client principal>"}.
 */
@Test
public void testAuthenticatedClientsAllowed() throws Exception {
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(SpnegoTestUtil.CLIENT_PRINCIPAL, clientKeytab);

    // The login must have produced at least one principal and one TGT.
    final Set<Principal> principals = clientSubject.getPrincipals();
    assertFalse(principals.isEmpty());
    final Set<KerberosTicket> tickets = clientSubject.getPrivateCredentials(KerberosTicket.class);
    assertFalse(tickets.isEmpty());

    // Several tickets with different encryption types may be present; the first is
    // expected to use the default one.
    final KerberosTicket tgt = tickets.iterator().next();
    assertNotNull(tgt);
    LOG.info("Using TGT with etype: {}", tgt.getSessionKey().getAlgorithm());

    final String principalName = principals.iterator().next().getName();

    // Everything GSS-related happens as the client subject.
    final PrivilegedExceptionAction<byte[]> sendAsClient = () -> {
        GSSManager mgr = GSSManager.getInstance();
        Oid ticketOid = new Oid(SpnegoTestUtil.JGSS_KERBEROS_TICKET_OID);
        GSSName clientName = mgr.createName(principalName, GSSName.NT_USER_NAME);
        GSSCredential clientCred = mgr.createCredential(clientName, GSSCredential.DEFAULT_LIFETIME, ticketOid, GSSCredential.INITIATE_ONLY);
        // The HTTP client authenticates with the explicit GSSCredential rather than a JAAS login.
        AvaticaCommonsHttpClientSpnegoImpl client = new AvaticaCommonsHttpClientSpnegoImpl(httpServerUrl, clientCred);
        return client.send(new byte[0]);
    };
    final byte[] response = Subject.doAs(clientSubject, sendAsClient);

    // The server echoes "OK" followed by the authenticated client's name.
    assertNotNull(response);
    assertEquals("OK " + SpnegoTestUtil.CLIENT_PRINCIPAL, new String(response, StandardCharsets.UTF_8));
}
