Search in sources :

Example 36 with GSSCredential

use of org.ietf.jgss.GSSCredential in project qpid-broker-j by apache.

the class KerberosUtilities method buildTokenWithinSubjectWithKerberosTicket.

private byte[] buildTokenWithinSubjectWithKerberosTicket(String clientPrincipalName, String targetServerPrincipalName) throws GSSException {
    debug("Building token for client principal '{}' and server principal '{}'", clientPrincipalName, targetServerPrincipalName);
    final GSSManager manager = GSSManager.getInstance();
    final GSSName clientName = manager.createName(clientPrincipalName, GSSName.NT_USER_NAME);
    final GSSCredential credential;
    try {
        credential = manager.createCredential(clientName, GSSCredential.DEFAULT_LIFETIME, new Oid("1.2.840.113554.1.2.2"), GSSCredential.INITIATE_ONLY);
    } catch (GSSException e) {
        debug("Failure to create credential for {}", clientName, e);
        throw e;
    }
    debug("Client credential '{}'", credential);
    final GSSName serverName = manager.createName(targetServerPrincipalName, GSSName.NT_USER_NAME);
    final Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
    final GSSContext clientContext = manager.createContext(serverName.canonicalize(spnegoMechOid), spnegoMechOid, credential, GSSContext.DEFAULT_LIFETIME);
    debug("Requesting ticket using initiator's credentials");
    try {
        clientContext.requestCredDeleg(true);
        debug("Requesting ticket");
        return clientContext.initSecContext(new byte[] {}, 0, 0);
    } catch (GSSException e) {
        debug("Failure to request token", e);
        throw e;
    } finally {
        clientContext.dispose();
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid)

Example 37 with GSSCredential

use of org.ietf.jgss.GSSCredential in project zookeeper by apache.

the class ZooKeeperSaslServer method createSaslServer.

private SaslServer createSaslServer(final Login login) {
    synchronized (login) {
        Subject subject = login.getSubject();
        if (subject != null) {
            // server is using a JAAS-authenticated subject: determine service principal name and hostname from zk server's subject.
            if (subject.getPrincipals().size() > 0) {
                try {
                    final Object[] principals = subject.getPrincipals().toArray();
                    final Principal servicePrincipal = (Principal) principals[0];
                    // e.g. servicePrincipalNameAndHostname := "zookeeper/myhost.foo.com@FOO.COM"
                    final String servicePrincipalNameAndHostname = servicePrincipal.getName();
                    int indexOf = servicePrincipalNameAndHostname.indexOf("/");
                    // e.g. serviceHostnameAndKerbDomain := "myhost.foo.com@FOO.COM"
                    final String serviceHostnameAndKerbDomain = servicePrincipalNameAndHostname.substring(indexOf + 1, servicePrincipalNameAndHostname.length());
                    int indexOfAt = serviceHostnameAndKerbDomain.indexOf("@");
                    // Handle Kerberos Service as well as User Principal Names
                    final String servicePrincipalName, serviceHostname;
                    if (indexOf > 0) {
                        // e.g. servicePrincipalName := "zookeeper"
                        servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOf);
                        // e.g. serviceHostname := "myhost.foo.com"
                        serviceHostname = serviceHostnameAndKerbDomain.substring(0, indexOfAt);
                    } else {
                        servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOfAt);
                        serviceHostname = null;
                    }
                    // TODO: should depend on zoo.cfg specified mechs, but if subject is non-null, it can be assumed to be GSSAPI.
                    final String mech = "GSSAPI";
                    LOG.debug("serviceHostname is '" + serviceHostname + "'");
                    LOG.debug("servicePrincipalName is '" + servicePrincipalName + "'");
                    LOG.debug("SASL mechanism(mech) is '" + mech + "'");
                    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
                    if (usingNativeJgss) {
                        // """
                        try {
                            GSSManager manager = GSSManager.getInstance();
                            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
                            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
                            GSSCredential cred = manager.createCredential(gssName, GSSContext.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
                            subject.getPrivateCredentials().add(cred);
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Added private credential to subject: " + cred);
                            }
                        } catch (GSSException ex) {
                            LOG.warn("Cannot add private credential to subject; " + "clients authentication may fail", ex);
                        }
                    }
                    try {
                        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

                            public SaslServer run() {
                                try {
                                    SaslServer saslServer;
                                    saslServer = Sasl.createSaslServer(mech, servicePrincipalName, serviceHostname, null, login.callbackHandler);
                                    return saslServer;
                                } catch (SaslException e) {
                                    LOG.error("Zookeeper Server failed to create a SaslServer to interact with a client during session initiation: " + e);
                                    e.printStackTrace();
                                    return null;
                                }
                            }
                        });
                    } catch (PrivilegedActionException e) {
                        // TODO: exit server at this point(?)
                        LOG.error("Zookeeper Quorum member experienced a PrivilegedActionException exception while creating a SaslServer using a JAAS principal context:" + e);
                        e.printStackTrace();
                    }
                } catch (IndexOutOfBoundsException e) {
                    LOG.error("server principal name/hostname determination error: ", e);
                }
            } else {
                // TODO: use 'authMech=' value in zoo.cfg.
                try {
                    SaslServer saslServer = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "zk-sasl-md5", null, login.callbackHandler);
                    return saslServer;
                } catch (SaslException e) {
                    LOG.error("Zookeeper Quorum member failed to create a SaslServer to interact with a client during session initiation", e);
                }
            }
        }
    }
    LOG.error("failed to create saslServer object.");
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) SaslServer(javax.security.sasl.SaslServer) Oid(org.ietf.jgss.Oid) SaslException(javax.security.sasl.SaslException) Subject(javax.security.auth.Subject) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) Principal(java.security.Principal)

Example 38 with GSSCredential

use of org.ietf.jgss.GSSCredential in project kafka by apache.

the class SaslServerAuthenticator method createSaslKerberosServer.

private SaslServer createSaslKerberosServer(final AuthCallbackHandler saslServerCallbackHandler, final Map<String, ?> configs) throws IOException {
    // server is using a JAAS-authenticated subject: determine service principal name and hostname from kafka server's subject.
    final Principal servicePrincipal = subject.getPrincipals().iterator().next();
    KerberosName kerberosName;
    try {
        kerberosName = KerberosName.parse(servicePrincipal.getName());
    } catch (IllegalArgumentException e) {
        throw new KafkaException("Principal has name with unexpected format " + servicePrincipal);
    }
    final String servicePrincipalName = kerberosName.serviceName();
    final String serviceHostname = kerberosName.hostName();
    LOG.debug("Creating SaslServer for {} with mechanism {}", kerberosName, saslMechanism);
    // As described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html:
    // "To enable Java GSS to delegate to the native GSS library and its list of native mechanisms,
    // set the system property "sun.security.jgss.native" to true"
    // "In addition, when performing operations as a particular Subject, for example, Subject.doAs(...)
    // or Subject.doAsPrivileged(...), the to-be-used GSSCredential should be added to Subject's
    // private credential set. Otherwise, the GSS operations will fail since no credential is found."
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        try {
            GSSManager manager = GSSManager.getInstance();
            // This Oid is used to represent the Kerberos version 5 GSS-API mechanism. It is defined in
            // RFC 1964.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
            subject.getPrivateCredentials().add(cred);
        } catch (GSSException ex) {
            LOG.warn("Cannot add private credential to subject; clients authentication may fail", ex);
        }
    }
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler);
            }
        });
    } catch (PrivilegedActionException e) {
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) SaslServer(javax.security.sasl.SaslServer) KerberosName(org.apache.kafka.common.security.kerberos.KerberosName) Oid(org.ietf.jgss.Oid) SaslException(javax.security.sasl.SaslException) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) KafkaException(org.apache.kafka.common.KafkaException) Principal(java.security.Principal) KafkaPrincipal(org.apache.kafka.common.security.auth.KafkaPrincipal)

Example 39 with GSSCredential

use of org.ietf.jgss.GSSCredential in project blade by biezhi.

the class SpnegoLoginService method login.

/**
     * username will be null since the credentials will contain all the relevant info
     */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        Oid krb5Oid = new Oid("1.3.6.1.5.5.2");
        GSSName gssName = manager.createName(_targetName, null);
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, krb5Oid, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
        } else {
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                String clientName = gContext.getSrcName().toString();
                String role = clientName.substring(clientName.indexOf('@') + 1);
                LOG.debug("SpnegoUserRealm: established a security context");
                LOG.debug("Client Principal is: " + gContext.getSrcName());
                LOG.debug("Server Principal is: " + gContext.getTargName());
                LOG.debug("Client Default Role: " + role);
                SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
                Subject subject = new Subject();
                subject.getPrincipals().add(user);
                return _identityService.newUserIdentity(subject, user, new String[] { role });
            }
        }
    } catch (GSSException gsse) {
        LOG.warn(gsse);
    }
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid) Subject(javax.security.auth.Subject)

Example 40 with GSSCredential

use of org.ietf.jgss.GSSCredential in project hadoop by apache.

the class KerberosAuthenticationHandler method runWithPrincipal.

private AuthenticationToken runWithPrincipal(String serverPrincipal, byte[] clientToken, Base64 base64, HttpServletResponse response) throws IOException, AuthenticationException, ClassNotFoundException, GSSException, IllegalAccessException, NoSuchFieldException {
    GSSContext gssContext = null;
    GSSCredential gssCreds = null;
    AuthenticationToken token = null;
    try {
        LOG.trace("SPNEGO initiated with server principal [{}]", serverPrincipal);
        gssCreds = this.gssManager.createCredential(this.gssManager.createName(serverPrincipal, KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")), GSSCredential.INDEFINITE_LIFETIME, new Oid[] { KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"), KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID") }, GSSCredential.ACCEPT_ONLY);
        gssContext = this.gssManager.createContext(gssCreds);
        byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
        if (serverToken != null && serverToken.length > 0) {
            String authenticate = base64.encodeToString(serverToken);
            response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE + " " + authenticate);
        }
        if (!gssContext.isEstablished()) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            LOG.trace("SPNEGO in progress");
        } else {
            String clientPrincipal = gssContext.getSrcName().toString();
            KerberosName kerberosName = new KerberosName(clientPrincipal);
            String userName = kerberosName.getShortName();
            token = new AuthenticationToken(userName, clientPrincipal, getType());
            response.setStatus(HttpServletResponse.SC_OK);
            LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
        }
    } finally {
        if (gssContext != null) {
            gssContext.dispose();
        }
        if (gssCreds != null) {
            gssCreds.dispose();
        }
    }
    return token;
}
Also used : GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid) KerberosName(org.apache.hadoop.security.authentication.util.KerberosName)

Aggregations

GSSCredential (org.ietf.jgss.GSSCredential)66 GSSManager (org.ietf.jgss.GSSManager)38 Oid (org.ietf.jgss.Oid)36 GSSName (org.ietf.jgss.GSSName)34 GSSException (org.ietf.jgss.GSSException)33 GSSContext (org.ietf.jgss.GSSContext)28 Subject (javax.security.auth.Subject)22 Principal (java.security.Principal)19 PrivilegedActionException (java.security.PrivilegedActionException)19 IOException (java.io.IOException)9 LoginContext (javax.security.auth.login.LoginContext)9 LoginException (javax.security.auth.login.LoginException)9 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)8 KerberosCredentials (org.apache.http.auth.KerberosCredentials)7 KerberosTicket (javax.security.auth.kerberos.KerberosTicket)6 SaslException (javax.security.sasl.SaslException)6 SPNegoSchemeFactory (org.apache.http.impl.auth.SPNegoSchemeFactory)4 BasicCredentialsProvider (org.apache.http.impl.client.BasicCredentialsProvider)4 Test (org.junit.Test)4 ExtendedGSSContext (com.sun.security.jgss.ExtendedGSSContext)3