
Example 1 with GSSException

use of org.ietf.jgss.GSSException in project druid by druid-io.

the class DruidKerberosUtil method kerberosChallenge.

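/**
 * Builds the initial GSS-API (Kerberos) token for the {@code HTTP@server} service and returns it
 * Base64-encoded, ready to be sent as the SPNEGO challenge response.
 *
 * <p>This method always needs to be called within a doAs block so that the client's TGT credentials
 * can be read from the Subject: the {@code null} credential handed to {@code createContext} tells
 * JGSS to use whatever Kerberos credentials the current Subject holds.
 *
 * <p>Both mutual authentication and credential delegation are requested on the context. Requesting
 * delegation lets the target service obtain credentials to act on the caller's behalf, so the server
 * named here must be one the caller is willing to trust to that extent.
 *
 * @param server host name of the target HTTP service; used to build the {@code HTTP@host} service name
 * @return Kerberos Challenge String (Base64-encoded initial context token)
 * @throws AuthenticationException if the Kerberos mechanism OID cannot be resolved or the GSS-API
 *         context cannot be created or initialised
 */
public static String kerberosChallenge(String server) throws AuthenticationException {
    kerberosLock.lock();
    try {
        // This Oid for Kerberos GSS-API mechanism (looked up by name via KerberosUtil, hence the
        // reflection-related exception types in the catch clause below).
        Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
        GSSManager manager = GSSManager.getInstance();
        // GSS name for server
        GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
        // Create a GSSContext for authentication with the service.
        // We're passing client credentials as null since we want them to be read from the Subject.
        GSSContext gssContext = manager.createContext(serverName.canonicalize(mechOid), mechOid, null, GSSContext.DEFAULT_LIFETIME);
        try {
            gssContext.requestMutualAuth(true);
            gssContext.requestCredDeleg(true);
            // Establish context: the first call with an empty input token yields the initial token for the server.
            byte[] inToken = new byte[0];
            byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
            // Base64 encoded and stringified token for server (Base64 output is ASCII, so the
            // platform default charset cannot corrupt it).
            return new String(base64codec.encode(outToken));
        } finally {
            // Release the context on every path; previously a failing initSecContext skipped dispose().
            gssContext.dispose();
        }
    } catch (GSSException | IllegalAccessException | NoSuchFieldException | ClassNotFoundException e) {
        throw new AuthenticationException(e);
    } finally {
        kerberosLock.unlock();
    }
}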
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) AuthenticationException(org.apache.hadoop.security.authentication.client.AuthenticationException) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid)

Example 2 with GSSException

use of org.ietf.jgss.GSSException in project jetty.project by eclipse.

the class SpnegoLoginService method login.

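/**
 * Validates a SPNEGO token presented as the Base64 credential and, on success, builds a
 * {@link UserIdentity} for the authenticated client principal.
 *
 * <p>username will be null since the credentials will contain all the relevant info.
 *
 * <p>The Kerberos realm of the client principal (the text after {@code @}) becomes the user's
 * single role.
 *
 * @param username    ignored; expected to be {@code null}
 * @param credentials the Base64-encoded SPNEGO token received from the client, as a {@link String}
 * @param request     the current request (not used here)
 * @return the established user identity, or {@code null} if the token could not be validated
 */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    GSSContext gContext = null;
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        // 1.3.6.1.5.5.2 is the SPNEGO pseudo-mechanism OID; the variable name is historical.
        Oid krb5Oid = new Oid("1.3.6.1.5.5.2");
        GSSName gssName = manager.createName(_targetName, null);
        // Acceptor-only credential for this service's own principal.
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, krb5Oid, GSSCredential.ACCEPT_ONLY);
        gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
        } else {
            // NOTE(review): each iteration feeds the acceptor's own output token back in as the next
            // input. That only terminates for a single-leg exchange; a mechanism that needs another
            // client round trip would have to return the output token to the client instead.
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                String clientName = gContext.getSrcName().toString();
                String role = clientName.substring(clientName.indexOf('@') + 1);
                LOG.debug("SpnegoUserRealm: established a security context");
                LOG.debug("Client Principal is: " + gContext.getSrcName());
                LOG.debug("Server Principal is: " + gContext.getTargName());
                LOG.debug("Client Default Role: " + role);
                SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
                Subject subject = new Subject();
                subject.getPrincipals().add(user);
                return _identityService.newUserIdentity(subject, user, new String[] { role });
            }
        }
    } catch (GSSException gsse) {
        LOG.warn(gsse);
    } finally {
        // The principal only keeps the token bytes, so the native context can be released here;
        // previously it was never disposed.
        if (gContext != null) {
            try {
                gContext.dispose();
            } catch (GSSException e) {
                LOG.ignore(e);
            }
        }
    }
    return null;
}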
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid) Subject(javax.security.auth.Subject)

Example 3 with GSSException

use of org.ietf.jgss.GSSException in project tomcat by apache.

the class RealmBase method authenticate.

/**
 * Derives a {@link Principal} from an already established GSS-API context.
 *
 * <p>The client's source name is taken from the context; when realm stripping is enabled the
 * {@code @REALM} suffix is removed. If the caller asked for it and the client actually delegated,
 * the delegated credential is fetched and passed on to {@link #getPrincipal(String, GSSCredential)}.
 *
 * @param gssContext the negotiated context; must be established
 * @param storeCreds whether to pick up the client's delegated credential when one was delegated
 * @return the resolved principal, or {@code null} if the context is not established or its source
 *         name cannot be read
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (!gssContext.isEstablished()) {
        log.error(sm.getString("realmBase.gssContextNotEstablished"));
        return null;
    }
    GSSName sourceName;
    try {
        sourceName = gssContext.getSrcName();
    } catch (GSSException e) {
        log.warn(sm.getString("realmBase.gssNameFail"), e);
        return null;
    }
    if (sourceName == null) {
        return null;
    }
    String name = sourceName.toString();
    if (isStripRealmForGss()) {
        int atIndex = name.indexOf('@');
        // Strictly greater than zero so a name starting with '@' is not reduced to an empty string.
        if (atIndex > 0) {
            name = name.substring(0, atIndex);
        }
    }
    GSSCredential delegatedCredential = null;
    // Only ask for the delegated credential when the client really delegated one.
    if (storeCreds && gssContext.getCredDelegState()) {
        try {
            delegatedCredential = gssContext.getDelegCred();
        } catch (GSSException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("realmBase.delegatedCredentialFail", name), e);
            }
        }
    }
    return getPrincipal(name, delegatedCredential);
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) SecurityConstraint(org.apache.tomcat.util.descriptor.web.SecurityConstraint)

Example 4 with GSSException

use of org.ietf.jgss.GSSException in project OpenAM by OpenRock.

the class WindowsDesktopSSO method authenticateToken.

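/**
 * Validates the client's Kerberos/SPNEGO token against the service credentials held in
 * {@code serviceSubject}, optionally restricts the client to a set of trusted realms, optionally
 * requires the user to exist in the realm's user store, and finally records the principal for
 * this login.
 *
 * <p>The whole exchange runs inside {@code Subject.doAs(serviceSubject, ...)} so that the
 * {@code null} acceptor credential passed to {@code createContext} is resolved from that Subject.
 *
 * @param kerberosToken the raw (already decoded) token received from the client
 * @param trustedRealms realms whose principals are accepted; an empty set disables the realm check
 * @throws AuthLoginException if the context cannot be established, the client's realm is not
 *         trusted, or the user cannot be found in the realm
 * @throws GSSException on GSS-API failures raised inside the privileged action
 * @throws Exception any other failure raised inside the privileged action
 */
private void authenticateToken(final byte[] kerberosToken, final Set<String> trustedRealms) throws AuthLoginException, GSSException, Exception {
    debug.message("In authenticationToken ...");
    Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Void>() {

        @Override
        public Void run() throws Exception {
            // Null credential: the acceptor credential comes from the Subject we are running as.
            GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            if (debug.messageEnabled()) {
                debug.message("Context created.");
            }
            try {
                byte[] outToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
                if (outToken != null && debug.messageEnabled()) {
                    debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(outToken, 0, outToken.length));
                }
                if (!context.isEstablished()) {
                    debug.error("Cannot establish context !");
                    throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
                }
                if (debug.messageEnabled()) {
                    debug.message("Context established !");
                }
                GSSName user = context.getSrcName();
                final String userPrincipalName = user.toString();
                // An empty trusted-realm set skips this check entirely, so a principal from any realm
                // the KDC trusts is accepted; that is the expected default behaviour.
                if (!trustedRealms.isEmpty()) {
                    boolean foundTrustedRealm = false;
                    for (final String trustedRealm : trustedRealms) {
                        if (isTokenTrusted(userPrincipalName, trustedRealm)) {
                            foundTrustedRealm = true;
                            break;
                        }
                    }
                    if (!foundTrustedRealm) {
                        debug.error("Kerberos token for " + userPrincipalName + " not trusted");
                        final String[] data = { userPrincipalName };
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "untrustedToken", data);
                    }
                }
                // Optionally require the Kerberos principal to map to an existing account in the realm.
                if (lookupUserInRealm) {
                    String org = getRequestOrg();
                    String userValue = getUserName(userPrincipalName);
                    String userName = searchUserAccount(userValue, org);
                    if (userName != null && !userName.isEmpty()) {
                        storeUsernamePasswd(userValue, null);
                    } else {
                        String[] data = { userValue, org };
                        debug.error("WindowsDesktopSSO.authenticateToken: " + ": Unable to find the user " + userValue);
                        throw new AuthLoginException(amAuthWindowsDesktopSSO, "notfound", data);
                    }
                }
                if (debug.messageEnabled()) {
                    debug.message("WindowsDesktopSSO.authenticateToken:" + "User authenticated: " + user.toString());
                }
                // user is necessarily non-null here: it was already dereferenced for userPrincipalName,
                // so the former null check at this point could never be false.
                setPrincipal(userPrincipalName);
                return null;
            } finally {
                // Release the context on every path; previously any failure above skipped dispose().
                try {
                    context.dispose();
                } catch (GSSException e) {
                    // Cleanup problems must not mask the outcome of the authentication itself.
                    debug.warning("WindowsDesktopSSO.authenticateToken: failed to dispose GSSContext", e);
                }
            }
        }
    });
}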
Also used : GSSName(org.ietf.jgss.GSSName) GSSCredential(org.ietf.jgss.GSSCredential) GSSContext(org.ietf.jgss.GSSContext) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) IdRepoException(com.sun.identity.idm.IdRepoException) PrivilegedActionException(java.security.PrivilegedActionException) GSSException(org.ietf.jgss.GSSException) AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException) SSOException(com.iplanet.sso.SSOException)

Example 5 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class PassSysProps method main.

/**
 * Exercises {@code Sasl.createSaslClient} / {@code Sasl.createSaslServer} with every shape of the
 * properties argument the factories accept: the live system {@link Properties}, a String-valued
 * map, an Object-valued map and a raw-typed map.
 *
 * @param args ignored
 * @throws Exception if a factory call fails for any reason other than GSSAPI being unusable
 *         because Kerberos has not been initialised
 */
public static void main(String[] args) throws Exception {
    final String authzId = null;
    final String protocol = "ldap";
    final String host = "server1";
    // Nothing is ever prompted for here, so the handler simply ignores its callbacks.
    CallbackHandler silentHandler = new CallbackHandler() {

        @Override
        public void handle(Callback[] callbacks) {
        }
    };
    // Case 1: the live system properties, handed over through the raw Map view Properties provides.
    Properties sysprops = System.getProperties();
    SaslClient viaSysPropsClient = Sasl.createSaslClient(new String[] { DIGEST, PLAIN }, authzId, protocol, host, (Map) sysprops, silentHandler);
    System.out.println(viaSysPropsClient);
    SaslServer viaSysPropsServer = Sasl.createSaslServer(DIGEST, protocol, host, (Map) sysprops, silentHandler);
    System.out.println(viaSysPropsServer);
    // Case 2: a String-valued map. GSSAPI may legitimately fail when no Kerberos configuration exists.
    Map<String, String> stringProps = new Hashtable<>();
    stringProps.put(Sasl.POLICY_NOPLAINTEXT, "true");
    try {
        SaslClient viaStringsClient = Sasl.createSaslClient(new String[] { GSSAPI, PLAIN }, authzId, protocol, host, stringProps, silentHandler);
        System.out.println(viaStringsClient);
        SaslServer viaStringsServer = Sasl.createSaslServer(GSSAPI, protocol, host, stringProps, silentHandler);
        System.out.println(viaStringsServer);
    } catch (SaslException se) {
        // Only a GSSException root cause (Kerberos not initialised) is tolerated; anything else is a real failure.
        if (!(se.getCause() instanceof GSSException)) {
            throw se;
        }
    }
    // Case 3: an Object-valued map.
    Map<String, Object> objProps = new Hashtable<>();
    objProps.put("some.object.valued.property", System.err);
    SaslClient viaObjectsClient = Sasl.createSaslClient(new String[] { EXTERNAL, CRAM }, authzId, protocol, host, objProps, silentHandler);
    System.out.println(viaObjectsClient);
    SaslServer viaObjectsServer = Sasl.createSaslServer(CRAM, protocol, host, objProps, silentHandler);
    System.out.println(viaObjectsServer);
    // Case 4: a deliberately raw-typed map mixing String and Object values.
    Map rawProps = new Hashtable();
    rawProps.put(Sasl.POLICY_NOPLAINTEXT, "true");
    rawProps.put("some.object.valued.property", System.err);
    SaslClient viaRawClient = Sasl.createSaslClient(new String[] { EXTERNAL, CRAM }, authzId, protocol, host, rawProps, silentHandler);
    System.out.println(viaRawClient);
    SaslServer viaRawServer = Sasl.createSaslServer(CRAM, protocol, host, rawProps, silentHandler);
    System.out.println(viaRawServer);
}
Also used : Hashtable(java.util.Hashtable) Properties(java.util.Properties) GSSException(org.ietf.jgss.GSSException) Map(java.util.Map)
