Use of org.ietf.jgss.GSSException in project druid by druid-io.
The class DruidKerberosUtil, method kerberosChallenge.
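/**
 * Builds the initial Kerberos token for the {@code Negotiate} challenge sent to {@code server}.
 * <p>
 * Must be called inside a {@code Subject.doAs} block: the client credential handed to
 * {@link GSSManager#createContext} is {@code null}, so the TGT is read from the current Subject.
 * The context requests mutual authentication and credential delegation, so the server may
 * receive a delegated copy of the client's credentials; only call this against servers that are
 * meant to act on the client's behalf.
 *
 * @param server host name of the HTTP service; the target principal is {@code HTTP@server}
 * @return the Base64-encoded initial context token
 * @throws AuthenticationException if the Kerberos mechanism OID cannot be resolved or the GSS
 *     context cannot be initiated (wraps the underlying GSS or reflection exception)
 */
public static String kerberosChallenge(String server) throws AuthenticationException {
  kerberosLock.lock();
  try {
    // OID of the Kerberos GSS-API mechanism, resolved reflectively by KerberosUtil.
    Oid mechOid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
    // Null client credential: JGSS reads the TGT from the Subject of the enclosing doAs.
    GSSContext gssContext = manager.createContext(serverName.canonicalize(mechOid), mechOid, null, GSSContext.DEFAULT_LIFETIME);
    try {
      gssContext.requestMutualAuth(true);
      gssContext.requestCredDeleg(true);
      // First (and, for the HTTP challenge, only) leg: no input token yet.
      byte[] inToken = new byte[0];
      byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
      // NOTE(review): relies on base64codec producing ASCII-only bytes, so the platform
      // default charset used by this String constructor is harmless — confirm the codec's config.
      return new String(base64codec.encode(outToken));
    } finally {
      // Release the context on every path, not only after a successful initSecContext.
      gssContext.dispose();
    }
  } catch (GSSException | IllegalAccessException | NoSuchFieldException | ClassNotFoundException e) {
    throw new AuthenticationException(e);
  } finally {
    kerberosLock.unlock();
  }
}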
Use of org.ietf.jgss.GSSException in project jetty.project by eclipse.
The class SpnegoLoginService, method login.
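/**
 * Authenticates a client from the SPNEGO token carried in {@code credentials}.
 * <p>
 * {@code username} is ignored: the Base64-encoded token in {@code credentials} carries all the
 * information needed. A GSS acceptor is created for {@code _targetName} and driven with the
 * token; on success the client principal name becomes the user name and the text after
 * {@code '@'} (the Kerberos realm) becomes the user's only role. The token produced by the
 * acceptor is stored in the {@link SpnegoUserPrincipal} for the caller to hand back to the client.
 *
 * @param username ignored
 * @param credentials the Base64-encoded SPNEGO token; a non-{@link String} value is rejected
 * @param request the current request, unused here
 * @return the authenticated identity, or {@code null} if no security context could be established
 */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
  if (!(credentials instanceof String)) {
    LOG.debug("SpnegoUserRealm: credentials are not a SPNEGO token string");
    return null;
  }
  byte[] authToken = B64Code.decode((String) credentials);
  GSSManager manager = GSSManager.getInstance();
  GSSCredential serverCreds = null;
  GSSContext gContext = null;
  try {
    // SPNEGO mechanism OID; see the JGSS features guide.
    Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
    GSSName gssName = manager.createName(_targetName, null);
    serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
    gContext = manager.createContext(serverCreds);
    if (gContext == null) {
      LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
      return null;
    }
    // NOTE(review): a multi-leg negotiation would need the response token returned to the
    // client instead of being fed into the acceptor again; this loop only completes exchanges
    // that finish with the first token.
    while (!gContext.isEstablished()) {
      authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
    }
    String clientName = gContext.getSrcName().toString();
    // Realm part of user@REALM; when there is no '@' the whole name is used.
    String role = clientName.substring(clientName.indexOf('@') + 1);
    LOG.debug("SpnegoUserRealm: established a security context");
    LOG.debug("Client Principal is: " + gContext.getSrcName());
    LOG.debug("Server Principal is: " + gContext.getTargName());
    LOG.debug("Client Default Role: " + role);
    SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
    Subject subject = new Subject();
    subject.getPrincipals().add(user);
    return _identityService.newUserIdentity(subject, user, new String[] { role });
  } catch (GSSException gsse) {
    LOG.warn(gsse);
  } finally {
    // Release the acceptor state and the server credential on every path.
    try {
      if (gContext != null) {
        gContext.dispose();
      }
      if (serverCreds != null) {
        serverCreds.dispose();
      }
    } catch (GSSException gsse) {
      LOG.debug(gsse);
    }
  }
  return null;
}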
Use of org.ietf.jgss.GSSException in project tomcat by apache.
The class RealmBase, method authenticate.
/**
 * {@inheritDoc}
 * <p>
 * Resolves the client principal from an already established GSS context. The realm suffix
 * ({@code @REALM}) is dropped when {@link #isStripRealmForGss()} is set, and the delegated
 * credential is attached only if {@code storeCreds} is set and the client actually delegated.
 * Returns {@code null} when the context is not established or the source name cannot be read.
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
  if (!gssContext.isEstablished()) {
    log.error(sm.getString("realmBase.gssContextNotEstablished"));
    return null;
  }
  GSSName srcName;
  try {
    srcName = gssContext.getSrcName();
  } catch (GSSException e) {
    log.warn(sm.getString("realmBase.gssNameFail"), e);
    return null;
  }
  if (srcName == null) {
    return null;
  }
  String name = srcName.toString();
  if (isStripRealmForGss()) {
    int at = name.indexOf('@');
    // Only strip when something precedes the '@', so the name never becomes empty.
    if (at > 0) {
      name = name.substring(0, at);
    }
  }
  GSSCredential delegated = null;
  if (storeCreds && gssContext.getCredDelegState()) {
    try {
      delegated = gssContext.getDelegCred();
    } catch (GSSException e) {
      if (log.isDebugEnabled()) {
        log.debug(sm.getString("realmBase.delegatedCredentialFail", name), e);
      }
    }
  }
  return getPrincipal(name, delegated);
}
Use of org.ietf.jgss.GSSException in project OpenAM by OpenRock.
The class WindowsDesktopSSO, method authenticateToken.
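/**
 * Accepts the client's Kerberos token under the service Subject and, when it is valid, records
 * the authenticated user as this module's principal.
 * <p>
 * Runs inside {@code Subject.doAs(serviceSubject, ...)} so the acceptor takes the service
 * credential from that Subject. Once the context is established the client principal is checked
 * against {@code trustedRealms}; an empty set disables that check, so any realm the KDC trusts is
 * accepted. When {@code lookupUserInRealm} is set the user must additionally exist in the
 * request's organization.
 *
 * @param kerberosToken the raw (already Base64-decoded) token from the client
 * @param trustedRealms realms the user principal may belong to; empty means no restriction
 * @throws AuthLoginException if the context cannot be established, the realm is not trusted, or
 *     the user is not found; because the action runs under {@code doAs}, callers may see it
 *     wrapped in a {@link java.security.PrivilegedActionException}
 * @throws GSSException if the GSS layer fails
 * @throws Exception for any other failure of the privileged action
 */
private void authenticateToken(final byte[] kerberosToken, final Set<String> trustedRealms) throws AuthLoginException, GSSException, Exception {
  debug.message("In authenticationToken ...");
  Subject.doAs(serviceSubject, new PrivilegedExceptionAction<Void>() {
    @Override
    public Void run() throws Exception {
      // Null credential: the acceptor credential comes from the Subject of the enclosing doAs.
      GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
      if (debug.messageEnabled()) {
        debug.message("Context created.");
      }
      try {
        byte[] outToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
        if (outToken != null && debug.messageEnabled()) {
          debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(outToken, 0, outToken.length));
        }
        if (!context.isEstablished()) {
          debug.error("Cannot establish context !");
          throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
        }
        if (debug.messageEnabled()) {
          debug.message("Context established !");
        }
        GSSName user = context.getSrcName();
        final String userPrincipalName = user.toString();
        // An empty set means no realm restriction is applied.
        if (!trustedRealms.isEmpty()) {
          boolean foundTrustedRealm = false;
          for (final String trustedRealm : trustedRealms) {
            if (isTokenTrusted(userPrincipalName, trustedRealm)) {
              foundTrustedRealm = true;
              break;
            }
          }
          if (!foundTrustedRealm) {
            debug.error("Kerberos token for " + userPrincipalName + " not trusted");
            final String[] data = { userPrincipalName };
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "untrustedToken", data);
          }
        }
        // Optionally require a matching account in the request's organization.
        if (lookupUserInRealm) {
          String org = getRequestOrg();
          String userValue = getUserName(userPrincipalName);
          String userName = searchUserAccount(userValue, org);
          if (userName == null || userName.isEmpty()) {
            String[] data = { userValue, org };
            debug.error("WindowsDesktopSSO.authenticateToken: " + ": Unable to find the user " + userValue);
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "notfound", data);
          }
          storeUsernamePasswd(userValue, null);
        }
        if (debug.messageEnabled()) {
          debug.message("WindowsDesktopSSO.authenticateToken:" + "User authenticated: " + user.toString());
        }
        setPrincipal(userPrincipalName);
      } finally {
        // Release the acceptor's state on every path, including the failure throws above.
        try {
          context.dispose();
        } catch (GSSException e) {
          debug.warning("WindowsDesktopSSO.authenticateToken: failed to dispose GSS context", e);
        }
      }
      return null;
    }
  });
}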
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.
The class PassSysProps, method main.
/**
 * Exercises {@code Sasl.createSaslClient}/{@code createSaslServer} with property maps of
 * different static types: the system {@code Properties} through a raw cast, a
 * {@code Map<String,String>}, a {@code Map<String,Object>} and a raw {@code Map}. Every client
 * and server created is printed. The GSSAPI pair is allowed to fail with a {@code SaslException}
 * whose cause is a {@code GSSException}, since no Kerberos configuration is present.
 */
public static void main(String[] args) throws Exception {
  final String authzId = null;
  final String protocol = "ldap";
  final String serverName = "server1";
  // The mechanisms are only instantiated, never driven, so no callback is ever answered.
  CallbackHandler noopHandler = new CallbackHandler() {
    @Override
    public void handle(Callback[] callbacks) {
    }
  };
  // 1. system Properties, passed through a raw Map cast
  Properties sysProps = System.getProperties();
  System.out.println(Sasl.createSaslClient(new String[] { DIGEST, PLAIN }, authzId, protocol, serverName, (Map) sysProps, noopHandler));
  System.out.println(Sasl.createSaslServer(DIGEST, protocol, serverName, (Map) sysProps, noopHandler));
  // 2. string-valued props
  Map<String, String> stringProps = new Hashtable<String, String>();
  stringProps.put(Sasl.POLICY_NOPLAINTEXT, "true");
  try {
    System.out.println(Sasl.createSaslClient(new String[] { GSSAPI, PLAIN }, authzId, protocol, serverName, stringProps, noopHandler));
    System.out.println(Sasl.createSaslServer(GSSAPI, protocol, serverName, stringProps, noopHandler));
  } catch (SaslException se) {
    // Tolerate only a GSSException cause: Kerberos has not been initialised for this test.
    if (!(se.getCause() instanceof GSSException)) {
      throw se;
    }
  }
  // 3. object-valued props
  Map<String, Object> objProps = new Hashtable<String, Object>();
  objProps.put("some.object.valued.property", System.err);
  System.out.println(Sasl.createSaslClient(new String[] { EXTERNAL, CRAM }, authzId, protocol, serverName, objProps, noopHandler));
  System.out.println(Sasl.createSaslServer(CRAM, protocol, serverName, objProps, noopHandler));
  // 4. raw-typed map mixing String and Object values
  Map rawProps = new Hashtable();
  rawProps.put(Sasl.POLICY_NOPLAINTEXT, "true");
  rawProps.put("some.object.valued.property", System.err);
  System.out.println(Sasl.createSaslClient(new String[] { EXTERNAL, CRAM }, authzId, protocol, serverName, rawProps, noopHandler));
  System.out.println(Sasl.createSaslServer(CRAM, protocol, serverName, rawProps, noopHandler));
}