
Example 46 with GSSException

use of org.ietf.jgss.GSSException in project OpenAM by OpenRock.

the class WindowsDesktopSSO method process.

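/**
 * Processes the authentication request for the Windows Desktop SSO
 * (Kerberos over SPNEGO) module.
 * <p>
 * The SPNEGO token is taken from the HTTP request first and from the
 * callbacks as a fallback. The Kerberos mech token is unwrapped from it and
 * handed to {@code authenticateToken} together with the configured
 * {@code trustedKerberosRealms} (the realm check itself lives in that
 * method, not here). If the service credential has expired
 * ({@link GSSException#CREDENTIALS_EXPIRED}) the service logs in again and
 * the token is validated one more time.
 *
 * @param callbacks callbacks supplied by the framework; consulted for the
 *        SPNEGO token only when the HTTP request does not carry one.
 * @param state the current login state; not used by this module.
 * @return {@link ISAuthConstants#LOGIN_SUCCEED} when the Kerberos token was
 *         accepted, or {@link ISAuthConstants#LOGIN_IGNORE} when the REST
 *         auth endpoint has flagged IWA as failed for this request.
 * @exception AuthLoginException when no SPNEGO token is present, the token
 *         cannot be parsed, or the Kerberos authentication fails (the
 *         underlying exception is attached as the cause where there is one).
 */
public int process(Callback[] callbacks, int state) throws AuthLoginException {
    // The REST auth endpoint may already have signalled that IWA failed for
    // this request; let another module handle it.
    HttpServletRequest request = getHttpServletRequest();
    if (request != null && hasWDSSOFailed(request)) {
        return ISAuthConstants.LOGIN_IGNORE;
    }
    if (!getConfigParams()) {
        initWindowsDesktopSSOAuth(options);
    }

    // Locate the SPNEGO token: HTTP request first, callbacks as fallback.
    // NOTE(review): request may be null here; getSPNEGOTokenFromHTTPRequest
    // is assumed to tolerate that (the original passed it unchecked too).
    byte[] spnegoToken = getSPNEGOTokenFromHTTPRequest(request);
    if (spnegoToken == null) {
        spnegoToken = getSPNEGOTokenFromCallback(callbacks);
    }
    if (spnegoToken == null) {
        debug.error("spnego token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    if (debug.messageEnabled()) {
        // Security: this writes the client's raw SPNEGO token (which normally
        // wraps a Kerberos AP-REQ) into the debug log. Treat debug logs as
        // sensitive material while message-level logging is enabled.
        debug.message("SPNEGO token: \n" + DerValue.printByteArray(spnegoToken, 0, spnegoToken.length));
    }

    // Unwrap the Kerberos mech token from the SPNEGO envelope.
    final byte[] kerberosToken = parseToken(spnegoToken);
    if (kerberosToken == null) {
        debug.error("kerberos token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    if (debug.messageEnabled()) {
        debug.message("Kerberos token retrieved from SPNEGO token: \n" + DerValue.printByteArray(kerberosToken, 0, kerberosToken.length));
    }

    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
        if (debug.messageEnabled()) {
            debug.message("WindowsDesktopSSO kerberos authentication passed succesfully.");
        }
        return ISAuthConstants.LOGIN_SUCCEED;
    } catch (PrivilegedActionException pe) {
        Exception cause = extractException(pe);
        if (cause instanceof GSSException) {
            return recoverFromGssFailure((GSSException) cause, kerberosToken);
        }
        // A non-GSS failure inside the privileged action used to fall through
        // and return LOGIN_IGNORE without logging anything. Fail explicitly,
        // consistent with the generic catch below.
        Exception reported = (cause != null) ? cause : pe;
        debug.error("Authentication failed with PrivilegedActionException. Stack Trace", reported);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, reported);
    } catch (GSSException ge) {
        return recoverFromGssFailure(ge, kerberosToken);
    } catch (AuthLoginException ale) {
        debug.error("Authentication failed with AuthLoginException. Stack Trace", ale);
        throw ale;
    } catch (Exception e) {
        debug.error("Authentication failed with generic exception. Stack Trace", e);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, e);
    }
}

/**
 * Handles a {@link GSSException} raised while validating the Kerberos token.
 * Only an expired service credential is recoverable: the service logs in
 * again and the token is validated once more. Any other major code, and any
 * failure of the retry, is reported as an {@link AuthLoginException}.
 *
 * @param cause the exception raised by the first validation attempt.
 * @param kerberosToken the Kerberos mech token to validate again.
 * @return {@link ISAuthConstants#LOGIN_SUCCEED} when the retry succeeds.
 * @throws AuthLoginException when the failure is not recoverable, the service
 *         re-login fails, or the retry fails.
 */
private int recoverFromGssFailure(GSSException cause, byte[] kerberosToken) throws AuthLoginException {
    if (cause.getMajor() != GSSException.CREDENTIALS_EXPIRED) {
        debug.error("Authentication failed with GSSException. Stack Trace", cause);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, cause);
    }
    if (debug.messageEnabled()) {
        debug.message("Credential expired. Re-establish credential...");
    }
    serviceLogin();
    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
    } catch (Exception retryFailure) {
        debug.error("Authentication failed with new cred. Stack Trace", retryFailure);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, retryFailure);
    }
    // The original only recorded success here inside the messageEnabled()
    // guard, so a successful retry returned LOGIN_IGNORE whenever debug
    // messages were off. Success must not depend on the log level.
    if (debug.messageEnabled()) {
        debug.message("Authentication succeeded with new cred.");
    }
    return ISAuthConstants.LOGIN_SUCCEED;
}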

Example 47 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class GssMemoryIssues method main.

/**
 * Regression test: an exported GSS name whose embedded mech-name length
 * field has been tampered with to an enormous value must be rejected with a
 * {@link GSSException} when re-imported (the class name suggests the failure
 * mode guarded against is a memory blow-up from trusting that length).
 *
 * @param argv unused.
 * @throws Exception if creating or exporting the original name fails.
 */
public static void main(String[] argv) throws Exception {
    final GSSManager manager = GSSManager.getInstance();
    final String principal = "me@REALM";
    final byte[] exportedName = manager.createName(principal, GSSName.NT_USER_NAME).export();
    // The export format ends with the mech name preceded by its 4-byte
    // big-endian length; this is the offset of that length's leading byte.
    final int lengthFieldOffset = exportedName.length - principal.length() - 4;
    // Corrupt the high byte so the declared length becomes enormous.
    exportedName[lengthFieldOffset] = 0x7f;
    try {
        manager.createName(exportedName, GSSName.NT_EXPORT_NAME);
    } catch (GSSException expected) {
        System.out.println(expected);
    }
}

Example 48 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class MSOID method main.

/**
 * Regression test for recognising the Microsoft Kerberos mech OID inside a
 * SPNEGO NegTokenInit. The token in {@code msoid.txt} was captured from
 * Internet Explorer talking to an IIS server on a test machine and carries
 * no sensitive data. The acceptor is created without a credential, so the
 * accept must fail with {@link GSSException#NO_CRED} raised from inside the
 * krb5 mech - proving the MS OID was mapped to krb5 instead of being
 * rejected as an unknown mechanism.
 *
 * @param args unused.
 * @throws Exception if the token is accepted, or it fails for any other
 *         reason or from any other mech.
 */
public static void main(String[] args) throws Exception {
    final byte[] raw = Files.readAllBytes(Paths.get(System.getProperty("test.src"), "msoid.txt"));
    // The first 10 bytes of the file are a header; the remainder is MIME base64.
    final byte[] negTokenInit = Base64.getMimeDecoder().decode(Arrays.copyOfRange(raw, 10, raw.length));
    // The cast picks the GSSCredential overload of createContext.
    final GSSContext acceptor = GSSManager.getInstance().createContext((GSSCredential) null);
    try {
        acceptor.acceptSecContext(negTokenInit, 0, negTokenInit.length);
        throw new Exception("Should fail");
    } catch (GSSException gsse) {
        gsse.printStackTrace();
        if (gsse.getMajor() != GSSException.NO_CRED || !raisedByKrb5Mech(gsse)) {
            throw gsse;
        }
    }
}

/** True when any frame of the exception's stack trace lies in the krb5 mech package. */
private static boolean raisedByKrb5Mech(GSSException gsse) {
    for (StackTraceElement frame : gsse.getStackTrace()) {
        if (frame.getClassName().startsWith("sun.security.jgss.krb5.")) {
            return true;
        }
    }
    return false;
}

Example 49 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class IgnoreChannelBinding method main.

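/**
 * Exercises how the Kerberos acceptor treats GSS channel bindings:
 * <ul>
 * <li>neither side sets bindings: the handshake succeeds;</li>
 * <li>only the initiator sets bindings: the acceptor ignores them and succeeds;</li>
 * <li>both set identical bindings: the handshake succeeds;</li>
 * <li>both set bindings whose application data differ: the acceptor rejects;</li>
 * <li>only the acceptor sets bindings: the acceptor rejects with
 *     {@link GSSException#BAD_BINDINGS}.</li>
 * </ul>
 *
 * @param args unused.
 * @throws Exception if any handshake does not behave as listed above.
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();
    Context c = Context.fromJAAS("client");
    Context s = Context.fromJAAS("server");

    // All silent
    c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(c, s);

    // Initiator req, acceptor ignore
    c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    c.x().setChannelBinding(testBinding(new byte[0]));
    s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(c, s);

    // Both req, and match
    c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    c.x().setChannelBinding(testBinding(new byte[0]));
    s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    s.x().setChannelBinding(testBinding(new byte[0]));
    Context.handshake(c, s);

    // Both req, NOT match: application data is 0 bytes on the initiator
    // and 1 byte on the acceptor.
    c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    c.x().setChannelBinding(testBinding(new byte[0]));
    s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    s.x().setChannelBinding(testBinding(new byte[1]));
    try {
        Context.handshake(c, s);
        throw new Exception("Acceptor should reject initiator");
    } catch (GSSException ge) {
        // Expected behavior. NOTE(review): unlike the final case this does
        // not pin the major code, so any GSSException passes here; tighten
        // to BAD_BINDINGS if the mismatch is known to surface that way.
    }

    // Acceptor req, reject
    c.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    s.x().setChannelBinding(testBinding(new byte[0]));
    try {
        Context.handshake(c, s);
        throw new Exception("Acceptor should reject initiator");
    } catch (GSSException ge) {
        // Expected behavior
        if (ge.getMajor() != GSSException.BAD_BINDINGS) {
            throw ge;
        }
    }
}

/**
 * Channel bindings between the two fixed test peers, varying only the
 * application data so callers can build matching or mismatching bindings.
 *
 * @param applicationData the application-data component of the binding.
 * @return the binding for client.rabbit.hole / host.rabbit.hole.
 * @throws Exception if either test host name cannot be resolved.
 */
private static ChannelBinding testBinding(byte[] applicationData) throws Exception {
    return new ChannelBinding(
            InetAddress.getByName("client.rabbit.hole"),
            InetAddress.getByName("host.rabbit.hole"),
            applicationData);
}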

Example 50 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class OkAsDelegate method go.

/**
 * Runs one OK-AS-DELEGATE scenario against a fresh single-realm test KDC and
 * verifies the delegation flags the initiator and acceptor end up with.
 *
 * @param forwardable whether the client's TGT is forwardable; when false the
 *        "forwardable = true" that OneKDC writes by default is overridden.
 * @param requestDelegState value passed to requestCredDeleg on the initiator.
 * @param requestDelegPolicyState value passed to requestDelegPolicy on the initiator.
 * @param delegState expected getCredDelegState() on both sides after the handshake.
 * @param delegPolicyState expected getDelegPolicyState() on the initiator.
 * @param delegated whether the acceptor is expected to obtain a delegated credential.
 * @throws Exception when an observed state differs from its expectation.
 */
void go(boolean forwardable, boolean requestDelegState, boolean requestDelegPolicyState, boolean delegState, boolean delegPolicyState, boolean delegated) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate"));
    kdc.writeJAASConf();
    if (!forwardable) {
        // OneKDC always writes "forwardable = true" into krb5.conf; rewrite
        // the config without it so the client's TGT is not forwardable.
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc, "default_keytab_name = " + OneKDC.KTAB);
        Config.refresh();
    }

    Context initiator = Context.fromJAAS("client");
    Context acceptor = Context.fromJAAS("com.sun.security.jgss.krb5.accept");

    // Wrap krb5 in SPNEGO when the test.spnego system property is set.
    Oid mech = (System.getProperty("test.spnego") == null)
            ? GSSUtil.GSS_KRB5_MECH_OID
            : GSSUtil.GSS_SPNEGO_MECH_OID;

    initiator.startAsClient(OneKDC.SERVER, mech);
    ExtendedGSSContext initiatorCtx = (ExtendedGSSContext) initiator.x();
    initiatorCtx.requestCredDeleg(requestDelegState);
    initiatorCtx.requestDelegPolicy(requestDelegPolicyState);
    acceptor.startAsServer(mech);
    ExtendedGSSContext acceptorCtx = (ExtendedGSSContext) acceptor.x();
    Context.handshake(initiator, acceptor);

    expect(initiatorCtx.getCredDelegState() == delegState, "Initiator cred state error");
    expect(acceptorCtx.getCredDelegState() == delegState, "Acceptor cred state error");
    expect(initiatorCtx.getDelegPolicyState() == delegPolicyState, "Initiator cred policy state error");

    // A GSSException from getDelegCred counts as "no delegated credential".
    boolean gotDelegCred;
    try {
        gotDelegCred = acceptor.x().getDelegCred() != null;
    } catch (GSSException noDelegCred) {
        gotDelegCred = false;
    }
    expect(gotDelegCred == delegated, "get cred error");
}

/** Throws {@code new Exception(message)} unless {@code condition} holds. */
private static void expect(boolean condition, String message) throws Exception {
    if (!condition) {
        throw new Exception(message);
    }
}
