Use of org.ietf.jgss.GSSException in project OpenAM by OpenRock:
class WindowsDesktopSSO, method process.
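/**
 * Processes the authentication request.
 *
 * <p>The SPNEGO token is taken from the HTTP request when present and from the supplied
 * callbacks otherwise. The Kerberos mech token is extracted from it and validated against the
 * configured trusted realms. When the service credential used for that validation reports
 * {@code GSSException.CREDENTIALS_EXPIRED}, the credential is re-established once via
 * {@code serviceLogin()} and the validation is retried a single time.
 *
 * @param callbacks callbacks that may carry the SPNEGO token when the HTTP request does not
 * @param state login state; not consulted by this method
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} when the Kerberos token validates (directly or
 *         after the one credential refresh); {@code ISAuthConstants.LOGIN_IGNORE} when the REST
 *         auth endpoint has already flagged IWA as failed, or when a
 *         {@code PrivilegedActionException} wraps something other than a {@code GSSException}
 * @throws AuthLoginException when no usable token is present ("token") or validation fails ("auth")
 */
public int process(Callback[] callbacks, int state) throws AuthLoginException {
    int result = ISAuthConstants.LOGIN_IGNORE;
    // Check to see if the Rest Auth Endpoint has signified that IWA has failed.
    HttpServletRequest request = getHttpServletRequest();
    if (request != null && hasWDSSOFailed(request)) {
        return ISAuthConstants.LOGIN_IGNORE;
    }
    if (!getConfigParams()) {
        initWindowsDesktopSSOAuth(options);
    }
    // retrieve the spnego token: the HTTP request is preferred, the callbacks are the fallback
    byte[] spnegoToken = getSPNEGOTokenFromHTTPRequest(request);
    if (spnegoToken == null) {
        spnegoToken = getSPNEGOTokenFromCallback(callbacks);
    }
    if (spnegoToken == null) {
        debug.error("spnego token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    // NOTE: the complete client token is written to the debug log here (and again below for the
    // Kerberos mech token); message-level logging therefore exposes client credentials material
    // and should only be enabled while troubleshooting.
    if (debug.messageEnabled()) {
        debug.message("SPNEGO token: \n" + DerValue.printByteArray(spnegoToken, 0, spnegoToken.length));
    }
    // parse the spnego token and extract the kerberos mech token from it
    final byte[] kerberosToken = parseToken(spnegoToken);
    if (kerberosToken == null) {
        debug.error("kerberos token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    if (debug.messageEnabled()) {
        debug.message("Kerberos token retrieved from SPNEGO token: \n" + DerValue.printByteArray(kerberosToken, 0, kerberosToken.length));
    }
    // authenticate the user with the kerberos token
    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
        if (debug.messageEnabled()) {
            debug.message("WindowsDesktopSSO kerberos authentication passed succesfully.");
        }
        result = ISAuthConstants.LOGIN_SUCCEED;
    } catch (PrivilegedActionException pe) {
        Exception e = extractException(pe);
        if (e instanceof GSSException) {
            result = handleGssFailure((GSSException) e, kerberosToken,
                    "Authentication failed with PrivilegedActionException wrapped GSSException. Stack Trace",
                    "Authentication failed with new cred.Stack Trace");
        } else {
            // A wrapped non-GSS failure used to fall through without any record of the cause.
            // The outcome (LOGIN_IGNORE) is kept so the chain behaves as before; only the
            // cause is now logged.
            debug.error("Authentication failed with PrivilegedActionException. Stack Trace", e);
        }
    } catch (GSSException e1) {
        result = handleGssFailure(e1, kerberosToken,
                "Authentication failed with GSSException. Stack Trace",
                "Authentication failed with new cred. Stack Trace");
    } catch (AuthLoginException e2) {
        debug.error("Authentication failed with AuthLoginException. Stack Trace", e2);
        throw e2;
    } catch (Exception e3) {
        debug.error("Authentication failed with generic exception. Stack Trace", e3);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, e3);
    }
    return result;
}

/**
 * Handles a {@code GSSException} raised while validating the Kerberos token.
 *
 * <p>Any major code other than {@code CREDENTIALS_EXPIRED} is logged and converted into an
 * {@code AuthLoginException}. For an expired service credential the credential is re-established
 * with {@code serviceLogin()} and the token is validated once more; a failure of that retry is
 * converted the same way.
 *
 * @param gsse the GSS failure from the first validation attempt
 * @param kerberosToken the Kerberos mech token to validate again after the credential refresh
 * @param failureMessage log message used when {@code gsse} is not a credential-expiry failure
 * @param retryFailureMessage log message used when the retry fails
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} when the retry validates the token
 * @throws AuthLoginException for every failure that is not recovered by the retry
 */
private int handleGssFailure(GSSException gsse, byte[] kerberosToken, String failureMessage,
        String retryFailureMessage) throws AuthLoginException {
    if (gsse.getMajor() != GSSException.CREDENTIALS_EXPIRED) {
        debug.error(failureMessage, gsse);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, gsse);
    }
    if (debug.messageEnabled()) {
        debug.message("Credential expired. Re-establish credential...");
    }
    serviceLogin();
    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
    } catch (Exception ee) {
        debug.error(retryFailureMessage, ee);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, ee);
    }
    if (debug.messageEnabled()) {
        debug.message("Authentication succeeded with new cred.");
    }
    // Fix: the success result was previously assigned inside the messageEnabled() branch, so a
    // successful retry reported LOGIN_IGNORE whenever message-level logging was switched off.
    return ISAuthConstants.LOGIN_SUCCEED;
}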
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains:
class GssMemoryIssues, method main.
/**
 * Re-imports an exported GSS name whose embedded mechanism-name length field has been inflated.
 * A provider that honours the length field as given would try to work with a far larger buffer
 * than it was handed; the outcome this test prints is the {@link GSSException} it expects instead.
 *
 * @param argv unused
 * @throws Exception if the re-import fails with anything other than a {@link GSSException}
 */
public static void main(String[] argv) throws Exception {
    final GSSManager manager = GSSManager.getInstance();
    final String principal = "me@REALM";
    final GSSName exportedName = manager.createName(principal, GSSName.NT_USER_NAME);
    final byte[] blob = exportedName.export();
    // The big-endian length of the mech name sits 4 bytes before the trailing name string;
    // poke its most significant byte so the claimed length dwarfs the actual buffer.
    final int lengthFieldOffset = blob.length - principal.length() - 4;
    blob[lengthFieldOffset] = 0x7f;
    try {
        manager.createName(blob, GSSName.NT_EXPORT_NAME);
    } catch (GSSException expected) {
        System.out.println(expected);
    }
}
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains:
class MSOID, method main.
/**
 * Feeds a captured NegTokenInit (msoid.txt, sent by Internet Explorer to an IIS test server; no
 * sensitive data included) to an acceptor that holds no credential, and requires the failure to be
 * {@code GSSException.NO_CRED} raised from within {@code sun.security.jgss.krb5}. That combination
 * shows the Microsoft krb5 OID in the token was recognised and handed to the krb5 mechanism.
 *
 * @param args unused
 * @throws Exception if acceptance unexpectedly succeeds, fails with another major code, or the
 *         failure does not originate in the krb5 mechanism
 */
public static void main(String[] args) throws Exception {
    byte[] raw = Files.readAllBytes(Paths.get(System.getProperty("test.src"), "msoid.txt"));
    // skip the first 10 bytes of the file, then MIME-base64 decode the rest
    byte[] negTokenInit = Base64.getMimeDecoder().decode(Arrays.copyOfRange(raw, 10, raw.length));
    GSSContext acceptor = GSSManager.getInstance().createContext((GSSCredential) null);
    try {
        acceptor.acceptSecContext(negTokenInit, 0, negTokenInit.length);
        // and acceptor chooses another mech and goes on
        throw new Exception("Should fail");
    } catch (GSSException gsse) {
        // After the fix, GSS_KRB5_MECH_OID_MS is recognized but the token
        // cannot be accepted because we don't have any krb5 credential.
        gsse.printStackTrace();
        if (gsse.getMajor() != GSSException.NO_CRED) {
            throw gsse;
        }
        boolean raisedByKrb5 = Arrays.stream(gsse.getStackTrace())
                .map(StackTraceElement::getClassName)
                .anyMatch(className -> className.startsWith("sun.security.jgss.krb5."));
        if (!raisedByKrb5) {
            throw gsse;
        }
        // Good, it is already in krb5 mech's hand.
    }
}
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains:
class IgnoreChannelBinding, method main.
/**
 * Exercises channel-binding handling over the krb5 mechanism in five handshakes: no bindings on
 * either side, bindings on the initiator only, matching bindings on both sides, mismatched
 * bindings (application data of different length), and bindings on the acceptor only. The first
 * three must succeed; the last two must fail with a {@link GSSException}, and the acceptor-only case
 * must additionally report {@code BAD_BINDINGS}.
 *
 * @param args unused
 * @throws Exception when a handshake that should be rejected succeeds, or the acceptor-only case
 *         reports a major code other than {@code BAD_BINDINGS}
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();
    Context initiator = Context.fromJAAS("client");
    Context acceptor = Context.fromJAAS("server");

    // All silent
    initiator.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    acceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(initiator, acceptor);

    // Initiator req, acceptor ignore
    initiator.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    initiator.x().setChannelBinding(rabbitHoleBinding(new byte[0]));
    acceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    Context.handshake(initiator, acceptor);

    // Both req, and match
    initiator.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    initiator.x().setChannelBinding(rabbitHoleBinding(new byte[0]));
    acceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    acceptor.x().setChannelBinding(rabbitHoleBinding(new byte[0]));
    Context.handshake(initiator, acceptor);

    // Both req, NOT match: the acceptor's application data is one byte long, the initiator's empty
    initiator.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    initiator.x().setChannelBinding(rabbitHoleBinding(new byte[0]));
    acceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    acceptor.x().setChannelBinding(rabbitHoleBinding(new byte[1]));
    try {
        Context.handshake(initiator, acceptor);
        throw new Exception("Acceptor should reject initiator");
    } catch (GSSException expected) {
        // Expected behavior: any GSS failure counts as a rejection here
    }

    // Acceptor req, reject
    initiator.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    acceptor.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    acceptor.x().setChannelBinding(rabbitHoleBinding(new byte[0]));
    try {
        Context.handshake(initiator, acceptor);
        throw new Exception("Acceptor should reject initiator");
    } catch (GSSException ge) {
        // Expected behavior, but only if it is reported as a binding problem
        if (ge.getMajor() != GSSException.BAD_BINDINGS) {
            throw ge;
        }
    }
}

/**
 * Builds the channel binding shared by every case: fixed initiator and acceptor addresses, with
 * the caller-supplied application data.
 *
 * @param applicationData application data to embed in the binding
 * @return a new {@link ChannelBinding} for client.rabbit.hole / host.rabbit.hole
 * @throws Exception if either host name cannot be resolved
 */
private static ChannelBinding rabbitHoleBinding(byte[] applicationData) throws Exception {
    return new ChannelBinding(
            InetAddress.getByName("client.rabbit.hole"),
            InetAddress.getByName("host.rabbit.hole"),
            applicationData);
}
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains:
class OkAsDelegate, method go.
/**
 * Runs one credential-delegation scenario against a freshly written OneKDC and compares the
 * delegation state observed on both sides of the handshake with the expectations passed in.
 *
 * <p>The KDC's OK-AS-DELEGATE option is taken from the {@code test.kdc.policy.ok-as-delegate}
 * system property; the mechanism is SPNEGO when {@code test.spnego} is set and krb5 otherwise.
 *
 * @param forwardable when {@code false}, krb5.conf is rewritten without the OneKDC default
 *        {@code forwardable = true}
 * @param requestDelegState value handed to {@code requestCredDeleg} on the initiator
 * @param requestDelegPolicyState value handed to {@code requestDelegPolicy} on the initiator
 * @param delegState expected {@code getCredDelegState} on both initiator and acceptor
 * @param delegPolicyState expected {@code getDelegPolicyState} on the initiator
 * @param delegated whether the acceptor is expected to obtain a delegated credential
 * @throws Exception when any observed state differs from its expectation
 */
void go(boolean forwardable, boolean requestDelegState, boolean requestDelegPolicyState, boolean delegState, boolean delegPolicyState, boolean delegated) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate"));
    kdc.writeJAASConf();
    if (!forwardable) {
        // The default OneKDC always includes "forwardable = true" in krb5.conf; rewrite the
        // config without it and make the krb5 layer re-read it.
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc, "default_keytab_name = " + OneKDC.KTAB);
        Config.refresh();
    }

    Context initiator = Context.fromJAAS("client");
    Context acceptor = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
    boolean useSpnego = System.getProperty("test.spnego") != null;
    Oid mech = useSpnego ? GSSUtil.GSS_SPNEGO_MECH_OID : GSSUtil.GSS_KRB5_MECH_OID;

    initiator.startAsClient(OneKDC.SERVER, mech);
    ExtendedGSSContext initiatorCtx = (ExtendedGSSContext) initiator.x();
    initiatorCtx.requestCredDeleg(requestDelegState);
    initiatorCtx.requestDelegPolicy(requestDelegPolicyState);
    acceptor.startAsServer(mech);
    ExtendedGSSContext acceptorCtx = (ExtendedGSSContext) acceptor.x();
    Context.handshake(initiator, acceptor);

    if (delegState != initiatorCtx.getCredDelegState()) {
        throw new Exception("Initiator cred state error");
    }
    if (delegState != acceptorCtx.getCredDelegState()) {
        throw new Exception("Acceptor cred state error");
    }
    if (delegPolicyState != initiatorCtx.getDelegPolicyState()) {
        throw new Exception("Initiator cred policy state error");
    }

    GSSCredential delegatedCred;
    try {
        delegatedCred = acceptor.x().getDelegCred();
    } catch (GSSException ignored) {
        // no delegated credential is available; treated as "not delegated"
        delegatedCred = null;
    }
    boolean gotDelegatedCred = delegatedCred != null;
    if (gotDelegatedCred != delegated) {
        throw new Exception("get cred error");
    }
}