Example 51 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

From class MoreKvno, method main:

public static void main(String[] args) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    // Rewrite the keytab with 3 sets of keys for the same principal, each with a different kvno
    KeyTab ktab = KeyTab.create(OneKDC.KTAB);
    // p is the server's PrincipalName, a field of the enclosing test class (not shown here)
    p = new PrincipalName(OneKDC.SERVER + "@" + OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
    ktab.addEntry(p, "pass1".toCharArray(), 1, true);
    ktab.addEntry(p, "pass3".toCharArray(), 3, true);
    ktab.addEntry(p, "pass2".toCharArray(), 2, true);
    ktab.save();
    // The KDC now uses pass2; the acceptor must pick the matching keytab entry
    char[] pass = "pass2".toCharArray();
    kdc.addPrincipal(OneKDC.SERVER, pass);
    go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass);
    pass = "pass3".toCharArray();
    kdc.addPrincipal(OneKDC.SERVER, pass);
    // "server" initiates as well; check that pass2 is used at authentication
    go(OneKDC.SERVER, "server", pass);
    try {
        // pass4 has no keytab entry at all, so acceptance must fail
        pass = "pass4".toCharArray();
        kdc.addPrincipal(OneKDC.SERVER, pass);
        go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", pass);
        throw new Exception("This test should fail");
    } catch (GSSException gsse) {
        // Since 7197159, a different kvno is accepted, so this return code
        // will never be thrown again.
        //KrbException ke = (KrbException)gsse.getCause();
        //if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) {
        //    throw new Exception("Not expected failure code: " +
        //            ke.returnCode());
        //}
    }
}
Also used: GSSException(org.ietf.jgss.GSSException) KeyTab(sun.security.krb5.internal.ktab.KeyTab) PrincipalName(sun.security.krb5.PrincipalName) KrbException(sun.security.krb5.KrbException)

Example 52 with GSSException

use of org.ietf.jgss.GSSException in project tdi-studio-se by Talend.

From class XRMSpnegoClientAction, method run:

/**
 * Obtain a service ticket
 */
public byte[] run() {
    try {
        GSSManager gssManager = GSSManager.getInstance();
        // 1.3.6.1.5.5.2 is the SPNEGO mechanism OID
        Oid oid = new Oid("1.3.6.1.5.5.2");
        GSSName gssService = gssManager.createName(serviceName, GSSName.NT_USER_NAME);
        secContext = gssManager.createContext(gssService, oid, null, GSSContext.DEFAULT_LIFETIME);
        secContext.requestMutualAuth(mutualAuth);
        // Never delegate the client's credentials to the service
        secContext.requestCredDeleg(Boolean.FALSE);
        // An empty input token yields the initial SPNEGO token to send to the service
        byte[] token = new byte[0];
        return secContext.initSecContext(token, 0, token.length);
    } catch (GSSException e) {
        if (log.isDebugEnabled()) {
            log.debug("Error in obtaining a Kerberos token", e);
        }
    }
    return null;
}
Also used: GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSManager(org.ietf.jgss.GSSManager) Oid(org.ietf.jgss.Oid)

Example 53 with GSSException

use of org.ietf.jgss.GSSException in project voltdb by VoltDB.

From class HTTPClientInterface, method spnegoLogin:

private String spnegoLogin(String encodedToken) {
    // Reject a missing token before decoding it; decoding null would throw before the check ran
    if (encodedToken == null || encodedToken.isEmpty()) {
        return null;
    }
    byte[] token = B64Code.decode(encodedToken);
    try {
        // 1.3.6.1.5.5.2 is the SPNEGO mechanism OID
        final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        GSSManager manager = GSSManager.getInstance();
        GSSName name = manager.createName(m_servicePrincipal, null);
        GSSContext ctx = manager.createContext(name.canonicalize(spnegoOid), spnegoOid, null, GSSContext.INDEFINITE_LIFETIME);
        if (ctx == null) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "Failed to establish security context for SPNEGO authentication");
            return null;
        }
        // Consume the client's token; for the single round trip used here the loop runs once
        while (!ctx.isEstablished()) {
            token = ctx.acceptSecContext(token, 0, token.length);
        }
        if (ctx.isEstablished()) {
            // The authenticated client identity is the context's source name
            if (ctx.getSrcName() == null) {
                m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "Failed to read source name from established SPNEGO security context");
                return null;
            }
            String user = ctx.getSrcName().toString();
            if (m_log.isDebugEnabled()) {
                m_log.debug("established SPNEGO security context for " + user);
            }
            return user;
        }
        return null;
    } catch (GSSException e) {
        m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, e, "failed SPNEGO authentication");
        return null;
    }
}
Also used: GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid)

Example 54 with GSSException

use of org.ietf.jgss.GSSException in project voltdb by VoltDB.

From class ConnectionUtil, method performAuthenticationHandShake:

private static final ByteBuffer performAuthenticationHandShake(final SocketChannel channel, final Subject subject, final String serviceName) throws IOException {
    try {
        String subjectPrincipal = subject.getPrincipals().iterator().next().getName();
        final Optional<DelegatePrincipal> delegate = getDelegate(subject);
        // Only the service principal itself may authenticate on behalf of a delegate
        if (delegate.isPresent() && !subjectPrincipal.equals(serviceName)) {
            throw new IOException("Delegate authentication is not allowed for user " + delegate.get().getName());
        }
        // Run the GSS handshake with the Kerberos credentials attached to the Subject
        Subject.doAs(subject, new PrivilegedAction<GSSContext>() {

            @Override
            public GSSContext run() {
                GSSContext context = null;
                try {
                    // The standard type designation for a Kerberos v5 secure service context
                    final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
                    // The standard type designation for a Kerberos v5 principal name
                    final Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
                    final GSSName serverName = m_gssManager.createName(serviceName, krb5PrincipalNameType);
                    context = m_gssManager.createContext(serverName, krb5Oid, null, GSSContext.INDEFINITE_LIFETIME);
                    // Require mutual authentication plus confidentiality and integrity protection
                    context.requestMutualAuth(true);
                    context.requestConf(true);
                    context.requestInteg(true);
                    establishSecurityContext(channel, context, delegate);
                    context.dispose();
                    context = null;
                } catch (GSSException ex) {
                    throw new RuntimeException(ex);
                } catch (IOException ex) {
                    throw new RuntimeException(ex);
                } finally {
                    // Release the context if establishSecurityContext threw before dispose() ran
                    if (context != null)
                        try {
                            context.dispose();
                        } catch (Exception ignoreIt) {
                        }
                }
                return null;
            }
        });
    } catch (SecurityException ex) {
        // If we get here the authentication handshake failed.
        try {
            channel.close();
        } catch (Exception ignoreIt) {
        }
        // PrivilegedActionException is the first wrapper. The RuntimeException from Throwables would be
        // the second wrapper
        Throwable cause = ex.getCause();
        if (cause != null && (cause instanceof RuntimeException) && cause.getCause() != null) {
            cause = cause.getCause();
        } else if (cause == null) {
            cause = ex;
        }
        if (cause instanceof IOException) {
            throw IOException.class.cast(cause);
        } else {
            throw new IOException("Authentication Handshake Failed", cause);
        }
    }
    // Read the 4-byte big-endian length prefix of the login response
    ByteBuffer lengthBuffer = ByteBuffer.allocate(4);
    while (lengthBuffer.hasRemaining()) {
        if (channel.read(lengthBuffer) == -1) {
            channel.close();
            throw new EOFException();
        }
    }
    lengthBuffer.flip();
    int responseSize = lengthBuffer.getInt();
    // Read the response body in full before parsing it
    ByteBuffer loginResponse = ByteBuffer.allocate(responseSize);
    while (loginResponse.hasRemaining()) {
        if (channel.read(loginResponse) == -1) {
            channel.close();
            throw new EOFException();
        }
    }
    loginResponse.flip();
    // Only version 0 of the login response message is understood
    byte version = loginResponse.get();
    if (version != (byte) 0) {
        channel.close();
        throw new IOException("Encountered unexpected version for the login response message: " + version);
    }
    return loginResponse;
}
Also used: GSSName(org.ietf.jgss.GSSName) IOException(java.io.IOException) Oid(org.ietf.jgss.Oid) ByteBuffer(java.nio.ByteBuffer) GSSException(org.ietf.jgss.GSSException) EOFException(java.io.EOFException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) GSSContext(org.ietf.jgss.GSSContext)

Example 55 with GSSException

use of org.ietf.jgss.GSSException in project airlift by airlift.

From class SpnegoAuthentication, method authenticate:

@Override
public Result authenticate(Request request, ContentResponse response, HeaderInfo headerInfo, Attributes attributes) {
    URI normalizedUri = UriUtil.normalizedUri(request.getURI());
    return new Result() {

        @Override
        public URI getURI() {
            return normalizedUri;
        }

        @Override
        public void apply(Request request) {
            GSSContext context = null;
            try {
                // Derive the target service principal from the request host
                String servicePrincipal = makeServicePrincipal(remoteServiceName, normalizedUri.getHost(), useCanonicalHostname);
                Session session = getSession();
                // Create the SPNEGO context under the logged-in Subject's Kerberos credentials
                context = doAs(session.getLoginContext().getSubject(), () -> {
                    GSSContext result = GSS_MANAGER.createContext(GSS_MANAGER.createName(servicePrincipal, NT_HOSTBASED_SERVICE), SPNEGO_OID, session.getClientCredential(), INDEFINITE_LIFETIME);
                    result.requestMutualAuth(true);
                    result.requestConf(true);
                    result.requestInteg(true);
                    // Do not hand the client's credentials to the remote service
                    result.requestCredDeleg(false);
                    return result;
                });
                // The first output token is sent as "Negotiate <base64>" in the auth header
                byte[] token = context.initSecContext(new byte[0], 0, 0);
                if (token != null) {
                    request.header(headerInfo.getHeader(), format("%s %s", NEGOTIATE, Base64.getEncoder().encodeToString(token)));
                } else {
                    throw new RuntimeException(format("No token generated from GSS context for %s", request.getURI()));
                }
            } catch (GSSException e) {
                throw new RuntimeException(format("Failed to establish GSSContext for request %s", request.getURI()), e);
            } catch (LoginException e) {
                throw new RuntimeException(format("Failed to establish LoginContext for request %s", request.getURI()), e);
            } finally {
                try {
                    if (context != null) {
                        context.dispose();
                    }
                } catch (GSSException e) {
                    // ignore
                }
            }
        }
    };
}
Also used: GSSException(org.ietf.jgss.GSSException) GSSContext(org.ietf.jgss.GSSContext) Request(org.eclipse.jetty.client.api.Request) LoginException(javax.security.auth.login.LoginException) URI(java.net.URI)

Aggregations

GSSException (org.ietf.jgss.GSSException): 78
GSSName (org.ietf.jgss.GSSName): 39
Oid (org.ietf.jgss.Oid): 35
GSSManager (org.ietf.jgss.GSSManager): 33
GSSCredential (org.ietf.jgss.GSSCredential): 31
GSSContext (org.ietf.jgss.GSSContext): 30
PrivilegedActionException (java.security.PrivilegedActionException): 24
LoginException (javax.security.auth.login.LoginException): 20
Subject (javax.security.auth.Subject): 18
Principal (java.security.Principal): 16
IOException (java.io.IOException): 11
LoginContext (javax.security.auth.login.LoginContext): 8
SaslException (javax.security.sasl.SaslException): 8
UnknownHostException (java.net.UnknownHostException): 5
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction): 4
ServletException (javax.servlet.ServletException): 4
HttpServletRequest (javax.servlet.http.HttpServletRequest): 4
URISyntaxException (java.net.URISyntaxException): 3
KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal): 3
SaslClient (javax.security.sasl.SaslClient): 3