Example 61 with GSSException

Use of org.ietf.jgss.GSSException in project calcite-avatica by apache.

In class PropertyBasedSpnegoLoginService, method login.

@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    // credentials is the base64 Negotiate token taken from the client's Authorization header
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
        GSSName gssName = manager.createName(serverPrincipal, null);
        // CALCITE-1922 Providing both OIDs is the bug in Jetty we're working around. By specifying
        // only one, we're requiring that clients *must* provide us the SPNEGO OID to authenticate
        // via Kerberos which is wrong. Best as I can tell, the SPNEGO OID is meant as another
        // layer of indirection (essentially is equivalent to setting the Kerberos OID).
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, new Oid[] { krb5Oid, spnegoOid }, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
        } else {
            // Drive the acceptor side of the handshake. The output token is fed straight back into
            // acceptSecContext rather than returned to the client, so only a single-leg exchange
            // (a Kerberos AP-REQ carried in the Negotiate token) can complete here.
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                String clientName = gContext.getSrcName().toString();
                // The realm part of the client principal (after '@') becomes the default role
                String role = clientName.substring(clientName.indexOf('@') + 1);
                LOG.debug("SpnegoUserRealm: established a security context");
                LOG.debug("Client Principal is: {}", gContext.getSrcName());
                LOG.debug("Server Principal is: {}", gContext.getTargName());
                LOG.debug("Client Default Role: {}", role);
                SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
                Subject subject = new Subject();
                subject.getPrincipals().add(user);
                return _identityService.newUserIdentity(subject, user, new String[] { role });
            }
        }
    } catch (GSSException gsse) {
        LOG.warn("Caught GSSException trying to authenticate the client", gsse);
    }
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid) SpnegoUserPrincipal(org.eclipse.jetty.security.SpnegoUserPrincipal) Subject(javax.security.auth.Subject)

Example 62 with GSSException

Use of org.ietf.jgss.GSSException in project cxf by apache.

In class KerberosAuthenticationFilter, method filter.

@Override
public void filter(ContainerRequestContext context) {
    List<String> authHeaders = messageContext.getHttpHeaders().getRequestHeader(HttpHeaders.AUTHORIZATION);
    if (authHeaders == null || authHeaders.size() != 1) {
        LOG.fine("No Authorization header is available");
        throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
    }
    // Expect exactly one header value of the form "Negotiate <base64 token>"
    String[] authPair = authHeaders.get(0).split(" ");
    if (authPair.length != 2 || !NEGOTIATE_SCHEME.equalsIgnoreCase(authPair[0])) {
        LOG.fine("Negotiate Authorization scheme is expected");
        throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
    }
    // Decode the base64 token carried after the scheme name
    byte[] serviceTicket = getServiceTicket(authPair[1]);
    try {
        Subject serviceSubject = loginAndGetSubject();
        GSSContext gssContext = createGSSContext();
        Subject.doAs(serviceSubject, new ValidateServiceTicketAction(gssContext, serviceTicket));
        GSSName srcName = gssContext.getSrcName();
        if (srcName == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
        }
        String complexUserName = srcName.toString();
        String simpleUserName = complexUserName;
        int index = simpleUserName.lastIndexOf('@');
        if (index > 0) {
            simpleUserName = simpleUserName.substring(0, index);
        }
        Message m = JAXRSUtils.getCurrentMessage();
        m.put(SecurityContext.class, createSecurityContext(simpleUserName, complexUserName, gssContext));
        // Keep the context alive only when the client delegated its credentials, so the
        // delegated credential can be fetched from it later (see Example 65); otherwise release it
        if (!gssContext.getCredDelegState()) {
            gssContext.dispose();
        }
    } catch (LoginException e) {
        LOG.fine("Unsuccessful JAAS login for the service principal: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    } catch (GSSException e) {
        LOG.fine("GSS API exception: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    } catch (PrivilegedActionException e) {
        LOG.fine("PrivilegedActionException: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) Message(org.apache.cxf.message.Message) PrivilegedActionException(java.security.PrivilegedActionException) Subject(javax.security.auth.Subject) GSSException(org.ietf.jgss.GSSException) GSSContext(org.ietf.jgss.GSSContext) LoginException(javax.security.auth.login.LoginException)

Example 63 with GSSException

Use of org.ietf.jgss.GSSException in project cxf by apache.

In class AbstractSpnegoAuthSupplier, method getAuthorization.

public String getAuthorization(AuthorizationPolicy authPolicy, URI currentURI, Message message) {
    if (!HttpAuthHeader.AUTH_TYPE_NEGOTIATE.equals(authPolicy.getAuthorizationType())) {
        return null;
    }
    try {
        String spn = getCompleteServicePrincipalName(currentURI);
        // Select the raw Kerberos mechanism OID or the SPNEGO OID for the token, per configuration
        boolean useKerberosOid = MessageUtils.getContextualBoolean(message, PROPERTY_USE_KERBEROS_OID);
        Oid oid = new Oid(useKerberosOid ? KERBEROS_OID : SPNEGO_OID);
        byte[] token = getToken(authPolicy, spn, oid, message);
        return HttpAuthHeader.AUTH_TYPE_NEGOTIATE + " " + Base64Utility.encode(token);
    } catch (LoginException | GSSException e) {
        throw new RuntimeException(e.getMessage(), e);
    }
}
Also used : GSSException(org.ietf.jgss.GSSException) LoginException(javax.security.auth.login.LoginException) Oid(org.ietf.jgss.Oid)

Example 64 with GSSException

Use of org.ietf.jgss.GSSException in project cxf by apache.

In class AbstractSpnegoAuthSupplier, method getToken.

/**
 * Create and return a service ticket token for a given service principal
 * name
 *
 * @param authPolicy authorization policy carrying the JAAS context name and the user name/password
 * @param spn service principal name the ticket is requested for
 * @param oid mechanism OID (Kerberos or SPNEGO) to use for the context
 * @param message current message, used to look up a delegated credential
 * @return service ticket token
 * @throws GSSException
 * @throws LoginException
 */
private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid oid, Message message) throws GSSException, LoginException {
    GSSCredential delegatedCred = (GSSCredential) message.getContextualProperty(GSSCredential.class.getName());
    Subject subject = null;
    if (authPolicy != null && delegatedCred == null) {
        String contextName = authPolicy.getAuthorization();
        if (contextName == null) {
            contextName = "";
        }
        if (!(StringUtils.isEmpty(authPolicy.getUserName()) && StringUtils.isEmpty(contextName) && loginConfig == null)) {
            CallbackHandler callbackHandler = getUsernamePasswordHandler(authPolicy.getUserName(), authPolicy.getPassword());
            LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
            lc.login();
            subject = lc.getSubject();
        }
    }
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName(spn, serviceNameType);
    // Canonicalize the service name for the chosen mechanism and create an initiator context; a
    // non-null delegatedCred means the ticket is requested on behalf of the delegating client
    GSSContext context = manager.createContext(serverName.canonicalize(oid), oid, delegatedCred, GSSContext.DEFAULT_LIFETIME);
    context.requestCredDeleg(isCredDelegationRequired(message));
    // If the delegated cred is not null then we only need the context to
    // immediately return a ticket based on this credential without attempting
    // to log on again
    final byte[] token = new byte[0];
    if (delegatedCred != null) {
        return context.initSecContext(token, 0, token.length);
    }
    decorateSubject(subject);
    try {
        return Subject.doAs(subject, new CreateServiceTicketAction(context, token));
    } catch (PrivilegedActionException e) {
        if (e.getCause() instanceof GSSException) {
            throw (GSSException) e.getCause();
        }
        LOG.log(Level.SEVERE, "initSecContext", e);
        return null;
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) NamePasswordCallbackHandler(org.apache.cxf.interceptor.security.NamePasswordCallbackHandler) CallbackHandler(javax.security.auth.callback.CallbackHandler) LoginContext(javax.security.auth.login.LoginContext) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) PrivilegedActionException(java.security.PrivilegedActionException) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Subject(javax.security.auth.Subject)

Example 65 with GSSException

Use of org.ietf.jgss.GSSException in project cxf by apache.

In class JAXRSIntermediaryPortTypeImpl, method doubleIt.

public int doubleIt(int numberToDouble) {
    URL wsdl = JAXRSIntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
    DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
    try {
        updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT);
    } catch (Exception ex) {
        ex.printStackTrace();
    }
    // Retrieve delegated credential + set it on the outbound message
    SecurityContext securityContext = PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
    if (securityContext instanceof KerberosSecurityContext) {
        KerberosSecurityContext ksc = (KerberosSecurityContext) securityContext;
        try {
            GSSCredential delegatedCredential = ksc.getGSSContext().getDelegCred();
            Map<String, Object> context = ((BindingProvider) transportPort).getRequestContext();
            context.put(SecurityConstants.DELEGATED_CREDENTIAL, delegatedCredential);
        } catch (GSSException e) {
            e.printStackTrace();
        }
    }
    return transportPort.doubleIt(numberToDouble);
}
Also used : KerberosSecurityContext(org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext) QName(javax.xml.namespace.QName) WebService(javax.jws.WebService) Service(javax.xml.ws.Service) BindingProvider(javax.xml.ws.BindingProvider) URL(java.net.URL) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) SecurityContext(org.apache.cxf.security.SecurityContext) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)

Aggregations

GSSException (org.ietf.jgss.GSSException)78 GSSName (org.ietf.jgss.GSSName)39 Oid (org.ietf.jgss.Oid)35 GSSManager (org.ietf.jgss.GSSManager)33 GSSCredential (org.ietf.jgss.GSSCredential)31 GSSContext (org.ietf.jgss.GSSContext)30 PrivilegedActionException (java.security.PrivilegedActionException)24 LoginException (javax.security.auth.login.LoginException)20 Subject (javax.security.auth.Subject)18 Principal (java.security.Principal)16 IOException (java.io.IOException)11 LoginContext (javax.security.auth.login.LoginContext)8 SaslException (javax.security.sasl.SaslException)8 UnknownHostException (java.net.UnknownHostException)5 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)4 ServletException (javax.servlet.ServletException)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 URISyntaxException (java.net.URISyntaxException)3 KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)3 SaslClient (javax.security.sasl.SaslClient)3