use of org.ietf.jgss.GSSException in project drill by apache.
the class DrillSpnegoLoginService method spnegoLogin.
private UserIdentity spnegoLogin(Object credentials, ServletRequest request) {
String encodedAuthToken = (String) credentials;
byte[] authToken = B64Code.decode(encodedAuthToken);
GSSManager manager = GSSManager.getInstance();
try {
// Providing both OID's is required here. If we provide only one,
// we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
Oid[] knownOids = new Oid[2];
// spnego
knownOids[0] = new Oid("1.3.6.1.5.5.2");
// kerberos
knownOids[1] = new Oid("1.2.840.113554.1.2.2");
GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, knownOids, GSSCredential.ACCEPT_ONLY);
GSSContext gContext = manager.createContext(serverCreds);
if (gContext == null) {
logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
} else {
while (!gContext.isEstablished()) {
authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
}
if (gContext.isEstablished()) {
final String clientName = gContext.getSrcName().toString();
final String realm = clientName.substring(clientName.indexOf(64) + 1);
// Get the client user short name
final String userShortName = new HadoopKerberosName(clientName).getShortName();
logger.info("WebUser {} logged in from {}:{}", userShortName, request.getRemoteHost(), request.getRemotePort());
logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName);
final SystemOptionManager sysOptions = drillContext.getOptionManager();
final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName, ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions), ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));
final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
final Subject subject = new Subject();
subject.getPrincipals().add(user);
if (isAdmin) {
return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.ADMIN_USER_ROLES);
} else {
return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
}
}
}
} catch (GSSException gsse) {
logger.warn("Caught GSSException trying to authenticate the client", gsse);
} catch (IOException ex) {
logger.warn("Caught IOException trying to get shortName of client user", ex);
}
return null;
}
use of org.ietf.jgss.GSSException in project tomcat by apache.
the class CombinedRealm method authenticate.
/**
* {@inheritDoc}
*/
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCred) {
if (gssContext.isEstablished()) {
Principal authenticatedUser = null;
GSSName gssName = null;
try {
gssName = gssContext.getSrcName();
} catch (GSSException e) {
log.warn(sm.getString("realmBase.gssNameFail"), e);
return null;
}
for (Realm realm : realms) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("combinedRealm.authStart", gssName, realm.getClass().getName()));
}
authenticatedUser = realm.authenticate(gssContext, storeCred);
if (authenticatedUser == null) {
if (log.isDebugEnabled()) {
log.debug(sm.getString("combinedRealm.authFail", gssName, realm.getClass().getName()));
}
} else {
if (log.isDebugEnabled()) {
log.debug(sm.getString("combinedRealm.authSuccess", gssName, realm.getClass().getName()));
}
break;
}
}
return authenticatedUser;
}
// Fail in all other cases
return null;
}
use of org.ietf.jgss.GSSException in project tomcat by apache.
the class LockOutRealm method authenticate.
/**
* {@inheritDoc}
*/
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
if (gssContext.isEstablished()) {
String username = null;
GSSName name = null;
try {
name = gssContext.getSrcName();
} catch (GSSException e) {
log.warn(sm.getString("realmBase.gssNameFail"), e);
return null;
}
username = name.toString();
Principal authenticatedUser = super.authenticate(gssContext, storeCreds);
return filterLockedAccounts(username, authenticatedUser);
}
// Fail in all other cases
return null;
}
Aggregations