Example 76 with GSSException

use of org.ietf.jgss.GSSException in project drill by apache.

the class DrillSpnegoLoginService method spnegoLogin.

private UserIdentity spnegoLogin(Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // Providing both OIDs is required here. If we provide only one,
        // we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
        Oid[] knownOids = new Oid[2];
        // spnego
        knownOids[0] = new Oid("1.3.6.1.5.5.2");
        // kerberos
        knownOids[1] = new Oid("1.2.840.113554.1.2.2");
        GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, knownOids, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
        } else {
            // A Kerberos AP-REQ, bare or wrapped in a SPNEGO NegTokenInit, is normally accepted in a
            // single call, so this loop runs once in practice. acceptSecContext returns the token meant
            // for the client (the AP-REP, or null); if a further leg were ever needed, that token must
            // go back to the client rather than into this call, and a null return would throw
            // NullPointerException on authToken.length.
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                final String clientName = gContext.getSrcName().toString();
                // Realm is everything after the '@' in "user@REALM"; the realm is only logged here.
                final String realm = clientName.substring(clientName.indexOf('@') + 1);
                // Get the client user short name
                final String userShortName = new HadoopKerberosName(clientName).getShortName();
                logger.info("WebUser {} logged in from {}:{}", userShortName, request.getRemoteHost(), request.getRemotePort());
                logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName);
                final SystemOptionManager sysOptions = drillContext.getOptionManager();
                final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName, ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions), ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));
                final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
                final Subject subject = new Subject();
                subject.getPrincipals().add(user);
                if (isAdmin) {
                    return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.ADMIN_USER_ROLES);
                } else {
                    return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
                }
            }
        }
    } catch (GSSException gsse) {
        logger.warn("Caught GSSException trying to authenticate the client", gsse);
    } catch (IOException ex) {
        logger.warn("Caught IOException trying to get shortName of client user", ex);
    }
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) HadoopKerberosName(org.apache.hadoop.security.HadoopKerberosName) SystemOptionManager(org.apache.drill.exec.server.options.SystemOptionManager) Oid(org.ietf.jgss.Oid) IOException(java.io.IOException) Subject(javax.security.auth.Subject) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Principal(java.security.Principal)
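The Drill method above assumes the client's first token completes the context, and it extracts the realm only to log it. The following is an added example, not Drill's (or Jetty's) code, of an acceptor that hands any continuation token back to the HTTP layer for a further 401 round trip instead of looping, and that rejects principals from realms outside an allowlist. It assumes a hypothetical JAAS login entry named "ServerAcceptor" backed by a keytab for the HTTP/ service principal; the Base64 handling, the Step result type and the realm allowlist are the example's own choices, and the short-name mapping Drill does with HadoopKerberosName is left to the caller.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example, not Drill code. Assumes a JAAS entry named "ServerAcceptor" (hypothetical)
 * that performs a keytab login for the HTTP service principal, and a caller-supplied set of
 * realms whose principals are allowed to log in.
 */
public final class SpnegoAcceptor {

    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";        // same OIDs as the Drill code
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";

    /** Result of one acceptSecContext() leg, so the HTTP layer can drive the 401 round trips. */
    public static final class Step {
        public final boolean established;
        public final String clientPrincipal;   // "alice@EXAMPLE.COM" once established, else null
        public final String responseToken;     // base64 for "WWW-Authenticate: Negotiate", may be null

        Step(boolean established, String clientPrincipal, String responseToken) {
            this.established = established;
            this.clientPrincipal = clientPrincipal;
            this.responseToken = responseToken;
        }
    }

    private final Subject serviceSubject;
    private final GSSCredential serverCreds;
    private final Set<String> trustedRealms;

    public SpnegoAcceptor(String servicePrincipal, Set<String> trustedRealms)
            throws LoginException, PrivilegedActionException {
        LoginContext lc = new LoginContext("ServerAcceptor");   // hypothetical JAAS entry name
        lc.login();
        this.serviceSubject = lc.getSubject();
        this.trustedRealms = trustedRealms;
        // The acceptor credential must be created with the keytab-backed Subject in scope.
        this.serverCreds = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSName name = manager.createName(servicePrincipal, null);   // e.g. "HTTP/host@REALM"
            Oid[] mechs = { new Oid(SPNEGO_OID), new Oid(KRB5_OID) };
            return manager.createCredential(name, GSSCredential.INDEFINITE_LIFETIME, mechs,
                    GSSCredential.ACCEPT_ONLY);
        });
    }

    /** One context per client session; it lives across the 401 round trips until established. */
    public GSSContext newContext() throws GSSException {
        return GSSManager.getInstance().createContext(serverCreds);
    }

    /** Process the value that follows "Negotiate " in one Authorization header. */
    public Step accept(GSSContext ctx, String base64Token) throws GSSException {
        final byte[] in;
        try {
            in = Base64.getDecoder().decode(base64Token);
        } catch (IllegalArgumentException e) {
            throw new GSSException(GSSException.DEFECTIVE_TOKEN);   // garbage header, not a GSS token
        }
        final byte[] out;
        try {
            out = Subject.doAs(serviceSubject,
                    (PrivilegedExceptionAction<byte[]>) () -> ctx.acceptSecContext(in, 0, in.length));
        } catch (PrivilegedActionException e) {
            throw (GSSException) e.getCause();    // acceptSecContext only throws GSSException
        }
        String reply = (out == null) ? null : Base64.getEncoder().encodeToString(out);
        if (!ctx.isEstablished()) {
            // Another leg is needed: send 401 with "WWW-Authenticate: Negotiate <reply>" and call
            // accept() again with the client's next token. `out` is for the client, never for us.
            return new Step(false, null, reply);
        }
        String client = ctx.getSrcName().toString();
        int at = client.indexOf('@');
        String realm = (at < 0) ? "" : client.substring(at + 1);
        if (!trustedRealms.contains(realm)) {
            // With cross-realm trust a valid ticket does not imply an authorised realm.
            ctx.dispose();
            throw new GSSException(GSSException.UNAUTHORIZED);
        }
        return new Step(true, client, reply);   // reply may carry the mutual-auth AP-REP
    }
}
```

The HTTP layer keeps the GSSContext from newContext() in the client's session, calls accept() for each Authorization header, and either replies 401 with the returned token or, once established, maps clientPrincipal to a local user and disposes the context. A GSSException from accept() should be logged at the same level Drill uses and answered with a plain 401; nothing from the failed token belongs in the response.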

Example 77 with GSSException

use of org.ietf.jgss.GSSException in project tomcat by apache.

the class CombinedRealm method authenticate.

/**
 * {@inheritDoc}
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCred) {
    if (gssContext.isEstablished()) {
        Principal authenticatedUser = null;
        GSSName gssName = null;
        try {
            gssName = gssContext.getSrcName();
        } catch (GSSException e) {
            log.warn(sm.getString("realmBase.gssNameFail"), e);
            return null;
        }
        for (Realm realm : realms) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("combinedRealm.authStart", gssName, realm.getClass().getName()));
            }
            authenticatedUser = realm.authenticate(gssContext, storeCred);
            if (authenticatedUser == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("combinedRealm.authFail", gssName, realm.getClass().getName()));
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("combinedRealm.authSuccess", gssName, realm.getClass().getName()));
                }
                break;
            }
        }
        return authenticatedUser;
    }
    // Fail in all other cases
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) Realm(org.apache.catalina.Realm) Principal(java.security.Principal)

Example 78 with GSSException

use of org.ietf.jgss.GSSException in project tomcat by apache.

the class LockOutRealm method authenticate.

/**
 * {@inheritDoc}
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (gssContext.isEstablished()) {
        String username = null;
        GSSName name = null;
        try {
            name = gssContext.getSrcName();
        } catch (GSSException e) {
            log.warn(sm.getString("realmBase.gssNameFail"), e);
            return null;
        }
        username = name.toString();
        Principal authenticatedUser = super.authenticate(gssContext, storeCreds);
        return filterLockedAccounts(username, authenticatedUser);
    }
    // Fail in all other cases
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) Principal(java.security.Principal)

Aggregations

GSSException (org.ietf.jgss.GSSException)78 GSSName (org.ietf.jgss.GSSName)39 Oid (org.ietf.jgss.Oid)35 GSSManager (org.ietf.jgss.GSSManager)33 GSSCredential (org.ietf.jgss.GSSCredential)31 GSSContext (org.ietf.jgss.GSSContext)30 PrivilegedActionException (java.security.PrivilegedActionException)24 LoginException (javax.security.auth.login.LoginException)20 Subject (javax.security.auth.Subject)18 Principal (java.security.Principal)16 IOException (java.io.IOException)11 LoginContext (javax.security.auth.login.LoginContext)8 SaslException (javax.security.sasl.SaslException)8 UnknownHostException (java.net.UnknownHostException)5 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)4 ServletException (javax.servlet.ServletException)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 URISyntaxException (java.net.URISyntaxException)3 KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)3 SaslClient (javax.security.sasl.SaslClient)3