Example 6 with GSSException

use of org.ietf.jgss.GSSException in project presto by prestodb.

the class SpnegoFilter method doFilter.

@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain nextFilter)
        throws IOException, ServletException {
    // authentication is only enforced on TLS connections; plain HTTP requests pass through unauthenticated
    if (!servletRequest.isSecure()) {
        nextFilter.doFilter(servletRequest, servletResponse);
        return;
    }
    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;
    String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    boolean includeRealm = "true".equalsIgnoreCase(request.getHeader(INCLUDE_REALM_HEADER));
    String requestSpnegoToken = null;
    if (header != null) {
        // expected form: "Negotiate <base64 SPNEGO token>"; note the scheme is matched case-sensitively,
        // although RFC 7235 defines auth-scheme names as case-insensitive
        String[] parts = header.split("\\s+");
        if (parts.length == 2 && parts[0].equals(NEGOTIATE_SCHEME)) {
            try {
                requestSpnegoToken = parts[1];
                Optional<Result> authentication = authenticate(parts[1]);
                if (authentication.isPresent()) {
                    // a final GSS token (mutual authentication) is handed back to the client in WWW-Authenticate
                    authentication.get().getToken().ifPresent(token ->
                            response.setHeader(HttpHeaders.WWW_AUTHENTICATE,
                                    formatAuthenticationHeader(includeRealm, Optional.ofNullable(token))));
                    // expose the authenticated Kerberos principal to downstream code as the request's user principal
                    nextFilter.doFilter(new HttpServletRequestWrapper(request) {
                        @Override
                        public Principal getUserPrincipal() {
                            return authentication.get().getPrincipal();
                        }
                    }, servletResponse);
                    return;
                }
            } catch (GSSException | RuntimeException e) {
                // malformed base64 from authenticate() arrives here as IllegalArgumentException; either way
                // the raw client token is copied into the exception message
                throw new RuntimeException("Authentication error for token: " + parts[1], e);
            }
        }
    }
    // no usable token, or the context could not be established: send the 401 Negotiate challenge
    sendChallenge(request, response, includeRealm, requestSpnegoToken);
}
Also used : HttpServletResponse(javax.servlet.http.HttpServletResponse) HttpServletRequest(javax.servlet.http.HttpServletRequest) GSSException(org.ietf.jgss.GSSException) HttpServletRequestWrapper(javax.servlet.http.HttpServletRequestWrapper) KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) Principal(java.security.Principal)

Example 7 with GSSException

use of org.ietf.jgss.GSSException in project presto by prestodb.

the class SpnegoFilter method authenticate.

private Optional<Result> authenticate(String token) throws GSSException {
    // a fresh acceptor context for every request, created under the server's JAAS subject
    GSSContext context = doAs(loginContext.getSubject(), () -> gssManager.createContext(serverCredential));
    try {
        // decode() is strict and throws IllegalArgumentException (not GSSException) on malformed input
        byte[] inputToken = Base64.getDecoder().decode(token);
        byte[] outputToken = context.acceptSecContext(inputToken, 0, inputToken.length);
        // HTTP is stateless, so the GSS context cannot be kept across requests: authentication
        // succeeds only if the context is established in a single challenge-response cycle
        if (context.isEstablished()) {
            return Optional.of(new Result(
                    Optional.ofNullable(outputToken),
                    new KerberosPrincipal(context.getSrcName().toString())));
        }
        LOG.debug("Failed to establish GSS context for token %s", token);
    } catch (GSSException e) {
        // ignore and fail the authentication; the GSS error detail is only logged at debug level
        LOG.debug(e, "Authentication failed for token %s", token);
    } finally {
        try {
            context.dispose();
        } catch (GSSException e) {
            // ignore
        }
    }
    return Optional.empty();
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) GSSException(org.ietf.jgss.GSSException) GSSContext(org.ietf.jgss.GSSContext)
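Examples 6 and 7 together implement RFC 4559 Negotiate over HTTP: doFilter parses the Authorization header and decides between letting the request through and re-challenging, and authenticate runs a single GSSContext.acceptSecContext round. The following is an added example, not Presto's code, that isolates the HTTP side of that exchange so it can be run without a KDC: header parsing (accepting the scheme case-insensitively as RFC 7235 requires, and rejecting malformed base64 without copying the header value into the failure path) and the mapping from the acceptor's outcome to the status code and WWW-Authenticate header, including the continuation case the stateless filter cannot serve. The class and method names, the realm value "presto", the realm parameter itself (an RFC 4559 challenge is just "Negotiate" or "Negotiate <gssapi-data>") and the constructed token bytes are assumptions; the real GSSContext call stays outside the block and is represented by the AcceptorResult the caller fills in.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

// Added example (hypothetical helper, not Presto code): the HTTP half of the Negotiate
// exchange that a filter like SpnegoFilter.doFilter() performs around authenticate().
public final class NegotiateHttp {
    private static final String NEGOTIATE_SCHEME = "Negotiate";

    /** Decoded SPNEGO token from an Authorization header value, or empty if it is not a usable Negotiate header. */
    public static Optional<byte[]> parseAuthorization(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String[] parts = header.trim().split("\\s+");
        // RFC 7235 makes auth-scheme names case-insensitive, so "negotiate" must be accepted as well
        if (parts.length != 2 || !parts[0].equalsIgnoreCase(NEGOTIATE_SCHEME)) {
            return Optional.empty();
        }
        try {
            // Base64.getDecoder() is strict: characters outside the alphabet throw instead of being skipped
            byte[] token = Base64.getDecoder().decode(parts[1]);
            return token.length == 0 ? Optional.empty() : Optional.of(token);
        } catch (IllegalArgumentException e) {
            // malformed base64 is treated like a missing token; the header value is not copied anywhere
            return Optional.empty();
        }
    }

    /** What one GSSContext.acceptSecContext() round produced; filled in by the code that owns the context. */
    public static final class AcceptorResult {
        public final boolean established;
        public final Optional<byte[]> outputToken;

        public AcceptorResult(boolean established, byte[] outputToken) {
            this.established = established;
            this.outputToken = Optional.ofNullable(outputToken);
        }
    }

    /** Status code and WWW-Authenticate value the filter sends back. */
    public static final class Response {
        public final int status;
        public final Optional<String> wwwAuthenticate;

        Response(int status, Optional<String> wwwAuthenticate) {
            this.status = status;
            this.wwwAuthenticate = wwwAuthenticate;
        }

        @Override
        public String toString() {
            return status + wwwAuthenticate.map(h -> " WWW-Authenticate: " + h).orElse("");
        }
    }

    public static Response respond(Optional<AcceptorResult> result, boolean includeRealm, String realm) {
        if (result.isPresent() && result.get().established) {
            // Authenticated. A final GSS token (mutual authentication) goes back to the client so it can
            // verify the server; without one the request simply proceeds.
            return new Response(200, result.get().outputToken.map(t -> NEGOTIATE_SCHEME + " " + encode(t)));
        }
        // No token, malformed token, acceptor failure, or a context that needs a second round trip.
        // RFC 4559 section 5 allows continuing with "Negotiate <gssapi-data>", but only if the server keeps
        // the GSSContext between requests; a stateless filter cannot, so it starts over with a fresh
        // challenge, which is what SpnegoFilter.authenticate() does by returning Optional.empty().
        return new Response(401, Optional.of(challenge(includeRealm, realm)));
    }

    /** "Negotiate", or "Negotiate realm=\"...\"" when the client asked for the realm (assumed extension). */
    static String challenge(boolean includeRealm, String realm) {
        if (!includeRealm) {
            return NEGOTIATE_SCHEME;
        }
        // realm is an RFC 7235 quoted-string: escape backslashes and embedded quotes
        String quoted = realm.replace("\\", "\\\\").replace("\"", "\\\"");
        return NEGOTIATE_SCHEME + " realm=\"" + quoted + "\"";
    }

    static String encode(byte[] token) {
        return Base64.getEncoder().encodeToString(token);
    }

    public static void main(String[] args) {
        // constructed stand-in for a SPNEGO token; a real one is the DER-encoded NegTokenInit from the client
        byte[] token = "constructed-token".getBytes(StandardCharsets.US_ASCII);
        String[] headers = {
                "Negotiate " + encode(token),
                "negotiate " + encode(token),   // lower-case scheme, still valid
                "Basic dXNlcjpwYXNz",           // different scheme
                "Negotiate not*base64",         // rejected by the strict decoder
                "Negotiate",                    // scheme without a token
                null                            // header absent
        };
        for (String h : headers) {
            Optional<byte[]> parsed = parseAuthorization(h);
            System.out.println(h + " -> " + parsed.map(t -> t.length + " token bytes").orElse("no token"));
        }
        // the three outcomes the filter has to map to HTTP
        System.out.println(respond(Optional.empty(), true, "presto"));
        System.out.println(respond(Optional.of(new AcceptorResult(false, token)), false, "presto"));
        System.out.println(respond(Optional.of(new AcceptorResult(true, token)), false, "presto"));
    }
}
```

Run it with `javac NegotiateHttp.java && java NegotiateHttp`. The parse step never puts the header into a message or log, which is the one behavioural difference from doFilter's catch block; the decision step is the same state machine the filter uses, with the not-established case made explicit.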

Example 8 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class CtorTests2 method main.

/* standalone interface */
public static void main(String[] argv) throws Exception {
    try {
        GSSManager manager = GSSManager.getInstance();
        GSSName name = manager.createName("anonymous", GSSName.NT_ANONYMOUS);
        boolean anonymous = name.isAnonymous();
        if (anonymous == false) {
            throw new RuntimeException("GSSName.isAnonymous() returns false for GSSName.NT_ANONYMOUS");
        }
    } catch (GSSException e) {
        System.out.println("Not supported, ignored!");
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSManager(org.ietf.jgss.GSSManager)

Example 9 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class DynamicKeytab method go.

void go() throws Exception {
    OneKDC k = new OneKDC(null);
    k.writeJAASConf();
    Files.delete(Paths.get(OneKDC.KTAB));
    // Starts with no keytab
    c = Context.fromJAAS("client");
    s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
    // Test 1: read new key 1 from keytab
    k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
    k.writeKtab(OneKDC.KTAB);
    connect();
    // Test 2: service key cached, find 1 in keytab (now contains 1 and 2)
    k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    connect();
    // Test 3: re-login. Now find 2 in keytab
    c = Context.fromJAAS("client");
    connect();
    // Test 4: re-login, KDC use 3 this time.
    c = Context.fromJAAS("client");
    // Put 3 and 4 into keytab but keep the real key back to 3.
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    connect();
    // Test 5: invalid keytab file, should ignore
    try (FileOutputStream fos = new FileOutputStream(OneKDC.KTAB)) {
        fos.write("BADBADBAD".getBytes());
    }
    connect();
    // Test 6: delete keytab file, identical to revoke all
    Files.delete(Paths.get(OneKDC.KTAB));
    try {
        connect();
        throw new Exception("Should not success");
    } catch (GSSException gsse) {
        System.out.println(gsse);
        KrbException ke = (KrbException) gsse.getCause();
        // This should have been Krb5.KRB_AP_ERR_NOKEY
        if (ke.returnCode() != Krb5.API_INVALID_ARG) {
            throw new Exception("Not expected failure code: " + ke.returnCode());
        }
    }
    // Test 7: 3 revoked, should fail (now contains only 5)
    k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray());
    // overwrite keytab, which means old key is revoked
    k.writeKtab(OneKDC.KTAB);
    try {
        connect();
        throw new Exception("Should not success");
    } catch (GSSException gsse) {
        System.out.println(gsse);
        // Since 7197159, different kvno is accepted, this return code
        // will never be thrown out again.
        //KrbException ke = (KrbException)gsse.getCause();
        //if (ke.returnCode() != Krb5.KRB_AP_ERR_BADKEYVER) {
        //    throw new Exception("Not expected failure code: " +
        //            ke.returnCode());
        //}
    }
    // Test 8: an empty KDC means revoke all
    KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB);
    try {
        connect();
        throw new Exception("Should not success");
    } catch (GSSException gsse) {
        System.out.println(gsse);
        KrbException ke = (KrbException) gsse.getCause();
        // This should have been Krb5.KRB_AP_ERR_NOKEY
        if (ke.returnCode() != Krb5.API_INVALID_ARG) {
            throw new Exception("Not expected failure code: " + ke.returnCode());
        }
    }
}
Also used : GSSException(org.ietf.jgss.GSSException) KrbException(sun.security.krb5.KrbException) FileOutputStream(java.io.FileOutputStream)

Example 10 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class ServiceCredsCombination method check.

/**
 * Checks the correct bound
 * @param a get a creds for this principal, null for default one
 * @param b expected name, null for still unbound, "NOCRED" for no creds
 * @param objs princs, keys and keytabs in the subject
 */
private static void check(final String a, String b, Object... objs) throws Exception {
    Subject subj = new Subject();
    for (Object obj : objs) {
        if (obj instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) obj);
        } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
            subj.getPrivateCredentials().add(obj);
        }
    }
    final GSSManager man = GSSManager.getInstance();
    try {
        String result = Subject.doAs(subj, new PrivilegedExceptionAction<String>() {
            @Override
            public String run() throws GSSException {
                // ACCEPT_ONLY asks for a service (acceptor) credential; a null name asks for the default,
                // unbound one, whose getName() may then be null
                GSSCredential cred = man.createCredential(
                        a == null ? null : man.createName(r(a), null),
                        GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID,
                        GSSCredential.ACCEPT_ONLY);
                GSSName name = cred.getName();
                return name == null ? null : name.toString();
            }
        });
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a + ") has name " + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        if (!"NOCRED".equals(b)) {
            throw new Exception("Check failed: getInstance(" + a + ") is null " + ", but not one with name " + b);
        }
    }
}
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) GSSName(org.ietf.jgss.GSSName) PrivilegedActionException(java.security.PrivilegedActionException) Subject(javax.security.auth.Subject) GSSException(org.ietf.jgss.GSSException) KerberosKey(javax.security.auth.kerberos.KerberosKey) KeyTab(javax.security.auth.kerberos.KeyTab) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager)
