Use of org.ietf.jgss.GSSException in project presto by prestodb: class SpnegoFilter, method doFilter.
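/**
 * Authenticates TLS requests with SPNEGO ("Negotiate") before passing them down the chain.
 * <p>
 * Non-secure requests are forwarded untouched. For a secure request, a header of the exact
 * form {@code Authorization: Negotiate <token>} is handed to {@link #authenticate(String)};
 * on success the chain continues with the authenticated principal exposed through
 * {@code getUserPrincipal()}, and any output token from the accept step is returned in
 * {@code WWW-Authenticate}. In every other case a challenge is sent instead.
 *
 * @throws RuntimeException wrapping the GSSException or RuntimeException raised while
 *         validating the token
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain nextFilter)
        throws IOException, ServletException
{
    // skip auth for http
    if (!servletRequest.isSecure()) {
        nextFilter.doFilter(servletRequest, servletResponse);
        return;
    }

    HttpServletRequest request = (HttpServletRequest) servletRequest;
    HttpServletResponse response = (HttpServletResponse) servletResponse;

    String header = request.getHeader(HttpHeaders.AUTHORIZATION);
    boolean includeRealm = "true".equalsIgnoreCase(request.getHeader(INCLUDE_REALM_HEADER));

    String requestSpnegoToken = null;
    if (header != null) {
        String[] parts = header.split("\\s+");
        // Only "<scheme> <token>" is accepted; the scheme is compared exactly (case-sensitive)
        if (parts.length == 2 && parts[0].equals(NEGOTIATE_SCHEME)) {
            requestSpnegoToken = parts[1];
            try {
                Optional<Result> authentication = authenticate(requestSpnegoToken);
                if (authentication.isPresent()) {
                    Result result = authentication.get();
                    // an output token produced by the accept step goes back to the client
                    result.getToken().ifPresent(token -> response.setHeader(HttpHeaders.WWW_AUTHENTICATE, formatAuthenticationHeader(includeRealm, Optional.ofNullable(token))));
                    nextFilter.doFilter(new HttpServletRequestWrapper(request)
                    {
                        @Override
                        public Principal getUserPrincipal()
                        {
                            return result.getPrincipal();
                        }
                    }, servletResponse);
                    return;
                }
            }
            catch (GSSException | RuntimeException e) {
                // The client token is credential material: keep it out of the exception message,
                // which ends up in logs. The exception type is unchanged for callers.
                throw new RuntimeException("Authentication error while validating Negotiate token", e);
            }
        }
    }

    sendChallenge(request, response, includeRealm, requestSpnegoToken);
}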
Use of org.ietf.jgss.GSSException in project presto by prestodb: class SpnegoFilter, method authenticate.
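/**
 * Accepts a single SPNEGO token from the client.
 *
 * @param token base64-encoded token taken from the Authorization header (untrusted input)
 * @return the output token (if any) and the authenticated Kerberos principal when the GSS
 *         context was established in this one accept call; empty when the token was
 *         rejected, malformed, or would need further rounds
 * @throws GSSException if the acceptor context cannot be created; failures while accepting
 *         the token itself are turned into an empty result
 */
private Optional<Result> authenticate(String token)
        throws GSSException
{
    GSSContext context = doAs(loginContext.getSubject(), () -> gssManager.createContext(serverCredential));
    try {
        // Base64.decode throws IllegalArgumentException on malformed input; for a token sent by
        // an unauthenticated client that is an authentication failure, not a server error
        byte[] inputToken = Base64.getDecoder().decode(token);
        byte[] outputToken = context.acceptSecContext(inputToken, 0, inputToken.length);
        // only a context established in a single challenge-response cycle is accepted
        if (context.isEstablished()) {
            return Optional.of(new Result(Optional.ofNullable(outputToken), new KerberosPrincipal(context.getSrcName().toString())));
        }
        // the token is the client's credential material, so it is not written to the log
        LOG.debug("Failed to establish GSS context in a single round (token length %s)", token.length());
    }
    catch (GSSException | IllegalArgumentException e) {
        // fail the authentication; the caller responds with a challenge
        LOG.debug(e, "Authentication failed for Negotiate token (length %s)", token.length());
    }
    finally {
        try {
            context.dispose();
        }
        catch (GSSException ignored) {
            // nothing actionable: the authentication outcome is already decided
        }
    }
    return Optional.empty();
}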
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains: class CtorTests2, method main.
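/**
 * Standalone entry point: creates a name of type {@link GSSName#NT_ANONYMOUS} and
 * verifies that {@link GSSName#isAnonymous()} reports it as anonymous.
 *
 * @param argv ignored
 * @throws Exception if the anonymous name is not reported as anonymous
 */
public static void main(String[] argv) throws Exception {
    try {
        GSSManager manager = GSSManager.getInstance();
        GSSName name = manager.createName("anonymous", GSSName.NT_ANONYMOUS);
        if (!name.isAnonymous()) {
            throw new RuntimeException("GSSName.isAnonymous() returns false for GSSName.NT_ANONYMOUS");
        }
    } catch (GSSException e) {
        // A GSSException here means the mechanism does not support anonymous names;
        // that is deliberately not treated as a test failure.
        System.out.println("Not supported, ignored!");
    }
}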
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains: class DynamicKeytab, method go.
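/**
 * Runs the keytab-refresh scenarios in order: each numbered test changes the keytab file
 * and/or the service key registered in the KDC, then calls {@link #connect()} expecting
 * either success or a GSSException carrying a specific Kerberos return code.
 *
 * @throws Exception if any scenario does not behave as expected
 */
void go() throws Exception {
    OneKDC k = new OneKDC(null);
    k.writeJAASConf();
    Files.delete(Paths.get(OneKDC.KTAB));

    // Starts with no keytab
    c = Context.fromJAAS("client");
    s = Context.fromJAAS("com.sun.security.jgss.krb5.accept");

    // Test 1: read new key 1 from keytab
    k.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
    k.writeKtab(OneKDC.KTAB);
    connect();

    // Test 2: service key cached, find 1 in keytab (now contains 1 and 2)
    k.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    connect();

    // Test 3: re-login. Now find 2 in keytab
    c = Context.fromJAAS("client");
    connect();

    // Test 4: re-login, KDC use 3 this time.
    c = Context.fromJAAS("client");
    // Put 3 and 4 into keytab but keep the real key back to 3.
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass4".toCharArray());
    k.appendKtab(OneKDC.KTAB);
    k.addPrincipal(OneKDC.SERVER, "pass3".toCharArray());
    connect();

    // Test 5: invalid keytab file, should ignore
    try (FileOutputStream fos = new FileOutputStream(OneKDC.KTAB)) {
        // explicit charset so the garbage bytes are identical on every platform
        fos.write("BADBADBAD".getBytes(java.nio.charset.StandardCharsets.US_ASCII));
    }
    connect();

    // Test 6: delete keytab file, identical to revoke all
    Files.delete(Paths.get(OneKDC.KTAB));
    expectNoKeyReturnCode(connectExpectingFailure());

    // Test 7: 3 revoked, should fail (now contains only 5)
    k.addPrincipal(OneKDC.SERVER, "pass5".toCharArray());
    // overwrite keytab, which means the old key is revoked
    k.writeKtab(OneKDC.KTAB);
    // Since 7197159, different kvno is accepted, so the return code is not checked here
    // (it used to be Krb5.KRB_AP_ERR_BADKEYVER and will never be thrown out again).
    connectExpectingFailure();

    // Test 8: an empty KDC means revoke all
    KDC.create("EMPTY.REALM").writeKtab(OneKDC.KTAB);
    expectNoKeyReturnCode(connectExpectingFailure());
}

/**
 * Calls {@link #connect()} expecting it to be rejected.
 *
 * @return the GSSException thrown by connect(), after printing it
 * @throws Exception if connect() unexpectedly succeeds
 */
private GSSException connectExpectingFailure() throws Exception {
    try {
        connect();
    } catch (GSSException gsse) {
        System.out.println(gsse);
        return gsse;
    }
    throw new Exception("Should not success");
}

/**
 * Checks that a rejected connect() reports the return code used when no service key is found.
 *
 * @param gsse the exception thrown by connect()
 * @throws Exception if the cause is not a KrbException or carries a different return code
 */
private static void expectNoKeyReturnCode(GSSException gsse) throws Exception {
    Throwable cause = gsse.getCause();
    // an explicit check instead of a blind cast gives a readable failure instead of a CCE/NPE
    if (!(cause instanceof KrbException)) {
        throw new Exception("Expected a KrbException cause, got: " + cause);
    }
    KrbException ke = (KrbException) cause;
    // This should have been Krb5.KRB_AP_ERR_NOKEY
    if (ke.returnCode() != Krb5.API_INVALID_ARG) {
        throw new Exception("Not expected failure code: " + ke.returnCode());
    }
}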
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains: class ServiceCredsCombination, method check.
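/**
 * Checks which name an acceptor credential is bound to when it is created inside a
 * Subject holding the given principals, keys and keytabs.
 *
 * @param a    principal to request a credential for, null for the default (unbound) one
 * @param b    expected bound name, null for still unbound, "NOCRED" when no credential
 *             can be created at all
 * @param objs KerberosPrincipal, KerberosKey and KeyTab objects to place in the Subject;
 *             any other object is ignored
 * @throws Exception if the bound name differs from {@code b}, or if credential creation
 *                   failed although {@code b} is not "NOCRED" (the failure is attached as cause)
 */
private static void check(final String a, String b, Object... objs) throws Exception {
    Subject subj = new Subject();
    for (Object obj : objs) {
        if (obj instanceof KerberosPrincipal) {
            subj.getPrincipals().add((KerberosPrincipal) obj);
        } else if (obj instanceof KerberosKey || obj instanceof KeyTab) {
            subj.getPrivateCredentials().add(obj);
        }
    }
    final GSSManager man = GSSManager.getInstance();
    try {
        String result = Subject.doAs(subj, new PrivilegedExceptionAction<String>() {
            @Override
            public String run() throws GSSException {
                // a null name requests a credential not bound to a particular principal
                GSSName requested = a == null ? null : man.createName(r(a), null);
                GSSCredential cred = man.createCredential(requested,
                        GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID,
                        GSSCredential.ACCEPT_ONLY);
                GSSName name = cred.getName();
                return name == null ? null : name.toString();
            }
        });
        if (!Objects.equals(result, r(b))) {
            throw new Exception("Check failed: getInstance(" + a + ") has name " + result + ", not " + b);
        }
    } catch (PrivilegedActionException e) {
        // creation failed inside doAs; acceptable only when no credential was expected
        if (!"NOCRED".equals(b)) {
            // keep the wrapped GSSException as cause so the real reason is not lost
            throw new Exception("Check failed: getInstance(" + a + ") is null " + ", but not one with name " + b, e);
        }
    }
}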