Use of org.ietf.jgss.GSSException in project ats-framework by Axway:
class GssClient, method loginViaJAAS.
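/**
 * Logs in to the Kerberos KDC via JAAS and acquires a TGT for the configured client principal.
 *
 * <p>The credential source is taken from the instance configuration: a password
 * ({@code clientPrincipalPassword}) and/or a keytab ({@code clientKeytab}); each is passed to the
 * generated JAAS configuration when it is non-null. On success the resulting {@link Subject},
 * carrying the principal and the TGT in its private credential set, is stored in {@code subject}.
 *
 * @throws GSSException with major code {@link GSSException#DEFECTIVE_CREDENTIAL} if the JAAS
 *         login fails; the underlying {@link LoginException} is attached as the cause.
 */
private void loginViaJAAS() throws GSSException {
    try {
        JaasKerberosConfiguration config = createGssKerberosConfiguration();
        if (clientPrincipalPassword != null) {
            config.setPassword(clientPrincipalPassword.toCharArray());
        }
        if (clientKeytab != null) {
            config.setKeytab(clientKeytab.toString());
        }
        config.initialize();

        // "other" is the JAAS fallback entry name; the generated configuration is expected
        // to answer for it.
        LoginContext loginContext;
        if (config.getCallbackHandler() != null) {
            loginContext = new LoginContext("other", config.getCallbackHandler());
        } else {
            loginContext = new LoginContext("other");
        }
        loginContext.login();

        // Krb5LoginModule obtains a TGT (KerberosTicket) for the user either from the KDC
        // or from an existing ticket cache, and stores it in the Subject's private credential set.
        subject = loginContext.getSubject();

        // Log only the principals. Subject.toString() also renders the private credentials,
        // and KerberosTicket.toString() dumps the ticket and its session key bytes in hex -
        // key material must never end up in a log file, even at debug level.
        log.debug("Logged in successfully as principals=" + subject.getPrincipals());
    } catch (LoginException e) {
        log.error(e);
        GSSException gssException = new GSSException(GSSException.DEFECTIVE_CREDENTIAL,
                GSSException.BAD_STATUS,
                "Kerberos client '" + clientPrincipalName + "' failed to login to KDC. Error: " + e.getMessage());
        // GSSException has no cause-taking constructor; attach it explicitly so the JAAS
        // failure is not lost from the stack trace.
        gssException.initCause(e);
        throw gssException;
    }
}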
Use of org.ietf.jgss.GSSException in project OpenAM by OpenRock:
class WindowsDesktopSSO, method process.
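/**
 * Processes the authentication request: extracts the SPNEGO token from the HTTP request (or,
 * failing that, from the callbacks), unwraps the Kerberos mechanism token and validates it
 * against the service credential. If the service credential has expired, the service principal
 * is logged in again via {@code serviceLogin()} and the token is validated once more.
 *
 * @param callbacks callbacks consulted for the SPNEGO token when the HTTP request carries none.
 * @param state     login state; not used by this module.
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} when the Kerberos token validates;
 *         {@code ISAuthConstants.LOGIN_IGNORE} when the REST endpoint has flagged an IWA failure,
 *         or when the privileged action failed with something other than a {@link GSSException}.
 * @throws AuthLoginException if no usable token is present ("token") or validation fails ("auth").
 */
public int process(Callback[] callbacks, int state) throws AuthLoginException {
    int result = ISAuthConstants.LOGIN_IGNORE;
    // The REST auth endpoint can signal that IWA has already failed for this request.
    HttpServletRequest request = getHttpServletRequest();
    if (request != null && hasWDSSOFailed(request)) {
        return ISAuthConstants.LOGIN_IGNORE;
    }
    if (!getConfigParams()) {
        initWindowsDesktopSSOAuth(options);
    }
    // Retrieve the SPNEGO token: the HTTP request first, then the callbacks.
    byte[] spnegoToken = getSPNEGOTokenFromHTTPRequest(request);
    if (spnegoToken == null) {
        spnegoToken = getSPNEGOTokenFromCallback(callbacks);
    }
    if (spnegoToken == null) {
        debug.error("spnego token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    // NOTE(security): this writes the raw client token (the Kerberos AP-REQ) to the debug log.
    // Keep message-level logging off outside of troubleshooting sessions.
    if (debug.messageEnabled()) {
        debug.message("SPNEGO token: \n" + DerValue.printByteArray(spnegoToken, 0, spnegoToken.length));
    }
    // Parse the SPNEGO token and extract the Kerberos mechanism token from it.
    final byte[] kerberosToken = parseToken(spnegoToken);
    if (kerberosToken == null) {
        debug.error("kerberos token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    if (debug.messageEnabled()) {
        debug.message("Kerberos token retrieved from SPNEGO token: \n" + DerValue.printByteArray(kerberosToken, 0, kerberosToken.length));
    }
    // Authenticate the user with the Kerberos token.
    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
        if (debug.messageEnabled()) {
            debug.message("WindowsDesktopSSO kerberos authentication passed succesfully.");
        }
        result = ISAuthConstants.LOGIN_SUCCEED;
    } catch (PrivilegedActionException pe) {
        Exception e = extractException(pe);
        if (e instanceof GSSException) {
            result = handleGssFailure((GSSException) e, kerberosToken);
        } else {
            // Preserved from the original: a non-GSS failure inside the privileged action
            // leaves the result at LOGIN_IGNORE instead of failing the module. Log it so the
            // failure is at least visible.
            debug.error("Authentication failed with PrivilegedActionException that did not wrap a GSSException. Stack Trace", e);
        }
    } catch (GSSException e1) {
        result = handleGssFailure(e1, kerberosToken);
    } catch (AuthLoginException e2) {
        debug.error("Authentication failed with AuthLoginException. Stack Trace", e2);
        throw e2;
    } catch (Exception e3) {
        debug.error("Authentication failed with generic exception. Stack Trace", e3);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, e3);
    }
    return result;
}

/**
 * Handles a {@link GSSException} raised by the first validation attempt. A
 * {@link GSSException#CREDENTIALS_EXPIRED} failure is recovered by re-establishing the service
 * credential and validating the token again; any other major code fails the login.
 *
 * <p>This is the single retry path for both the directly thrown and the
 * {@link PrivilegedActionException}-wrapped case. The original code duplicated it and, in both
 * copies, only assigned {@code LOGIN_SUCCEED} inside the {@code debug.messageEnabled()} guard,
 * so a successful retry reported {@code LOGIN_IGNORE} whenever message logging was off.
 *
 * @param gsse          the failure from the first attempt.
 * @param kerberosToken the Kerberos mechanism token to re-validate after a credential refresh.
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} once the retry validates the token.
 * @throws AuthLoginException ("auth") if the failure is not an expired credential, or if the
 *         retry fails for any reason; the underlying exception is attached as the cause.
 */
private int handleGssFailure(GSSException gsse, byte[] kerberosToken) throws AuthLoginException {
    if (gsse.getMajor() != GSSException.CREDENTIALS_EXPIRED) {
        debug.error("Authentication failed with GSSException. Stack Trace", gsse);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, gsse);
    }
    if (debug.messageEnabled()) {
        debug.message("Credential expired. Re-establish credential...");
    }
    serviceLogin();
    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
    } catch (Exception ee) {
        debug.error("Authentication failed with new cred. Stack Trace", ee);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, ee);
    }
    if (debug.messageEnabled()) {
        debug.message("Authentication succeeded with new cred.");
    }
    // Success is reported regardless of the logging level.
    return ISAuthConstants.LOGIN_SUCCEED;
}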
Use of org.ietf.jgss.GSSException in project wildfly by wildfly:
class CSIv2Util, method createGSSUPMechOID.
/**
 * Builds the ASN.1 DER encoding of the GSSUP mechanism OID.
 *
 * <p>{@code GSSUPMechOID.value} carries an {@code "oid:"} prefix that {@link Oid} does not
 * understand, so the prefix is stripped before parsing. An encoding failure is logged and
 * reported as an empty array rather than propagated.
 *
 * @return the DER-encoded GSSUP OID, or an empty array if encoding failed.
 */
public static byte[] createGSSUPMechOID() {
    final int prefixLength = "oid:".length();
    try {
        // Kudos to org.ietf.jgss.Oid for the OID utility.
        final String dottedOid = GSSUPMechOID.value.substring(prefixLength);
        return new Oid(dottedOid).getDER();
    } catch (GSSException e) {
        IIOPLogger.ROOT_LOGGER.caughtExceptionEncodingGSSUPMechOID(e);
        return new byte[0];
    }
}
Use of org.ietf.jgss.GSSException in project async-http-client by AsyncHttpClient:
class SpnegoEngine, method generateToken.
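/**
 * Generates the base64-encoded initial token to send to {@code server} for HTTP Negotiate
 * authentication.
 *
 * <p>The SPNEGO mechanism is tried first; if the GSS provider rejects it with
 * {@link GSSException#BAD_MECH}, the Kerberos v5 mechanism (RFC 1964) is used instead and, when
 * {@code spnegoGenerator} is set, the Kerberos token is wrapped in a SPNEGO envelope (IIS accepts
 * bare Kerberos tokens; some other servers accept SPNEGO only). This is the first leg of the
 * exchange, so no server challenge is fed into the context.
 *
 * @param server the target host; the service principal is {@code HTTP@server}.
 * @return the base64-encoded token.
 * @throws SpnegoEngineException if the GSS context cannot be created or initialised, or if
 *         wrapping the token fails; the underlying exception is attached as the cause.
 */
public String generateToken(String server) throws SpnegoEngineException {
    GSSContext gssContext = null;
    try {
        log.debug("init {}", server);
        /*
         * Using the SPNEGO OID is the correct method. Kerberos v5 works for IIS but not JBoss.
         * Unwrapping the initial token when using SPNEGO OID looks like what is described here...
         *
         * http://msdn.microsoft.com/en-us/library/ms995330.aspx
         *
         * Another helpful URL...
         *
         * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
         *
         * Unfortunately SPNEGO is JRE >=1.6.
         */
        // Try SPNEGO by default, fall back to Kerberos if the provider rejects the mechanism.
        Oid negotiationOid = new Oid(SPNEGO_OID);
        try {
            gssContext = createNegotiateContext(server, negotiationOid);
        } catch (GSSException ex) {
            log.error("generateToken", ex);
            if (ex.getMajor() != GSSException.BAD_MECH) {
                // Rethrow any other exception.
                throw ex;
            }
            log.debug("GSSException BAD_MECH, retry with Kerberos MECH");
            /* Kerberos v5 GSS-API mechanism defined in RFC 1964. */
            log.debug("Using Kerberos MECH {}", KERBEROS_OID);
            negotiationOid = new Oid(KERBEROS_OID);
            gssContext = createNegotiateContext(server, negotiationOid);
        }

        // First leg of the handshake: there is no server challenge yet, so the input token
        // is empty (the original carried a never-assigned local for this).
        byte[] token = gssContext.initSecContext(new byte[0], 0, 0);
        if (token == null) {
            throw new SpnegoEngineException("GSS security context initialization failed");
        }
        /*
         * IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish? seem to
         * only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
         */
        if (spnegoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
            token = spnegoGenerator.generateSpnegoDERObject(token);
        }
        String tokenstr = Base64.encode(token);
        log.debug("Sending response '{}' back to the server", tokenstr);
        return tokenstr;
    } catch (GSSException gsse) {
        log.error("generateToken", gsse);
        // Every major code is reported the same way; keeping the GSSException as the cause
        // lets callers still distinguish DEFECTIVE_CREDENTIAL / NO_CRED / DEFECTIVE_TOKEN etc.
        // via getMajor(), which the previous "other error" branch dropped.
        throw new SpnegoEngineException(gsse.getMessage(), gsse);
    } catch (IOException ex) {
        throw new SpnegoEngineException(ex.getMessage(), ex);
    } finally {
        // Release the context on every path, not only on success.
        disposeQuietly(gssContext);
    }
}

/**
 * Creates an initiator context for {@code HTTP@server} under {@code mech}, requesting mutual
 * authentication and credential delegation.
 *
 * @param server the target host.
 * @param mech   the mechanism OID (SPNEGO or Kerberos v5).
 * @return the freshly created, not yet initialised context.
 * @throws GSSException if the name cannot be canonicalised for the mechanism or the context
 *         cannot be created ({@link GSSException#BAD_MECH} when the provider does not support
 *         {@code mech}).
 */
private GSSContext createNegotiateContext(String server, Oid mech) throws GSSException {
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
    GSSContext context = manager.createContext(serverName.canonicalize(mech), mech, null, GSSContext.DEFAULT_LIFETIME);
    context.requestMutualAuth(true);
    // NOTE(security): delegation is requested unconditionally, so the client's forwardable TGT
    // is handed to every server it authenticates to, which lets that server act as the user.
    // Consider making this configurable, or requesting it via
    // com.sun.security.jgss.ExtendedGSSContext#requestDelegPolicy(true) so that the KDC's
    // OK-AS-DELEGATE flag on the service ticket decides. Kept as-is to preserve behaviour.
    context.requestCredDeleg(true);
    return context;
}

/**
 * Disposes {@code context} if it is non-null, logging rather than propagating a failure to do so.
 *
 * @param context the context to release; may be null.
 */
private void disposeQuietly(GSSContext context) {
    if (context == null) {
        return;
    }
    try {
        context.dispose();
    } catch (GSSException e) {
        log.debug("dispose", e);
    }
}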
Use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains:
class OkAsDelegate, method go.
/**
 * Runs one OK-AS-DELEGATE scenario against a throwaway KDC and checks the delegation state that
 * both ends of the context, and the acceptor's delegated credential, end up with.
 *
 * <p>The KDC's OK-AS-DELEGATE behaviour comes from the {@code test.kdc.policy.ok-as-delegate}
 * system property; the mechanism is SPNEGO when {@code test.spnego} is set and Kerberos v5
 * otherwise.
 *
 * @param forwardable            whether krb5.conf keeps OneKDC's default {@code forwardable = true}.
 * @param requestDelegState      value passed to {@code requestCredDeleg} on the initiator.
 * @param requestDelegPolicyState value passed to {@code requestDelegPolicy} on the initiator.
 * @param delegState             expected {@code getCredDelegState()} on both initiator and acceptor.
 * @param delegPolicyState       expected {@code getDelegPolicyState()} on the initiator.
 * @param delegated              whether the acceptor is expected to hold a delegated credential.
 * @throws Exception if any expectation does not hold, or if the setup or handshake fails.
 */
void go(boolean forwardable, boolean requestDelegState, boolean requestDelegPolicyState,
        boolean delegState, boolean delegPolicyState, boolean delegated) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate"));
    kdc.writeJAASConf();
    if (!forwardable) {
        // OneKDC writes "forwardable = true" into krb5.conf by default; rewrite the
        // configuration without it and make the Kerberos config re-read it.
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc, "default_keytab_name = " + OneKDC.KTAB);
        Config.refresh();
    }

    Context initiator = Context.fromJAAS("client");
    Context acceptor = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
    Oid mech = System.getProperty("test.spnego") != null
            ? GSSUtil.GSS_SPNEGO_MECH_OID
            : GSSUtil.GSS_KRB5_MECH_OID;

    initiator.startAsClient(OneKDC.SERVER, mech);
    ExtendedGSSContext initiatorCtx = (ExtendedGSSContext) initiator.x();
    initiatorCtx.requestCredDeleg(requestDelegState);
    initiatorCtx.requestDelegPolicy(requestDelegPolicyState);
    acceptor.startAsServer(mech);
    ExtendedGSSContext acceptorCtx = (ExtendedGSSContext) acceptor.x();
    Context.handshake(initiator, acceptor);

    expect(initiatorCtx.getCredDelegState() == delegState, "Initiator cred state error");
    expect(acceptorCtx.getCredDelegState() == delegState, "Acceptor cred state error");
    expect(initiatorCtx.getDelegPolicyState() == delegPolicyState, "Initiator cred policy state error");

    boolean haveDelegatedCred;
    try {
        haveDelegatedCred = acceptor.x().getDelegCred() != null;
    } catch (GSSException e) {
        // No delegated credential is available on the acceptor side; that is a valid outcome.
        haveDelegatedCred = false;
    }
    expect(haveDelegatedCred == delegated, "get cred error");
}

/**
 * Fails the scenario with a plain {@link Exception} carrying {@code message} when
 * {@code condition} is false.
 */
private static void expect(boolean condition, String message) throws Exception {
    if (!condition) {
        throw new Exception(message);
    }
}