
Example 26 with GSSException

use of org.ietf.jgss.GSSException in project ats-framework by Axway.

the class GssClient method loginViaJAAS.

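/**
 * Login to Kerberos KDC and acquire a TGT.
 *
 * <p>Builds the JAAS Kerberos configuration from the client principal plus the optional
 * password and keytab, drives a {@link LoginContext} named {@code "other"} through
 * {@code login()} and keeps the resulting {@code Subject} in {@code subject}. The Subject
 * carries the Kerberos principal and, as a private credential, the TGT.</p>
 *
 * @throws GSSException with major {@link GSSException#DEFECTIVE_CREDENTIAL} when the JAAS
 *         login fails; the underlying {@link LoginException} is attached as the cause
 */
private void loginViaJAAS() throws GSSException {
    try {
        JaasKerberosConfiguration config = createGssKerberosConfiguration();
        if (clientPrincipalPassword != null) {
            config.setPassword(clientPrincipalPassword.toCharArray());
        }
        if (clientKeytab != null) {
            config.setKeytab(clientKeytab.toString());
        }
        config.initialize();

        // Only hand a callback handler to the LoginContext when the configuration provides one.
        LoginContext loginContext;
        if (config.getCallbackHandler() != null) {
            loginContext = new LoginContext("other", config.getCallbackHandler());
        } else {
            loginContext = new LoginContext("other");
        }
        loginContext.login();

        // Krb5LoginModule obtains a TGT (KerberosTicket) for the user either from the KDC
        // or from an existing ticket cache, and stores this TGT in the private credentials
        // set of the Subject.
        subject = loginContext.getSubject();
        // Subject.toString() also renders the private credential set (i.e. the TGT), which must
        // not end up in log files; the principal set is enough to confirm who logged in.
        log.debug("Logged in successfully as principals=" + subject.getPrincipals());
    } catch (LoginException e) {
        log.error(e);
        GSSException gssException = new GSSException(GSSException.DEFECTIVE_CREDENTIAL, GSSException.BAD_STATUS,
                "Kerberos client '" + clientPrincipalName + "' failed to login to KDC. Error: " + e.getMessage());
        // GSSException has no cause-taking constructor; attach the LoginException so its
        // stack trace survives instead of only its message.
        gssException.initCause(e);
        throw gssException;
    }
}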

Example 27 with GSSException

use of org.ietf.jgss.GSSException in project OpenAM by OpenRock.

the class WindowsDesktopSSO method process.

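/**
 * Processes the authentication request.
 *
 * <p>The SPNEGO token is read from the HTTP request (preferred) or from the callbacks, the
 * Kerberos mechanism token is extracted from it and validated against the configured trusted
 * realms. When the service credential has expired, the module re-establishes it once via
 * {@code serviceLogin()} and retries the validation.</p>
 *
 * @param callbacks callbacks that may carry the SPNEGO token when the request does not
 * @param state     current module state (not used by this module)
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} when the token validated;
 *         {@code ISAuthConstants.LOGIN_IGNORE} when the REST endpoint signalled an IWA failure
 * @exception AuthLoginException upon any failure.
 */
public int process(Callback[] callbacks, int state) throws AuthLoginException {
    // Check to see if the Rest Auth Endpoint has signified that IWA has failed.
    HttpServletRequest request = getHttpServletRequest();
    if (request != null && hasWDSSOFailed(request)) {
        return ISAuthConstants.LOGIN_IGNORE;
    }
    if (!getConfigParams()) {
        initWindowsDesktopSSOAuth(options);
    }
    // retrieve the spnego token
    byte[] spnegoToken = getSPNEGOTokenFromHTTPRequest(request);
    if (spnegoToken == null) {
        spnegoToken = getSPNEGOTokenFromCallback(callbacks);
    }
    if (spnegoToken == null) {
        debug.error("spnego token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    if (debug.messageEnabled()) {
        debug.message("SPNEGO token: \n" + DerValue.printByteArray(spnegoToken, 0, spnegoToken.length));
    }
    // parse the spnego token and extract the kerberos mech token from it
    final byte[] kerberosToken = parseToken(spnegoToken);
    if (kerberosToken == null) {
        debug.error("kerberos token is not valid.");
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
    }
    if (debug.messageEnabled()) {
        debug.message("Kerberos token retrieved from SPNEGO token: \n" + DerValue.printByteArray(kerberosToken, 0, kerberosToken.length));
    }
    // authenticate the user with the kerberos token
    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
        if (debug.messageEnabled()) {
            debug.message("WindowsDesktopSSO kerberos authentication passed succesfully.");
        }
        return ISAuthConstants.LOGIN_SUCCEED;
    } catch (PrivilegedActionException pe) {
        // The validation runs as a privileged action; unwrap whatever it actually threw.
        Exception e = extractException(pe);
        if (e instanceof GSSException) {
            return handleGssFailure((GSSException) e, kerberosToken);
        }
        // A non-GSS cause used to be dropped silently (the module answered LOGIN_IGNORE);
        // treat it like every other unexpected failure so the outcome is explicit.
        debug.error("Authentication failed with PrivilegedActionException. Stack Trace", e);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, e);
    } catch (GSSException e1) {
        return handleGssFailure(e1, kerberosToken);
    } catch (AuthLoginException e2) {
        debug.error("Authentication failed with AuthLoginException. Stack Trace", e2);
        throw e2;
    } catch (Exception e3) {
        debug.error("Authentication failed with generic exception. Stack Trace", e3);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, e3);
    }
}

/**
 * Handles a GSS failure raised while validating the Kerberos token: an expired service
 * credential is re-established once and the validation retried; any other GSS error is fatal.
 *
 * @param failure       the GSS error raised by {@code authenticateToken}
 * @param kerberosToken the Kerberos mechanism token to validate again after re-login
 * @return {@code ISAuthConstants.LOGIN_SUCCEED} when the retry validated the token
 * @throws AuthLoginException for any GSS error other than credential expiry, or when the
 *         retry itself fails
 */
private int handleGssFailure(GSSException failure, byte[] kerberosToken) throws AuthLoginException {
    if (failure.getMajor() != GSSException.CREDENTIALS_EXPIRED) {
        debug.error("Authentication failed with GSSException. Stack Trace", failure);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, failure);
    }
    debug.message("Credential expired. Re-establish credential...");
    serviceLogin();
    try {
        authenticateToken(kerberosToken, trustedKerberosRealms);
    } catch (Exception ee) {
        debug.error("Authentication failed with new cred. Stack Trace", ee);
        throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, ee);
    }
    if (debug.messageEnabled()) {
        debug.message("Authentication succeeded with new cred.");
    }
    // The success status was previously assigned inside the messageEnabled() branch, so a
    // successful retry was reported as LOGIN_IGNORE whenever debug messages were disabled.
    return ISAuthConstants.LOGIN_SUCCEED;
}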

Example 28 with GSSException

use of org.ietf.jgss.GSSException in project wildfly by wildfly.

the class CSIv2Util method createGSSUPMechOID.

/**
 * <p>
 * Create an ASN.1, DER encoded representation for the GSSUP OID mechanism.
 * </p>
 *
 * <p>The {@code GSSUPMechOID} constant carries an {@code "oid:"} prefix that
 * {@link org.ietf.jgss.Oid} does not accept, so the first four characters are
 * dropped before encoding.</p>
 *
 * @return the DER encoded representation of the GSSUP OID, or an empty array when the
 *         OID could not be encoded (the failure is logged, not propagated)
 */
public static byte[] createGSSUPMechOID() {
    // kudos to org.ietf.jgss.Oid for the Oid utility: strip the "oid:" part of the GSSUPMechOID first.
    final String dottedOid = GSSUPMechOID.value.substring(4);
    try {
        return new Oid(dottedOid).getDER();
    } catch (GSSException e) {
        IIOPLogger.ROOT_LOGGER.caughtExceptionEncodingGSSUPMechOID(e);
        return new byte[0];
    }
}

Example 29 with GSSException

use of org.ietf.jgss.GSSException in project async-http-client by AsyncHttpClient.

the class SpnegoEngine method generateToken.

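/**
 * Builds the initial SPNEGO (or, as a fallback, raw Kerberos) token for the given HTTP server.
 *
 * <p>A GSS initiator context is created with the SPNEGO mechanism first; when the JRE answers
 * {@link GSSException#BAD_MECH} the Kerberos v5 mechanism (RFC 1964) is used instead and the
 * resulting token is wrapped into a SPNEGO token by {@code spnegoGenerator} when one is
 * configured. The context is disposed on every exit path.</p>
 *
 * @param server host name used to build the {@code HTTP@server} service name
 * @return the Base64-encoded initial token to send back to the server
 * @throws SpnegoEngineException when the context cannot be established or yields no token;
 *         the underlying {@link GSSException} or {@link IOException} is attached as the cause
 */
public String generateToken(String server) throws SpnegoEngineException {
    GSSContext gssContext = null;
    try {
        log.debug("init {}", server);
        /*
         * Using the SPNEGO OID is the correct method. Kerberos v5 works for IIS but not JBoss.
         * Unwrapping the initial token when using SPNEGO OID looks like what is described here...
         *
         * http://msdn.microsoft.com/en-us/library/ms995330.aspx
         *
         * Another helpful URL...
         *
         * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
         *
         * Unfortunately SPNEGO is JRE >=1.6.
         */
        // Try SPNEGO by default, fall back to Kerberos when the mechanism is not available.
        Oid negotiationOid = new Oid(SPNEGO_OID);
        try {
            gssContext = createContext(server, negotiationOid);
        } catch (GSSException ex) {
            if (ex.getMajor() != GSSException.BAD_MECH) {
                log.error("generateToken", ex);
                // Rethrow any other exception.
                throw ex;
            }
            /* Kerberos v5 GSS-API mechanism defined in RFC 1964. */
            log.debug("GSSException BAD_MECH, retry with Kerberos MECH {}", KERBEROS_OID);
            negotiationOid = new Oid(KERBEROS_OID);
            gssContext = createContext(server, negotiationOid);
        }
        // The initiator always starts with an empty input token: there is no challenge to answer yet.
        byte[] token = gssContext.initSecContext(new byte[0], 0, 0);
        if (token == null) {
            throw new SpnegoEngineException("GSS security context initialization failed");
        }
        /*
         * IIS accepts Kerberos and SPNEGO tokens. Some other servers (JBoss, Glassfish?) seem to
         * only accept SPNEGO, so a raw Kerberos token is wrapped into a SPNEGO token here.
         */
        if (spnegoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
            token = spnegoGenerator.generateSpnegoDERObject(token);
        }
        String tokenstr = Base64.encode(token);
        log.debug("Sending response '{}' back to the server", tokenstr);
        return tokenstr;
    } catch (GSSException gsse) {
        log.error("generateToken", gsse);
        // Every major status used to map to the same exception type, but the "other error" branch
        // dropped the cause; keep the GSSException attached so the major code stays diagnosable.
        throw new SpnegoEngineException(gsse.getMessage(), gsse);
    } catch (IOException ex) {
        throw new SpnegoEngineException(ex.getMessage(), ex);
    } finally {
        // Release the JGSS context on every path, not only after a successful token exchange.
        if (gssContext != null) {
            try {
                gssContext.dispose();
            } catch (GSSException ex) {
                log.debug("dispose", ex);
            }
        }
    }
}

/**
 * Creates an initiator context for {@code HTTP@server} under the given mechanism, requesting
 * mutual authentication and credential delegation.
 *
 * @param server host name of the target service
 * @param mech   negotiation mechanism OID (SPNEGO or Kerberos v5)
 * @return the freshly created, not yet established context
 * @throws GSSException when the name or context cannot be created for {@code mech}
 */
private GSSContext createContext(String server, Oid mech) throws GSSException {
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
    GSSContext context = manager.createContext(serverName.canonicalize(mech), mech, null, GSSContext.DEFAULT_LIFETIME);
    context.requestMutualAuth(true);
    // NOTE(review): delegation is requested unconditionally, i.e. the client asks to forward its
    // credentials to whichever server it authenticates to (subject to KDC policy). Consider making
    // this configurable per target rather than on by default.
    context.requestCredDeleg(true);
    return context;
}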

Example 30 with GSSException

use of org.ietf.jgss.GSSException in project jdk8u_jdk by JetBrains.

the class OkAsDelegate method go.

/**
 * Runs one ok-as-delegate scenario: stands up a {@code OneKDC}, performs an initiator/acceptor
 * handshake with the requested delegation flags and compares the observed delegation state
 * with the expected values.
 *
 * @param forwardable             whether tickets are forwardable ({@code false} overrides the
 *                                OneKDC default of {@code forwardable = true})
 * @param requestDelegState       value passed to {@code requestCredDeleg} on the initiator
 * @param requestDelegPolicyState value passed to {@code requestDelegPolicy} on the initiator
 * @param delegState              expected {@code getCredDelegState()} on both sides
 * @param delegPolicyState        expected {@code getDelegPolicyState()} on the initiator
 * @param delegated               whether the acceptor is expected to hold a delegated credential
 * @throws Exception when any observed state differs from the expectation
 */
void go(boolean forwardable, boolean requestDelegState, boolean requestDelegPolicyState, boolean delegState, boolean delegPolicyState, boolean delegated) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.setOption(KDC.Option.OK_AS_DELEGATE, System.getProperty("test.kdc.policy.ok-as-delegate"));
    kdc.writeJAASConf();
    if (!forwardable) {
        // OneKDC writes "forwardable = true" into krb5.conf by default; rewrite it without that flag.
        KDC.saveConfig(OneKDC.KRB5_CONF, kdc, "default_keytab_name = " + OneKDC.KTAB);
        Config.refresh();
    }
    Context initiator = Context.fromJAAS("client");
    Context acceptor = Context.fromJAAS("com.sun.security.jgss.krb5.accept");
    // Plain Kerberos unless the test run asks for SPNEGO.
    Oid mech = (System.getProperty("test.spnego") == null)
            ? GSSUtil.GSS_KRB5_MECH_OID
            : GSSUtil.GSS_SPNEGO_MECH_OID;
    initiator.startAsClient(OneKDC.SERVER, mech);
    ExtendedGSSContext initiatorCtx = (ExtendedGSSContext) initiator.x();
    initiatorCtx.requestCredDeleg(requestDelegState);
    initiatorCtx.requestDelegPolicy(requestDelegPolicyState);
    acceptor.startAsServer(mech);
    ExtendedGSSContext acceptorCtx = (ExtendedGSSContext) acceptor.x();
    Context.handshake(initiator, acceptor);
    expect(initiatorCtx.getCredDelegState() == delegState, "Initiator cred state error");
    expect(acceptorCtx.getCredDelegState() == delegState, "Acceptor cred state error");
    expect(initiatorCtx.getDelegPolicyState() == delegPolicyState, "Initiator cred policy state error");
    GSSCredential delegatedCred;
    try {
        delegatedCred = acceptor.x().getDelegCred();
    } catch (GSSException ignored) {
        // No delegated credential is a legitimate outcome; the check below decides whether it was expected.
        delegatedCred = null;
    }
    expect((delegatedCred != null) == delegated, "get cred error");
}

/** Throws a plain {@code Exception} carrying {@code message} when {@code condition} is false. */
private static void expect(boolean condition, String message) throws Exception {
    if (!condition) {
        throw new Exception(message);
    }
}
