
Example 36 with GSSException

use of org.ietf.jgss.GSSException in project voltdb by VoltDB.

the class ConnectionUtil method performAuthenticationHandShake.

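/**
 * Runs the GSS-API (Kerberos v5) authentication handshake over {@code channel} as
 * {@code subject}, then reads the server's login response.
 *
 * <p>The GSS calls run inside {@link Subject#doAs} so they execute with the subject's
 * credentials. {@code PrivilegedAction.run()} cannot throw checked exceptions, so GSS and I/O
 * failures inside the action are wrapped in a {@link RuntimeException}; that wrapper is
 * caught here, unwrapped and re-thrown as an {@link IOException}. (The previous
 * {@code catch (SecurityException)} never saw those wrappers, so handshake failures escaped
 * as RuntimeExceptions with the channel left open.)
 *
 * @param channel     connected channel to the server; closed by this method on any failure
 * @param subject     JAAS subject whose first principal is the client identity
 * @param serviceName name of the service principal to authenticate against
 * @return the login response buffer, positioned just after the consumed version byte
 * @throws IOException  if the handshake fails, the response length or version is invalid, or
 *                      the peer closes the connection mid-read ({@link EOFException})
 */
private static final ByteBuffer performAuthenticationHandShake(final SocketChannel channel, final Subject subject, final String serviceName) throws IOException {
    try {
        if (subject.getPrincipals().isEmpty()) {
            // iterator().next() on an empty set would surface as NoSuchElementException
            throw new IOException("Subject has no principal to authenticate with");
        }
        final String subjectPrincipal = subject.getPrincipals().iterator().next().getName();
        final Optional<DelegatePrincipal> delegate = getDelegate(subject);
        // delegation is only permitted when the subject itself is the service principal
        if (delegate.isPresent() && !subjectPrincipal.equals(serviceName)) {
            throw new IOException("Delegate authentication is not allowed for user " + delegate.get().getName());
        }
        Subject.doAs(subject, new PrivilegedAction<GSSContext>() {

            @Override
            public GSSContext run() {
                GSSContext context = null;
                try {
                    // Kerberos v5 mechanism OID
                    final Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
                    // Kerberos v5 principal name type OID
                    final Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
                    final GSSName serverName = m_gssManager.createName(serviceName, krb5PrincipalNameType);
                    context = m_gssManager.createContext(serverName, krb5Oid, null, GSSContext.INDEFINITE_LIFETIME);
                    // mutual authentication plus confidentiality and integrity protection
                    context.requestMutualAuth(true);
                    context.requestConf(true);
                    context.requestInteg(true);
                    establishSecurityContext(channel, context, delegate);
                    context.dispose();
                    context = null;
                } catch (GSSException | IOException ex) {
                    // run() cannot throw checked exceptions; the enclosing catch unwraps this
                    throw new RuntimeException(ex);
                } finally {
                    if (context != null) {
                        try {
                            context.dispose();
                        } catch (Exception ignored) {
                            // best-effort cleanup after a failed handshake
                        }
                    }
                }
                return null;
            }
        });
    } catch (RuntimeException ex) {
        // Subject.doAs(Subject, PrivilegedAction) does not wrap exceptions: the RuntimeException
        // thrown by run() above, or a SecurityException from the access checks, arrives here
        // unchanged. Either way the handshake failed.
        try {
            channel.close();
        } catch (Exception ignored) {
            // already failing; a close error adds nothing
        }
        Throwable cause = ex.getCause();
        if (cause instanceof RuntimeException && cause.getCause() != null) {
            // strip one extra wrapper layer if the original failure was double-wrapped
            cause = cause.getCause();
        } else if (cause == null) {
            cause = ex;
        }
        if (cause instanceof IOException) {
            throw (IOException) cause;
        }
        throw new IOException("Authentication Handshake Failed", cause);
    }
    final ByteBuffer lengthBuffer = ByteBuffer.allocate(4);
    readFullyOrClose(channel, lengthBuffer);
    final int responseSize = lengthBuffer.getInt();
    if (responseSize < 1) {
        // the response must carry at least the version byte; a negative length would otherwise
        // make ByteBuffer.allocate throw IllegalArgumentException rather than an IOException
        channel.close();
        throw new IOException("Invalid login response length: " + responseSize);
    }
    // NOTE(review): responseSize is peer-controlled and has no upper bound here; confirm the
    // protocol's maximum login response size and reject larger values before allocating.
    final ByteBuffer loginResponse = ByteBuffer.allocate(responseSize);
    readFullyOrClose(channel, loginResponse);
    final byte version = loginResponse.get();
    if (version != (byte) 0) {
        channel.close();
        throw new IOException("Encountered unexpected version for the login response message: " + version);
    }
    return loginResponse;
}

/**
 * Reads from {@code channel} until {@code buffer} is full, then flips it for reading.
 *
 * @param channel channel to read from; closed if the peer ends the stream early
 * @param buffer  destination buffer; filled to its limit on success
 * @throws IOException  on a read error
 * @throws EOFException if end-of-stream is reached before the buffer is full
 */
private static void readFullyOrClose(final SocketChannel channel, final ByteBuffer buffer) throws IOException {
    while (buffer.hasRemaining()) {
        if (channel.read(buffer) == -1) {
            channel.close();
            throw new EOFException();
        }
    }
    buffer.flip();
}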

Example 37 with GSSException

use of org.ietf.jgss.GSSException in project voltdb by VoltDB.

the class HTTPClientInterface method spnegoLogin.

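/**
 * Accepts a single SPNEGO (Negotiate) token from an HTTP Authorization header against this
 * server's service principal and returns the authenticated client name.
 *
 * <p>Exactly one token exchange is performed. The acceptor's output token is meant for the
 * client, so it is never fed back into this acceptor; if the context is not established after
 * consuming the client's token, authentication fails. (The previous loop re-fed the output
 * token, which could only end in a GSS error or a NullPointerException on a null token.)
 *
 * @param encodedToken base64 SPNEGO token as received from the client; may be null or empty
 * @return the source principal name of the established context, or {@code null} when the
 *         token is absent, the context cannot be established, or a GSS error occurs
 */
private String spnegoLogin(String encodedToken) {
    // Check before decoding: decoding first made this guard unreachable for a null token.
    if (encodedToken == null || encodedToken.isEmpty()) {
        return null;
    }
    // NOTE(review): a malformed base64 header value may make B64Code.decode throw an unchecked
    // exception; confirm the caller handles that.
    final byte[] token = B64Code.decode(encodedToken);
    GSSContext ctx = null;
    try {
        // SPNEGO pseudo-mechanism OID
        final Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        final GSSManager manager = GSSManager.getInstance();
        final GSSName name = manager.createName(m_servicePrincipal, null);
        ctx = manager.createContext(name.canonicalize(spnegoOid), spnegoOid, null, GSSContext.INDEFINITE_LIFETIME);
        if (ctx == null) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "Failed to establish security context for SPNEGO authentication");
            return null;
        }
        // single leg: the returned token would go back to the client, which this method cannot do
        ctx.acceptSecContext(token, 0, token.length);
        if (!ctx.isEstablished()) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "SPNEGO security context not established after a single token exchange");
            return null;
        }
        final GSSName srcName = ctx.getSrcName();
        if (srcName == null) {
            m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, null, "Failed to read source name from established SPNEGO security context");
            return null;
        }
        final String user = srcName.toString();
        if (m_log.isDebugEnabled()) {
            m_log.debug("established SPNEGO security context for " + user);
        }
        return user;
    } catch (GSSException e) {
        m_rate_limited_log.log(EstTime.currentTimeMillis(), Level.ERROR, e, "failed SPNEGO authentication");
        return null;
    } finally {
        // release the context's native/mechanism state on every exit path
        if (ctx != null) {
            try {
                ctx.dispose();
            } catch (GSSException ignored) {
                // the context is no longer needed; a dispose failure changes nothing
            }
        }
    }
}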
