Example 41 with GSSException

use of org.ietf.jgss.GSSException in project cxf by apache.

the class JAXRSIntermediaryPortTypeImpl method doubleIt.

public int doubleIt(int numberToDouble) {
    // JAX-RS intermediary: the caller has already authenticated with Kerberos (see
    // KerberosAuthenticationFilter). This method calls the SOAP backend and, when the
    // caller delegated its credential, makes that call on the caller's behalf.
    URL wsdl = JAXRSIntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
    DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
    try {
        updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT);
    } catch (Exception ex) {
        // Test fixture: a bad port is reported, not treated as fatal.
        ex.printStackTrace();
    }
    // Retrieve delegated credential + set it on the outbound message.
    // The filter keeps the GSSContext open only when the client asked for credential
    // delegation (getCredDelegState()); otherwise the context has been disposed and
    // there is no delegated credential to pick up, so nothing is put on the request
    // context and the backend call does not carry the caller's identity.
    SecurityContext securityContext = PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
    if (securityContext instanceof KerberosSecurityContext) {
        KerberosSecurityContext ksc = (KerberosSecurityContext) securityContext;
        try {
            GSSCredential delegatedCredential = ksc.getGSSContext().getDelegCred();
            Map<String, Object> context = ((BindingProvider) transportPort).getRequestContext();
            context.put(SecurityConstants.DELEGATED_CREDENTIAL, delegatedCredential);
        } catch (GSSException e) {
            // Swallowed here because this is test code; a production intermediary should
            // fail the request rather than silently continue without the delegation.
            e.printStackTrace();
        }
    }
    return transportPort.doubleIt(numberToDouble);
}
Also used : KerberosSecurityContext(org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter.KerberosSecurityContext) QName(javax.xml.namespace.QName) WebService(javax.jws.WebService) Service(javax.xml.ws.Service) BindingProvider(javax.xml.ws.BindingProvider) URL(java.net.URL) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) SecurityContext(org.apache.cxf.security.SecurityContext) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType)

Example 42 with GSSException

use of org.ietf.jgss.GSSException in project cxf by apache.

the class KerberosAuthenticationFilter method filter.

@Override
public void filter(ContainerRequestContext context) {
    // Exactly one Authorization header is required; none or several is rejected with
    // the 401 response built by getFaultResponse().
    List<String> authHeaders = messageContext.getHttpHeaders().getRequestHeader(HttpHeaders.AUTHORIZATION);
    if (authHeaders == null || authHeaders.size() != 1) {
        LOG.fine("No Authorization header is available");
        throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
    }
    // Expect "Negotiate <base64 token>"; the scheme name is case-insensitive (RFC 7235).
    String[] authPair = StringUtils.split(authHeaders.get(0), " ");
    if (authPair.length != 2 || !NEGOTIATE_SCHEME.equalsIgnoreCase(authPair[0])) {
        LOG.fine("Negotiate Authorization scheme is expected");
        throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
    }
    byte[] serviceTicket = getServiceTicket(authPair[1]);
    try {
        // Log in as the service principal (JAAS) and validate the client's ticket with
        // acceptSecContext() while running as that Subject.
        Subject serviceSubject = loginAndGetSubject();
        GSSContext gssContext = createGSSContext();
        Subject.doAs(serviceSubject, new ValidateServiceTicketAction(gssContext, serviceTicket));
        // The authenticated client principal comes from the established GSS context,
        // never from anything the client supplied in the clear.
        GSSName srcName = gssContext.getSrcName();
        if (srcName == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
        }
        String complexUserName = srcName.toString();
        // Strip the realm ("alice@EXAMPLE.COM" -> "alice"). Principals with the same
        // short name in different realms collapse to one simple name, so the full name
        // is kept alongside it for callers that need to tell them apart.
        String simpleUserName = complexUserName;
        int index = simpleUserName.lastIndexOf('@');
        if (index > 0) {
            simpleUserName = simpleUserName.substring(0, index);
        }
        Message m = JAXRSUtils.getCurrentMessage();
        m.put(SecurityContext.class, createSecurityContext(simpleUserName, complexUserName, gssContext));
        // Keep the context alive only if the client delegated its credentials, so a
        // downstream call can fetch them with getDelegCred(); otherwise release it now.
        if (!gssContext.getCredDelegState()) {
            gssContext.dispose();
            gssContext = null;
        }
    } catch (LoginException e) {
        // The *service* principal could not log in (keytab, KDC reachability): the
        // client only sees a 401, the reason stays in the server log.
        LOG.fine("Unsuccessful JAAS login for the service principal: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    } catch (GSSException e) {
        // Ticket rejected: wrong SPN, expired ticket, bad checksum, or a non-Kerberos
        // token (such as NTLM) sent under the Negotiate scheme. Also a 401.
        LOG.fine("GSS API exception: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    } catch (PrivilegedActionException e) {
        LOG.fine("PrivilegedActionException: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) Message(org.apache.cxf.message.Message) PrivilegedActionException(java.security.PrivilegedActionException) Subject(javax.security.auth.Subject) GSSException(org.ietf.jgss.GSSException) GSSContext(org.ietf.jgss.GSSContext) LoginException(javax.security.auth.login.LoginException)

Example 43 with GSSException

use of org.ietf.jgss.GSSException in project cxf by apache.

the class AbstractSpnegoAuthSupplier method getToken.

/**
 * Create and return a service ticket token for a given service principal
 * name
 *
 * @param authPolicy the client authorization policy (user name, password and
 *                   JAAS context name); may be null
 * @param spn the target service principal name
 * @param oid the mechanism OID to use: SPNEGO or plain Kerberos V5
 * @param message the current outbound message
 * @return service ticket token
 * @throws GSSException
 * @throws LoginException
 */
private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid oid, Message message) throws GSSException, LoginException {
    // An intermediary that already holds a delegated GSSCredential for the caller
    // (stored under the GSSCredential class name) uses it instead of logging in itself.
    GSSCredential delegatedCred = (GSSCredential) message.getContextualProperty(GSSCredential.class.getName());
    Subject subject = null;
    if (authPolicy != null && delegatedCred == null) {
        String contextName = authPolicy.getAuthorization();
        if (contextName == null) {
            contextName = "";
        }
        // Only perform a JAAS login if there is something to log in with; otherwise the
        // GSS provider is left to obtain credentials on its own.
        if (!(StringUtils.isEmpty(authPolicy.getUserName()) && StringUtils.isEmpty(contextName) && loginConfig == null)) {
            CallbackHandler callbackHandler = getUsernamePasswordHandler(authPolicy.getUserName(), authPolicy.getPassword());
            LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
            lc.login();
            subject = lc.getSubject();
        }
    }
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName(spn, serviceNameType);
    GSSContext context = manager.createContext(serverName.canonicalize(oid), oid, delegatedCred, GSSContext.DEFAULT_LIFETIME);
    // Request forwardable (delegated) credentials only when the message says the
    // target must act on the client's behalf; delegation widens the blast radius of
    // a compromised service, so it stays off unless explicitly required.
    context.requestCredDeleg(isCredDelegationRequired(message));
    // If the delegated cred is not null then we only need the context to
    // immediately return a ticket based on this credential without attempting
    // to log on again
    final byte[] token = new byte[0];
    if (delegatedCred != null) {
        return context.initSecContext(token, 0, token.length);
    }
    decorateSubject(subject);
    try {
        return Subject.doAs(subject, new CreateServiceTicketAction(context, token));
    } catch (PrivilegedActionException e) {
        if (e.getCause() instanceof GSSException) {
            throw (GSSException) e.getCause();
        }
        // Any other cause is logged here and returned as a null token, which the
        // caller (getAuthorization) then fails on while base64-encoding it.
        LOG.log(Level.SEVERE, "initSecContext", e);
        return null;
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) NamePasswordCallbackHandler(org.apache.cxf.interceptor.security.NamePasswordCallbackHandler) CallbackHandler(javax.security.auth.callback.CallbackHandler) LoginContext(javax.security.auth.login.LoginContext) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) PrivilegedActionException(java.security.PrivilegedActionException) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Subject(javax.security.auth.Subject)

Example 44 with GSSException

use of org.ietf.jgss.GSSException in project cxf by apache.

the class AbstractSpnegoAuthSupplier method getAuthorization.

public String getAuthorization(AuthorizationPolicy authPolicy, URI currentURI, Message message) {
    // Only act when the policy asks for the Negotiate scheme; other schemes are left
    // to other suppliers.
    if (!HttpAuthHeader.AUTH_TYPE_NEGOTIATE.equals(authPolicy.getAuthorizationType())) {
        return null;
    }
    try {
        // The SPN is the configured service principal name or, by default, one derived
        // from the host of the URI being called.
        String spn = getCompleteServicePrincipalName(currentURI);
        // Default is the SPNEGO OID (1.3.6.1.5.5.2); the property switches to the raw
        // Kerberos V5 OID (1.2.840.113554.1.2.2) for servers that do not speak SPNEGO.
        boolean useKerberosOid = MessageUtils.getContextualBoolean(message, PROPERTY_USE_KERBEROS_OID);
        Oid oid = new Oid(useKerberosOid ? KERBEROS_OID : SPNEGO_OID);
        byte[] token = getToken(authPolicy, spn, oid, message);
        return HttpAuthHeader.AUTH_TYPE_NEGOTIATE + " " + Base64Utility.encode(token);
    } catch (LoginException e) {
        // Checked exceptions are rethrown unchecked so the HTTP conduit aborts the call.
        throw new RuntimeException(e.getMessage(), e);
    } catch (GSSException e) {
        throw new RuntimeException(e.getMessage(), e);
    }
}
Also used : GSSException(org.ietf.jgss.GSSException) LoginException(javax.security.auth.login.LoginException) Oid(org.ietf.jgss.Oid)
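Examples 42 and 44 together fix the shape of what travels in the Authorization header: the filter accepts exactly one "Negotiate <base64>" header, and the supplier decides whether the token inside is wrapped with the SPNEGO OID or the raw Kerberos V5 OID. The following class is an added example, not Apache CXF code: it applies the same header rules as the filter and then reads the mechanism OID from the token's RFC 2743 InitialContextToken wrapper (0x60, length, 0x06, OID), so an operator can tell SPNEGO, plain Kerberos and the raw NTLM messages that browsers sometimes send under the Negotiate scheme apart before a GSSException from acceptSecContext() is the only clue. The class name and the sample tokens in main() are constructed for this example; they are not captured from a KDC exchange and carry only the leading wrapper bytes.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;

/**
 * Inspects the token in "Authorization: Negotiate <base64>" before it reaches
 * GSSContext.acceptSecContext(): same header rules as the CXF filter, then a look
 * at the mechanism OID in the RFC 2743 InitialContextToken wrapper.
 */
public final class NegotiateTokenInspector {

    static final String NEGOTIATE_SCHEME = "Negotiate";
    // Mechanism OIDs as in AbstractSpnegoAuthSupplier: SPNEGO (RFC 4178), Kerberos V5 (RFC 1964)
    static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    // Browsers may send a raw NTLM message under the Negotiate scheme; a Kerberos acceptor rejects it
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);

    public enum Kind { SPNEGO, KERBEROS, NTLM, UNKNOWN }

    /** Exactly one header, scheme "Negotiate" (case-insensitive), one base64 token. */
    public static byte[] extractToken(List<String> authHeaders) {
        if (authHeaders == null || authHeaders.size() != 1) {
            throw new IllegalArgumentException("exactly one Authorization header expected");
        }
        String[] authPair = authHeaders.get(0).trim().split("\\s+");
        if (authPair.length != 2 || !NEGOTIATE_SCHEME.equalsIgnoreCase(authPair[0])) {
            throw new IllegalArgumentException("Negotiate Authorization scheme is expected");
        }
        return Base64.getDecoder().decode(authPair[1]); // IllegalArgumentException if not base64
    }

    /** Classifies a decoded token by the NTLMSSP signature or its leading mechanism OID. */
    public static Kind classify(byte[] token) {
        if (token.length >= NTLMSSP.length && Arrays.equals(Arrays.copyOf(token, NTLMSSP.length), NTLMSSP)) {
            return Kind.NTLM;
        }
        String oid = leadingMechOid(token);
        if (SPNEGO_OID.equals(oid)) {
            return Kind.SPNEGO;
        }
        return KERBEROS_OID.equals(oid) ? Kind.KERBEROS : Kind.UNKNOWN;
    }

    /** Parses "0x60 <len> 0x06 <oidlen> <oid>" (RFC 2743 section 3.1); null if the shape differs. */
    static String leadingMechOid(byte[] t) {
        int[] pos = {0};
        if (t.length < 2 || (t[pos[0]++] & 0xff) != 0x60 || readLength(t, pos) < 0) return null;
        if (pos[0] >= t.length || (t[pos[0]++] & 0xff) != 0x06) return null;
        int oidLen = readLength(t, pos);
        if (oidLen <= 0 || pos[0] + oidLen > t.length) return null;
        return decodeOid(Arrays.copyOfRange(t, pos[0], pos[0] + oidLen));
    }

    /** DER length: short form below 0x80, else 0x81..0x84 followed by that many big-endian bytes. */
    static int readLength(byte[] t, int[] pos) {
        if (pos[0] >= t.length) return -1;
        int first = t[pos[0]++] & 0xff;
        if (first < 0x80) return first;
        int n = first & 0x7f;
        if (n == 0 || n > 4 || pos[0] + n > t.length) return -1;
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (t[pos[0]++] & 0xff);
        return len;
    }

    /** Dotted OID from DER content bytes; the first base-128 value packs arcs 1 and 2 as 40*a+b. */
    static String decodeOid(byte[] b) {
        StringBuilder sb = new StringBuilder();
        long value = 0;
        for (byte x : b) {
            value = (value << 7) | (x & 0x7f);
            if ((x & 0x80) == 0) {
                sb.append(sb.length() == 0 ? (value / 40) + "." + (value % 40) : "." + value);
                value = 0;
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample tokens (not captured from a real KDC): only the wrapper bytes matter here.
        byte[] spnego = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        byte[] krb5 = {0x60, 0x0d, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12,
            0x01, 0x02, 0x02, 0x01, 0x00};
        String ntlm = "Negotiate " + Base64.getEncoder().encodeToString(
            "NTLMSSP\0\1\0\0\0".getBytes(StandardCharsets.ISO_8859_1));
        System.out.println(classify(spnego));
        System.out.println(classify(krb5));
        System.out.println(classify(extractToken(Arrays.asList(ntlm))));
    }
}
```

Run it with `java NegotiateTokenInspector.java` (JDK 11 or later). The inspection is deliberately limited to the outer wrapper: the inner Kerberos AP-REQ is opaque to anything but the GSS acceptor, and only acceptSecContext() under the service Subject, as in Example 42, establishes who the client is.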
