use of org.ietf.jgss.GSSException in project cxf by apache.
In class JAXRSIntermediaryPortTypeImpl, method doubleIt.
public int doubleIt(int numberToDouble) {
    // Build a client for the transport/SAML2 port of the downstream DoubleIt service.
    URL wsdl = JAXRSIntermediaryPortTypeImpl.class.getResource("DoubleIt.wsdl");
    Service service = Service.create(wsdl, SERVICE_QNAME);
    QName portQName = new QName(NAMESPACE, "DoubleItTransportSAML2Port");
    DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
    try {
        updateAddressPort(transportPort, KerberosDelegationTokenTest.PORT);
    } catch (Exception ex) {
        // Best-effort address rewrite: a failure is only printed and the call
        // proceeds against whatever address the WSDL specifies.
        ex.printStackTrace();
    }

    // Forward the caller's delegated Kerberos credential to the downstream call, if any.
    SecurityContext securityContext = PhaseInterceptorChain.getCurrentMessage().get(SecurityContext.class);
    if (securityContext instanceof KerberosSecurityContext) {
        propagateDelegatedCredential((KerberosSecurityContext) securityContext, transportPort);
    }
    return transportPort.doubleIt(numberToDouble);
}

/**
 * Copies the delegated credential from the inbound Kerberos security context onto the
 * outbound request context of the downstream client.
 *
 * @param ksc the inbound Kerberos security context holding the accepted GSS context
 * @param client the downstream port; must be a JAX-WS {@code BindingProvider} proxy
 */
private void propagateDelegatedCredential(KerberosSecurityContext ksc, DoubleItPortType client) {
    try {
        GSSCredential delegatedCredential = ksc.getGSSContext().getDelegCred();
        Map<String, Object> requestContext = ((BindingProvider) client).getRequestContext();
        requestContext.put(SecurityConstants.DELEGATED_CREDENTIAL, delegatedCredential);
    } catch (GSSException e) {
        // NOTE: the failure is only printed; the downstream call then goes out
        // without a delegated credential.
        e.printStackTrace();
    }
}
use of org.ietf.jgss.GSSException in project cxf by apache.
In class KerberosAuthenticationFilter, method filter.
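/**
 * Authenticates the request with the Kerberos/SPNEGO {@code Negotiate} scheme.
 *
 * <p>Exactly one {@code Authorization: Negotiate <base64 ticket>} header is required. The
 * service ticket is accepted under the service principal's JAAS subject and, on success, a
 * {@link SecurityContext} for the client principal is stored on the current message.
 * A missing or malformed header, a failed JAAS login, a GSS-API failure and a failed
 * privileged action are all reported through
 * {@code ExceptionUtils.toNotAuthorizedException}.
 *
 * <p>The accepted GSS context is disposed as soon as it is no longer needed, including when
 * validation fails part-way. It is retained only when the client delegated its credential,
 * because the security context later reads the delegated credential from it.
 *
 * @param context the JAX-RS request context; the Authorization header is read from
 *        {@code messageContext} rather than from this parameter
 * @throws javax.ws.rs.NotAuthorizedException if the request cannot be authenticated
 */
@Override
public void filter(ContainerRequestContext context) {
    List<String> authHeaders = messageContext.getHttpHeaders().getRequestHeader(HttpHeaders.AUTHORIZATION);
    // Exactly one Authorization header: several would make the choice of ticket ambiguous.
    if (authHeaders == null || authHeaders.size() != 1) {
        LOG.fine("No Authorization header is available");
        throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
    }
    String[] authPair = StringUtils.split(authHeaders.get(0), " ");
    if (authPair.length != 2 || !NEGOTIATE_SCHEME.equalsIgnoreCase(authPair[0])) {
        LOG.fine("Negotiate Authorization scheme is expected");
        throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
    }
    byte[] serviceTicket = getServiceTicket(authPair[1]);

    GSSContext gssContext = null;
    try {
        Subject serviceSubject = loginAndGetSubject();
        gssContext = createGSSContext();
        Subject.doAs(serviceSubject, new ValidateServiceTicketAction(gssContext, serviceTicket));
        GSSName srcName = gssContext.getSrcName();
        if (srcName == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
        }
        String complexUserName = srcName.toString();
        // Strip the realm ("user@REALM" -> "user") for the simple name; a leading '@' is kept.
        String simpleUserName = complexUserName;
        int index = simpleUserName.lastIndexOf('@');
        if (index > 0) {
            simpleUserName = simpleUserName.substring(0, index);
        }
        Message m = JAXRSUtils.getCurrentMessage();
        m.put(SecurityContext.class, createSecurityContext(simpleUserName, complexUserName, gssContext));
        if (!gssContext.getCredDelegState()) {
            gssContext.dispose();
        }
        // Either disposed above or deliberately handed to the security context (credential
        // delegation); in both cases the cleanup in finally must leave it alone.
        gssContext = null;
    } catch (LoginException e) {
        LOG.fine("Unsuccessful JAAS login for the service principal: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    } catch (GSSException e) {
        LOG.fine("GSS API exception: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    } catch (PrivilegedActionException e) {
        LOG.fine("PrivilegedActionException: " + e.getMessage());
        throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
    } finally {
        // Non-null only on a failure path (including the srcName == null rejection),
        // where the context would otherwise never be released.
        disposeQuietly(gssContext);
    }
}

/**
 * Releases a GSS context that is no longer needed, logging rather than propagating a
 * failure so that it cannot mask the exception already being thrown.
 *
 * @param gssContext the context to release; {@code null} is ignored
 */
private void disposeQuietly(GSSContext gssContext) {
    if (gssContext == null) {
        return;
    }
    try {
        gssContext.dispose();
    } catch (GSSException e) {
        LOG.fine("Failed to dispose the GSS context: " + e.getMessage());
    }
}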
use of org.ietf.jgss.GSSException in project cxf by apache.
In class AbstractSpnegoAuthSupplier, method getToken.
/**
 * Creates the initial SPNEGO/Kerberos token for the given service principal name.
 *
 * <p>When the message carries a delegated {@link GSSCredential} (under the contextual property
 * named {@code GSSCredential.class.getName()}), the context is created from that credential
 * and no JAAS login is attempted. Otherwise a login is performed when a user name, a JAAS
 * context name or a login configuration is available, and the token is requested under the
 * resulting subject (which may be {@code null}).
 *
 * @param authPolicy the client's authorization policy; may be {@code null}
 * @param spn the complete service principal name to request a ticket for
 * @param oid the mechanism OID (Kerberos or SPNEGO) used to canonicalize the name and create
 *        the context
 * @param message the current message; the delegated credential is read from it and it is
 *        passed to {@code isCredDelegationRequired}
 * @return the initial context token, or {@code null} if the privileged action failed with a
 *         cause other than {@link GSSException} (logged at SEVERE)
 * @throws GSSException if the GSS-API context cannot be created or initialised
 * @throws LoginException if the JAAS login fails
 */
private byte[] getToken(AuthorizationPolicy authPolicy, String spn, Oid oid, Message message) throws GSSException, LoginException {
    GSSCredential delegatedCred = (GSSCredential) message.getContextualProperty(GSSCredential.class.getName());
    // A delegated credential makes a fresh login unnecessary.
    Subject subject = (authPolicy != null && delegatedCred == null) ? loginForTicket(authPolicy) : null;

    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName(spn, serviceNameType);
    GSSContext context = manager.createContext(serverName.canonicalize(oid), oid, delegatedCred, GSSContext.DEFAULT_LIFETIME);
    context.requestCredDeleg(isCredDelegationRequired(message));

    final byte[] emptyToken = new byte[0];
    if (delegatedCred != null) {
        // The context already holds a credential: it can emit the ticket without any login.
        return context.initSecContext(emptyToken, 0, emptyToken.length);
    }
    decorateSubject(subject);
    try {
        return Subject.doAs(subject, new CreateServiceTicketAction(context, emptyToken));
    } catch (PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause instanceof GSSException) {
            throw (GSSException) cause;
        }
        LOG.log(Level.SEVERE, "initSecContext", e);
        return null;
    }
}

/**
 * Performs the JAAS login described by the authorization policy, if there is anything to
 * log in with.
 *
 * @param authPolicy the authorization policy; must not be {@code null}
 * @return the logged-in subject, or {@code null} if neither a user name, a JAAS context name
 *         nor a login configuration is available
 * @throws LoginException if the login fails
 */
private Subject loginForTicket(AuthorizationPolicy authPolicy) throws LoginException {
    String contextName = authPolicy.getAuthorization();
    if (contextName == null) {
        contextName = "";
    }
    boolean haveUser = !StringUtils.isEmpty(authPolicy.getUserName());
    boolean haveContext = !StringUtils.isEmpty(contextName);
    if (!haveUser && !haveContext && loginConfig == null) {
        return null;
    }
    CallbackHandler callbackHandler = getUsernamePasswordHandler(authPolicy.getUserName(), authPolicy.getPassword());
    LoginContext lc = new LoginContext(contextName, null, callbackHandler, loginConfig);
    lc.login();
    return lc.getSubject();
}
use of org.ietf.jgss.GSSException in project cxf by apache.
In class AbstractSpnegoAuthSupplier, method getAuthorization.
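/**
 * Builds the {@code Authorization} header value for a Negotiate (SPNEGO/Kerberos) request.
 *
 * @param authPolicy the client's authorization policy; only
 *        {@code HttpAuthHeader.AUTH_TYPE_NEGOTIATE} is handled
 * @param currentURI the URI being invoked, used to derive the service principal name
 * @param message the current message, consulted for {@code PROPERTY_USE_KERBEROS_OID} and
 *        passed on to {@code getToken}
 * @return {@code "Negotiate <base64 token>"}, or {@code null} if the policy is not of type
 *         Negotiate
 * @throws RuntimeException wrapping the {@link LoginException} or {@link GSSException} raised
 *         while obtaining the token
 * @throws IllegalStateException if {@code getToken} produced no token
 */
public String getAuthorization(AuthorizationPolicy authPolicy, URI currentURI, Message message) {
    if (!HttpAuthHeader.AUTH_TYPE_NEGOTIATE.equals(authPolicy.getAuthorizationType())) {
        return null;
    }
    try {
        String spn = getCompleteServicePrincipalName(currentURI);
        boolean useKerberosOid = MessageUtils.getContextualBoolean(message, PROPERTY_USE_KERBEROS_OID);
        Oid oid = new Oid(useKerberosOid ? KERBEROS_OID : SPNEGO_OID);
        byte[] token = getToken(authPolicy, spn, oid, message);
        if (token == null) {
            // getToken logs and returns null when the privileged action fails for a non-GSS
            // reason; fail explicitly rather than hand a null token to Base64Utility.encode.
            throw new IllegalStateException("No Negotiate token could be obtained for " + spn);
        }
        return HttpAuthHeader.AUTH_TYPE_NEGOTIATE + " " + Base64Utility.encode(token);
    } catch (LoginException | GSSException e) {
        // Both failures are reported the same way; the cause is preserved.
        throw new RuntimeException(e.getMessage(), e);
    }
}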