
Example 51 with GSSManager

use of org.ietf.jgss.GSSManager in project registry by hortonworks.

the class TestKerberosAuthenticationHandler method testRequestWithAuthorization.

/**
 * Exercises the handler with a request that already carries a {@code Negotiate} token.
 * The token comes from a real JGSS client exchange run as the test client principal against
 * the test server principal. The handler may either finish authentication in this single
 * round trip (non-null token, 200) or answer 401 (null token); in both cases it has to set a
 * {@code WWW-Authenticate: Negotiate ...} header.
 */
public void testRequestWithAuthorization() throws Exception {
    final String clientToken = KerberosTestUtils.doAsClient(new Callable<String>() {

        @Override
        public String call() throws Exception {
            GSSManager manager = GSSManager.getInstance();
            GSSName service = manager.createName(
                    KerberosTestUtils.getServerPrincipal(),
                    KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL"));
            GSSContext context = manager.createContext(
                    service,
                    KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"),
                    null,
                    GSSContext.DEFAULT_LIFETIME);
            try {
                // The test client asks for credential delegation and mutual authentication.
                context.requestCredDeleg(true);
                context.requestMutualAuth(true);
                byte[] empty = new byte[0];
                byte[] initialToken = context.initSecContext(empty, 0, 0);
                // Line length 0: no chunking, so the value fits in a single header.
                return new Base64(0).encodeToString(initialToken);
            } finally {
                context.dispose();
            }
        }
    });

    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    String authorizationHeader = KerberosAuthenticator.NEGOTIATE + " " + clientToken;
    Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION)).thenReturn(authorizationHeader);
    Mockito.when(request.getServerName()).thenReturn("localhost");

    AuthenticationToken result = handler.authenticate(request, response);

    // Whatever the outcome, the handler must answer with a Negotiate header.
    Mockito.verify(response).setHeader(
            Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE),
            Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
    if (result == null) {
        Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return;
    }
    Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
    Assert.assertEquals(KerberosTestUtils.getClientPrincipal(), result.getName());
    Assert.assertTrue(KerberosTestUtils.getClientPrincipal().startsWith(result.getUserName()));
    Assert.assertEquals(getExpectedType(), result.getType());
}

Example 52 with GSSManager

use of org.ietf.jgss.GSSManager in project registry by hortonworks.

the class KerberosAuthenticator method doSpnegoSequence.

/**
 * Implements the SPNEGO authentication sequence interaction using the current default principal
 * in the Kerberos cache (normally set via kinit).
 *
 * @param token the authentication token being used for the user.
 *
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication error occurred.
 */
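/**
 * Implements the SPNEGO authentication sequence interaction using the current default principal
 * in the Kerberos cache (normally set via kinit).
 * <p>
 * If the calling thread's {@link Subject} carries neither Kerberos keys nor tickets, a fresh
 * JAAS login is performed with {@link KerberosConfiguration} first. The GSS exchange then runs
 * under {@link Subject#doAs}: tokens are pushed to the server with {@code sendToken} and
 * replies pulled back with {@code readToken} until the context reports it is established.
 * Note that the context is created with credential delegation requested, so a successful
 * exchange may forward the client's Kerberos credentials to the server (subject to the
 * ticket's forwardable flag and KDC policy). Finally the authentication token is extracted
 * from the connection into {@code token}.
 *
 * @param token the authentication token being used for the user.
 *
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication error occurred.
 */
private void doSpnegoSequence(AuthenticatedURL.Token token) throws IOException, AuthenticationException {
    try {
        AccessControlContext context = AccessController.getContext();
        Subject subject = Subject.getSubject(context);
        if (subject == null || (subject.getPrivateCredentials(KerberosKey.class).isEmpty() && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
            LOG.debug("No subject in context, logging in");
            subject = new Subject();
            LoginContext login = new LoginContext("", subject, null, new KerberosConfiguration());
            login.login();
        }
        if (LOG.isDebugEnabled()) {
            // Log only the principals. Subject.toString() also renders the private credential
            // set, which for Kerberos can include ticket and session-key material that must
            // not end up in log files.
            LOG.debug("Using subject with principals: " + subject.getPrincipals());
        }
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

            @Override
            public Void run() throws Exception {
                GSSContext gssContext = null;
                try {
                    GSSManager gssManager = GSSManager.getInstance();
                    String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", KerberosAuthenticator.this.url.getHost());
                    Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
                    GSSName serviceName = gssManager.createName(servicePrincipal, oid);
                    oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
                    gssContext = gssManager.createContext(serviceName, oid, null, GSSContext.DEFAULT_LIFETIME);
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);
                    byte[] inToken = new byte[0];
                    byte[] outToken;
                    boolean established = false;
                    // Loop while the context is still not established. Each round sends the
                    // token produced by initSecContext (if any) and, unless the context is now
                    // established, reads the server's reply as input for the next round.
                    while (!established) {
                        outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                        if (outToken != null) {
                            sendToken(outToken);
                        }
                        if (!gssContext.isEstablished()) {
                            inToken = readToken();
                        } else {
                            established = true;
                        }
                    }
                } finally {
                    if (gssContext != null) {
                        gssContext.dispose();
                    }
                }
                return null;
            }
        });
    } catch (PrivilegedActionException ex) {
        // Unwrap the checked exception thrown inside run(); the wrapper itself carries no information.
        throw new AuthenticationException(ex.getException());
    } catch (LoginException ex) {
        throw new AuthenticationException(ex);
    }
    AuthenticatedURL.extractToken(conn, token);
}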

Example 53 with GSSManager

use of org.ietf.jgss.GSSManager in project wildfly by wildfly.

the class Utils method createKerberosTicketForServer.

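/**
 * Creates Kerberos TGS ticket for given user to access given server.
 * <p>
 * Performs a JAAS Kerberos login with the given user/password under a temporary
 * {@link Krb5LoginConfiguration}, then, as the resulting subject, runs the first step of a
 * GSS exchange against {@code serverName} and returns the initial token produced by
 * {@link GSSContext#initSecContext}. The context is created with mutual authentication and
 * credential delegation requested. The login context is logged out and the previous JAAS
 * configuration restored before returning, whether or not the exchange succeeded.
 *
 * @param user login name used for the Kerberos login
 * @param pass password for {@code user}
 * @param serverName GSS name of the target service; canonicalized to the Kerberos v5 mechanism
 * @return the client's initial GSS token for {@code serverName}
 * @throws MalformedURLException if the login configuration cannot be built
 * @throws LoginException if the Kerberos login fails
 * @throws PrivilegedActionException if the GSS exchange throws inside {@link Subject#doAs}
 * @throws NullPointerException if {@code serverName} is {@code null}
 */
public static byte[] createKerberosTicketForServer(final String user, final String pass, final GSSName serverName) throws MalformedURLException, LoginException, PrivilegedActionException {
    Objects.requireNonNull(serverName);
    final Krb5LoginConfiguration krb5Configuration = new Krb5LoginConfiguration(getLoginConfiguration());
    try {
        Configuration.setConfiguration(krb5Configuration);
        final LoginContext lc = loginWithKerberos(krb5Configuration, user, pass);
        try {
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<byte[]>() {

                public byte[] run() throws Exception {
                    final GSSManager manager = GSSManager.getInstance();
                    final Oid oid = new Oid(OID_KERBEROS_V5);
                    final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, null, 60);
                    try {
                        gssContext.requestMutualAuth(true);
                        gssContext.requestCredDeleg(true);
                        return gssContext.initSecContext(new byte[0], 0, 0);
                    } finally {
                        // The returned token is a plain byte array that does not depend on the
                        // context, so the context can be released right away.
                        gssContext.dispose();
                    }
                }
            });
        } finally {
            lc.logout();
        }
    } finally {
        // Restore the JAAS configuration that was in place before this call.
        krb5Configuration.resetConfiguration();
    }
}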

Example 54 with GSSManager

use of org.ietf.jgss.GSSManager in project tomee by apache.

the class KerberosAuthenticationFilter method createGSSContext.

/**
 * Builds an acceptor-side GSS context for this filter's service principal.
 * <p>
 * The mechanism is the Kerberos OID when the message context's
 * {@code PROPERTY_USE_KERBEROS_OID} property is true, otherwise the SPNEGO OID. The service
 * name is taken from {@code getCompleteServicePrincipalName()} and canonicalized to that
 * mechanism before the context is created with the default lifetime.
 *
 * @return a new, not yet established GSS context
 * @throws GSSException if the OID, name or context cannot be created
 */
protected GSSContext createGSSContext() throws GSSException {
    final Oid mechanism = new Oid(
            PropertyUtils.isTrue(messageContext.getContextualProperty(PROPERTY_USE_KERBEROS_OID))
                    ? KERBEROS_OID
                    : SPNEGO_OID);
    final GSSManager manager = GSSManager.getInstance();
    final GSSName canonicalService = manager
            .createName(getCompleteServicePrincipalName(), null)
            .canonicalize(mechanism);
    return manager.createContext(canonicalService, mechanism, null, GSSContext.DEFAULT_LIFETIME);
}

Example 55 with GSSManager

use of org.ietf.jgss.GSSManager in project calcite-avatica by apache.

the class PropertyBasedSpnegoLoginService method login.

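/**
 * Authenticates a client from the Base64 SPNEGO/Kerberos token it sent in its
 * {@code Negotiate} header.
 * <p>
 * The token is accepted with a server credential for {@code serverPrincipal} that allows both
 * the Kerberos and SPNEGO mechanisms (see the CALCITE-1922 note below). A single HTTP request
 * carries exactly one client token, so exactly one {@code acceptSecContext} round is run; if
 * the context is not established after it, authentication fails. On success the client
 * principal name becomes the identity and the realm part (after {@code '@'}; the whole name
 * if there is none) becomes its only role. The token returned by the acceptor, if any, is
 * stored in the principal for the mutual-authentication reply.
 *
 * @param username ignored; the identity is taken from the GSS context
 * @param credentials the Base64-encoded client token, as a {@link String}
 * @param request the servlet request (unused here)
 * @return the authenticated identity, or {@code null} if authentication failed
 */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
        GSSName gssName = manager.createName(serverPrincipal, null);
        // CALCITE-1922 Providing both OIDs is the bug in Jetty we're working around. By specifying
        // only one, we're requiring that clients *must* provide us the SPNEGO OID to authenticate
        // via Kerberos which is wrong. Best as I can tell, the SPNEGO OID is meant as another
        // layer of indirection (essentially is equivalent to setting the Kerberos OID).
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, new Oid[] { krb5Oid, spnegoOid }, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
            return null;
        }
        try {
            // Only one accept round is possible: there is no way to obtain a second client
            // token inside this call. Looping here and feeding the acceptor's own output token
            // back into acceptSecContext would never establish the context and could spin, or
            // dereference a null output token.
            authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            if (!gContext.isEstablished()) {
                LOG.debug("SpnegoUserRealm: security context not established after the client token");
                return null;
            }
            String clientName = gContext.getSrcName().toString();
            // Realm as role; indexOf yields -1 when there is no '@', so the whole name is used.
            String role = clientName.substring(clientName.indexOf('@') + 1);
            LOG.debug("SpnegoUserRealm: established a security context");
            LOG.debug("Client Principal is: {}", gContext.getSrcName());
            LOG.debug("Server Principal is: {}", gContext.getTargName());
            LOG.debug("Client Default Role: {}", role);
            SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
            Subject subject = new Subject();
            subject.getPrincipals().add(user);
            return _identityService.newUserIdentity(subject, user, new String[] { role });
        } finally {
            // Release the per-request context; everything needed was copied out above.
            gContext.dispose();
        }
    } catch (GSSException gsse) {
        LOG.warn("Caught GSSException trying to authenticate the client", gsse);
    }
    return null;
}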
