use of org.ietf.jgss.GSSManager in project registry by hortonworks.
the class TestKerberosAuthenticationHandler method testRequestWithAuthorization.
public void testRequestWithAuthorization() throws Exception {
String token = KerberosTestUtils.doAsClient(new Callable<String>() {
@Override
public String call() throws Exception {
GSSManager gssManager = GSSManager.getInstance();
GSSContext gssContext = null;
try {
String servicePrincipal = KerberosTestUtils.getServerPrincipal();
Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
GSSName serviceName = gssManager.createName(servicePrincipal, oid);
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
gssContext = gssManager.createContext(serviceName, oid, null, GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true);
gssContext.requestMutualAuth(true);
byte[] inToken = new byte[0];
byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
Base64 base64 = new Base64(0);
return base64.encodeToString(outToken);
} finally {
if (gssContext != null) {
gssContext.dispose();
}
}
}
});
HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
Mockito.when(request.getHeader(KerberosAuthenticator.AUTHORIZATION)).thenReturn(KerberosAuthenticator.NEGOTIATE + " " + token);
Mockito.when(request.getServerName()).thenReturn("localhost");
AuthenticationToken authToken = handler.authenticate(request, response);
if (authToken != null) {
Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE), Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
Assert.assertEquals(KerberosTestUtils.getClientPrincipal(), authToken.getName());
Assert.assertTrue(KerberosTestUtils.getClientPrincipal().startsWith(authToken.getUserName()));
Assert.assertEquals(getExpectedType(), authToken.getType());
} else {
Mockito.verify(response).setHeader(Mockito.eq(KerberosAuthenticator.WWW_AUTHENTICATE), Mockito.matches(KerberosAuthenticator.NEGOTIATE + " .*"));
Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
}
}
use of org.ietf.jgss.GSSManager in project registry by hortonworks.
the class KerberosAuthenticator method doSpnegoSequence.
/**
* Implements the SPNEGO authentication sequence interaction using the current default principal
* in the Kerberos cache (normally set via kinit).
*
* @param token the authentication token being used for the user.
*
* @throws IOException if an IO error occurred.
* @throws AuthenticationException if an authentication error occurred.
*/
private void doSpnegoSequence(AuthenticatedURL.Token token) throws IOException, AuthenticationException {
try {
AccessControlContext context = AccessController.getContext();
Subject subject = Subject.getSubject(context);
if (subject == null || (subject.getPrivateCredentials(KerberosKey.class).isEmpty() && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
LOG.debug("No subject in context, logging in");
subject = new Subject();
LoginContext login = new LoginContext("", subject, null, new KerberosConfiguration());
login.login();
}
if (LOG.isDebugEnabled()) {
LOG.debug("Using subject: " + subject);
}
Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
@Override
public Void run() throws Exception {
GSSContext gssContext = null;
try {
GSSManager gssManager = GSSManager.getInstance();
String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", KerberosAuthenticator.this.url.getHost());
Oid oid = KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL");
GSSName serviceName = gssManager.createName(servicePrincipal, oid);
oid = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
gssContext = gssManager.createContext(serviceName, oid, null, GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true);
gssContext.requestMutualAuth(true);
byte[] inToken = new byte[0];
byte[] outToken;
boolean established = false;
// Loop while the context is still not established
while (!established) {
outToken = gssContext.initSecContext(inToken, 0, inToken.length);
if (outToken != null) {
sendToken(outToken);
}
if (!gssContext.isEstablished()) {
inToken = readToken();
} else {
established = true;
}
}
} finally {
if (gssContext != null) {
gssContext.dispose();
}
}
return null;
}
});
} catch (PrivilegedActionException ex) {
throw new AuthenticationException(ex.getException());
} catch (LoginException ex) {
throw new AuthenticationException(ex);
}
AuthenticatedURL.extractToken(conn, token);
}
use of org.ietf.jgss.GSSManager in project wildfly by wildfly.
the class Utils method createKerberosTicketForServer.
/**
* Creates Kerberos TGS ticket for given user to access given server.
*
* @param user
* @param pass
* @param serverName
* @return
*/
public static byte[] createKerberosTicketForServer(final String user, final String pass, final GSSName serverName) throws MalformedURLException, LoginException, PrivilegedActionException {
Objects.requireNonNull(serverName);
final Krb5LoginConfiguration krb5Configuration = new Krb5LoginConfiguration(getLoginConfiguration());
try {
Configuration.setConfiguration(krb5Configuration);
final LoginContext lc = loginWithKerberos(krb5Configuration, user, pass);
try {
return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<byte[]>() {
public byte[] run() throws Exception {
final GSSManager manager = GSSManager.getInstance();
final Oid oid = new Oid(OID_KERBEROS_V5);
final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, null, 60);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
return gssContext.initSecContext(new byte[0], 0, 0);
}
});
} finally {
lc.logout();
}
} finally {
krb5Configuration.resetConfiguration();
}
}
use of org.ietf.jgss.GSSManager in project tomee by apache.
the class KerberosAuthenticationFilter method createGSSContext.
protected GSSContext createGSSContext() throws GSSException {
boolean useKerberosOid = PropertyUtils.isTrue(messageContext.getContextualProperty(PROPERTY_USE_KERBEROS_OID));
Oid oid = new Oid(useKerberosOid ? KERBEROS_OID : SPNEGO_OID);
GSSManager gssManager = GSSManager.getInstance();
String spn = getCompleteServicePrincipalName();
GSSName gssService = gssManager.createName(spn, null);
return gssManager.createContext(gssService.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
}
use of org.ietf.jgss.GSSManager in project calcite-avatica by apache.
the class PropertyBasedSpnegoLoginService method login.
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
String encodedAuthToken = (String) credentials;
byte[] authToken = B64Code.decode(encodedAuthToken);
GSSManager manager = GSSManager.getInstance();
try {
// http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
GSSName gssName = manager.createName(serverPrincipal, null);
// CALCITE-1922 Providing both OIDs is the bug in Jetty we're working around. By specifying
// only one, we're requiring that clients *must* provide us the SPNEGO OID to authenticate
// via Kerberos which is wrong. Best as I can tell, the SPNEGO OID is meant as another
// layer of indirection (essentially is equivalent to setting the Kerberos OID).
GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, new Oid[] { krb5Oid, spnegoOid }, GSSCredential.ACCEPT_ONLY);
GSSContext gContext = manager.createContext(serverCreds);
if (gContext == null) {
LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
} else {
while (!gContext.isEstablished()) {
authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
}
if (gContext.isEstablished()) {
String clientName = gContext.getSrcName().toString();
String role = clientName.substring(clientName.indexOf('@') + 1);
LOG.debug("SpnegoUserRealm: established a security context");
LOG.debug("Client Principal is: {}", gContext.getSrcName());
LOG.debug("Server Principal is: {}", gContext.getTargName());
LOG.debug("Client Default Role: {}", role);
SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
Subject subject = new Subject();
subject.getPrincipals().add(user);
return _identityService.newUserIdentity(subject, user, new String[] { role });
}
}
} catch (GSSException gsse) {
LOG.warn("Caught GSSException trying to authenticate the client", gsse);
}
return null;
}
Aggregations