Search in sources :

Example 66 with GSSManager

use of org.ietf.jgss.GSSManager in project drill by apache.

the class TestDrillSpnegoAuthenticator method testSpnegoLoginInvalidToken.

/**
 * Test to verify authentication fails when client sends invalid SPNEGO token for the
 * {@link WebServerConstants#SPENGO_LOGIN_RESOURCE_PATH} resource.
 */
@Test
public void testSpnegoLoginInvalidToken() throws Exception {
    final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
    final HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    final HttpSession session = Mockito.mock(HttpSession.class);
    // Create client subject using it's principal and keytab
    final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(spnegoHelper.CLIENT_PRINCIPAL, spnegoHelper.clientKeytab.getAbsoluteFile());
    // Generate a SPNEGO token for the peer SERVER_PRINCIPAL from this CLIENT_PRINCIPAL
    final String token = Subject.doAs(clientSubject, (PrivilegedExceptionAction<String>) () -> {
        final GSSManager gssManager = GSSManager.getInstance();
        GSSContext gssContext = null;
        try {
            final Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID;
            final GSSName serviceName = gssManager.createName(spnegoHelper.SERVER_PRINCIPAL, GSSName.NT_USER_NAME, oid);
            gssContext = gssManager.createContext(serviceName, oid, null, GSSContext.DEFAULT_LIFETIME);
            gssContext.requestCredDeleg(true);
            gssContext.requestMutualAuth(true);
            byte[] outToken = new byte[0];
            outToken = gssContext.initSecContext(outToken, 0, outToken.length);
            return Base64.encodeBase64String(outToken);
        } finally {
            if (gssContext != null) {
                gssContext.dispose();
            }
        }
    });
    Mockito.when(request.getSession(true)).thenReturn(session);
    final String httpReqAuthHeader = String.format("%s:%s", HttpHeader.NEGOTIATE.asString(), String.format("%s%s", "1234", token));
    Mockito.when(request.getHeader(HttpHeader.AUTHORIZATION.asString())).thenReturn(httpReqAuthHeader);
    Mockito.when(request.getRequestURI()).thenReturn(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
    assertEquals(spnegoAuthenticator.validateRequest(request, response, false), Authentication.UNAUTHENTICATED);
    verify(session, never()).setAttribute(SessionAuthentication.__J_AUTHENTICATED, null);
    verify(response, never()).sendError(401);
    verify(response, never()).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) GSSName(org.ietf.jgss.GSSName) HttpSession(javax.servlet.http.HttpSession) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) HttpServletResponse(javax.servlet.http.HttpServletResponse) Oid(org.ietf.jgss.Oid) Subject(javax.security.auth.Subject) BaseTest(org.apache.drill.test.BaseTest) SecurityTest(org.apache.drill.categories.SecurityTest) Test(org.junit.Test)

Example 67 with GSSManager

use of org.ietf.jgss.GSSManager in project drill by apache.

the class DrillSpnegoLoginService method spnegoLogin.

private UserIdentity spnegoLogin(Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    try {
        // Providing both OID's is required here. If we provide only one,
        // we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
        Oid[] knownOids = new Oid[2];
        // spnego
        knownOids[0] = new Oid("1.3.6.1.5.5.2");
        // kerberos
        knownOids[1] = new Oid("1.2.840.113554.1.2.2");
        GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, knownOids, GSSCredential.ACCEPT_ONLY);
        GSSContext gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
        } else {
            while (!gContext.isEstablished()) {
                authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
            }
            if (gContext.isEstablished()) {
                final String clientName = gContext.getSrcName().toString();
                final String realm = clientName.substring(clientName.indexOf(64) + 1);
                // Get the client user short name
                final String userShortName = new HadoopKerberosName(clientName).getShortName();
                logger.info("WebUser {} logged in from {}:{}", userShortName, request.getRemoteHost(), request.getRemotePort());
                logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName);
                final SystemOptionManager sysOptions = drillContext.getOptionManager();
                final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName, ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions), ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));
                final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
                final Subject subject = new Subject();
                subject.getPrincipals().add(user);
                if (isAdmin) {
                    return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.ADMIN_USER_ROLES);
                } else {
                    return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
                }
            }
        }
    } catch (GSSException gsse) {
        logger.warn("Caught GSSException trying to authenticate the client", gsse);
    } catch (IOException ex) {
        logger.warn("Caught IOException trying to get shortName of client user", ex);
    }
    return null;
}
Also used : GSSName(org.ietf.jgss.GSSName) HadoopKerberosName(org.apache.hadoop.security.HadoopKerberosName) SystemOptionManager(org.apache.drill.exec.server.options.SystemOptionManager) Oid(org.ietf.jgss.Oid) IOException(java.io.IOException) Subject(javax.security.auth.Subject) GSSException(org.ietf.jgss.GSSException) GSSCredential(org.ietf.jgss.GSSCredential) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Principal(java.security.Principal)

Aggregations

GSSManager (org.ietf.jgss.GSSManager)67 GSSName (org.ietf.jgss.GSSName)56 Oid (org.ietf.jgss.Oid)51 GSSContext (org.ietf.jgss.GSSContext)38 GSSCredential (org.ietf.jgss.GSSCredential)38 GSSException (org.ietf.jgss.GSSException)34 Subject (javax.security.auth.Subject)29 PrivilegedActionException (java.security.PrivilegedActionException)19 Principal (java.security.Principal)17 IOException (java.io.IOException)10 LoginContext (javax.security.auth.login.LoginContext)10 LoginException (javax.security.auth.login.LoginException)10 Test (org.junit.Test)9 KerberosTicket (javax.security.auth.kerberos.KerberosTicket)7 KerberosCredentials (org.apache.http.auth.KerberosCredentials)7 SaslException (javax.security.sasl.SaslException)6 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)5 KerberosPrincipal (javax.security.auth.kerberos.KerberosPrincipal)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 HttpServletResponse (javax.servlet.http.HttpServletResponse)4