use of org.ietf.jgss.GSSManager in project drill by apache.
the class TestDrillSpnegoAuthenticator method testSpnegoLoginInvalidToken.
/**
* Test to verify authentication fails when client sends invalid SPNEGO token for the
* {@link WebServerConstants#SPENGO_LOGIN_RESOURCE_PATH} resource.
*/
@Test
public void testSpnegoLoginInvalidToken() throws Exception {
final HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
final HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
final HttpSession session = Mockito.mock(HttpSession.class);
// Create client subject using it's principal and keytab
final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(spnegoHelper.CLIENT_PRINCIPAL, spnegoHelper.clientKeytab.getAbsoluteFile());
// Generate a SPNEGO token for the peer SERVER_PRINCIPAL from this CLIENT_PRINCIPAL
final String token = Subject.doAs(clientSubject, (PrivilegedExceptionAction<String>) () -> {
final GSSManager gssManager = GSSManager.getInstance();
GSSContext gssContext = null;
try {
final Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID;
final GSSName serviceName = gssManager.createName(spnegoHelper.SERVER_PRINCIPAL, GSSName.NT_USER_NAME, oid);
gssContext = gssManager.createContext(serviceName, oid, null, GSSContext.DEFAULT_LIFETIME);
gssContext.requestCredDeleg(true);
gssContext.requestMutualAuth(true);
byte[] outToken = new byte[0];
outToken = gssContext.initSecContext(outToken, 0, outToken.length);
return Base64.encodeBase64String(outToken);
} finally {
if (gssContext != null) {
gssContext.dispose();
}
}
});
Mockito.when(request.getSession(true)).thenReturn(session);
final String httpReqAuthHeader = String.format("%s:%s", HttpHeader.NEGOTIATE.asString(), String.format("%s%s", "1234", token));
Mockito.when(request.getHeader(HttpHeader.AUTHORIZATION.asString())).thenReturn(httpReqAuthHeader);
Mockito.when(request.getRequestURI()).thenReturn(WebServerConstants.SPENGO_LOGIN_RESOURCE_PATH);
assertEquals(spnegoAuthenticator.validateRequest(request, response, false), Authentication.UNAUTHENTICATED);
verify(session, never()).setAttribute(SessionAuthentication.__J_AUTHENTICATED, null);
verify(response, never()).sendError(401);
verify(response, never()).setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
}
use of org.ietf.jgss.GSSManager in project drill by apache.
the class DrillSpnegoLoginService method spnegoLogin.
private UserIdentity spnegoLogin(Object credentials, ServletRequest request) {
String encodedAuthToken = (String) credentials;
byte[] authToken = B64Code.decode(encodedAuthToken);
GSSManager manager = GSSManager.getInstance();
try {
// Providing both OID's is required here. If we provide only one,
// we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
Oid[] knownOids = new Oid[2];
// spnego
knownOids[0] = new Oid("1.3.6.1.5.5.2");
// kerberos
knownOids[1] = new Oid("1.2.840.113554.1.2.2");
GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, knownOids, GSSCredential.ACCEPT_ONLY);
GSSContext gContext = manager.createContext(serverCreds);
if (gContext == null) {
logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
} else {
while (!gContext.isEstablished()) {
authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
}
if (gContext.isEstablished()) {
final String clientName = gContext.getSrcName().toString();
final String realm = clientName.substring(clientName.indexOf(64) + 1);
// Get the client user short name
final String userShortName = new HadoopKerberosName(clientName).getShortName();
logger.info("WebUser {} logged in from {}:{}", userShortName, request.getRemoteHost(), request.getRemotePort());
logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName);
final SystemOptionManager sysOptions = drillContext.getOptionManager();
final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName, ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions), ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));
final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
final Subject subject = new Subject();
subject.getPrincipals().add(user);
if (isAdmin) {
return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.ADMIN_USER_ROLES);
} else {
return this._identityService.newUserIdentity(subject, user, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
}
}
}
} catch (GSSException gsse) {
logger.warn("Caught GSSException trying to authenticate the client", gsse);
} catch (IOException ex) {
logger.warn("Caught IOException trying to get shortName of client user", ex);
}
return null;
}
Aggregations