
Example 26 with GSSManager

use of org.ietf.jgss.GSSManager in project wildfly by wildfly.

the class Utils method createKerberosTicketForServer.

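/**
 * Creates a Kerberos TGS ticket for the given user to access the given server.
 *
 * <p>The method temporarily installs a Kerberos JAAS configuration process-wide, logs the user in,
 * and, as that subject, initiates a GSS-API context against {@code serverName} under the Kerberos v5
 * mechanism. The returned bytes are the first initiator token produced by
 * {@link GSSContext#initSecContext(byte[], int, int)}, which for Kerberos carries the service ticket.
 * Mutual authentication and credential delegation are requested on the context; delegation forwards
 * the user's credentials to the server, so the resulting token should only be sent to a trusted service.
 *
 * @param user the Kerberos principal (user name) to log in as
 * @param pass the password of {@code user}
 * @param serverName the target service name; it is canonicalized to the Kerberos v5 mechanism
 * @return the initial GSS-API context token for {@code serverName}
 * @throws MalformedURLException if the login configuration cannot be located
 * @throws LoginException if the Kerberos login fails
 * @throws PrivilegedActionException if the GSS-API context cannot be created or initialized
 * @throws NullPointerException if {@code serverName} is {@code null}
 */
public static byte[] createKerberosTicketForServer(final String user, final String pass, final GSSName serverName) throws MalformedURLException, LoginException, PrivilegedActionException {
    Objects.requireNonNull(serverName, "serverName");
    final Krb5LoginConfiguration krb5Configuration = new Krb5LoginConfiguration(getLoginConfiguration());
    try {
        // Configuration.setConfiguration is JVM-wide; the outer finally restores the previous one.
        Configuration.setConfiguration(krb5Configuration);
        final LoginContext lc = loginWithKerberos(krb5Configuration, user, pass);
        try {
            return Subject.doAs(lc.getSubject(), new PrivilegedExceptionAction<byte[]>() {

                @Override
                public byte[] run() throws Exception {
                    final GSSManager manager = GSSManager.getInstance();
                    final Oid oid = new Oid(OID_KERBEROS_V5);
                    // Lifetime of 60 seconds is enough for a single ticket request in this helper.
                    final GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, null, 60);
                    try {
                        gssContext.requestMutualAuth(true);
                        gssContext.requestCredDeleg(true);
                        // No server challenge yet: the first leg takes an empty input token.
                        return gssContext.initSecContext(new byte[0], 0, 0);
                    } finally {
                        // Release the native/provider context state even when initSecContext fails.
                        gssContext.dispose();
                    }
                }
            });
        } finally {
            lc.logout();
        }
    } finally {
        krb5Configuration.resetConfiguration();
    }
}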
Also used : LoginContext(javax.security.auth.login.LoginContext) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) Oid(org.ietf.jgss.Oid) LoginException(javax.security.auth.login.LoginException) ProtocolException(org.apache.http.ProtocolException) URISyntaxException(java.net.URISyntaxException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) PrivilegedActionException(java.security.PrivilegedActionException) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) UnknownHostException(java.net.UnknownHostException)

Example 27 with GSSManager

use of org.ietf.jgss.GSSManager in project ats-framework by Axway.

the class GGSSchemeBase method generateGSSToken.

/**
 * Produces the next GSS-API token for the configured service principal under the given mechanism.
 *
 * @param input the server challenge, or {@code null} for the first leg of the exchange
 * @param oid the GSS-API mechanism to negotiate with
 * @return the token to send back to the server, as returned by the GSS client
 * @throws GSSException if the name or context cannot be created or negotiation fails
 */
protected byte[] generateGSSToken(final byte[] input, final Oid oid) throws GSSException {
    // A missing challenge is treated as an empty one so the first leg of the handshake can start.
    final byte[] challenge = (input == null) ? new byte[0] : input;
    final GSSManager manager = getManager();
    final GSSName target = manager.createName(servicePrincipalName, servicePrincipalOid);
    final GSSContext context = manager.createContext(target.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
    context.requestMutualAuth(true);
    // Delegation forwards the client's credentials to the service; this matches the original behavior.
    context.requestCredDeleg(true);
    // Get client to login if not already done
    return gssClient.negotiate(context, challenge);
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext)

Example 28 with GSSManager

use of org.ietf.jgss.GSSManager in project async-http-client by AsyncHttpClient.

the class SpnegoEngine method generateToken.

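/**
 * Generates the initial SPNEGO (or, on fallback, Kerberos v5) token for {@code HTTP@server} and
 * returns it Base64-encoded, ready to be sent to the server.
 *
 * <p>SPNEGO is tried first; if the provider rejects the mechanism ({@link GSSException#BAD_MECH})
 * the exchange is retried with the Kerberos v5 mechanism, and the Kerberos token is wrapped into a
 * SPNEGO token when a {@code spnegoGenerator} is configured. The GSS context is always disposed
 * before returning or throwing.
 *
 * @param server host name of the target HTTP service; the service principal is {@code HTTP@server}
 * @return the Base64-encoded initiator token
 * @throws SpnegoEngineException if the context cannot be established, the credentials are missing,
 *         expired or defective, the token is rejected, or the token cannot be produced or wrapped
 */
public String generateToken(String server) throws SpnegoEngineException {
    GSSContext gssContext = null;
    try {
        log.debug("init {}", server);
        /*
         * Using the SPNEGO OID is the correct method. Kerberos v5 works for IIS but not JBoss. Unwrapping the initial token when using SPNEGO OID looks like what is described
         * here...
         *
         * http://msdn.microsoft.com/en-us/library/ms995330.aspx
         *
         * Another helpful URL...
         *
         * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
         *
         * Unfortunately SPNEGO is JRE >=1.6.
         */
        // Try SPNEGO by default, fall back to Kerberos only when the provider does not know the mechanism.
        Oid negotiationOid = new Oid(SPNEGO_OID);
        try {
            gssContext = createContext(server, negotiationOid);
        } catch (GSSException ex) {
            // Rethrow any other exception; only BAD_MECH means "no SPNEGO mechanism available".
            if (ex.getMajor() != GSSException.BAD_MECH) {
                throw ex;
            }
            log.debug("GSSException BAD_MECH, retry with Kerberos MECH", ex);
            /* Kerberos v5 GSS-API mechanism defined in RFC 1964. */
            log.debug("Using Kerberos MECH {}", KERBEROS_OID);
            negotiationOid = new Oid(KERBEROS_OID);
            gssContext = createContext(server, negotiationOid);
        }
        // First leg of the exchange: there is no server challenge yet, so the input token is empty.
        byte[] token = gssContext.initSecContext(new byte[0], 0, 0);
        if (token == null) {
            throw new SpnegoEngineException("GSS security context initialization failed");
        }
        /*
         * IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish? seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
         */
        if (spnegoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
            token = spnegoGenerator.generateSpnegoDERObject(token);
        }
        String tokenstr = Base64.encode(token);
        // The token is an authenticator for this session; keep this at debug level only.
        log.debug("Sending response '{}' back to the server", tokenstr);
        return tokenstr;
    } catch (GSSException gsse) {
        log.error("generateToken", gsse);
        // Credential (DEFECTIVE_CREDENTIAL, CREDENTIALS_EXPIRED, NO_CRED), token (DEFECTIVE_TOKEN,
        // DUPLICATE_TOKEN, OLD_TOKEN) and all other failures are reported the same way; the cause
        // is kept so callers can still inspect the GSS major/minor codes.
        throw new SpnegoEngineException(gsse.getMessage(), gsse);
    } catch (IOException ex) {
        throw new SpnegoEngineException(ex.getMessage(), ex);
    } finally {
        // Release provider state on every path, not only after a successful exchange.
        disposeQuietly(gssContext);
    }
}

/**
 * Creates an initiator context for {@code HTTP@server} under {@code mechOid}, requesting mutual
 * authentication and credential delegation (delegation forwards the client's credentials to the server).
 *
 * @param server host name of the target HTTP service
 * @param mechOid the GSS-API mechanism to use
 * @return a fresh, not yet established context
 * @throws GSSException if the name or context cannot be created, e.g. {@link GSSException#BAD_MECH}
 */
private GSSContext createContext(String server, Oid mechOid) throws GSSException {
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
    GSSContext context = manager.createContext(serverName.canonicalize(mechOid), mechOid, null, GSSContext.DEFAULT_LIFETIME);
    context.requestMutualAuth(true);
    context.requestCredDeleg(true);
    return context;
}

/**
 * Disposes a context, ignoring a {@code null} context and logging (not propagating) disposal errors
 * so that cleanup never masks the real outcome of {@link #generateToken(String)}.
 *
 * @param context the context to dispose, may be {@code null}
 */
private void disposeQuietly(GSSContext context) {
    if (context == null) {
        return;
    }
    try {
        context.dispose();
    } catch (GSSException ignored) {
        log.debug("dispose", ignored);
    }
}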
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSContext(org.ietf.jgss.GSSContext) GSSManager(org.ietf.jgss.GSSManager) Oid(org.ietf.jgss.Oid) IOException(java.io.IOException)

Example 29 with GSSManager

use of org.ietf.jgss.GSSManager in project jdk8u_jdk by JetBrains.

the class GssMemoryIssues method main.

/**
 * Regression driver: exports a user name, corrupts the length field of the exported form so that it
 * claims far more bytes than are present, and re-imports it. The import is expected to fail with a
 * {@link GSSException}, which is printed; the point of the test is presumably that the parser rejects
 * the bogus length instead of trying to honor it.
 *
 * @param argv ignored
 * @throws Exception on any unexpected failure
 */
public static void main(String[] argv) throws Exception {
    final GSSManager manager = GSSManager.getInstance();
    final String principal = "me@REALM";
    final GSSName name = manager.createName(principal, GSSName.NT_USER_NAME);
    final byte[] exported = name.export();
    // The exported name ends with a 4-byte big-endian length followed by the name bytes,
    // so the length field starts 4 bytes before the name itself.
    final int lengthFieldOffset = exported.length - principal.length() - 4;
    // Overwrite the most significant length byte so the declared length far exceeds the buffer.
    exported[lengthFieldOffset] = 0x7f;
    try {
        manager.createName(exported, GSSName.NT_EXPORT_NAME);
    } catch (GSSException gsse) {
        System.out.println(gsse);
    }
}
Also used : GSSName(org.ietf.jgss.GSSName) GSSException(org.ietf.jgss.GSSException) GSSManager(org.ietf.jgss.GSSManager)

Example 30 with GSSManager

use of org.ietf.jgss.GSSManager in project jdk8u_jdk by JetBrains.

the class KrbCredSubKey method main.

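/**
 * Test driver: writes a minimal krb5.conf, builds an acceptor subject from the class's principal and
 * long-term key, and accepts the class's pre-built token under that subject.
 *
 * @param args ignored
 * @throws Exception if writing the configuration or accepting the token fails
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference, so the generated krb5.conf allows an enormous clock skew.
    // try-with-resources closes the stream the original left open; the content is ASCII so the
    // explicit charset yields the same bytes as the platform default did.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes("UTF-8"));
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();
    // The acceptor subject carries only the service principal and its AES128 key.
    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);
    Subject.doAs(subj, new PrivilegedExceptionAction<byte[]>() {

        @Override
        public byte[] run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            GSSContext ctxt = man.createContext(man.createCredential(null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            try {
                // `token` is supplied by the enclosing class; a rejected token surfaces as GSSException.
                return ctxt.acceptSecContext(token, 0, token.length);
            } finally {
                ctxt.dispose();
            }
        }
    });
}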
Also used : KerberosPrincipal(javax.security.auth.kerberos.KerberosPrincipal) KerberosKey(javax.security.auth.kerberos.KerberosKey) FileOutputStream(java.io.FileOutputStream) GSSManager(org.ietf.jgss.GSSManager) GSSContext(org.ietf.jgss.GSSContext) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) Subject(javax.security.auth.Subject)
