use of org.ietf.jgss.GSSName in project jdk8u_jdk by JetBrains.
the class NegotiatorImpl method init.
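/**
 * Initializes the negotiator, which includes:<ul>
 * <li>Finding out what GSS mechanism to use: Kerberos when the HTTP
 * authentication scheme is "Kerberos", otherwise from the system property
 * <code>http.auth.preference</code> ("kerberos", or SPNEGO by default)
 * <li>Creating the GSSName for the target host, "HTTP@" + hostname
 * <li>Creating the GSSContext (requesting delegation policy when supported)
 * <li>A first call to initSecContext, whose output is kept in
 * <code>oneToken</code></ul>
 *
 * @param hci caller information; its scheme selects the mechanism and its
 *            host names the peer service
 * @throws GSSException if the name or context cannot be created, or the first
 *         initSecContext call fails
 */
private void init(HttpCallerInfo hci) throws GSSException {
    final Oid oid;
    if (hci.scheme.equalsIgnoreCase("Kerberos")) {
        // we can only use Kerberos mech when the scheme is kerberos
        oid = GSSUtil.GSS_KRB5_MECH_OID;
    } else {
        String pref = java.security.AccessController.doPrivileged(
                new java.security.PrivilegedAction<String>() {
                    public String run() {
                        return System.getProperty("http.auth.preference", "spnego");
                    }
                });
        if (pref.equalsIgnoreCase("kerberos")) {
            oid = GSSUtil.GSS_KRB5_MECH_OID;
        } else {
            // currently there is no 3rd mech we can use
            oid = GSSUtil.GSS_SPNEGO_MECH_OID;
        }
    }
    GSSManagerImpl manager = new GSSManagerImpl(new HttpCaller(hci));
    // RFC 4559 4.1 uses uppercase service name "HTTP".
    // RFC 4120 6.2.1 demands the host be lowercase.
    // Lower-case with Locale.ROOT: the JVM's default locale must not affect
    // the principal name (e.g. under a Turkish locale toLowerCase() maps 'I'
    // to a dotless i, and the ticket would be requested for a wrong host).
    String peerName = "HTTP@" + hci.host.toLowerCase(java.util.Locale.ROOT);
    GSSName serverName = manager.createName(peerName, GSSName.NT_HOSTBASED_SERVICE);
    context = manager.createContext(serverName, oid, null, GSSContext.DEFAULT_LIFETIME);
    // Always respect delegation policy in HTTP/SPNEGO.
    if (context instanceof ExtendedGSSContext) {
        ((ExtendedGSSContext) context).requestDelegPolicy(true);
    }
    oneToken = context.initSecContext(new byte[0], 0, 0);
}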
use of org.ietf.jgss.GSSName in project hbase by apache.
the class TestSpnegoHttpServer method testAllowedClient.
/**
 * A client logged in from its keytab negotiates SPNEGO with the test server
 * and must get the echoed query parameter back with HTTP 200.
 */
@Test
public void testAllowedClient() throws Exception {
    // Log the client in from the keytab and sanity-check the resulting subject
    final Subject subject = JaasKrbUtil.loginUsingKeytab(CLIENT_PRINCIPAL, clientKeytab);
    final Set<Principal> principals = subject.getPrincipals();
    assertFalse(principals.isEmpty());

    // The subject may carry several TGTs (one per encryption type); the first
    // one is expected to be for the default encryption type.
    Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
    assertFalse(tickets.isEmpty());
    assertNotNull(tickets.iterator().next());

    final String clientName = principals.iterator().next().getName();

    // Everything below runs with the client's identity
    HttpResponse response = Subject.doAs(subject, new PrivilegedExceptionAction<HttpResponse>() {
        @Override
        public HttpResponse run() throws Exception {
            // Obtain an initiate-only credential via JGSS; the Oid is the
            // Kerberos V5 GSS-API mechanism.
            GSSManager gssManager = GSSManager.getInstance();
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName clientGssName = gssManager.createName(clientName, GSSName.NT_USER_NAME);
            GSSCredential clientCredential = gssManager.createCredential(clientGssName, GSSCredential.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY);

            // Registry that only knows SPNEGO; used by both the client and the request context
            Lookup<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
                    .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true))
                    .build();
            BasicCredentialsProvider credentials = new BasicCredentialsProvider();
            credentials.setCredentials(AuthScope.ANY, new KerberosCredentials(clientCredential));

            URL target = new URL(getServerURL(server), "/echo?a=b");
            HttpClientContext httpContext = HttpClientContext.create();
            httpContext.setTargetHost(new HttpHost(target.getHost(), target.getPort()));
            httpContext.setCredentialsProvider(credentials);
            httpContext.setAuthSchemeRegistry(schemes);

            HttpClient client = HttpClients.custom().setDefaultAuthSchemeRegistry(schemes).build();
            return client.execute(new HttpGet(target.toURI()), httpContext);
        }
    });

    assertNotNull(response);
    assertEquals(HttpURLConnection.HTTP_OK, response.getStatusLine().getStatusCode());
    assertEquals("a:b", EntityUtils.toString(response.getEntity()).trim());
}
use of org.ietf.jgss.GSSName in project kafka by apache.
the class SaslServerAuthenticator method createSaslKerberosServer.
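/**
 * Creates the GSSAPI {@link SaslServer} for this authenticator, running the
 * creation under the JAAS-authenticated {@code subject}. The service name and
 * hostname are taken from the subject's first principal. When native JGSS is
 * enabled ({@code sun.security.jgss.native}), an accept-only credential for
 * that service is first added to the subject's private credentials, as the
 * JGSS documentation requires for native mechanisms.
 *
 * @param saslServerCallbackHandler callback handler handed to
 *        {@link Sasl#createSaslServer}
 * @param configs SASL properties handed to {@link Sasl#createSaslServer}
 * @return the created server
 * @throws IOException (as a {@link SaslException}) if the server cannot be created
 * @throws KafkaException if the subject has no principal or its name cannot be
 *         parsed as a Kerberos name
 */
private SaslServer createSaslKerberosServer(final AuthCallbackHandler saslServerCallbackHandler, final Map<String, ?> configs) throws IOException {
    // server is using a JAAS-authenticated subject: determine service principal name and hostname from kafka server's subject.
    Set<Principal> principals = subject.getPrincipals();
    if (principals.isEmpty()) {
        // iterator().next() would only give a bare NoSuchElementException here
        throw new KafkaException("Subject has no principal; cannot determine the Kafka service principal");
    }
    final Principal servicePrincipal = principals.iterator().next();
    KerberosName kerberosName;
    try {
        kerberosName = KerberosName.parse(servicePrincipal.getName());
    } catch (IllegalArgumentException e) {
        // keep the parse failure as the cause instead of dropping it
        throw new KafkaException("Principal has name with unexpected format " + servicePrincipal, e);
    }
    final String servicePrincipalName = kerberosName.serviceName();
    final String serviceHostname = kerberosName.hostName();
    LOG.debug("Creating SaslServer for {} with mechanism {}", kerberosName, saslMechanism);
    // As described in http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html:
    // "To enable Java GSS to delegate to the native GSS library and its list of native mechanisms,
    // set the system property "sun.security.jgss.native" to true"
    // "In addition, when performing operations as a particular Subject, for example, Subject.doAs(...)
    // or Subject.doAsPrivileged(...), the to-be-used GSSCredential should be added to Subject's
    // private credential set. Otherwise, the GSS operations will fail since no credential is found."
    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
    if (usingNativeJgss) {
        try {
            GSSManager manager = GSSManager.getInstance();
            // This Oid is used to represent the Kerberos version 5 GSS-API mechanism. It is defined in
            // RFC 1964.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
            GSSCredential cred = manager.createCredential(gssName, GSSContext.INDEFINITE_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
            subject.getPrivateCredentials().add(cred);
        } catch (GSSException ex) {
            // Best effort: the server is still created, but clients will likely fail to authenticate.
            LOG.warn("Cannot add private credential to subject; clients authentication may fail", ex);
        }
    }
    try {
        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {
            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(saslMechanism, servicePrincipalName, serviceHostname, configs, saslServerCallbackHandler);
            }
        });
    } catch (PrivilegedActionException e) {
        // unwrap: the only checked exception run() can throw is SaslException
        throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
    }
}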
use of org.ietf.jgss.GSSName in project tomcat by apache.
the class LockOutRealm method authenticate.
/**
 * {@inheritDoc}
 * <p>
 * Only an established context is accepted. Its source name (as a string) is
 * passed together with the superclass' authentication result to
 * {@code filterLockedAccounts}; if the source name cannot be read the
 * authentication fails.
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (!gssContext.isEstablished()) {
        // Fail in all other cases
        return null;
    }
    final GSSName srcName;
    try {
        srcName = gssContext.getSrcName();
    } catch (GSSException e) {
        log.warn(sm.getString("realmBase.gssNameFail"), e);
        return null;
    }
    final String username = srcName.toString();
    Principal authenticatedUser = super.authenticate(gssContext, storeCreds);
    return filterLockedAccounts(username, authenticatedUser);
}
use of org.ietf.jgss.GSSName in project tomcat by apache.
the class CombinedRealm method authenticate.
/**
 * {@inheritDoc}
 * <p>
 * Only an established context is accepted. The configured realms are tried in
 * order and the first non-null {@link Principal} wins; if no realm accepts the
 * context, or its source name cannot be read, {@code null} is returned.
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (!gssContext.isEstablished()) {
        // Fail in all other cases
        return null;
    }
    final String username;
    try {
        username = gssContext.getSrcName().toString();
    } catch (GSSException e) {
        log.warn(sm.getString("realmBase.gssNameFail"), e);
        return null;
    }
    for (Realm realm : realms) {
        String realmName = realm.getClass().getName();
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("combinedRealm.authStart", username, realmName));
        }
        Principal authenticatedUser = realm.authenticate(gssContext, storeCreds);
        if (authenticatedUser != null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("combinedRealm.authSuccess", username, realmName));
            }
            return authenticatedUser;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("combinedRealm.authFail", username, realmName));
        }
    }
    // No realm accepted the context
    return null;
}