
Example 21 with GSSName

use of org.ietf.jgss.GSSName in project zookeeper by apache.

the class ZooKeeperSaslServer method createSaslServer.

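/**
 * Builds the {@link SaslServer} used to authenticate a connecting client.
 *
 * <p>When {@code login} carries a JAAS-authenticated {@link Subject} with at least one
 * principal, the first principal's name is parsed as {@code service/host@REALM} (or
 * {@code user@REALM}) to derive the SASL service name and hostname, and a GSSAPI server
 * is created inside {@link Subject#doAs}. When the subject has no principals a
 * DIGEST-MD5 server is created instead.
 *
 * @param login the login whose subject and callback handler are used; it is locked for
 *        the duration of the call
 * @return the created server, or {@code null} if creation failed (every failure path is
 *         logged before returning)
 */
private SaslServer createSaslServer(final Login login) {
    synchronized (login) {
        Subject subject = login.getSubject();
        if (subject != null) {
            // server is using a JAAS-authenticated subject: determine service principal name and hostname from zk server's subject.
            if (subject.getPrincipals().size() > 0) {
                try {
                    // NOTE(review): the first principal is assumed to be the service principal; whether
                    // getPrincipals() keeps the login module's insertion order is not visible here — confirm.
                    final Object[] principals = subject.getPrincipals().toArray();
                    final Principal servicePrincipal = (Principal) principals[0];
                    // e.g. servicePrincipalNameAndHostname := "zookeeper/myhost.foo.com@FOO.COM"
                    final String servicePrincipalNameAndHostname = servicePrincipal.getName();
                    int indexOf = servicePrincipalNameAndHostname.indexOf("/");
                    // e.g. serviceHostnameAndKerbDomain := "myhost.foo.com@FOO.COM"
                    // (the whole name when there is no '/', since indexOf is then -1)
                    final String serviceHostnameAndKerbDomain = servicePrincipalNameAndHostname.substring(indexOf + 1);
                    int indexOfAt = serviceHostnameAndKerbDomain.indexOf("@");
                    // Handle Kerberos Service as well as User Principal Names.
                    // A name without '@' makes substring(0, -1) throw; that is caught below as an
                    // IndexOutOfBoundsException and reported as a principal determination error.
                    final String servicePrincipalName, serviceHostname;
                    if (indexOf > 0) {
                        // e.g. servicePrincipalName := "zookeeper"
                        servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOf);
                        // e.g. serviceHostname := "myhost.foo.com"
                        serviceHostname = serviceHostnameAndKerbDomain.substring(0, indexOfAt);
                    } else {
                        servicePrincipalName = servicePrincipalNameAndHostname.substring(0, indexOfAt);
                        serviceHostname = null;
                    }
                    // TODO: should depend on zoo.cfg specified mechs, but if subject is non-null, it can be assumed to be GSSAPI.
                    final String mech = "GSSAPI";
                    LOG.debug("serviceHostname is '" + serviceHostname + "'");
                    LOG.debug("servicePrincipalName is '" + servicePrincipalName + "'");
                    LOG.debug("SASL mechanism(mech) is '" + mech + "'");
                    boolean usingNativeJgss = Boolean.getBoolean("sun.security.jgss.native");
                    if (usingNativeJgss) {
                        // With the native JGSS provider the acceptor credential is not picked up from the
                        // JAAS subject automatically, so an ACCEPT_ONLY credential for the service name is
                        // created explicitly and attached to the subject's private credentials.
                        try {
                            GSSManager manager = GSSManager.getInstance();
                            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
                            GSSName gssName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
                            // GSSCredential.DEFAULT_LIFETIME is the constant meant for credentials
                            // (same value as the GSSContext one that was used before).
                            GSSCredential cred = manager.createCredential(gssName, GSSCredential.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.ACCEPT_ONLY);
                            subject.getPrivateCredentials().add(cred);
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Added private credential to subject: " + cred);
                            }
                        } catch (GSSException ex) {
                            LOG.warn("Cannot add private credential to subject; " + "clients authentication may fail", ex);
                        }
                    }
                    try {
                        return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {

                            public SaslServer run() {
                                try {
                                    return Sasl.createSaslServer(mech, servicePrincipalName, serviceHostname, null, login.callbackHandler);
                                } catch (SaslException e) {
                                    // Pass the throwable to the logger so the stack trace lands in the
                                    // log instead of on stderr via printStackTrace().
                                    LOG.error("Zookeeper Server failed to create a SaslServer to interact with a client during session initiation", e);
                                    return null;
                                }
                            }
                        });
                    } catch (PrivilegedActionException e) {
                        // TODO: exit server at this point(?)
                        // run() above declares no checked exception, so this is only reachable through
                        // doAs itself; the wrapped cause is part of the logged throwable.
                        LOG.error("Zookeeper Quorum member experienced a PrivilegedActionException exception while creating a SaslServer using a JAAS principal context", e);
                    }
                } catch (IndexOutOfBoundsException e) {
                    LOG.error("server principal name/hostname determination error: ", e);
                }
            } else {
                // TODO: use 'authMech=' value in zoo.cfg.
                try {
                    SaslServer saslServer = Sasl.createSaslServer("DIGEST-MD5", "zookeeper", "zk-sasl-md5", null, login.callbackHandler);
                    return saslServer;
                } catch (SaslException e) {
                    LOG.error("Zookeeper Quorum member failed to create a SaslServer to interact with a client during session initiation", e);
                }
            }
        }
    }
    LOG.error("failed to create saslServer object.");
    return null;
}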

Example 22 with GSSName

use of org.ietf.jgss.GSSName in project blade by biezhi.

the class SpnegoLoginService method login.

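/**
 * Authenticates a client from a base64-encoded SPNEGO token.
 *
 * <p>{@code username} will be null since the credentials will contain all the relevant
 * info. The token is fed to an acceptor context created for {@code _targetName}; on
 * success the client principal becomes a {@code SpnegoUserPrincipal} and the part of its
 * name after the last {@code '@'} (the realm) is used as the single default role.
 *
 * @param username ignored (see above)
 * @param credentials the base64 text of the client's token, as a {@link String}
 * @param request the current request (unused here)
 * @return the established identity, or {@code null} if the context could not be
 *         created or established (failures are logged)
 */
@Override
public UserIdentity login(String username, Object credentials, ServletRequest request) {
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();
    GSSContext gContext = null;
    try {
        // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
        // 1.3.6.1.5.5.2 is the SPNEGO mechanism OID, not the Kerberos v5 one.
        Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
        GSSName gssName = manager.createName(_targetName, null);
        GSSCredential serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
        gContext = manager.createContext(serverCreds);
        if (gContext == null) {
            LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
            return null;
        }
        // NOTE(review): this loop assumes the exchange completes within the single token the
        // client sent; a reply token produced before establishment is fed back in rather than
        // returned to the client, so multi-leg negotiations cannot complete here.
        while (!gContext.isEstablished()) {
            if (authToken == null) {
                // Nothing left to process and the context is still not established; the old
                // code dereferenced the null token here.
                LOG.debug("SpnegoUserRealm: security context not established and no further token to process");
                return null;
            }
            authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
        }
        String clientName = gContext.getSrcName().toString();
        // With no '@' in the name, role is the whole client name.
        String role = clientName.substring(clientName.indexOf('@') + 1);
        LOG.debug("SpnegoUserRealm: established a security context");
        LOG.debug("Client Principal is: " + gContext.getSrcName());
        LOG.debug("Server Principal is: " + gContext.getTargName());
        LOG.debug("Client Default Role: " + role);
        // authToken now holds the acceptor's final reply token (may be null), which the
        // principal carries so it can be returned to the client.
        SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);
        Subject subject = new Subject();
        subject.getPrincipals().add(user);
        return _identityService.newUserIdentity(subject, user, new String[] { role });
    } catch (GSSException gsse) {
        LOG.warn(gsse);
    } finally {
        // Release the native/provider state held by the context regardless of outcome.
        if (gContext != null) {
            try {
                gContext.dispose();
            } catch (GSSException ignored) {
                LOG.debug("SpnegoUserRealm: failed to dispose GSSContext: " + ignored);
            }
        }
    }
    return null;
}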

Example 23 with GSSName

use of org.ietf.jgss.GSSName in project hadoop by apache.

the class KerberosAuthenticator method doSpnegoSequence.

/**
 * Runs the SPNEGO token exchange with the remote end, acting as the default principal
 * of the Kerberos cache (normally established via kinit) or, when the current subject
 * carries neither a keytab nor a ticket, as a freshly logged-in JAAS subject.
 *
 * <p>Every token produced by {@code initSecContext} is sent to the peer and the peer's
 * reply is read back until the context reports itself established; the context is
 * disposed whether or not the exchange succeeds. Finally the authentication token is
 * extracted from the connection into {@code token}.
 *
 * @param token the authentication token being used for the user.
 *
 * @throws IOException if an IO error occurred.
 * @throws AuthenticationException if an authentication error occurred.
 */
private void doSpnegoSequence(AuthenticatedURL.Token token) throws IOException, AuthenticationException {
    try {
        AccessControlContext acc = AccessController.getContext();
        Subject subject = Subject.getSubject(acc);
        boolean needsLogin = subject == null
                || (!KerberosUtil.hasKerberosKeyTab(subject) && !KerberosUtil.hasKerberosTicket(subject));
        if (needsLogin) {
            LOG.debug("No subject in context, logging in");
            subject = new Subject();
            LoginContext loginContext = new LoginContext("", subject, null, new KerberosConfiguration());
            loginContext.login();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Using subject: " + subject);
        }
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {

            @Override
            public Void run() throws Exception {
                GSSManager gssManager = GSSManager.getInstance();
                String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", KerberosAuthenticator.this.url.getHost());
                GSSName serviceName = gssManager.createName(servicePrincipal, KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL"));
                GSSContext gssContext = gssManager.createContext(serviceName, KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"), null, GSSContext.DEFAULT_LIFETIME);
                try {
                    // NOTE(review): credential delegation is requested unconditionally, i.e. the
                    // service is offered a forwardable copy of the caller's credentials; whether
                    // the callers need that is not visible in this method.
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);
                    byte[] inToken = new byte[0];
                    // Keep exchanging tokens until the context is established.
                    for (;;) {
                        byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                        if (outToken != null) {
                            sendToken(outToken);
                        }
                        if (gssContext.isEstablished()) {
                            break;
                        }
                        inToken = readToken();
                    }
                } finally {
                    gssContext.dispose();
                }
                return null;
            }
        });
    } catch (PrivilegedActionException ex) {
        Exception cause = ex.getException();
        if (cause instanceof IOException) {
            throw (IOException) cause;
        }
        throw new AuthenticationException(cause);
    } catch (LoginException ex) {
        throw new AuthenticationException(ex);
    }
    AuthenticatedURL.extractToken(conn, token);
}

Example 24 with GSSName

use of org.ietf.jgss.GSSName in project ats-framework by Axway.

the class GGSSchemeBase method generateGSSToken.

/**
 * Produces the next token of the GSS exchange for the configured service principal.
 *
 * <p>A fresh initiator context is created for {@code servicePrincipalName} canonicalised
 * under {@code oid}, with mutual authentication and credential delegation requested, and
 * the negotiation itself is handed to {@code gssClient}.
 *
 * @param input the token received from the peer; {@code null} is treated as an empty token
 * @param oid the mechanism the context is created for
 * @return the token to send to the peer, as produced by {@code gssClient.negotiate}
 * @throws GSSException if name, context or token processing fails
 */
protected byte[] generateGSSToken(final byte[] input, final Oid oid) throws GSSException {
    final byte[] inputToken = (input == null) ? new byte[0] : input;
    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName(servicePrincipalName, servicePrincipalOid);
    final GSSName canonicalName = serverName.canonicalize(oid);
    final GSSContext gssContext = manager.createContext(canonicalName, oid, null, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    // NOTE(review): delegation is always requested here; confirm the callers need it.
    gssContext.requestCredDeleg(true);
    // Get client to login if not already done
    return gssClient.negotiate(gssContext, inputToken);
}

Example 25 with GSSName

use of org.ietf.jgss.GSSName in project async-http-client by AsyncHttpClient.

the class SpnegoEngine method generateToken.

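/**
 * Produces the initial, base64-encoded negotiation token for the HTTP service on
 * {@code server}.
 *
 * <p>SPNEGO is tried first; if the provider rejects that mechanism ({@code BAD_MECH})
 * the plain Kerberos v5 mechanism is used instead, and the resulting Kerberos token is
 * wrapped into a SPNEGO structure when {@code spnegoGenerator} is available. The GSS
 * context is disposed on every path.
 *
 * @param server the host part of the {@code HTTP@server} service name
 * @return the base64 text of the token to send
 * @throws SpnegoEngineException if the context cannot be created or initialised, or the
 *         token cannot be produced; the underlying exception is kept as the cause
 */
public String generateToken(String server) throws SpnegoEngineException {
    GSSContext gssContext = null;
    try {
        log.debug("init {}", server);
        /*
             * Using the SPNEGO OID is the correct method. Kerberos v5 works for IIS but not JBoss. Unwrapping the initial token when using SPNEGO OID looks like what is described
             * here...
             * 
             * http://msdn.microsoft.com/en-us/library/ms995330.aspx
             * 
             * Another helpful URL...
             * 
             * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
             * 
             * Unfortunately SPNEGO is JRE >=1.6.
             */
        /** Try SPNEGO by default, fall back to Kerberos later if error */
        Oid negotiationOid = new Oid(SPNEGO_OID);
        try {
            gssContext = newInitiatorContext(server, negotiationOid);
        } catch (GSSException ex) {
            log.error("generateToken", ex);
            // Rethrow any other exception.
            if (ex.getMajor() != GSSException.BAD_MECH) {
                throw ex;
            }
            log.debug("GSSException BAD_MECH, retry with Kerberos MECH");
            /* Kerberos v5 GSS-API mechanism defined in RFC 1964. */
            log.debug("Using Kerberos MECH {}", KERBEROS_OID);
            negotiationOid = new Oid(KERBEROS_OID);
            gssContext = newInitiatorContext(server, negotiationOid);
        }
        // The initiator starts with an empty input token.
        byte[] token = gssContext.initSecContext(new byte[0], 0, 0);
        if (token == null) {
            throw new SpnegoEngineException("GSS security context initialization failed");
        }
        /*
             * IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish? seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
             */
        if (spnegoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
            token = spnegoGenerator.generateSpnegoDERObject(token);
        }
        String tokenstr = Base64.encode(token);
        log.debug("Sending response '{}' back to the server", tokenstr);
        return tokenstr;
    } catch (GSSException gsse) {
        log.error("generateToken", gsse);
        // Every major code is reported the same way; the cause is always kept (the old code
        // dropped it for majors other than credential/token problems).
        throw new SpnegoEngineException(gsse.getMessage(), gsse);
    } catch (IOException ex) {
        throw new SpnegoEngineException(ex.getMessage(), ex);
    } finally {
        // Previously dispose() only ran on the success path, leaking the context on errors.
        disposeQuietly(gssContext);
    }
}

/**
 * Creates an initiator context for {@code HTTP@server} under {@code negotiationOid},
 * requesting mutual authentication and credential delegation as the original code did.
 */
private GSSContext newInitiatorContext(String server, Oid negotiationOid) throws GSSException {
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName("HTTP@" + server, GSSName.NT_HOSTBASED_SERVICE);
    GSSContext gssContext = manager.createContext(serverName.canonicalize(negotiationOid), negotiationOid, null, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    // NOTE(review): delegation hands the service a forwardable copy of the client's
    // credentials; confirm the callers of this engine need it.
    gssContext.requestCredDeleg(true);
    return gssContext;
}

/** Disposes {@code gssContext} if non-null, logging rather than propagating a failure to do so. */
private void disposeQuietly(GSSContext gssContext) {
    if (gssContext == null) {
        return;
    }
    try {
        gssContext.dispose();
    } catch (GSSException ex) {
        log.debug("dispose", ex);
    }
}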
