/**
 * Starts this side as the GSS-API initiator (client) towards {@code target}.
 *
 * The target string decides how the peer name is built: a value containing
 * {@code '@'} is parsed as a host-based service name ({@code service@host});
 * anything else is handed to the GSS layer with a null name type, i.e.
 * mechanism-specific parsing. The created context is stored in the
 * {@code Context} object's {@code x} field (as an {@link ExtendedGSSContext})
 * by the action run through {@code doAs}.
 *
 * @param target communication peer, either {@code service@host} or a bare name
 * @param mech   GSS mechanism OID to negotiate with
 * @throws java.lang.Exception whatever the action or {@code doAs} raise
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    final Action createInitiator = new Action() {
        @Override
        public byte[] run(Context ctx, byte[] unused) throws Exception {
            final GSSManager manager = GSSManager.getInstance();
            final GSSName peer;
            if (target.indexOf('@') < 0) {
                // no '@': let the mechanism decide how to interpret the name
                peer = manager.createName(target, null);
            } else {
                peer = manager.createName(target, GSSName.NT_HOSTBASED_SERVICE);
            }
            ctx.x = (ExtendedGSSContext) manager.createContext(
                    peer, mech, cred, GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    };
    doAs(createInitiator, null);
}
/**
 * Test driver: feeds a canned negotiation token to a fresh acceptor context and
 * expects it to be rejected.
 *
 * The hex dump is a GSS-API framed token (leading 0x60 tag) whose first OID
 * bytes {@code 2B 06 01 05 05 02} decode to 1.3.6.1.5.5.2 (SPNEGO) and whose
 * inner mechType {@code 2B 06 01 04 01 82 37 02 02 0A} decodes to
 * 1.3.6.1.4.1.311.2.2.10 (commonly the NTLMSSP mechanism). The acceptor is
 * expected to throw a {@link GSSException} on it; the exception is printed and
 * any other outcome propagates out of {@code main}.
 *
 * @param args unused
 * @throws Exception any unexpected failure
 */
public static void main(String[] args) throws Exception {
    final GSSContext acceptor = GSSManager.getInstance().createContext((GSSCredential) null);

    // One byte per "XX " triple, so length / 3 bytes in total.
    final String hexDump =
            /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
            /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    final byte[] token = new byte[hexDump.length() / 3];
    int out = 0;
    for (int pos = 0; pos + 2 <= hexDump.length() && out < token.length; pos += 3) {
        token[out++] = (byte) Integer.parseInt(hexDump.substring(pos, pos + 2), 16);
    }

    try {
        acceptor.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}
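/**
 * Test driver: accepts a canned Kerberos token as the service whose long-term
 * AES128 key {@code key} for principal {@code princ} is placed directly into a
 * {@link Subject} (both values are defined elsewhere in this file, as is
 * {@code token}).
 *
 * A throw-away krb5.conf is written with an enormous {@code clockskew} because,
 * as the original comment said, the clock difference between the token and
 * "now" is not what this test is about. That setting effectively switches off
 * the timestamp-freshness tolerance and must never be copied into a real
 * configuration.
 *
 * @param args unused
 * @throws Exception any I/O, JAAS or GSS failure is fatal for the test
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference.
    // The original never closed this stream; try-with-resources guarantees the
    // bytes are flushed and the handle released before Config.refresh() reads it.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999"
                .getBytes(java.nio.charset.StandardCharsets.US_ASCII));
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    // Acceptor identity: principal plus its raw service key, no keytab needed.
    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    // The acceptor's reply token is not needed here; only the absence of an
    // exception matters.
    Subject.doAs(subj, new PrivilegedExceptionAction<byte[]>() {
        @Override
        public byte[] run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            GSSContext ctxt = man.createContext(man.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}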
/**
 * Establishes a {@code GSSContext} with the GSS-API protected ACI server and
 * then lets the superclass send the action.
 *
 * The supplied {@code serverDetails} are not modified: a copy is made and a
 * {@link GssEncryptionCodec} wrapping the new context is set on that copy, which
 * replaces whatever {@code EncryptionCodec} the copy carried, since only the GSS
 * codec is usable against a Kerberos-protected ACI server.
 *
 * @param serverDetails a {@link GssAciServerDetails} holding the service name
 *                      and connection details
 * @param parameters    the parameters to send with the ACI action
 * @return an {@link AciResponseInputStream} containing the ACI response
 * @throws java.io.IOException if an I/O (transport) error occurs; some of these
 *                             are recoverable
 * @throws com.autonomy.aci.client.transport.AciHttpException if a protocol error
 *                             occurs; usually not recoverable
 * @throws java.lang.IllegalArgumentException if {@code serverDetails} is not a
 *                             {@link GssAciServerDetails} or carries no
 *                             {@code serviceName}
 */
@Override
public AciResponseInputStream executeAction(final AciServerDetails serverDetails, final Set<? extends ActionParameter<?>> parameters) throws IOException, AciHttpException {
    LOGGER.trace("executeAction() called...");

    // Both checks are argument validation and fail with IllegalArgumentException.
    Validate.isTrue((serverDetails instanceof GssAciServerDetails), "The serverDetails must be an instance of GssAciServerDetails.");
    final GssAciServerDetails gssDetails = (GssAciServerDetails) serverDetails;
    Validate.isTrue(StringUtils.isNotBlank(gssDetails.getServiceName()), "No serviceName set in serverDetails.");

    // Negotiate the security context for this server.
    final GSSContext gssContext = getGSSContext(gssDetails);

    LOGGER.debug("Copying ACI server details and adding a GssEncryptionCodec...");
    // Work on a copy so the caller's details keep their own codec; the service
    // name is no longer needed once the context exists.
    final AciServerDetails detailsWithCodec = new AciServerDetails(serverDetails);
    detailsWithCodec.setEncryptionCodec(new GssEncryptionCodec(gssContext));

    LOGGER.debug("Letting the superclass execute the action...");
    return super.executeAction(detailsWithCodec, parameters);
}
/**
 * Closes the session, first disposing any {@link GSSContext} stored under the
 * {@code GSS_CONTEXT} session attribute.
 *
 * If disposing the context fails, the failure is reported and passed to the
 * two-argument {@code closeSession} so the cause is not lost; otherwise the
 * plain single-argument close is used. The attribute itself is not cleared
 * here; the session is going away anyway.
 *
 * @param message the error message
 */
@Override
protected void closeSession(String message) {
    final GSSContext gssContext = (GSSContext) getSession().getAttribute(GSS_CONTEXT);
    if (gssContext == null) {
        super.closeSession(message);
        return;
    }
    try {
        gssContext.dispose();
    } catch (GSSException e) {
        // Keep the original reporting: no logger is in scope in this block.
        e.printStackTrace();
        super.closeSession(message, e);
        return;
    }
    super.closeSession(message);
}
/**
 * {@inheritDoc}
 *
 * Only an established context is considered; its source (peer) name is resolved
 * first, the superclass performs the actual authentication, and the result is
 * then run through the lock-out filter under that user name. Note that the
 * filter is applied even when the superclass returns {@code null}, so the
 * attempt is seen by the lock-out logic either way.
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (!gssContext.isEstablished()) {
        // Fail in all other cases
        return null;
    }

    final GSSName srcName;
    try {
        srcName = gssContext.getSrcName();
    } catch (GSSException e) {
        log.warn(sm.getString("realmBase.gssNameFail"), e);
        return null;
    }

    final String username = srcName.toString();
    final Principal authenticatedUser = super.authenticate(gssContext, storeCreds);
    return filterLockedAccounts(username, authenticatedUser);
}
/**
 * Builds an initiator context for the configured service principal and runs one
 * negotiation step through {@code gssClient}.
 *
 * NOTE(review): {@code requestCredDeleg(true)} asks the GSS layer to delegate
 * the initiator's credentials to the acceptor (for Kerberos, typically a
 * forwarded TGT). It is requested unconditionally here, so every server this
 * client authenticates to may end up able to act as the user; confirm that is
 * intended for all targets before relying on this path.
 *
 * @param input the token received from the server, or {@code null} for the
 *              first step (treated as an empty token)
 * @param oid   the mechanism OID to use for the context
 * @return the next token to send to the server, as produced by
 *         {@code gssClient.negotiate}
 * @throws GSSException if name creation, context creation or negotiation fails
 */
protected byte[] generateGSSToken(final byte[] input, final Oid oid) throws GSSException {
    final byte[] inToken = (input != null) ? input : new byte[0];

    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName(servicePrincipalName, servicePrincipalOid);
    final GSSName canonicalServerName = serverName.canonicalize(oid);
    final GSSContext gssContext = manager.createContext(
            canonicalServerName, oid, null, GSSContext.DEFAULT_LIFETIME);

    gssContext.requestMutualAuth(true);
    gssContext.requestCredDeleg(true);

    // gssClient logs the user in first if that has not happened yet.
    return gssClient.negotiate(gssContext, inToken);
}
/**
 * Runs one SPNEGO client-side negotiation step as the logged-in subject.
 *
 * If no subject exists yet, {@code loginViaJAAS()} is invoked first (per the
 * original comment it is expected to raise a {@link GSSException} when login
 * fails). The step itself is executed inside {@code Subject.doAs} so that any
 * service ticket obtained during {@code initSecContext} lands in the subject's
 * private credentials. A {@link GSSException} captured by the action is
 * rethrown to the caller.
 *
 * @param context          the initiator context to advance
 * @param negotiationToken the token received from the server, or the initial
 *                         (empty) token
 * @return the token to send back to the server
 * @throws GSSException if login or the negotiation step fails
 */
public byte[] negotiate(GSSContext context, byte[] negotiationToken) throws GSSException {
    if (subject == null) {
        loginViaJAAS();
    }

    final NegotiateContextAction step = new NegotiateContextAction(context, negotiationToken);
    final byte[] outToken = (byte[]) Subject.doAs(subject, step);

    final GSSException failure = step.getGSSException();
    if (failure != null) {
        throw failure;
    }
    return outToken;
}
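/**
 * Accepts a client's service ticket (GSS token) as the given subject and returns
 * the authenticated client principal name.
 *
 * Changes from the original: the context must be fully established before its
 * source name is trusted (a single token can leave a context half-built, and a
 * half-built context has no authenticated peer), the context is always disposed,
 * and an empty or {@code null} ticket is rejected up front instead of failing
 * with a {@link NullPointerException}. The unused Kerberos OID lookup was
 * removed; the {@code throws} clause is kept unchanged for callers.
 *
 * @param subject       the subject holding the acceptor's credentials
 * @param serviceTicket the raw token received from the client
 * @return the client principal name as reported by {@code GSSContext.getSrcName()}
 * @throws GSSException               if the ticket is empty or cannot be accepted
 * @throws IllegalAccessException     retained for API compatibility
 * @throws NoSuchFieldException       retained for API compatibility
 * @throws ClassNotFoundException     retained for API compatibility
 * @throws PrivilegedActionException  wraps any checked exception thrown inside
 *                                    the privileged action (including the
 *                                    GSSException from accepting the ticket)
 */
public static String validateServiceTicket(Subject subject, final byte[] serviceTicket)
        throws GSSException, IllegalAccessException, NoSuchFieldException,
               ClassNotFoundException, PrivilegedActionException {
    if (serviceTicket == null || serviceTicket.length == 0) {
        throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
                "Empty service ticket");
    }

    // Accept the context and return the client principal name.
    return Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            GSSManager manager = GSSManager.getInstance();
            // Null credential: the acceptor uses whatever acceptor credentials
            // are available to the subject this action runs under.
            GSSContext context = manager.createContext((GSSCredential) null);
            try {
                context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
                if (!context.isEstablished()) {
                    // Only an established context has an authenticated peer;
                    // never hand back a name from a partial negotiation.
                    throw new GSSException(GSSException.DEFECTIVE_TOKEN, -1,
                            "Security context not established after processing the service ticket");
                }
                return context.getSrcName().toString();
            } finally {
                context.dispose();
            }
        }
    });
}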
/**
 * Starts this side as the GSS-API initiator (client) towards {@code target}.
 *
 * A target containing {@code '@'} is parsed as a host-based service name
 * ({@code service@host}); any other value is passed with a null name type and
 * left to the mechanism to interpret. The resulting context is stored in the
 * {@code Context} object's {@code x} field by the action run through
 * {@code doAs}.
 *
 * @param target communication peer, either {@code service@host} or a bare name
 * @param mech   GSS mechanism OID to negotiate with
 * @throws java.lang.Exception whatever the action or {@code doAs} raise
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    final Action createInitiator = new Action() {
        @Override
        public byte[] run(Context ctx, byte[] unused) throws Exception {
            final GSSManager manager = GSSManager.getInstance();
            final GSSName peer;
            if (target.indexOf('@') < 0) {
                // no '@': let the mechanism decide how to interpret the name
                peer = manager.createName(target, null);
            } else {
                peer = manager.createName(target, GSSName.NT_HOSTBASED_SERVICE);
            }
            ctx.x = manager.createContext(peer, mech, cred, GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    };
    doAs(createInitiator, null);
}
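/**
 * Processes a client's GSS token with the given acceptor credentials and returns
 * the authenticated user name.
 *
 * Changes from the original: the context is always disposed once the name has
 * been read (or the attempt failed), and a {@code null}/empty token is reported
 * and rejected instead of failing with a {@link NullPointerException}. As
 * before, a context that is not established after the single token is treated
 * as a failed login and yields {@code null}; note that for a mechanism needing
 * further round trips this is indistinguishable from a bad ticket.
 *
 * @param gssToken       the raw GSS token received from the client
 * @param gssCredentials the acceptor credentials to validate it against
 * @return the user name from the established context, or {@code null} when the
 *         token is missing or the context could not be established
 * @throws GSSException if accepting the token, reading the names or disposing
 *                      the context fails
 */
public static String processToken(byte[] gssToken, GSSCredential gssCredentials) throws GSSException {
    if (gssToken == null || gssToken.length == 0) {
        log.error("Unable to process the kerberos ticket as the GSS token is empty.");
        return null;
    }

    GSSContext context = gssManager.createContext(gssCredentials);
    try {
        // Process the client's token (for Kerberos, the AP-REQ carrying the ticket).
        context.acceptSecContext(gssToken, 0, gssToken.length);

        // Only an established context has an authenticated peer.
        if (!context.isEstablished()) {
            log.error("Unable to decrypt the kerberos ticket as context was not established.");
            return null;
        }

        String loggedInUserName = context.getSrcName().toString();
        String target = context.getTargName().toString();
        if (log.isDebugEnabled()) {
            String msg = "Extracted details from GSS Token, LoggedIn User : " + loggedInUserName + " , Intended target : " + target;
            log.debug(msg);
        }
        return loggedInUserName;
    } finally {
        context.dispose();
    }
}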
/**
 * Returns a {@link GSSContext} for the given URL with the provider's default
 * lifetime.
 *
 * The client credential is created lazily from the login context's subject on
 * first use and cached in {@code this.credential}. There is no synchronization
 * here, so concurrent first calls may each build a credential — confirm the
 * caller is single-threaded or tolerant of that.
 *
 * @param url the HTTP address the context is for
 * @return a {@link GSSContext} for the given URL
 * @throws GSSException             if the provider cannot create the context
 * @throws PrivilegedActionException if obtaining the client credential fails
 * @throws IllegalStateException    if neither a credential nor a login context
 *                                  has been initialised
 */
private GSSContext getGSSContext(final URL url) throws GSSException, PrivilegedActionException {
    if (null != this.credential) {
        return SpnegoProvider.getGSSContext(this.credential, url);
    }

    if (null == this.loginContext) {
        throw new IllegalStateException("GSSCredential AND LoginContext NOT initialized");
    }

    // First use: derive the client credential from the logged-in subject.
    this.credential = SpnegoProvider.getClientCredential(this.loginContext.getSubject());
    return SpnegoProvider.getGSSContext(this.credential, url);
}
/**
 * Creates an initiator context for {@code service@authServer} and performs one
 * {@code initSecContext} step on it.
 *
 * The server name is built as a host-based service name from the configured
 * {@code service} and the supplied {@code authServer}, so whoever controls
 * {@code authServer} controls which principal this client obtains a ticket for;
 * callers are assumed to pass the intended, trusted host — confirm at the call
 * site. {@code requestCredDeleg(true)} additionally asks to delegate the
 * client's credentials to that server (for Kerberos, typically a forwarded
 * TGT), unconditionally.
 *
 * @param input       the token received from the server, or {@code null} for
 *                    the first step (treated as empty)
 * @param oid         the mechanism OID to canonicalise the name for and use
 * @param authServer  the host part of the service principal name
 * @param credentials the client credentials; only a {@code KerberosCredentials}
 *                    instance contributes a {@link GSSCredential}, anything else
 *                    means the default credential
 * @return the next token for the server
 * @throws GSSException if name/context creation or the negotiation step fails
 * @since 4.4
 */
protected byte[] generateGSSToken(final byte[] input, final Oid oid, final String authServer, final Credentials credentials) throws GSSException {
    final byte[] inToken = (input == null) ? new byte[0] : input;

    final GSSManager manager = getManager();
    final String hostBasedName = service + "@" + authServer;
    final GSSName serverName = manager.createName(hostBasedName, GSSName.NT_HOSTBASED_SERVICE);

    GSSCredential gssCredential = null;
    if (credentials instanceof KerberosCredentials) {
        gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    }

    final GSSContext gssContext = manager.createContext(
            serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    gssContext.requestCredDeleg(true);

    return gssContext.initSecContext(inToken, 0, inToken.length);
}
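/**
 * Accepts a client's service ticket as {@code subject} and returns the client
 * principal name, or {@code null} when the ticket cannot be accepted.
 *
 * Changes from the original: the context must be established before its source
 * name is returned (a partially negotiated context has no authenticated peer),
 * and the context is always disposed. The best-effort contract is kept: any
 * failure is reported and mapped to {@code null}. The {@code krb5Oid} field is
 * still set here because other code in this class reads it.
 *
 * @param serviceTicket the raw token received from the client
 * @return the client principal name, or {@code null} on any failure or when the
 *         context did not become established
 * @throws GSSException if the Kerberos mechanism OID cannot be constructed
 */
private String acceptSecurityContext(final byte[] serviceTicket) throws GSSException {
    krb5Oid = new Oid("1.2.840.113554.1.2.2");

    // Accept the context and return the client principal name.
    return Subject.doAs(subject, new PrivilegedAction<String>() {
        @Override
        public String run() {
            GSSContext context = null;
            try {
                GSSManager manager = GSSManager.getInstance();
                // Null credential: use the acceptor credentials of the subject
                // this action runs under.
                context = manager.createContext((GSSCredential) null);
                context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
                if (!context.isEstablished()) {
                    // No authenticated peer yet; never report a name from a
                    // partial negotiation.
                    return null;
                }
                return context.getSrcName().toString();
            } catch (Exception e) {
                // Best-effort: callers treat null as "not authenticated". No
                // logger is in scope in this block, so the original reporting
                // is kept.
                e.printStackTrace();
                return null;
            } finally {
                if (context != null) {
                    try {
                        context.dispose();
                    } catch (GSSException ignored) {
                        // A failed dispose does not change the outcome.
                    }
                }
            }
        }
    });
}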
/**
 * Obtains a single-pass Kerberos context token for {@code servicePrincipalName}
 * and stores it in {@code this.serviceTicket}.
 *
 * The context is created with the class's {@code krb5Oid} and the default
 * credential, then initialised as {@code subject}. Mutual authentication and
 * credential delegation are both switched off, so exactly one token is produced
 * and the initiator does not verify the acceptor. Any {@link GSSException}
 * raised during initialisation is printed and results in a {@code null} ticket.
 *
 * @param servicePrincipalName host-based service name of the peer
 *                             ({@code service@host})
 * @throws GSSException if the name or the context cannot be created
 */
private void initiateSecurityContext(String servicePrincipalName) throws GSSException {
    final GSSManager manager = GSSManager.getInstance();
    final GSSName serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
    final GSSContext context = manager.createContext(
            serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME);

    // Context initiation must run as the subject holding the client credentials.
    final PrivilegedAction<byte[]> initiate = new PrivilegedAction<byte[]>() {
        @Override
        public byte[] run() {
            try {
                // One-pass initialisation: no reply from the acceptor is expected.
                context.requestMutualAuth(false);
                context.requestCredDeleg(false);
                final byte[] empty = new byte[0];
                return context.initSecContext(empty, 0, 0);
            } catch (GSSException e) {
                e.printStackTrace();
                return null;
            }
        }
    };
    this.serviceTicket = Subject.doAs(subject, initiate);
}
/**
 * Extracts the peer's user name from an established GSS context.
 *
 * Returns {@code null} when the context is not established, when the source
 * name cannot be read (the {@link GSSException} is logged), or when the
 * mechanism reports no source name. Otherwise the name is passed through
 * {@code stripRealmName}, which drops the realm part when {@code strip} is set.
 *
 * @param gssContext the context to read the source name from
 * @param strip      whether to strip the realm from the returned name
 * @param logger     logger used to report a failed name lookup
 * @return the (possibly realm-stripped) user name, or {@code null}
 */
private static String getUsernameFromGSSContext(final GSSContext gssContext, final boolean strip, final ESLogger logger) {
    if (!gssContext.isEstablished()) {
        return null;
    }

    final GSSName peer;
    try {
        peer = gssContext.getSrcName();
    } catch (final GSSException e) {
        logger.error("Unable to get src name from gss context", e);
        return null;
    }

    if (peer == null) {
        return null;
    }
    return stripRealmName(peer.toString(), strip);
}
/**
 * Builds a SPNEGO initiator context towards {@code acceptorPrincipal}.
 *
 * An initiate-only SPNEGO credential is created as {@code initiatorSubject},
 * then used for a context that requests mutual authentication, confidentiality,
 * integrity, replay and sequence detection, and explicitly no credential
 * delegation. The returned context has not yet exchanged any tokens.
 *
 * @return a freshly created, not yet established initiator context
 * @throws Exception if credential or context creation fails (the privileged
 *                   action's {@link GSSException} arrives wrapped)
 */
GSSContext initGSS() throws Exception {
    final GSSManager manager = GSSManager.getInstance();

    final GSSCredential initiatorCreds = Subject.doAs(initiatorSubject,
            new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws GSSException {
                    return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                            KrbConstants.SPNEGO, GSSCredential.INITIATE_ONLY);
                }
            });

    final GSSName acceptorName = manager.createName(
            acceptorPrincipal, GSSName.NT_USER_NAME, KrbConstants.SPNEGO);
    final GSSContext context = manager.createContext(
            acceptorName, KrbConstants.SPNEGO, initiatorCreds, GSSContext.DEFAULT_LIFETIME);

    // TODO make configurable
    context.requestMutualAuth(true);
    context.requestConf(true);
    context.requestInteg(true);
    context.requestReplayDet(true);
    context.requestSequenceDet(true);
    // Deliberately off: the acceptor must not receive this client's credentials.
    context.requestCredDeleg(false);
    return context;
}