/** * Starts as a client * @param target communication peer * @param mech GSS mech * @throws java.lang.Exception */ public void startAsClient(final String target, final Oid mech) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.x = (ExtendedGSSContext)m.createContext( target.indexOf('@') < 0 ? m.createName(target, null) : m.createName(target, GSSName.NT_HOSTBASED_SERVICE), mech, cred, GSSContext.DEFAULT_LIFETIME); return null; } }, null); }
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = (ExtendedGSSContext)m.createContext(me.cred); return null; } }, null); }
static void testBad(String s) throws Exception { System.err.println("Trying " + s); try { new ObjectIdentifier(s); throw new Exception("should be invalid ObjectIdentifier"); } catch (IOException ioe) { System.err.println(ioe); } try { new Oid(s); throw new Exception("should be invalid Oid"); } catch (GSSException gsse) { ; } try { new EncryptedPrivateKeyInfo(s, new byte[8]); throw new Exception("should be invalid algorithm"); } catch (NoSuchAlgorithmException e) { ; } }
private Oid getOidForType( String type ) { if ("NT_USER_NAME".equals(type)) { return GSSName.NT_USER_NAME; } else if ("NT_HOSTBASED_SERVICE".equals(type)) { return GSSName.NT_HOSTBASED_SERVICE; } else if ("NT_MACHINE_UID_NAME".equals(type)) { return GSSName.NT_MACHINE_UID_NAME; } else if ("NT_STRING_UID_NAME".equals(type)) { return GSSName.NT_STRING_UID_NAME; } else if ("NT_ANONYMOUS".equals(type)) { return GSSName.NT_ANONYMOUS; } else if ("NT_EXPORT_NAME".equals(type)) { return GSSName.NT_EXPORT_NAME; } return GSSName.NT_USER_NAME; }
protected byte[] generateGSSToken( final byte[] input, final Oid oid ) throws GSSException { byte[] token = input; if (token == null) { token = new byte[0]; } GSSManager manager = getManager(); GSSName serverName = manager.createName(servicePrincipalName, servicePrincipalOid); GSSContext gssContext = manager.createContext(serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); // Get client to login if not already done return gssClient.negotiate(gssContext, token); }
/** * A new instance of LoginConfigImpl must be created for each login request * since it's only used by a single (caller, mech) pair * @param caller defined in GSSUtil as CALLER_XXX final fields * @param oid defined in GSSUtil as XXX_MECH_OID final fields */ public LoginConfigImpl(GSSCaller caller, Oid mech) { this.caller = caller; if (mech.equals(GSSUtil.GSS_KRB5_MECH_OID)) { mechName = "krb5"; } else { throw new IllegalArgumentException(mech.toString() + " not supported"); } config = java.security.AccessController.doPrivileged (new java.security.PrivilegedAction <Configuration> () { public Configuration run() { return Configuration.getConfiguration(); } }); }
public static String validateServiceTicket(Subject subject, final byte[] serviceTicket) throws GSSException, IllegalAccessException, NoSuchFieldException, ClassNotFoundException, PrivilegedActionException { // Kerberos version 5 OID Oid krb5Oid = KerberosUtils.getOidInstance("GSS_KRB5_MECH_OID"); // Accept the context and return the client principal name. return Subject.doAs(subject, new PrivilegedExceptionAction<String>() { @Override public String run() throws Exception { String clientName = null; // Identify the server that communications are being made to. GSSManager manager = GSSManager.getInstance(); GSSContext context = manager.createContext((GSSCredential) null); context.acceptSecContext(serviceTicket, 0, serviceTicket.length); clientName = context.getSrcName().toString(); return clientName; } }); }
public static Oid getOidInstance(String oidName) throws ClassNotFoundException, GSSException, NoSuchFieldException, IllegalAccessException { Class<?> oidClass; if (IBM_JAVA) { if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) { // IBM JDK GSSUtil class does not have field for krb5 principal oid return new Oid("1.2.840.113554.1.2.2.1"); } oidClass = Class.forName("com.ibm.security.jgss.GSSUtil"); } else { oidClass = Class.forName("sun.security.jgss.GSSUtil"); } Field oidField = oidClass.getDeclaredField(oidName); return (Oid)oidField.get(oidClass); }
public static void main(String[] args) throws Exception { Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID; new OneKDC(null).writeJAASConf(); Context c, s; c = Context.fromJAAS("client"); s = Context.fromJAAS("server"); c.startAsClient(OneKDC.SERVER, oid); c.x().requestCredDeleg(true); s.startAsServer(oid); Context.handshake(c, s); GSSCredential cred = s.delegated().cred(); cred.getRemainingInitLifetime(oid); cred.getUsage(oid); }
/** * A new instance of LoginConfigImpl must be created for each login request * since it's only used by a single (caller, mech) pair * @param caller defined in GSSUtil as CALLER_XXX final fields * @param mech defined in GSSUtil as XXX_MECH_OID final fields */ public LoginConfigImpl(GSSCaller caller, Oid mech) { this.caller = caller; if (mech.equals(GSSUtil.GSS_KRB5_MECH_OID)) { mechName = "krb5"; } else { throw new IllegalArgumentException(mech.toString() + " not supported"); } config = java.security.AccessController.doPrivileged (new java.security.PrivilegedAction <Configuration> () { public Configuration run() { return Configuration.getConfiguration(); } }); }
/** * Starts as a client * @param target communication peer * @param mech GSS mech * @throws java.lang.Exception */ public void startAsClient(final String target, final Oid mech) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.x = m.createContext( target.indexOf('@') < 0 ? m.createName(target, null) : m.createName(target, GSSName.NT_HOSTBASED_SERVICE), mech, cred, GSSContext.DEFAULT_LIFETIME); return null; } }, null); }
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = m.createContext(me.cred); return null; } }, null); }
public static Oid getOidInstance(String oidName) throws ClassNotFoundException, GSSException, NoSuchFieldException, IllegalAccessException { Class<?> oidClass; if (IBM_JAVA) { if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) { // IBM JDK GSSUtil class does not have field for krb5 principal oid return new Oid("1.2.840.113554.1.2.2.1"); } oidClass = Class.forName("com.ibm.security.jgss.GSSUtil"); } else { oidClass = Class.forName("sun.security.jgss.GSSUtil"); } Field oidField = oidClass.getDeclaredField(oidName); return (Oid) oidField.get(oidClass); }
/** * @since 4.4 */ protected byte[] generateGSSToken( final byte[] input, final Oid oid, final String authServer, final Credentials credentials) throws GSSException { byte[] inputBuff = input; if (inputBuff == null) { inputBuff = new byte[0]; } final GSSManager manager = getManager(); final GSSName serverName = manager.createName(service + "@" + authServer, GSSName.NT_HOSTBASED_SERVICE); final GSSCredential gssCredential; if (credentials instanceof KerberosCredentials) { gssCredential = ((KerberosCredentials) credentials).getGSSCredential(); } else { gssCredential = null; } final GSSContext gssContext = manager.createContext( serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME); gssContext.requestMutualAuth(true); gssContext.requestCredDeleg(true); return gssContext.initSecContext(inputBuff, 0, inputBuff.length); }
private String acceptSecurityContext( final byte[] serviceTicket) throws GSSException { krb5Oid = new Oid( "1.2.840.113554.1.2.2"); // Accept the context and return the client principal name. return Subject.doAs( subject, new PrivilegedAction<String>() { public String run() { try { // Identify the server that communications are being made to. GSSManager manager = GSSManager.getInstance(); GSSContext context = manager.createContext( (GSSCredential) null); context.acceptSecContext( serviceTicket, 0, serviceTicket.length); return context.getSrcName().toString(); } catch ( Exception e) { e.printStackTrace(); return null; } } }); }