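public static void main(String[] args) throws Exception {
    // Acceptor side with the default (null) credential.
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);

    // Hand-built SPNEGO NegTokenInit, one "XX " triple per byte. Decoding the
    // inner OID (2B 06 01 04 01 82 37 02 02 0A) gives 1.3.6.1.4.1.311.2.2.10,
    // i.e. the only offered mechType is NTLMSSP, which this test expects the
    // acceptor to reject.
    String hex =
        /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
        /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[hex.length() / 3];
    for (int i = 0; i < token.length; i++) {
        token[i] = (byte) Integer.parseInt(hex.substring(3 * i, 3 * i + 2), 16);
    }

    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
        return;
    }
    // A negative test must fail when the expected rejection does not happen;
    // silently returning here would report a pass for an accepted token.
    throw new Exception("acceptSecContext did not reject the unsupported-mech token");
}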
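public static void main(String[] args) throws Exception {
    // Test setup only: a huge clockskew makes the Kerberos timestamp checks
    // accept a token of essentially any age (the test does not care about
    // clock difference). Never carry this setting into a real krb5.conf.
    // The stream is closed before the config is (re)loaded so the file is
    // guaranteed to be flushed.
    try (FileOutputStream conf = new FileOutputStream("krb5.conf")) {
        conf.write("[libdefaults]\nclockskew=999999999".getBytes());
    }
    System.setProperty("java.security.krb5.conf", "krb5.conf");
    Config.refresh();

    // Acceptor Subject holding the service principal and its AES128 key
    // directly (no keytab involved); princ and key come from the enclosing class.
    Subject subj = new Subject();
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(
            kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);

    // Accept the pre-built token as that Subject; the returned token (if any)
    // is not inspected by this test.
    Subject.doAs(subj, new PrivilegedExceptionAction<byte[]>() {
        @Override
        public byte[] run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            GSSContext ctxt = man.createContext(man.createCredential(
                    null,
                    GSSCredential.INDEFINITE_LIFETIME,
                    GSSUtil.GSS_KRB5_MECH_OID,
                    GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}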
/**
 * Starts this context as a GSS acceptor (server) for the given service name.
 *
 * @param name        service name; {@code null} acquires the default acceptor
 *                    credential, a name containing '@' is treated as a
 *                    host-based service name, anything else as a plain name
 * @param mech        GSS mechanism OID the credential is acquired for
 * @param asInitiator {@code true} acquires an INITIATE_AND_ACCEPT credential,
 *                    {@code false} an ACCEPT_ONLY one
 * @throws java.lang.Exception propagated from the privileged action
 */
public void startAsServer(final String name, final Oid mech, final boolean asInitiator)
        throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager mgr = GSSManager.getInstance();

            GSSName acceptorName;
            if (name == null) {
                acceptorName = null;
            } else if (name.indexOf('@') >= 0) {
                acceptorName = mgr.createName(name, GSSName.NT_HOSTBASED_SERVICE);
            } else {
                acceptorName = mgr.createName(name, null);
            }

            int usage = asInitiator
                    ? GSSCredential.INITIATE_AND_ACCEPT
                    : GSSCredential.ACCEPT_ONLY;
            me.cred = mgr.createCredential(
                    acceptorName, GSSCredential.INDEFINITE_LIFETIME, mech, usage);
            me.x = (ExtendedGSSContext) mgr.createContext(me.cred);
            return null;
        }
    }, null);
}
/**
 * Creates a principal for the given user, carrying the credentials and role
 * names the realm established for that user.
 *
 * @param name          username of the user this principal represents
 * @param password      credentials used to authenticate this user; note they
 *                      are retained on this object as a String for its lifetime
 * @param roles         role names (Strings) possessed by the user; may be null
 * @param userPrincipal principal to return from the request's
 *                      getUserPrincipal if non-null; when null, this object
 *                      is returned instead
 * @param loginContext  if provided, used to log the user out at the
 *                      appropriate time
 * @param gssCredential if provided, the user's delegated credentials
 */
public GenericPrincipal(String name, String password, List<String> roles,
        Principal userPrincipal, LoginContext loginContext,
        GSSCredential gssCredential) {
    super();
    this.name = name;
    this.password = password;
    this.userPrincipal = userPrincipal;
    if (roles != null) {
        // Snapshot the caller's list; sorted so the stored order does not
        // depend on the caller's order (presumably for sorted lookups
        // elsewhere in the class — not visible here).
        String[] roleNames = roles.toArray(new String[roles.size()]);
        if (roleNames.length > 1) {
            Arrays.sort(roleNames);
        }
        this.roles = roleNames;
    }
    this.loginContext = loginContext;
    this.gssCredential = gssCredential;
}
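/**
 * Accepts a Kerberos service ticket (GSS token) as the given Subject and
 * returns the authenticated client principal name.
 *
 * @param subject       acceptor Subject whose private credentials supply the
 *                      default acceptor credential
 * @param serviceTicket raw GSS token presented by the client
 * @return the client principal name reported by the established context
 * @throws GSSException              declared for callers; inside the
 *                                   privileged action a rejected token or an
 *                                   unestablished context raises one, which
 *                                   surfaces wrapped in PrivilegedActionException
 * @throws IllegalAccessException    from the KerberosUtils OID lookup
 * @throws NoSuchFieldException      from the KerberosUtils OID lookup
 * @throws ClassNotFoundException    from the KerberosUtils OID lookup
 * @throws PrivilegedActionException wrapping any checked exception thrown in
 *                                   the privileged action
 */
public static String validateServiceTicket(Subject subject, final byte[] serviceTicket)
        throws GSSException, IllegalAccessException, NoSuchFieldException,
        ClassNotFoundException, PrivilegedActionException {
    // Kerberos version 5 OID. Not used below (the acceptor takes the default
    // credential and the token selects the mechanism); the call is kept
    // because the declared checked exceptions come from it.
    Oid krb5Oid = KerberosUtils.getOidInstance("GSS_KRB5_MECH_OID");

    // Accept the context and return the client principal name.
    return Subject.doAs(subject, new PrivilegedExceptionAction<String>() {
        @Override
        public String run() throws Exception {
            GSSManager manager = GSSManager.getInstance();
            // Null credential: the acceptor credential is resolved from the
            // Subject this action runs as.
            GSSContext context = manager.createContext((GSSCredential) null);
            try {
                context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
                // Only trust the peer name once the context is fully
                // established; a mechanism that needs another round trip may
                // not have authenticated anyone yet, and getSrcName() on such a
                // context is not meaningful.
                if (!context.isEstablished()) {
                    throw new GSSException(GSSException.FAILURE, 0,
                            "security context not established by service ticket");
                }
                return context.getSrcName().toString();
            } finally {
                // Release mechanism state whether or not acceptance succeeded.
                context.dispose();
            }
        }
    });
}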
public static void main(String[] args) throws Exception {
    Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID;
    new OneKDC(null).writeJAASConf();

    // Client side asks for credential delegation before the SPNEGO handshake.
    Context client = Context.fromJAAS("client");
    Context server = Context.fromJAAS("server");
    client.startAsClient(OneKDC.SERVER, oid);
    client.x().requestCredDeleg(true);
    server.startAsServer(oid);
    Context.handshake(client, server);

    // Server side: query the delegated credential through the SPNEGO mech OID.
    GSSCredential delegated = server.delegated().cred();
    delegated.getRemainingInitLifetime(oid);
    delegated.getUsage(oid);
}
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();
    // Allow JGSS to obtain credentials outside the current Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSManager gm = GSSManager.getInstance();
    GSSCredential cred = gm.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with a default lifetime of 11 hours; allow a
    // minute of slack either way for the time spent acquiring it.
    int expected = 11 * 3600;
    int slack = 60;

    if (Math.abs(remaining - expected) > slack) {
        throw new Exception("getRemainingLifetime returns wrong value.");
    }
    if (Math.abs(remainingInit - expected) > slack) {
        throw new Exception("getRemainingInitLifetime returns wrong value.");
    }
}
public static void main(String[] args) throws Exception {
    new OneKDC(null).writeJAASConf();
    // Allow JGSS to obtain credentials outside the current Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSManager gm = GSSManager.getInstance();
    GSSCredential cred = gm.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues TGTs with its default lifetime; allow a minute of
    // slack either way for the time spent acquiring the credential.
    int expected = KDC.DEFAULT_LIFETIME;
    int slack = 60;

    if (Math.abs(remaining - expected) > slack) {
        throw new Exception("getRemainingLifetime returns wrong value.");
    }
    if (Math.abs(remainingInit - expected) > slack) {
        throw new Exception("getRemainingInitLifetime returns wrong value.");
    }
}
/**
 * Starts this context as a GSS acceptor (server) for the given service name.
 *
 * @param name        service name; {@code null} acquires the default acceptor
 *                    credential, a name containing '@' is treated as a
 *                    host-based service name, anything else as a plain name
 * @param mech        GSS mechanism OID the credential is acquired for
 * @param asInitiator {@code true} acquires an INITIATE_AND_ACCEPT credential,
 *                    {@code false} an ACCEPT_ONLY one
 * @throws java.lang.Exception propagated from the privileged action
 */
public void startAsServer(final String name, final Oid mech, final boolean asInitiator)
        throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager mgr = GSSManager.getInstance();

            GSSName acceptorName = null;
            if (name != null) {
                boolean hostBased = name.indexOf('@') >= 0;
                acceptorName = hostBased
                        ? mgr.createName(name, GSSName.NT_HOSTBASED_SERVICE)
                        : mgr.createName(name, null);
            }

            int usage = GSSCredential.ACCEPT_ONLY;
            if (asInitiator) {
                usage = GSSCredential.INITIATE_AND_ACCEPT;
            }
            me.cred = mgr.createCredential(
                    acceptorName, GSSCredential.INDEFINITE_LIFETIME, mech, usage);
            me.x = mgr.createContext(me.cred);
            return null;
        }
    }, null);
}
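/**
 * Accepts a Kerberos/GSS token with the given acceptor credential and
 * returns the authenticated client name.
 *
 * @param gssToken       raw GSS token sent by the client
 * @param gssCredentials acceptor (server) credential the token is accepted with
 * @return the client principal name if the context is established by this
 *         single token; {@code null} if it is not
 * @throws GSSException if the mechanism rejects the token
 */
public static String processToken(byte[] gssToken, GSSCredential gssCredentials)
        throws GSSException {
    GSSContext context = gssManager.createContext(gssCredentials);
    try {
        // Process the client token (the Kerberos ticket / GSS token).
        context.acceptSecContext(gssToken, 0, gssToken.length);

        // A single token must fully establish the context. A mechanism that
        // still needs a round trip is treated as a failed login here, so the
        // peer name is never read from a context that has not authenticated
        // anyone yet.
        if (!context.isEstablished()) {
            log.error("Unable to decrypt the kerberos ticket as context was not established.");
            return null;
        }

        String loggedInUserName = context.getSrcName().toString();
        String target = context.getTargName().toString();
        if (log.isDebugEnabled()) {
            String msg = "Extracted details from GSS Token, LoggedIn User : " + loggedInUserName
                    + " , Intended target : " + target;
            log.debug(msg);
        }
        return loggedInUserName;
    } finally {
        // Release mechanism-level state; the caller only needs the name.
        context.dispose();
    }
}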
/**
 * Acquires the SPNEGO acceptor credential while running as the given Subject.
 *
 * @param subject the login-context Subject whose private credentials back the
 *                acceptor credential
 * @return an ACCEPT_ONLY SPNEGO credential with indefinite lifetime
 * @throws PrivilegedActionException wrapping the GSSException from credential
 *                                   acquisition
 */
private static GSSCredential createCredentialsForSubject(final Subject subject)
        throws PrivilegedActionException {
    if (log.isDebugEnabled()) {
        // Principal names only; no private credentials are logged.
        Set<Principal> principals = subject.getPrincipals();
        String principalName = (principals == null) ? null : principals.toString();
        log.debug("Creating gss credentials as principal : " + principalName);
    }

    PrivilegedExceptionAction<GSSCredential> acquire =
            new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws GSSException {
                    return gssManager.createCredential(
                            null,
                            GSSCredential.INDEFINITE_LIFETIME,
                            GSSUtil.GSS_SPNEGO_MECH_OID,
                            GSSCredential.ACCEPT_ONLY);
                }
            };
    return Subject.doAs(subject, acquire);
}
/**
 * Acquires the initiator (client) SPNEGO credential for the given Subject.
 *
 * @param subject the Subject to authenticate as
 * @return an INITIATE_ONLY SPNEGO credential with the default lifetime, to be
 *         used when creating a security context
 * @throws PrivilegedActionException wrapping the GSSException from credential
 *                                   acquisition
 */
public static GSSCredential getClientCredential(final Subject subject)
        throws PrivilegedActionException {
    return Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws GSSException {
            // Default name: the initiator identity comes from the Subject.
            return MANAGER.createCredential(
                    null,
                    GSSCredential.DEFAULT_LIFETIME,
                    SpnegoProvider.SPNEGO_OID,
                    GSSCredential.INITIATE_ONLY);
        }
    });
}
/**
 * Acquires the acceptor (server) SPNEGO credential the server uses to
 * authenticate clients, running as the given Subject.
 *
 * @param subject account the server uses for pre-authentication
 * @return an ACCEPT_ONLY SPNEGO credential with indefinite lifetime
 * @throws PrivilegedActionException wrapping the GSSException from credential
 *                                   acquisition
 */
static GSSCredential getServerCredential(final Subject subject)
        throws PrivilegedActionException {
    return Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws GSSException {
            // Default name: the service identity comes from the Subject.
            return MANAGER.createCredential(
                    null,
                    GSSCredential.INDEFINITE_LIFETIME,
                    SpnegoProvider.SPNEGO_OID,
                    GSSCredential.ACCEPT_ONLY);
        }
    });
}
/**
 * Runs one step of the GSS handshake against the authenticating server and
 * returns the token to send back.
 *
 * @param input       token received from the server, or {@code null} on the
 *                    first round (treated as an empty token)
 * @param oid         mechanism OID to use
 * @param authServer  host used to build the target name "service@authServer"
 * @param credentials caller credentials; a {@link KerberosCredentials}
 *                    supplies an explicit GSSCredential, anything else uses
 *                    the default credential
 * @return the next token to send to the server
 * @throws GSSException on mechanism failure
 * @since 4.4
 */
protected byte[] generateGSSToken(
        final byte[] input,
        final Oid oid,
        final String authServer,
        final Credentials credentials) throws GSSException {
    final byte[] inputBuff = (input != null) ? input : new byte[0];

    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName(
            service + "@" + authServer, GSSName.NT_HOSTBASED_SERVICE);

    GSSCredential gssCredential = null;
    if (credentials instanceof KerberosCredentials) {
        gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    }

    final GSSContext gssContext = manager.createContext(
            serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    // NOTE(security): credential delegation is requested unconditionally, so
    // (if the initiator's TGT is forwardable) it is handed to any server that
    // completes the handshake. That is this method's existing contract;
    // callers that do not need delegation have no way to turn it off here.
    gssContext.requestCredDeleg(true);
    return gssContext.initSecContext(inputBuff, 0, inputBuff.length);
}
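/**
 * Accepts a Kerberos service ticket as this object's Subject and returns the
 * authenticated client principal name, or {@code null} on any failure.
 *
 * @param serviceTicket raw GSS token presented by the client
 * @return the client principal name, or {@code null} if the token is rejected
 *         or does not establish the context
 * @throws GSSException declared for callers; in practice the privileged
 *                      action catches every exception and returns {@code null}
 */
private String acceptSecurityContext(final byte[] serviceTicket) throws GSSException {
    // Kerberos V5 mechanism OID, recorded on this object. The acceptor below
    // uses the default credential and lets the token select the mechanism.
    krb5Oid = new Oid("1.2.840.113554.1.2.2");

    // Accept the context and return the client principal name.
    return Subject.doAs(subject, new PrivilegedAction<String>() {
        @Override
        public String run() {
            GSSContext context = null;
            try {
                GSSManager manager = GSSManager.getInstance();
                context = manager.createContext((GSSCredential) null);
                context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
                // Never report a peer name from a context that is not yet
                // established: the token may only have been a first round trip
                // and nobody has been authenticated at that point.
                if (!context.isEstablished()) {
                    return null;
                }
                return context.getSrcName().toString();
            } catch (Exception e) {
                // Preserved contract: any failure maps to null.
                // TODO route through the project's logger instead of stderr.
                e.printStackTrace();
                return null;
            } finally {
                if (context != null) {
                    try {
                        context.dispose();
                    } catch (GSSException ignored) {
                        // The context is being discarded either way.
                    }
                }
            }
        }
    });
}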
/**
 * Builds an initiator-side SPNEGO context from {@code initiatorSubject}
 * towards {@code acceptorPrincipal}. Mutual authentication, confidentiality,
 * integrity, replay detection and sequence detection are requested; credential
 * delegation is explicitly refused.
 *
 * @return the not-yet-established context; the caller drives initSecContext
 * @throws Exception a PrivilegedActionException wrapping the GSSException from
 *                   credential acquisition, or a GSSException from name or
 *                   context creation
 */
GSSContext initGSS() throws Exception {
    final GSSManager manager = GSSManager.getInstance();

    // Acquire the initiator credential as the configured Subject.
    final GSSCredential initiatorCreds = Subject.doAs(initiatorSubject,
            new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws GSSException {
                    return manager.createCredential(
                            null,
                            GSSCredential.DEFAULT_LIFETIME,
                            KrbConstants.SPNEGO,
                            GSSCredential.INITIATE_ONLY);
                }
            });

    final GSSName target = manager.createName(
            acceptorPrincipal, GSSName.NT_USER_NAME, KrbConstants.SPNEGO);
    final GSSContext context = manager.createContext(
            target, KrbConstants.SPNEGO, initiatorCreds, GSSContext.DEFAULT_LIFETIME);

    // TODO make configurable
    context.requestMutualAuth(true);
    context.requestConf(true);
    context.requestInteg(true);
    context.requestReplayDet(true);
    context.requestSequenceDet(true);
    // Do not forward the initiator's credentials to the acceptor.
    context.requestCredDeleg(false);
    return context;
}