/**
 * Starts this context as the initiator (client) of a GSS exchange with the
 * given peer, using the credential held in {@code cred}.
 *
 * @param target communication peer; a name containing '@' is treated as a
 *               host-based service name ({@code service@host}), any other
 *               form is passed with the default (null) name type
 * @param mech   GSS mechanism OID to negotiate
 * @throws java.lang.Exception if the privileged action fails
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            // '@' selects the service@host form; everything else keeps the default name type.
            Oid nameType = target.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE;
            GSSName peer = manager.createName(target, nameType);
            me.x = (ExtendedGSSContext) manager.createContext(
                    peer, mech, cred, GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}
/**
 * Starts this context as the acceptor (server) for the given service name,
 * acquiring the acceptor credential into {@code me.cred}.
 *
 * @param name        service name; {@code null} means the default credential,
 *                    a name containing '@' is a host-based service name, any
 *                    other form uses the default (null) name type
 * @param mech        GSS mechanism OID
 * @param asInitiator when true the credential may also initiate
 *                    ({@code INITIATE_AND_ACCEPT}); otherwise it is accept-only
 * @throws java.lang.Exception if the privileged action fails
 */
public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            GSSName serviceName = null;
            if (name != null) {
                serviceName = manager.createName(name,
                        name.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE);
            }
            // Least privilege: stay ACCEPT_ONLY unless the caller explicitly needs to initiate too.
            int usage = asInitiator ? GSSCredential.INITIATE_AND_ACCEPT : GSSCredential.ACCEPT_ONLY;
            me.cred = manager.createCredential(
                    serviceName, GSSCredential.INDEFINITE_LIFETIME, mech, usage);
            me.x = (ExtendedGSSContext) manager.createContext(me.cred);
            return null;
        }
    }, null);
}
/**
 * {@inheritDoc}
 *
 * Reads the initiator's name from an established context, delegates the
 * principal lookup to the superclass, then applies the locked-account filter.
 *
 * @return the authenticated principal, or {@code null} when the context is
 *         not established, the source name cannot be read, or the account
 *         is filtered out as locked
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    // No authenticated peer exists before establishment: fail closed.
    if (!gssContext.isEstablished()) {
        return null;
    }
    GSSName srcName;
    try {
        srcName = gssContext.getSrcName();
    } catch (GSSException e) {
        log.warn(sm.getString("realmBase.gssNameFail"), e);
        return null;
    }
    String username = srcName.toString();
    Principal authenticatedUser = super.authenticate(gssContext, storeCreds);
    return filterLockedAccounts(username, authenticatedUser);
}
/**
 * Maps a configured name-type label to the matching {@link GSSName} OID.
 *
 * @param type label such as {@code "NT_HOSTBASED_SERVICE"}; may be {@code null}
 * @return the corresponding OID; an unrecognized or {@code null} label falls
 *         back to {@link GSSName#NT_USER_NAME}
 */
private Oid getOidForType(String type) {
    final String[] labels = {
        "NT_USER_NAME",
        "NT_HOSTBASED_SERVICE",
        "NT_MACHINE_UID_NAME",
        "NT_STRING_UID_NAME",
        "NT_ANONYMOUS",
        "NT_EXPORT_NAME",
    };
    final Oid[] oids = {
        GSSName.NT_USER_NAME,
        GSSName.NT_HOSTBASED_SERVICE,
        GSSName.NT_MACHINE_UID_NAME,
        GSSName.NT_STRING_UID_NAME,
        GSSName.NT_ANONYMOUS,
        GSSName.NT_EXPORT_NAME,
    };
    // equals() on the label side keeps a null `type` safe.
    for (int i = 0; i < labels.length; i++) {
        if (labels[i].equals(type)) {
            return oids[i];
        }
    }
    // NOTE(review): an unknown label silently degrades to NT_USER_NAME; the
    // caller gets no signal that its configured name type was not honoured.
    return GSSName.NT_USER_NAME;
}
/**
 * Builds an initiator context for the configured service principal and hands
 * the (possibly empty) peer token to the GSS client for the next round.
 *
 * @param input token received from the server, or {@code null} on the first round
 * @param oid   mechanism OID; the service name is canonicalized for it
 * @return the next token to send, as produced by {@code gssClient.negotiate}
 * @throws GSSException if name or context creation fails
 */
protected byte[] generateGSSToken(final byte[] input, final Oid oid) throws GSSException {
    final byte[] peerToken = (input != null) ? input : new byte[0];
    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName(servicePrincipalName, servicePrincipalOid);
    // Null credential: the initiator identity comes from the current login context.
    final GSSContext gssContext = manager.createContext(
            serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    // SECURITY: credential delegation is requested unconditionally and cannot be
    // turned off by callers. Where the KDC/service policy permits it, the server
    // ends up able to act with this client's identity towards other services.
    // Keep this only where that is intended.
    gssContext.requestCredDeleg(true);
    // Get client to login if not already done
    return gssClient.negotiate(gssContext, peerToken);
}
/**
 * Starts this context as the initiator (client) of a GSS exchange with the
 * given peer, using the credential held in {@code cred}.
 *
 * @param target communication peer; a name containing '@' is treated as a
 *               host-based service name ({@code service@host}), any other
 *               form is passed with the default (null) name type
 * @param mech   GSS mechanism OID to negotiate
 * @throws java.lang.Exception if the privileged action fails
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            // '@' selects the service@host form; everything else keeps the default name type.
            Oid nameType = target.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE;
            GSSName peer = manager.createName(target, nameType);
            me.x = manager.createContext(peer, mech, cred, GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}
/**
 * Starts this context as the acceptor (server) for the given service name,
 * acquiring the acceptor credential into {@code me.cred}.
 *
 * @param name        service name; {@code null} means the default credential,
 *                    a name containing '@' is a host-based service name, any
 *                    other form uses the default (null) name type
 * @param mech        GSS mechanism OID
 * @param asInitiator when true the credential may also initiate
 *                    ({@code INITIATE_AND_ACCEPT}); otherwise it is accept-only
 * @throws java.lang.Exception if the privileged action fails
 */
public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            GSSName serviceName = null;
            if (name != null) {
                serviceName = manager.createName(name,
                        name.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE);
            }
            // Least privilege: stay ACCEPT_ONLY unless the caller explicitly needs to initiate too.
            int usage = asInitiator ? GSSCredential.INITIATE_AND_ACCEPT : GSSCredential.ACCEPT_ONLY;
            me.cred = manager.createCredential(
                    serviceName, GSSCredential.INDEFINITE_LIFETIME, mech, usage);
            me.x = manager.createContext(me.cred);
            return null;
        }
    }, null);
}
/**
 * Creates an initiator context for {@code service@authServer}, using the
 * caller's Kerberos credential when one is supplied, and produces the next
 * token for the given mechanism.
 *
 * @param input       token received from the server; {@code null} is treated as empty
 * @param oid         mechanism OID; the server name is canonicalized for it
 * @param authServer  host part of the service principal being authenticated to
 * @param credentials if a {@link KerberosCredentials}, its GSS credential is
 *                    used; otherwise the default credential of the current Subject
 * @return the token produced by {@code initSecContext}
 * @throws GSSException on name, context or token failure
 * @since 4.4
 */
protected byte[] generateGSSToken(
        final byte[] input,
        final Oid oid,
        final String authServer,
        final Credentials credentials) throws GSSException {
    final byte[] inputBuff = (input == null) ? new byte[0] : input;
    final GSSManager manager = getManager();
    // NOTE(review): authServer becomes the host of the SPN we authenticate to;
    // confirm it is derived from the intended target rather than from a
    // redirect or proxy, since Kerberos will happily get a ticket for either.
    final GSSName serverName = manager.createName(
            service + "@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
    GSSCredential gssCredential = null;
    if (credentials instanceof KerberosCredentials) {
        gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    }
    final GSSContext gssContext = manager.createContext(
            serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    // SECURITY: delegation is always requested here. Where the KDC/service
    // policy permits it, the server ends up able to act with this client's
    // identity towards other services; callers cannot opt out through this method.
    gssContext.requestCredDeleg(true);
    return gssContext.initSecContext(inputBuff, 0, inputBuff.length);
}
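/**
 * Performs a one-pass Kerberos context initiation (no mutual authentication,
 * no delegation) against the given service and stores the resulting initial
 * token in {@code serviceTicket}.
 *
 * @param servicePrincipalName service principal in {@code service@host} form
 * @throws GSSException if name/context creation or the token exchange fails;
 *                      previously such failures were printed to stderr and
 *                      silently left {@code serviceTicket} as {@code null}
 */
private void initiateSecurityContext(String servicePrincipalName) throws GSSException {
    GSSManager manager = GSSManager.getInstance();
    GSSName serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE);
    final GSSContext context = manager.createContext(
            serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME);
    // The GSS context initiation has to be performed as a privileged action so
    // it sees the Kerberos credentials of `subject`. A PrivilegedExceptionAction
    // lets the GSSException propagate instead of being swallowed.
    try {
        this.serviceTicket = Subject.doAs(subject,
                new java.security.PrivilegedExceptionAction<byte[]>() {
                    public byte[] run() throws GSSException {
                        byte[] token = new byte[0];
                        // One-pass initiation: the server's reply is never fed back
                        // into this context, so mutual authentication cannot be
                        // verified here and delegation is deliberately not requested.
                        context.requestMutualAuth(false);
                        context.requestCredDeleg(false);
                        return context.initSecContext(token, 0, token.length);
                    }
                });
    } catch (java.security.PrivilegedActionException e) {
        Throwable cause = e.getException();
        if (cause instanceof GSSException) {
            throw (GSSException) cause;
        }
        // run() declares only GSSException, so anything else is a programming error.
        throw new IllegalStateException("Unexpected failure while initiating GSS context", cause);
    }
}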
/**
 * Extracts the initiator's name from an established GSS context.
 *
 * @param gssContext context to query; only consulted once it is established
 * @param strip      whether to strip the realm part (handled by {@code stripRealmName})
 * @param logger     receives an error entry if the source name cannot be read
 * @return the (optionally realm-stripped) name, or {@code null} when the
 *         context is not established or the name is unavailable
 */
private static String getUsernameFromGSSContext(final GSSContext gssContext, final boolean strip, final ESLogger logger) {
    if (!gssContext.isEstablished()) {
        // No authenticated peer yet: never derive a username from a half-built context.
        return null;
    }
    GSSName srcName;
    try {
        srcName = gssContext.getSrcName();
    } catch (final GSSException e) {
        logger.error("Unable to get src name from gss context", e);
        return null;
    }
    if (srcName == null) {
        return null;
    }
    return stripRealmName(srcName.toString(), strip);
}
/**
 * Builds an initiator SPNEGO context towards {@code acceptorPrincipal} using
 * an INITIATE_ONLY credential acquired under {@code initiatorSubject}.
 *
 * @return a not-yet-established context with mutual authentication,
 *         confidentiality, integrity, replay and sequence detection requested
 *         and credential delegation disabled
 * @throws Exception if credential acquisition (wrapped by Subject.doAs) or
 *                   context creation fails
 */
GSSContext initGSS() throws Exception {
    final GSSManager manager = GSSManager.getInstance();
    // Credential acquisition must run as the initiator so the default credential resolves.
    final GSSCredential clientCreds = Subject.doAs(initiatorSubject,
            new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws GSSException {
                    return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                            KrbConstants.SPNEGO, GSSCredential.INITIATE_ONLY);
                }
            });
    final GSSName acceptor = manager.createName(
            acceptorPrincipal, GSSName.NT_USER_NAME, KrbConstants.SPNEGO);
    final GSSContext context = manager.createContext(
            acceptor, KrbConstants.SPNEGO, clientCreds, GSSContext.DEFAULT_LIFETIME);
    //TODO make configurable
    context.requestMutualAuth(true);
    context.requestConf(true);
    context.requestInteg(true);
    context.requestReplayDet(true);
    context.requestSequenceDet(true);
    // Deliberately off: the acceptor must never receive the initiator's credentials.
    context.requestCredDeleg(false);
    return context;
}
/**
 * Creates a new {@code Context} whose credential is this context's credential
 * impersonating {@code someone}, via {@link ExtendedGSSCredential#impersonate}
 * (on the JDK this is Kerberos protocol transition, S4U2self).
 *
 * @param someone user principal to impersonate, interpreted as NT_USER_NAME
 * @return a context sharing this one's Subject but carrying the impersonated credential
 * @throws Exception the underlying exception if the privileged action fails
 */
public Context impersonate(final String someone) throws Exception {
    final GSSCredential impersonated;
    try {
        impersonated = Subject.doAs(s, new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws Exception {
                GSSManager manager = GSSManager.getInstance();
                GSSName target = manager.createName(someone, GSSName.NT_USER_NAME);
                // Lazily acquire our own initiator credential on first use.
                if (Context.this.cred == null) {
                    Context.this.cred = manager.createCredential(GSSCredential.INITIATE_ONLY);
                }
                // Only succeeds if the KDC allows this principal to obtain
                // tickets on behalf of `target`; otherwise this throws.
                return ((ExtendedGSSCredential) Context.this.cred).impersonate(target);
            }
        });
    } catch (PrivilegedActionException pae) {
        throw pae.getException();
    }
    Context result = new Context();
    result.s = s;
    result.cred = impersonated;
    result.name = name + " as " + result.cred.getName().toString();
    return result;
}
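/**
 * Obtains an initial Kerberos context token for {@code serviceName} using the
 * delegated credential held by this action.
 *
 * @return the initial context token, or {@code null} if any GSS step failed
 *         (the failure is recorded at DETAIL level only)
 */
public byte[] run() {
    GSSContext secContext = null;
    try {
        GSSManager gssManager = GSSManager.getInstance();
        Oid kerberos5Oid = new Oid(KERBEROS_OID);
        GSSName gssService = gssManager.createName(this.serviceName, GSSName.NT_HOSTBASED_SERVICE);
        secContext = gssManager.createContext(
                gssService, kerberos5Oid, this.delegatedCredential, GSSContext.DEFAULT_LIFETIME);
        // Single-pass token: the service's reply is never consumed, so the
        // service is not authenticated back to us.
        secContext.requestMutualAuth(false);
        byte[] token = new byte[0];
        return secContext.initSecContext(token, 0, token.length);
    } catch (GSSException e) {
        if (LogManager.isMessageToBeRecorded(LogConstants.CTX_WS, MessageLevel.DETAIL)) {
            LogManager.logDetail(LogConstants.CTX_WS, "Error in obtaining a Kerberos token"); //$NON-NLS-1$
        }
        return null;
    } finally {
        // Always release the context; the original only disposed on the success
        // path, leaking it when initSecContext threw.
        if (secContext != null) {
            try {
                secContext.dispose();
            } catch (GSSException ignored) {
                // A disposal failure must not discard an already-obtained token.
            }
        }
    }
}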
/**
 * Starts this context as the initiator (client) of a GSS exchange with the
 * given peer, using the credential held in {@code cred}, and clears {@code f}.
 *
 * @param target communication peer; a name containing '@' is treated as a
 *               host-based service name ({@code service@host}), any other
 *               form is passed with the default (null) name type
 * @param mech   GSS mechanism OID to negotiate
 * @throws java.lang.Exception if the privileged action fails
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            // '@' selects the service@host form; everything else keeps the default name type.
            Oid nameType = target.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE;
            GSSName peer = manager.createName(target, nameType);
            me.x = (ExtendedGSSContext) manager.createContext(
                    peer, mech, cred, GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
    f = false;
}
/**
 * Starts this context as an accept-only server for the given service name
 * and clears {@code f}.
 *
 * @param name service name; {@code null} means the default credential, a name
 *             containing '@' is a host-based service name, any other form
 *             uses the default (null) name type
 * @param mech GSS mechanism OID
 * @throws java.lang.Exception if the privileged action fails
 */
public void startAsServer(final String name, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            GSSName serviceName = null;
            if (name != null) {
                serviceName = manager.createName(name,
                        name.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE);
            }
            // Acceptor-only credential: this side never initiates.
            GSSCredential acceptorCred = manager.createCredential(serviceName,
                    GSSCredential.INDEFINITE_LIFETIME, mech, GSSCredential.ACCEPT_ONLY);
            me.x = (ExtendedGSSContext) manager.createContext(acceptorCred);
            return null;
        }
    }, null);
    f = false;
}
/**
 * Initializes the Kerberos GSS context for the connected server and returns
 * the first token to send.
 *
 * @return the initial context token
 * @throws GSSException if context creation or initiation fails
 * @throws UnknownHostException if the target host cannot be resolved
 */
private byte[] createGssToken() throws GSSException, UnknownHostException {
    GSSManager manager = GSSManager.getInstance();
    // Kerberos V5 mechanism and its principal-name type.
    Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");
    Oid krb5PrincipalName = new Oid("1.2.840.113554.1.2.2.1");
    // Build an SPN the way MIT Kerberos does: MSSQLSvc/<canonical host>:<port>.
    // NOTE(review): getCanonicalHostName() depends on reverse DNS, so a spoofed
    // PTR record changes which service principal we request a ticket for;
    // the mutual authentication requested below is what should catch that,
    // but only once the context is actually established.
    String canonicalHost = InetAddress.getByName(socket.getHost()).getCanonicalHostName();
    String spn = "MSSQLSvc/" + canonicalHost + ":" + socket.getPort();
    GSSName serverName = manager.createName(spn, krb5PrincipalName);
    Logger.println("GSS: Using SPN " + serverName);
    _gssContext = manager.createContext(serverName, krb5Mech, null, GSSContext.DEFAULT_LIFETIME);
    _gssContext.requestMutualAuth(true);
    // FIXME: a request is not a guarantee; getMutualAuthState() is only meaningful
    // after isEstablished() is true, so the check belongs after the final exchange.
    byte[] token = _gssContext.initSecContext(new byte[0], 0, 0);
    Logger.println("GSS: Created GSS token (length: " + token.length + ")");
    return token;
}