Java 类org.ietf.jgss.GSSContext 实例源码

/**
 * Starts as a client
 * @param target communication peer
 * @param mech GSS mech
 * @throws java.lang.Exception
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager m = GSSManager.getInstance();
            me.x = (ExtendedGSSContext)m.createContext(
                      target.indexOf('@') < 0 ?
                        m.createName(target, null) :
                        m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                    mech,
                    cred,
                    GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);

    String var =
        /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
        /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length()/3];
    for (int i=0; i<token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}

public static void main(String[] args) throws Exception {

        // We don't care about clock difference
        new FileOutputStream("krb5.conf").write(
                "[libdefaults]\nclockskew=999999999".getBytes());
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Config.refresh();

        Subject subj = new Subject();
        KerberosPrincipal kp = new KerberosPrincipal(princ);
        KerberosKey kk = new KerberosKey(
                kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
        subj.getPrincipals().add(kp);
        subj.getPrivateCredentials().add(kk);

        Subject.doAs(subj, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                GSSManager man = GSSManager.getInstance();
                GSSContext ctxt = man.createContext(man.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
                return ctxt.acceptSecContext(token, 0, token.length);
            }
        });
    }

/**
 * Sets up a <tt>GSSContext</tt> for communicating with the GSS-API protected ACI server and then sends the
 * action. The <tt>serverDetails</tt> are copied and a <tt>GssEncryptionCodec</tt> set on the copy that has the
 * <tt>GSSContext</tt> in it. Any excising <tt>EncryptionCodec</tt> will be removed as only the
 * <tt>GssEncryptionCodec</tt> can be used when communicating with Kerberos protected ACI servers.
 * @param serverDetails A <tt>GssAciServerDetails</tt> containing the service name and connection details.
 * @param parameters    The parameters to send with the ACI action.
 * @return A <tt>AciResponseInputStream</tt> containing the ACI response.
 * @throws java.io.IOException                                If an I/O (transport) error occurs. Some transport exceptions can be recovered from.
 * @throws com.autonomy.aci.client.transport.AciHttpException If a protocol exception occurs. Usually protocol
 *                                                            exceptions cannot be recovered from.
 * @throws java.lang.IllegalArgumentException                 if <tt>serverDetails</tt> isn't an instance of
 *                                                            <tt>GssAciServerDetails</tt> or there is no <tt>serviceName</tt> set in those details.
 */
@Override
public AciResponseInputStream executeAction(final AciServerDetails serverDetails, final Set<? extends ActionParameter<?>> parameters) throws IOException, AciHttpException {
    LOGGER.trace("executeAction() called...");

    // Validate that the server details are of the right type...
    Validate.isTrue((serverDetails instanceof GssAciServerDetails), "The serverDetails must be an instance of GssAciServerDetails.");
    Validate.isTrue(StringUtils.isNotBlank(((GssAciServerDetails) serverDetails).getServiceName()), "No serviceName set in serverDetails.");

    // Create the GSSContext...
    final GSSContext gssContext = getGSSContext((GssAciServerDetails) serverDetails);

    LOGGER.debug("Copying ACI server details and adding a GssEncryptionCodec...");

    // Copy the server details and add the GSSEncryptionCodec... We don't need the serviceName at this point...
    final AciServerDetails copyServerDetails = new AciServerDetails(serverDetails);
    copyServerDetails.setEncryptionCodec(new GssEncryptionCodec(gssContext));

    LOGGER.debug("Letting the superclass execute the action...");

    // Execute the action...
    return super.executeAction(copyServerDetails, parameters);
}

/**
 * Closes the session. If any {@link GSSContext} is present in the session 
 * then it is closed.
 * 
 * @param message the error message
 */
@Override
protected void closeSession(String message) {
    GSSContext ctx = (GSSContext) getSession().getAttribute(GSS_CONTEXT);
    if (ctx != null) {
        try {
            ctx.dispose();
        } catch (GSSException e) {
            e.printStackTrace();
            super.closeSession(message, e);
            return;
        }
    }
    super.closeSession(message);
}

/**
 * {@inheritDoc}
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (gssContext.isEstablished()) {
        String username = null;
        GSSName name = null;
        try {
            name = gssContext.getSrcName();
        } catch (GSSException e) {
            log.warn(sm.getString("realmBase.gssNameFail"), e);
            return null;
        }

        username = name.toString();

        Principal authenticatedUser = super.authenticate(gssContext, storeCreds);

        return filterLockedAccounts(username, authenticatedUser);
    }

    // Fail in all other cases
    return null;
}

protected byte[] generateGSSToken(
                                   final byte[] input,
                                   final Oid oid ) throws GSSException {

    byte[] token = input;
    if (token == null) {
        token = new byte[0];
    }
    GSSManager manager = getManager();

    GSSName serverName = manager.createName(servicePrincipalName, servicePrincipalOid);

    GSSContext gssContext = manager.createContext(serverName.canonicalize(oid),
                                                  oid,
                                                  null,
                                                  GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    gssContext.requestCredDeleg(true);
    // Get client to login if not already done
    return gssClient.negotiate(gssContext, token);
}

/**
 * Called when SPNEGO client-service authentication is taking place.
 * 
 * @param context
 * @param negotiationToken
 * @return
 * @throws GSSException
 */
public byte[] negotiate( GSSContext context, byte[] negotiationToken ) throws GSSException {

    if (subject == null) {
        loginViaJAAS(); // throw GSSException if fail to login
    }
    // If we do not have the service ticket it will be retrieved
    // from the TGS on a call to initSecContext().
    NegotiateContextAction negotiationAction = new NegotiateContextAction(context, negotiationToken);
    // Run the negotiation as the initiator
    // The service ticket will then be cached in the Subject's
    // private credentials, as the subject.
    negotiationToken = (byte[]) Subject.doAs(subject, negotiationAction);
    if (negotiationAction.getGSSException() != null) {
        throw negotiationAction.getGSSException();
    }

    return negotiationToken;
}

public static String validateServiceTicket(Subject subject, final byte[] serviceTicket)
    throws GSSException, IllegalAccessException, NoSuchFieldException, ClassNotFoundException,
    PrivilegedActionException {
  // Kerberos version 5 OID
  Oid krb5Oid = KerberosUtils.getOidInstance("GSS_KRB5_MECH_OID");


  // Accept the context and return the client principal name.
  return Subject.doAs(subject, new PrivilegedExceptionAction<String>() {

    @Override
    public String run() throws Exception {
      String clientName = null;
      // Identify the server that communications are being made to.
      GSSManager manager = GSSManager.getInstance();
      GSSContext context = manager.createContext((GSSCredential) null);
      context.acceptSecContext(serviceTicket, 0, serviceTicket.length);
      clientName = context.getSrcName().toString();
      return clientName;
    }
  });
}

/**
 * {@inheritDoc}
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (gssContext.isEstablished()) {
        String username = null;
        GSSName name = null;
        try {
            name = gssContext.getSrcName();
        } catch (GSSException e) {
            log.warn(sm.getString("realmBase.gssNameFail"), e);
            return null;
        }

        username = name.toString();

        Principal authenticatedUser = super.authenticate(gssContext, storeCreds);

        return filterLockedAccounts(username, authenticatedUser);
    }

    // Fail in all other cases
    return null;
}

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);

    String var =
        /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
        /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length()/3];
    for (int i=0; i<token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}

public static void main(String[] args) throws Exception {

        // We don't care about clock difference
        new FileOutputStream("krb5.conf").write(
                "[libdefaults]\nclockskew=999999999".getBytes());
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Config.refresh();

        Subject subj = new Subject();
        KerberosPrincipal kp = new KerberosPrincipal(princ);
        KerberosKey kk = new KerberosKey(
                kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
        subj.getPrincipals().add(kp);
        subj.getPrivateCredentials().add(kk);

        Subject.doAs(subj, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                GSSManager man = GSSManager.getInstance();
                GSSContext ctxt = man.createContext(man.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
                return ctxt.acceptSecContext(token, 0, token.length);
            }
        });
    }

/**
 * Starts as a client
 * @param target communication peer
 * @param mech GSS mech
 * @throws java.lang.Exception
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager m = GSSManager.getInstance();
            me.x = (ExtendedGSSContext)m.createContext(
                      target.indexOf('@') < 0 ?
                        m.createName(target, null) :
                        m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                    mech,
                    cred,
                    GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}

/**
 * Starts as a client
 * @param target communication peer
 * @param mech GSS mech
 * @throws java.lang.Exception
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager m = GSSManager.getInstance();
            me.x = m.createContext(
                      target.indexOf('@') < 0 ?
                        m.createName(target, null) :
                        m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                    mech,
                    cred,
                    GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}

/**
 * {@inheritDoc}
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (gssContext.isEstablished()) {
        String username = null;
        GSSName name = null;
        try {
            name = gssContext.getSrcName();
        } catch (GSSException e) {
            log.warn(sm.getString("realmBase.gssNameFail"), e);
            return null;
        }

        username = name.toString();

        Principal authenticatedUser = super.authenticate(gssContext, storeCreds);

        return filterLockedAccounts(username, authenticatedUser);
    }

    // Fail in all other cases
    return null;
}

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);

    String var =
        /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
        /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length()/3];
    for (int i=0; i<token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}

public static void main(String[] args) throws Exception {

        // We don't care about clock difference
        new FileOutputStream("krb5.conf").write(
                "[libdefaults]\nclockskew=999999999".getBytes());
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Config.refresh();

        Subject subj = new Subject();
        KerberosPrincipal kp = new KerberosPrincipal(princ);
        KerberosKey kk = new KerberosKey(
                kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
        subj.getPrincipals().add(kp);
        subj.getPrivateCredentials().add(kk);

        Subject.doAs(subj, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                GSSManager man = GSSManager.getInstance();
                GSSContext ctxt = man.createContext(man.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
                return ctxt.acceptSecContext(token, 0, token.length);
            }
        });
    }

/**
 * Starts as a client
 * @param target communication peer
 * @param mech GSS mech
 * @throws java.lang.Exception
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager m = GSSManager.getInstance();
            me.x = m.createContext(
                      target.indexOf('@') < 0 ?
                        m.createName(target, null) :
                        m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                    mech,
                    cred,
                    GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);

    String var =
        /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
        /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length()/3];
    for (int i=0; i<token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}

public static void main(String[] args) throws Exception {

        // We don't care about clock difference
        new FileOutputStream("krb5.conf").write(
                "[libdefaults]\nclockskew=999999999".getBytes());
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Config.refresh();

        Subject subj = new Subject();
        KerberosPrincipal kp = new KerberosPrincipal(princ);
        KerberosKey kk = new KerberosKey(
                kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
        subj.getPrincipals().add(kp);
        subj.getPrivateCredentials().add(kk);

        Subject.doAs(subj, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                GSSManager man = GSSManager.getInstance();
                GSSContext ctxt = man.createContext(man.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
                return ctxt.acceptSecContext(token, 0, token.length);
            }
        });
    }

/**
 * Starts as a client
 * @param target communication peer
 * @param mech GSS mech
 * @throws java.lang.Exception
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager m = GSSManager.getInstance();
            me.x = (ExtendedGSSContext)m.createContext(
                      target.indexOf('@') < 0 ?
                        m.createName(target, null) :
                        m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                    mech,
                    cred,
                    GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}

/**
 * Process Kerberos token and get user name.
 *
 * @param gssToken GSS token
 * @return username Username of the logged in user if GSSToken can be decrypted correctly else return null
 * @throws GSSException
 */
public static String processToken(byte[] gssToken, GSSCredential gssCredentials) throws GSSException {
    GSSContext context = gssManager.createContext(gssCredentials);
    // Decrypt the kerberos ticket (GSS token)
    context.acceptSecContext(gssToken, 0, gssToken.length);

    // If we cannot decrypt the GSS Token properly we return the username as null.
    if (!context.isEstablished()) {
        log.error("Unable to decrypt the kerberos ticket as context was not established.");
        return null;
    }

    String loggedInUserName = context.getSrcName().toString();
    String target = context.getTargName().toString();

    if (log.isDebugEnabled()) {
        String msg = "Extracted details from GSS Token, LoggedIn User : " + loggedInUserName
                + " , Intended target : " + target;
        log.debug(msg);
    }

    return loggedInUserName;
}

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);

    String var =
        /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
        /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length()/3];
    for (int i=0; i<token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}

public static void main(String[] args) throws Exception {

        // We don't care about clock difference
        new FileOutputStream("krb5.conf").write(
                "[libdefaults]\nclockskew=999999999".getBytes());
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Config.refresh();

        Subject subj = new Subject();
        KerberosPrincipal kp = new KerberosPrincipal(princ);
        KerberosKey kk = new KerberosKey(
                kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
        subj.getPrincipals().add(kp);
        subj.getPrivateCredentials().add(kk);

        Subject.doAs(subj, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                GSSManager man = GSSManager.getInstance();
                GSSContext ctxt = man.createContext(man.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
                return ctxt.acceptSecContext(token, 0, token.length);
            }
        });
    }

/**
 * Starts as a client
 * @param target communication peer
 * @param mech GSS mech
 * @throws java.lang.Exception
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager m = GSSManager.getInstance();
            me.x = (ExtendedGSSContext)m.createContext(
                      target.indexOf('@') < 0 ?
                        m.createName(target, null) :
                        m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                    mech,
                    cred,
                    GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}

/**
 * Returns a GSSContextt for the given url with a default lifetime.
 *  
 * @param url http address
 * @return GSSContext for the given url
 * @throws GSSException
 * @throws PrivilegedActionException
 */
private GSSContext getGSSContext(final URL url) throws GSSException
    , PrivilegedActionException {

    if (null == this.credential) {
        if (null == this.loginContext) {
            throw new IllegalStateException(
                    "GSSCredential AND LoginContext NOT initialized");

        } else {
            this.credential = SpnegoProvider.getClientCredential(
                    this.loginContext.getSubject());
        }
    }

    return SpnegoProvider.getGSSContext(this.credential, url);
}

/**
 * @since 4.4
 */
protected byte[] generateGSSToken(
        final byte[] input, final Oid oid, final String authServer,
        final Credentials credentials) throws GSSException {
    byte[] inputBuff = input;
    if (inputBuff == null) {
        inputBuff = new byte[0];
    }
    final GSSManager manager = getManager();
    final GSSName serverName = manager.createName(service + "@" + authServer, GSSName.NT_HOSTBASED_SERVICE);

    final GSSCredential gssCredential;
    if (credentials instanceof KerberosCredentials) {
        gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    } else {
        gssCredential = null;
    }

    final GSSContext gssContext = manager.createContext(
            serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    gssContext.requestCredDeleg(true);
    return gssContext.initSecContext(inputBuff, 0, inputBuff.length);
}

private String acceptSecurityContext( final byte[] serviceTicket)
    throws GSSException {
  krb5Oid = new Oid( "1.2.840.113554.1.2.2");

  // Accept the context and return the client principal name.
  return Subject.doAs( subject, new PrivilegedAction<String>() {
    public String run() {
      try {
        // Identify the server that communications are being made to.
        GSSManager manager = GSSManager.getInstance();
        GSSContext context = manager.createContext( (GSSCredential) null);
        context.acceptSecContext( serviceTicket, 0, serviceTicket.length);
        return context.getSrcName().toString();
      }
      catch ( Exception e) {
        e.printStackTrace();
        return null;
      }
    }
  });
}

private void initiateSecurityContext( String servicePrincipalName)
    throws GSSException {
  GSSManager manager = GSSManager.getInstance();
  GSSName serverName = manager.createName( servicePrincipalName,
      GSSName.NT_HOSTBASED_SERVICE);
  final GSSContext context = manager.createContext( serverName, krb5Oid, null,
      GSSContext.DEFAULT_LIFETIME);
  // The GSS context initiation has to be performed as a privileged action.
  this.serviceTicket = Subject.doAs( subject, new PrivilegedAction<byte[]>() {
    public byte[] run() {
      try {
        byte[] token = new byte[0];
        // This is a one pass context initialisation.
        context.requestMutualAuth( false);
        context.requestCredDeleg( false);
        return context.initSecContext( token, 0, token.length);
      }
      catch ( GSSException e) {
        e.printStackTrace();
        return null;
      }
    }
  });

}

private static String getUsernameFromGSSContext(final GSSContext gssContext, final boolean strip, final ESLogger logger) {
    if (gssContext.isEstablished()) {
        GSSName gssName = null;
        try {
            gssName = gssContext.getSrcName();
        } catch (final GSSException e) {
            logger.error("Unable to get src name from gss context", e);
        }

        if (gssName != null) {
            String name = gssName.toString();

            return stripRealmName(name, strip);

        }
    }

    return null;
}

GSSContext initGSS() throws Exception {
    final GSSManager MANAGER = GSSManager.getInstance();

    final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws GSSException {
            return MANAGER.createCredential(null, GSSCredential.DEFAULT_LIFETIME, KrbConstants.SPNEGO, GSSCredential.INITIATE_ONLY);
        }
    };

    final GSSCredential clientcreds = Subject.doAs(initiatorSubject, action);

    final GSSContext context = MANAGER.createContext(MANAGER.createName(acceptorPrincipal, GSSName.NT_USER_NAME, KrbConstants.SPNEGO),
            KrbConstants.SPNEGO, clientcreds, GSSContext.DEFAULT_LIFETIME);

    //TODO make configurable
    context.requestMutualAuth(true);
    context.requestConf(true);
    context.requestInteg(true);
    context.requestReplayDet(true);
    context.requestSequenceDet(true);
    context.requestCredDeleg(false);

    return context;
}

public static void main(String[] args) throws Exception {
    GSSCredential cred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(cred);

    String var =
        /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
        /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = new byte[var.length()/3];
    for (int i=0; i<token.length; i++) {
        token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue();
    }
    try {
        ctx.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}

public static void main(String[] args) throws Exception {

        // We don't care about clock difference
        new FileOutputStream("krb5.conf").write(
                "[libdefaults]\nclockskew=999999999".getBytes());
        System.setProperty("java.security.krb5.conf", "krb5.conf");
        Config.refresh();

        Subject subj = new Subject();
        KerberosPrincipal kp = new KerberosPrincipal(princ);
        KerberosKey kk = new KerberosKey(
                kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
        subj.getPrincipals().add(kp);
        subj.getPrivateCredentials().add(kk);

        Subject.doAs(subj, new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                GSSManager man = GSSManager.getInstance();
                GSSContext ctxt = man.createContext(man.createCredential(
                        null, GSSCredential.INDEFINITE_LIFETIME,
                        GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY));
                return ctxt.acceptSecContext(token, 0, token.length);
            }
        });
    }

/**
 * Starts as a client
 * @param target communication peer
 * @param mech GSS mech
 * @throws java.lang.Exception
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager m = GSSManager.getInstance();
            me.x = (ExtendedGSSContext)m.createContext(
                      target.indexOf('@') < 0 ?
                        m.createName(target, null) :
                        m.createName(target, GSSName.NT_HOSTBASED_SERVICE),
                    mech,
                    cred,
                    GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}