Example #1
0
  /**
   * Retrieves the caller's Subject, or Subject obtained by logging in via the specified caller.
   *
   * <p>Caller must have permission to: - access the Subject - create LoginContext - read the
   * auth.login.defaultCallbackHandler security property
   *
   * <p>NOTE: This method is used by JSSE Kerberos Cipher Suites
   */
  public static Subject getSubject(GSSCaller caller, AccessControlContext acc)
      throws LoginException {

    // Try to get the Subject from acc
    Subject subject = Subject.getSubject(acc);

    // Try to get Subject obtained from GSSUtil
    if (subject == null && !GSSUtil.useSubjectCredsOnly(caller)) {
      subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
    }
    return subject;
  }
Example #2
0
  /**
   * Retrieves the ServiceCreds for the specified server principal from the Subject in the specified
   * AccessControlContext. If not found, and if useSubjectCredsOnly is false, then obtain from a
   * LoginContext.
   *
   * <p>NOTE: This method is also used by JSSE Kerberos Cipher Suites
   */
  public static ServiceCreds getServiceCreds(
      GSSCaller caller, String serverPrincipal, AccessControlContext acc) throws LoginException {

    Subject accSubj = Subject.getSubject(acc);
    ServiceCreds sc = null;
    if (accSubj != null) {
      sc = ServiceCreds.getInstance(accSubj, serverPrincipal);
    }
    if (sc == null && !GSSUtil.useSubjectCredsOnly(caller)) {
      Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
      sc = ServiceCreds.getInstance(subject, serverPrincipal);
    }
    return sc;
  }
Example #3
0
  /**
   * Retrieves the ticket corresponding to the client/server principal pair from the Subject in the
   * specified AccessControlContext. If the ticket can not be found in the Subject, and if
   * useSubjectCredsOnly is false, then obtain ticket from a LoginContext.
   */
  static KerberosTicket getTicket(
      GSSCaller caller, String clientPrincipal, String serverPrincipal, AccessControlContext acc)
      throws LoginException {

    // Try to get ticket from acc's Subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket =
        SubjectComber.find(accSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);

    // Try to get ticket from Subject obtained from GSSUtil
    if (ticket == null && !GSSUtil.useSubjectCredsOnly(caller)) {
      Subject subject = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
      ticket = SubjectComber.find(subject, serverPrincipal, clientPrincipal, KerberosTicket.class);
    }
    return ticket;
  }
Example #4
0
  /**
   * Retrieve the service ticket for serverPrincipal from caller's Subject or from Subject obtained
   * by logging in, or if not found, via the Ticket Granting Service using the TGT obtained from the
   * Subject.
   *
   * <p>Caller must have permission to: - access and update Subject's private credentials - create
   * LoginContext - read the auth.login.defaultCallbackHandler security property
   *
   * <p>NOTE: This method is used by JSSE Kerberos Cipher Suites
   */
  public static KerberosTicket getTicketFromSubjectAndTgs(
      GSSCaller caller,
      String clientPrincipal,
      String serverPrincipal,
      String tgsPrincipal,
      AccessControlContext acc)
      throws LoginException, KrbException, IOException {

    // 1. Try to find service ticket in acc subject
    Subject accSubj = Subject.getSubject(acc);
    KerberosTicket ticket =
        SubjectComber.find(accSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);

    if (ticket != null) {
      return ticket; // found it
    }

    Subject loginSubj = null;
    if (!GSSUtil.useSubjectCredsOnly(caller)) {
      // 2. Try to get ticket from login
      try {
        loginSubj = GSSUtil.login(caller, GSSUtil.GSS_KRB5_MECH_OID);
        ticket =
            SubjectComber.find(loginSubj, serverPrincipal, clientPrincipal, KerberosTicket.class);
        if (ticket != null) {
          return ticket; // found it
        }
      } catch (LoginException e) {
        // No login entry to use
        // ignore and continue
      }
    }

    // Service ticket not found in subject or login
    // Try to get TGT to acquire service ticket

    // 3. Try to get TGT from acc subject
    KerberosTicket tgt =
        SubjectComber.find(accSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);

    boolean fromAcc;
    if (tgt == null && loginSubj != null) {
      // 4. Try to get TGT from login subject
      tgt = SubjectComber.find(loginSubj, tgsPrincipal, clientPrincipal, KerberosTicket.class);
      fromAcc = false;
    } else {
      fromAcc = true;
    }

    // 5. Try to get service ticket using TGT
    if (tgt != null) {
      Credentials tgtCreds = ticketToCreds(tgt);
      Credentials serviceCreds = Credentials.acquireServiceCreds(serverPrincipal, tgtCreds);
      if (serviceCreds != null) {
        ticket = credsToTicket(serviceCreds);

        // Store service ticket in acc's Subject
        if (fromAcc && accSubj != null && !accSubj.isReadOnly()) {
          accSubj.getPrivateCredentials().add(ticket);
        }
      }
    }
    return ticket;
  }