@Test public void testRunAsICIR_TwoBeans() throws Exception { LoginContext lc = Util.getCLMLoginContext("user1", "password1"); lc.login(); try { // TODO - Enable once auth checks are working. /* * try { whoAmIBean.getCallerPrincipal(); fail("Expected call to whoAmIBean to fail"); } catch (Exception expected) * { } */ boolean[] response; response = entryBean.doubleDoIHaveRole("Users"); assertTrue(response[0]); assertFalse(response[1]); response = entryBean.doubleDoIHaveRole("Role1"); assertTrue(response[0]); assertFalse(response[1]); response = entryBean.doubleDoIHaveRole("Role2"); assertFalse(response[0]); assertTrue(response[1]); } finally { lc.logout(); } lc = Util.getCLMLoginContext("user2", "password2"); lc.login(); try { // Verify the call now passes. Principal user = whoAmIBean.getCallerPrincipal(); assertNotNull(user); boolean[] response; response = entryBean.doubleDoIHaveRole("Users"); assertTrue(response[0]); assertFalse(response[1]); response = entryBean.doubleDoIHaveRole("Role1"); assertFalse(response[0]); assertFalse(response[1]); response = entryBean.doubleDoIHaveRole("Role2"); assertTrue(response[0]); assertTrue(response[1]); } finally { lc.logout(); } }
@Override public void run(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { LoginContext lc = null; if (request.getUserPrincipal() == null) { try { lc = doLogin(request, response); request = wrapRequest(request, lc); } catch (LoginException e) { // login failed handleLoginFailure(request, response, e); return; } } try { chain.doFilter(request, response); } finally { ClientLoginModule.getThreadLocalLogin().clear(); if (lc != null) { // a null lc may indicate an anonymous login try { lc.logout(); } catch (Exception e) { } } } }
/** * Re-Login a user in from the ticket cache. This method assumes that login had happened already. * The Subject field of this UserGroupInformation object is updated to have the new credentials. * * @throws IOException on a failure */ public synchronized void reloginFromTicketCache() throws IOException { if (!isSecurityEnabled() || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || !isKrbTkt) return; LoginContext login = getLogin(); if (login == null) { throw new IOException("login must be done first"); } if (!hasSufficientTimeElapsed()) { return; } try { LOG.info("Initiating logout for " + getUserName()); // clear up the kerberos state. But the tokens are not cleared! As per // the Java kerberos login module code, only the kerberos credentials // are cleared login.logout(); // login and also update the subject field of this instance to // have the new credentials (pass it to the LoginContext constructor) login = new LoginContext(HadoopConfiguration.USER_KERBEROS_CONFIG_NAME, getSubject()); LOG.info("Initiating re-login for " + getUserName()); login.login(); setLogin(login); } catch (LoginException le) { throw new IOException("Login failure for " + getUserName(), le); } }
@Test public void testRoleExpansion() throws LoginException { LoginContext context = new LoginContext( "ExpandedLDAPLogin", new CallbackHandler() { public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException { for (int i = 0; i < callbacks.length; i++) { if (callbacks[i] instanceof NameCallback) { ((NameCallback) callbacks[i]).setName("first"); } else if (callbacks[i] instanceof PasswordCallback) { ((PasswordCallback) callbacks[i]).setPassword("secret".toCharArray()); } else { throw new UnsupportedCallbackException(callbacks[i]); } } } }); context.login(); Subject subject = context.getSubject(); boolean isAdmin = false; boolean isUser = false; for (Principal principal : subject.getPrincipals()) { if (principal instanceof GroupPrincipal) { GroupPrincipal groupPrincipal = (GroupPrincipal) principal; if (groupPrincipal.getName().equalsIgnoreCase("admins")) isAdmin = true; if (groupPrincipal.getName().equalsIgnoreCase("users")) isUser = true; } } // Should be in users by virtue of being in admins assertTrue(isAdmin && isUser); context.logout(); }
@After public void tearDown() throws Exception { AccessorUtil.getRuntimeAPI().deleteAllProcessInstances(bonitaProcess.getUUID()); AccessorUtil.getManagementAPI().disable(bonitaProcess.getUUID()); AccessorUtil.getManagementAPI().deleteProcess(bonitaProcess.getUUID()); loginContext.logout(); }
public void logoutSubject() { if (loginContext != null) { try { loginContext.logout(); } catch (LoginException le) { logger.error("Failed to logout kerberos subject", le); } } }
protected void closeLocalLogin(LoginContext lc) throws AgencyException { try { lc.logout(); } catch (LoginException e) { System.out.println("ERROR logout in WS"); throw new AgencyException( "Couldn't connect with the login service [LoginContext]. Contact your service provider.", e); } }
/* ------------------------------------------------------------ */ public void logout(UserIdentity user) { Set<JAASUserPrincipal> userPrincipals = user.getSubject().getPrincipals(JAASUserPrincipal.class); LoginContext loginContext = userPrincipals.iterator().next().getLoginContext(); try { loginContext.logout(); } catch (LoginException e) { LOG.warn(e); } }
/** * Call the logout method on the Jaas Login Module Set the username and currentRowkey to null for * clean up purposes */ public boolean logout() { try { usuarioLogged = null; FacesContext facesContext = FacesContext.getCurrentInstance(); HttpSession session = (HttpSession) facesContext.getExternalContext().getSession(false); context.logout(); session.invalidate(); } catch (Exception e) { log("SessionBean1::Exception occured while logging out" + e.getMessage()); error("Error Loggin out"); return false; } return true; }
/** @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */ protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { HttpSession httpSession = request.getSession(); LoginContext lc = (LoginContext) httpSession.getAttribute("LoginContext"); try { System.out.println("INVOCO IL LOGOUT"); lc.logout(); } catch (LoginException e) { e.printStackTrace(); } response.sendRedirect(response.encodeRedirectURL("/JAAS_XACML_Exercise2/public/logout.jsp")); }
public static void verifyPassword(String principal, String password) throws LoginException { LoginContext lc = null; try { lc = Krb5Login.withPassword(principal, password); lc.login(); } finally { if (lc != null) { try { lc.logout(); } catch (LoginException le) { ZimbraLog.account.warn("krb5 logout failed", le); } } } }
public void generate() throws SAXException, ProcessingException { if (log.isDebugEnabled()) log.debug("begin generate"); contentHandler.startDocument(); Document doc = XercesHelper.getNewDocument(); Element root = doc.createElement("authentication"); doc.appendChild(root); try { LoginContext lc = new LoginContext(jaasRealm, new InternalCallbackHandler()); lc.login(); Subject s = lc.getSubject(); if (log.isDebugEnabled()) log.debug("Subject is: " + s.getPrincipals().toString()); Element idElement = doc.createElement("ID"); root.appendChild(idElement); Iterator it = s.getPrincipals(java.security.Principal.class).iterator(); while (it.hasNext()) { Principal prp = (Principal) it.next(); if (prp.getName().equalsIgnoreCase("Roles")) { Element roles = doc.createElement("roles"); root.appendChild(roles); Group grp = (Group) prp; Enumeration member = grp.members(); while (member.hasMoreElements()) { Principal sg = (Principal) member.nextElement(); Element role = doc.createElement("role"); roles.appendChild(role); Text txt = doc.createTextNode(sg.getName()); role.appendChild(txt); } } else { Node nde = doc.createTextNode(prp.getName()); idElement.appendChild(nde); } } lc.logout(); } catch (Exception exe) { log.warn("Could not login user \"" + userid + "\""); } finally { try { DOMStreamer ds = new DOMStreamer(contentHandler); ds.stream(doc.getDocumentElement()); contentHandler.endDocument(); } catch (Exception exe) { log.error("Error streaming to dom", exe); } if (log.isDebugEnabled()) log.debug("end generate"); } }
@Test public void testAuthentication_TwoBeans() throws Exception { LoginContext lc = Util.getCLMLoginContext("user1", "password1"); lc.login(); try { String[] response = entryBean.doubleWhoAmI(); assertEquals("user1", response[0]); assertEquals( "anonymous", response[ 1]); // Unless a run-as-principal configuration has been done, you cannot expect a // principal } finally { lc.logout(); } }
/** * This provides command line access to this JAAS module. * * @param args command line arguments * @throws Exception if an error occurs */ public static void main(final String[] args) throws Exception { String name = "ldaptive"; if (args.length > 0) { name = args[0]; } final LoginContext lc = new LoginContext(name, new TextCallbackHandler()); lc.login(); System.out.println("Authentication/Authorization succeeded"); final Set<Principal> principals = lc.getSubject().getPrincipals(); System.out.println("Subject Principal(s): "); for (Principal p : principals) { System.out.println(" " + p); } lc.logout(); }
/** Migration test from EJB Testsuite (security/TimerRunAs) to AS7 [JBQA-5483]. */ @Test public void testTimerNoSecurityAssociationPrincipal() throws Exception { LoginContext lc = Util.getCLMLoginContext("user1", "password1"); lc.login(); try { TimerTester test = (TimerTester) ctx.lookup("java:module/" + TimerTesterBean.class.getSimpleName()); assertNotNull(test); test.startTimer(150); Assert.assertTrue(TimerTesterBean.awaitTimerCall()); Assert.assertEquals( "user2", TimerTesterBean.calleeCallerPrincipal.iterator().next().getName()); } finally { lc.logout(); } }
public static void main(final String[] args) throws Exception { // Domain (pre-authentication) account // final String username = "******"; // For Non-WIA authentication against // libre Kerberos/LDAP servers final String username = "******"; // Password for the pre-auth acct. final String password = "******"; // Name of our krb5 config file final String krbfile = "/etc/krb5.conf"; // Name of our login config file final String loginfile = "src/main/conf/spnego.conf"; // Name of our login module final String module = "spnego-client"; // set some system properties System.setProperty("java.security.krb5.conf", krbfile); System.setProperty("java.security.auth.login.config", loginfile); System.setProperty("sun.security.krb5.debug", "true"); // assert HelloKDC.validate(username, password, krbfile, loginfile, module); final CallbackHandler handler = HelloKDC.getUsernamePasswordHandler(username, password); final LoginContext loginContext = new LoginContext(module, handler); // attempt to login loginContext.login(); // output some info System.out.println("Subject=" + loginContext.getSubject()); // logout loginContext.logout(); System.out.println("Connection test successful."); }
@Test public void testLdapExample1() throws Exception { System.out.println("testLdapExample1"); UsernamePasswordHandler handler = new UsernamePasswordHandler("josuna", "123".toCharArray()); LoginContext lc = new LoginContext("testLdapExample1", handler); lc.login(); Subject subject = lc.getSubject(); System.out.println("Subject: " + subject); Set groups = subject.getPrincipals(Group.class); assertTrue( "Principals contains josuna", subject.getPrincipals().contains(new SimplePrincipal("josuna"))); Group roles = (Group) groups.iterator().next(); assertTrue("adminoper is a role", roles.isMember(new SimplePrincipal("adminoper"))); lc.logout(); }
/** * This provides command line access to a <code>LdapLoginModule</code>. * * @param args <code>String[]</code> * @throws Exception if an error occurs */ public static void main(final String[] args) throws Exception { String name = "vt-ldap"; if (args.length > 0) { name = args[0]; } final LoginContext lc = new LoginContext(name, new TextCallbackHandler()); lc.login(); System.out.println("Authentication/Authorization succeeded"); final Set<Principal> principals = lc.getSubject().getPrincipals(); System.out.println("Subject Principal(s): "); final Iterator<Principal> i = principals.iterator(); while (i.hasNext()) { final Principal p = i.next(); System.out.println(" " + p); } lc.logout(); }
public void deleteInstance(String instanceUID) throws Exception { Context context = new InitialContext(); String icmaaetitle = (String) context.lookup("java:global/ICMAAETITLE"); LoginContext lctx = new LoginContext(icmaaetitle, null, pacsHandler, conf); lctx.login(); InitialContext ctx = new InitialContext(env); MBeanServerConnection mconn = (MBeanServerConnection) ctx.lookup("jmx/invoker/RMIAdaptor"); ObjectName contentEditName = new ObjectName("dcm4chee.archive:service=ContentEditService"); String[] inst = {instanceUID}; // mconn.invoke(contentEditName, "moveInstanceToTrash", new Object[] { // instanceUID }, new String[] { String.class.getName() }); mconn.invoke( contentEditName, "moveInstancesToTrash", new Object[] {inst}, new String[] {String[].class.getName()}); mconn.invoke(contentEditName, "emptyTrash", null, null); lctx.logout(); // System.out.println("Successfully deleted image "+instanceUID); }
public static void performAs(String principal, String keytab, PrivilegedExceptionAction action) throws PrivilegedActionException, LoginException { LoginContext lc = null; try { // Authenticate to Kerberos. lc = Krb5Login.withKeyTab(principal, keytab); lc.login(); // Assume the identity of the authenticated principal. Subject.doAs(lc.getSubject(), action); } finally { if (lc != null) { try { lc.logout(); } catch (LoginException le) { ZimbraLog.account.warn("krb5 logout failed", le); } } } }
/** * Calls the {@link #run()} method with an unrestricted {@link #session}. During this call, {@link * #isUnrestricted} is set to {@code true}. */ public void runUnrestricted() { isUnrestricted = true; try { if (sessionIsAlreadyUnrestricted) { run(); return; } LoginContext loginContext; try { loginContext = Framework.loginAs(originatingUsername); } catch (LoginException e) { throw new NuxeoException(e); } try { CoreSession baseSession = session; session = CoreInstance.openCoreSession(repositoryName); try { run(); } finally { try { session.close(); } finally { session = baseSession; } } } finally { try { // loginContext may be null in tests if (loginContext != null) { loginContext.logout(); } } catch (LoginException e) { throw new NuxeoException(e); } } } finally { isUnrestricted = false; } }
/** * Re-Login a user in from a keytab file. Loads a user identity from a keytab file and logs them * in. They become the currently logged-in user. This method assumes that {@link * #loginUserFromKeytab(String, String)} had happened already. The Subject field of this * UserGroupInformation object is updated to have the new credentials. * * @throws IOException on a failure */ public synchronized void reloginFromKeytab() throws IOException { if (!isSecurityEnabled() || user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || !isKeytab) return; LoginContext login = getLogin(); if (login == null || keytabFile == null) { throw new IOException("loginUserFromKeyTab must be done first"); } if (!hasSufficientTimeElapsed()) { return; } long start = 0; try { LOG.info("Initiating logout for " + getUserName()); synchronized (UserGroupInformation.class) { // clear up the kerberos state. But the tokens are not cleared! As per // the Java kerberos login module code, only the kerberos credentials // are cleared login.logout(); // login and also update the subject field of this instance to // have the new credentials (pass it to the LoginContext constructor) login = new LoginContext(HadoopConfiguration.KEYTAB_KERBEROS_CONFIG_NAME, getSubject()); LOG.info("Initiating re-login for " + keytabPrincipal); start = System.currentTimeMillis(); login.login(); metrics.loginSuccess.inc(System.currentTimeMillis() - start); setLogin(login); } } catch (LoginException le) { if (start > 0) { metrics.loginFailure.inc(System.currentTimeMillis() - start); } throw new IOException( "Login failure for " + keytabPrincipal + " from keytab " + keytabFile, le); } }
public void logout() throws LoginException { context.logout(); }
public OracleUser(LoginContext context) throws LoginException { this.context = context; context.logout(); context.login(); this.subject = context.getSubject(); }
/** * Test Right Throw 2 events matching by one queue, but user can read only one event * * @throws MembershipServiceException * @throws GreetingServiceException * @throws EventQueueServiceException * @throws InterruptedException * @throws LoginException */ @Test(timeout = 50000) public void testNotificationRightEvent() throws MembershipServiceException, GreetingServiceException, EventQueueServiceException, InterruptedException, LoginException { logger.info("testNotificationRightEvent() called"); String caller = membership.getProfilePathForConnectedIdentifier(); // root permit to kermit to create something on / greeting.giveAutorization("/", "/profiles/kermit", new String[] {"create"}); loginContext.logout(); // login kermit UsernamePasswordHandler uph = new UsernamePasswordHandler("kermit", "thefrog"); loginContext = new LoginContext("qualipso", uph); loginContext.login(); // kermit create a folder and a resource on this folder and // create a read event on this name greeting.createFolder("/kermitFolder", "kermitFolder"); greeting.createName("/kermitFolder/kermitName", "kermitName"); greeting.readName("/kermitFolder/kermitName"); greeting.deleteName("/kermitFolder/kermitName"); greeting.deleteFolder("/kermitFolder"); loginContext.logout(); uph = new UsernamePasswordHandler("root", AllTests.ROOT_ACCOUNT_PASS); loginContext = new LoginContext("qualipso", uph); loginContext.login(); greeting.readName(pathResource); Event[] lEvent2 = new Event[] {}; while (lEvent2.length < 1) { lEvent2 = eqs.getEvents(pathQueue2); } assertTrue( "TestNotificationRighEvent : expected 1 events into queue2(" + pathQueue2 + ") but found " + lEvent2.length, lEvent2.length == 1); Event e = lEvent2[0]; assertEquals( "TestNotificationRighEvent : event resource expected " + pathResource + " but found " + e.getFromResource(), e.getFromResource(), pathResource); assertEquals( "TestNotificationRighEvent : event type expected greeting.name.create but found " + e.getEventType(), e.getEventType(), "greeting.name.read"); assertEquals( "TestNotificationRighEvent : event throwedBy expected " + caller + " but found" + e.getThrowedBy(), e.getThrowedBy(), caller); Thread.sleep(60); assertTrue( "TestNotificationRighEvent : expected 1 event into queue1 but found " + eqs.getEvents(pathQueue2).length, eqs.getEvents(pathQueue2).length == 1); }
/** * Calls logout, if necessary, on any associated JAASLoginContext. May in the future be extended * to cover other logout requirements. * * @throws Exception If something goes wrong with the logout. Uses Exception to allow for future * expansion of this method to cover other logout mechanisms that might throw a different * exception to LoginContext */ public void logout() throws Exception { if (loginContext != null) { loginContext.logout(); } }
/** * Returns response body for the given URL request as a String. It also checks if the returned * HTTP status code is the expected one. If the server returns {@link * HttpServletResponse#SC_UNAUTHORIZED} and an username is provided, then the given user is * authenticated against Kerberos and a new request is executed under the new subject. * * @param uri URI to which the request should be made * @param user Username * @param pass Password * @param expectedStatusCode expected status code returned from the requested server * @return HTTP response body * @throws IOException * @throws URISyntaxException * @throws PrivilegedActionException * @throws LoginException */ public static String makeCallWithKerberosAuthn( final URI uri, final String user, final String pass, final int expectedStatusCode) throws IOException, URISyntaxException, PrivilegedActionException, LoginException { LOGGER.info("Requesting URI: " + uri); final DefaultHttpClient httpClient = new DefaultHttpClient(); try { httpClient .getAuthSchemes() .register(AuthPolicy.SPNEGO, new JBossNegotiateSchemeFactory(true)); httpClient .getCredentialsProvider() .setCredentials(new AuthScope(null, -1, null), new NullHCCredentials()); final HttpGet httpGet = new HttpGet(uri); final HttpResponse response = httpClient.execute(httpGet); int statusCode = response.getStatusLine().getStatusCode(); if (HttpServletResponse.SC_UNAUTHORIZED != statusCode || StringUtils.isEmpty(user)) { assertEquals("Unexpected HTTP response status code.", expectedStatusCode, statusCode); return EntityUtils.toString(response.getEntity()); } final HttpEntity entity = response.getEntity(); final Header[] authnHeaders = response.getHeaders("WWW-Authenticate"); assertTrue( "WWW-Authenticate header is present", authnHeaders != null && authnHeaders.length > 0); final Set<String> authnHeaderValues = new HashSet<String>(); for (final Header header : authnHeaders) { authnHeaderValues.add(header.getValue()); } assertTrue( "WWW-Authenticate: Negotiate header is missing", authnHeaderValues.contains("Negotiate")); if (LOGGER.isDebugEnabled()) { LOGGER.debug("HTTP response was SC_UNAUTHORIZED, let's authenticate the user " + user); } if (entity != null) EntityUtils.consume(entity); // Use our custom configuration to avoid reliance on external config Configuration.setConfiguration(new Krb5LoginConfiguration()); // 1. Authenticate to Kerberos. final LoginContext lc = new LoginContext(Utils.class.getName(), new UsernamePasswordHandler(user, pass)); lc.login(); // 2. Perform the work as authenticated Subject. final String responseBody = Subject.doAs( lc.getSubject(), new PrivilegedExceptionAction<String>() { public String run() throws Exception { final HttpResponse response = httpClient.execute(httpGet); int statusCode = response.getStatusLine().getStatusCode(); assertEquals( "Unexpected status code returned after the authentication.", expectedStatusCode, statusCode); return EntityUtils.toString(response.getEntity()); } }); lc.logout(); return responseBody; } finally { // When HttpClient instance is no longer needed, // shut down the connection manager to ensure // immediate deallocation of all system resources httpClient.getConnectionManager().shutdown(); } }
/** * Creates request against SPNEGO protected web-app with FORM fallback. It tries to login using * SPNEGO first - if it fails, FORM is used. * * @param contextUrl * @param page * @param user * @param pass * @param expectedStatusCode * @return * @throws IOException * @throws URISyntaxException * @throws PrivilegedActionException * @throws LoginException */ public static String makeHttpCallWithFallback( final String contextUrl, final String page, final String user, final String pass, final int expectedStatusCode) throws IOException, URISyntaxException, PrivilegedActionException, LoginException { final String strippedContextUrl = StringUtils.stripEnd(contextUrl, "/"); final String url = strippedContextUrl + page; LOGGER.info("Requesting URL: " + url); final DefaultHttpClient httpClient = new DefaultHttpClient(); httpClient.setRedirectStrategy(REDIRECT_STRATEGY); String unauthorizedPageBody = null; try { httpClient .getAuthSchemes() .register(AuthPolicy.SPNEGO, new JBossNegotiateSchemeFactory(true)); httpClient .getCredentialsProvider() .setCredentials(new AuthScope(null, -1, null), new NullHCCredentials()); final HttpGet httpGet = new HttpGet(url); final HttpResponse response = httpClient.execute(httpGet); int statusCode = response.getStatusLine().getStatusCode(); if (HttpServletResponse.SC_UNAUTHORIZED != statusCode || StringUtils.isEmpty(user)) { assertEquals("Unexpected HTTP response status code.", expectedStatusCode, statusCode); return EntityUtils.toString(response.getEntity()); } final Header[] authnHeaders = response.getHeaders("WWW-Authenticate"); assertTrue( "WWW-Authenticate header is present", authnHeaders != null && authnHeaders.length > 0); final Set<String> authnHeaderValues = new HashSet<String>(); for (final Header header : authnHeaders) { authnHeaderValues.add(header.getValue()); } assertTrue( "WWW-Authenticate: Negotiate header is missing", authnHeaderValues.contains("Negotiate")); LOGGER.debug("HTTP response was SC_UNAUTHORIZED, let's authenticate the user " + user); unauthorizedPageBody = EntityUtils.toString(response.getEntity()); // Use our custom configuration to avoid reliance on external config Configuration.setConfiguration(new Krb5LoginConfiguration()); // 1. Authenticate to Kerberos. final LoginContext lc = new LoginContext(Utils.class.getName(), new UsernamePasswordHandler(user, pass)); lc.login(); // 2. Perform the work as authenticated Subject. final String responseBody = Subject.doAs( lc.getSubject(), new PrivilegedExceptionAction<String>() { public String run() throws Exception { final HttpResponse response = httpClient.execute(httpGet); int statusCode = response.getStatusLine().getStatusCode(); assertEquals( "Unexpected status code returned after the authentication.", expectedStatusCode, statusCode); return EntityUtils.toString(response.getEntity()); } }); lc.logout(); return responseBody; } catch (LoginException e) { assertNotNull(unauthorizedPageBody); assertTrue(unauthorizedPageBody.contains("j_security_check")); HttpPost httpPost = new HttpPost(strippedContextUrl + "/j_security_check"); List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(); nameValuePairs.add(new BasicNameValuePair("j_username", user)); nameValuePairs.add(new BasicNameValuePair("j_password", pass)); httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs)); final HttpResponse response = httpClient.execute(httpPost); int statusCode = response.getStatusLine().getStatusCode(); assertEquals( "Unexpected status code returned after the authentication.", expectedStatusCode, statusCode); return EntityUtils.toString(response.getEntity()); } finally { // When HttpClient instance is no longer needed, // shut down the connection manager to ensure // immediate deallocation of all system resources httpClient.getConnectionManager().shutdown(); } }
@SuppressWarnings("unchecked") public static void main(String[] args) throws Exception { args = siftArgs(args); System.setProperty(javax.naming.Context.URL_PKG_PREFIXES, "org.apache.openejb.client"); // the new initial context is automatically hooked up to the server side // java:openejb/client/${clientModuleId} tree final InitialContext initialContext = new InitialContext(); // path to the client jar file final String path = (String) initialContext.lookup("java:info/path"); // TODO: Download the file final File file = new File(path); // Create a child class loader containing the application jar ClassLoader classLoader = Thread.currentThread().getContextClassLoader(); if (classLoader == null) { classLoader = new URLClassLoader(new URL[] {file.toURI().toURL()}); } else { classLoader = new URLClassLoader(new URL[] {file.toURI().toURL()}, classLoader); } Thread.currentThread().setContextClassLoader(classLoader); // load the main class and get the main method // do this first so we fail fast on a bad class path final String mainClassName = (String) initialContext.lookup("java:info/mainClass"); final Class mainClass = classLoader.loadClass(mainClassName); final Method mainMethod = mainClass.getMethod("main", String[].class); // load the callback handler class // again do this before any major work so we can fail fase Class callbackHandlerClass = null; try { final String callbackHandlerName = (String) initialContext.lookup("java:info/callbackHandler"); callbackHandlerClass = classLoader.loadClass(callbackHandlerName); } catch (NameNotFoundException ignored) { } final InjectionMetaData injectionMetaData = (InjectionMetaData) initialContext.lookup("java:info/injections"); ClientInstance.get().setComponent(InjectionMetaData.class, injectionMetaData); for (final Injection injection : injectionMetaData.getInjections()) { try { final Object value = initialContext.lookup("java:" + injection.getJndiName()); final Class target = classLoader.loadClass(injection.getTargetClass()); final Field field = target.getDeclaredField(injection.getName()); setAccessible(field); field.set(null, value); } catch (Throwable e) { //noinspection UseOfSystemOutOrSystemErr System.err.println( "Injection FAILED: class=" + injection.getTargetClass() + ", name=" + injection.getName() + ", jndi-ref=" + injection.getJndiName()); e.printStackTrace(); } } // if there is no security then just call the main method final Object[] mainArgs = new Object[] {args}; if (callbackHandlerClass == null) { invoke(mainMethod, mainArgs); } else { // create the callback handler final CallbackHandler callbackHandler = (CallbackHandler) callbackHandlerClass.newInstance(); // initialize the jaas system loadJassLoginConfig(classLoader); // login final LoginContext loginContext = new LoginContext("ClientLogin", callbackHandler); loginContext.login(); // success - get the subject final Subject subject = loginContext.getSubject(); // call the main method in a doAs so the subject is associated with the thread try { Subject.doAs( subject, new PrivilegedExceptionAction() { public Object run() throws Exception { invoke(mainMethod, mainArgs); return null; } }); } finally { // And finally, logout loginContext.logout(); } } }
@Override public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException { if (checkForCachedAuthentication(request, response, true)) { return true; } MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization"); if (authorization == null) { if (log.isDebugEnabled()) { log.debug(sm.getString("authenticator.noAuthHeader")); } response.setHeader("WWW-Authenticate", "Negotiate"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; } authorization.toBytes(); ByteChunk authorizationBC = authorization.getByteChunk(); if (!authorizationBC.startsWithIgnoreCase("negotiate ", 0)) { if (log.isDebugEnabled()) { log.debug(sm.getString("spnegoAuthenticator.authHeaderNotNego")); } response.setHeader("WWW-Authenticate", "Negotiate"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; } authorizationBC.setOffset(authorizationBC.getOffset() + 10); byte[] decoded = Base64.decodeBase64( authorizationBC.getBuffer(), authorizationBC.getOffset(), authorizationBC.getLength()); if (getApplyJava8u40Fix()) { SpnegoTokenFixer.fix(decoded); } if (decoded.length == 0) { if (log.isDebugEnabled()) { log.debug(sm.getString("spnegoAuthenticator.authHeaderNoToken")); } response.setHeader("WWW-Authenticate", "Negotiate"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; } LoginContext lc = null; GSSContext gssContext = null; byte[] outToken = null; Principal principal = null; try { try { lc = new LoginContext(getLoginConfigName()); lc.login(); } catch (LoginException e) { log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e); response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); return false; } Subject subject = lc.getSubject(); // Assume the GSSContext is stateless // TODO: Confirm this assumption final GSSManager manager = GSSManager.getInstance(); // IBM JDK only understands indefinite lifetime final int credentialLifetime; if (Globals.IS_IBM_JVM) { credentialLifetime = GSSCredential.INDEFINITE_LIFETIME; } else { credentialLifetime = GSSCredential.DEFAULT_LIFETIME; } final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() { @Override public GSSCredential run() throws GSSException { return manager.createCredential( null, credentialLifetime, new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY); } }; gssContext = manager.createContext(Subject.doAs(subject, action)); outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded)); if (outToken == null) { if (log.isDebugEnabled()) { log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail")); } // Start again response.setHeader("WWW-Authenticate", "Negotiate"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; } principal = Subject.doAs( subject, new AuthenticateAction(context.getRealm(), gssContext, storeDelegatedCredential)); } catch (GSSException e) { if (log.isDebugEnabled()) { log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e); } response.setHeader("WWW-Authenticate", "Negotiate"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; } catch (PrivilegedActionException e) { Throwable cause = e.getCause(); if (cause instanceof GSSException) { if (log.isDebugEnabled()) { log.debug(sm.getString("spnegoAuthenticator.serviceLoginFail"), e); } } else { log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e); } response.setHeader("WWW-Authenticate", "Negotiate"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; } finally { if (gssContext != null) { try { gssContext.dispose(); } catch (GSSException e) { // Ignore } } if (lc != null) { try { lc.logout(); } catch (LoginException e) { // Ignore } } } // Send response token on success and failure response.setHeader("WWW-Authenticate", "Negotiate " + Base64.encodeBase64String(outToken)); if (principal != null) { register(request, response, principal, Constants.SPNEGO_METHOD, principal.getName(), null); Pattern p = noKeepAliveUserAgents; if (p != null) { MessageBytes ua = request.getCoyoteRequest().getMimeHeaders().getValue("user-agent"); if (ua != null && p.matcher(ua.toString()).matches()) { response.setHeader("Connection", "close"); } } return true; } response.sendError(HttpServletResponse.SC_UNAUTHORIZED); return false; }