@Override
public String run() throws HttpAuthenticationException {
// Get own Kerberos credentials for accepting connection
GSSManager manager = GSSManager.getInstance();
GSSContext gssContext = null;
String serverPrincipal = getPrincipalWithoutRealm(serviceUGI.getUserName());
try {
// This Oid for Kerberos GSS-API mechanism.
Oid kerberosMechOid = new Oid("1.2.840.113554.1.2.2");
// Oid for SPNego GSS-API mechanism.
Oid spnegoMechOid = new Oid("1.3.6.1.5.5.2");
// Oid for kerberos principal name
Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
// GSS name for server
GSSName serverName = manager.createName(serverPrincipal, krb5PrincipalOid);
// GSS credentials for server
GSSCredential serverCreds =
manager.createCredential(
serverName,
GSSCredential.DEFAULT_LIFETIME,
new Oid[] {kerberosMechOid, spnegoMechOid},
GSSCredential.ACCEPT_ONLY);
// Create a GSS context
gssContext = manager.createContext(serverCreds);
// Get service ticket from the authorization header
String serviceTicketBase64 = getAuthHeader(request, authType);
byte[] inToken = Base64.decodeBase64(serviceTicketBase64.getBytes());
gssContext.acceptSecContext(inToken, 0, inToken.length);
// Authenticate or deny based on its context completion
if (!gssContext.isEstablished()) {
throw new HttpAuthenticationException(
"Kerberos authentication failed: "
+ "unable to establish context with the service ticket "
+ "provided by the client.");
} else {
return getPrincipalWithoutRealmAndHost(gssContext.getSrcName().toString());
}
} catch (GSSException e) {
throw new HttpAuthenticationException("Kerberos authentication failed: ", e);
} finally {
if (gssContext != null) {
try {
gssContext.dispose();
} catch (GSSException e) {
// No-op
}
}
}
}
@Override
public GSSResult run() {
GSSContext context = null;
try {
GSSManager manager = GSSManager.getInstance();
context = manager.createContext((GSSCredential) null);
this.serviceTicket =
context.acceptSecContext(this.serviceTicket, 0, this.serviceTicket.length);
return new GSSResult(context, serviceTicket);
} catch (GSSException e) {
LogManager.logError(
LogConstants.CTX_SECURITY, e, RuntimePlugin.Util.gs(RuntimePlugin.Event.TEIID40014));
}
return null;
}
public boolean validateContext(ORB orb, Codec codec, byte[] contextToken) {
byte[] token = null;
try {
Oid krb5Oid = new Oid(KRB5MechOID.value.substring(4));
GSSManager gssManager = GSSManager.getInstance();
if (targetCreds == null) {
targetCreds =
gssManager.createCredential(
null, GSSCredential.INDEFINITE_LIFETIME, krb5Oid, GSSCredential.ACCEPT_ONLY);
}
validatedContext = gssManager.createContext(targetCreds);
token = validatedContext.acceptSecContext(contextToken, 0, contextToken.length);
} catch (GSSException e) {
logger.error("Error accepting Kerberos context: " + e);
}
if (token == null) {
logger.warn("Could not accept token");
return false;
}
return true;
}
public Void run() throws GSSException {
NegotiationContext negContext = exchange.getAttachment(NegotiationContext.ATTACHMENT_KEY);
if (negContext == null) {
negContext = new NegotiationContext();
exchange.putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
// Also cache it on the connection for future calls.
exchange.getConnection().putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
}
GSSContext gssContext = negContext.getGssContext();
if (gssContext == null) {
GSSManager manager = GSSManager.getInstance();
gssContext = manager.createContext((GSSCredential) null);
negContext.setGssContext(gssContext);
}
byte[] respToken =
gssContext.acceptSecContext(
challenge.array(), challenge.arrayOffset(), challenge.limit());
negContext.setResponseToken(respToken);
if (negContext.isEstablished()) {
result.setResult(
new AuthenticationResult(
negContext.getPrincipal(), AuthenticationOutcome.AUTHENTICATED));
} else {
// This isn't a failure but as the context is not established another round trip with the
// client is needed.
result.setResult(
new AuthenticationResult(
negContext.getPrincipal(), AuthenticationOutcome.NOT_AUTHENTICATED));
}
return null;
}
@Override
public byte[] run() throws GSSException {
return gssContext.acceptSecContext(decoded, 0, decoded.length);
}
