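/**
 * Authenticates {@code clientPrincipal} against the Kerberos KDC with a password.
 *
 * <p>A JAAS configuration is built in memory rather than read from a login
 * configuration file: a single REQUIRED {@code Krb5LoginModule} entry with keytab
 * and ticket cache disabled, {@code doNotPrompt=false} so the module obtains the
 * credentials from the supplied callback handler, and {@code clearPass=true} so the
 * module discards its own copy of the password once login completes. Realm and KDC
 * are not set here; they come from the JVM's Kerberos configuration
 * ({@code java.security.krb5.realm}/{@code java.security.krb5.kdc} system properties
 * or the {@code java.security.krb5.conf} file).
 *
 * <p>The password arrives as an immutable {@link String} and so cannot be zeroed by
 * this method; the caller owns that exposure. The password is never written to the
 * log, only the principal name and the failure reason.
 *
 * @param password the password for {@code clientPrincipal}
 * @return the authenticated {@link Subject}, or {@code null} when the login fails for
 *     any reason (rejected credentials, unreachable KDC, misconfiguration); callers
 *     must treat {@code null} as "not authenticated"
 */
public Subject krb5PasswordLogin(String password) {
    final String loginModuleName = "krb5UsernamePasswordLogin";
    LOG.info("Attempting kerberos authentication of user: " + clientPrincipal
            + " using username and password mechanism");

    // Krb5LoginModule options: no keytab, no ticket cache, credentials via the
    // callback handler, and the module's password copy cleared after login.
    Map<String, String> jaasOptions = new HashMap<String, String>();
    jaasOptions.put("useKeyTab", "false");
    jaasOptions.put("storeKey", "false");
    jaasOptions.put("doNotPrompt", "false");
    jaasOptions.put("refreshKrb5Config", "false");
    jaasOptions.put("clearPass", "true");
    jaasOptions.put("useTicketCache", "false");
    // Safe to log: the map holds only module flags, no secret material.
    LOG.debug("Dynamic jaas configuration used:" + jaasOptions);

    DynamicJaasConfiguration contextConfig = new DynamicJaasConfiguration();
    contextConfig.addAppConfigEntry(
            loginModuleName,
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            jaasOptions);

    try {
        // The context name must match the entry registered on contextConfig above.
        LoginContext loginCtx = new LoginContext(
                loginModuleName,
                null,
                new LoginUsernamePasswordHandler(clientPrincipal, password),
                contextConfig);
        loginCtx.login();
        Subject clientSubject = loginCtx.getSubject();
        String loggedInUser = principalNameFromSubject(clientSubject);
        LOG.info("SUCCESSFUL LOGIN for user: " + loggedInUser
                + " using username and password mechanism.");
        return clientSubject;
    } catch (LoginException le) {
        // A failed login is expected behaviour rather than an application error, so
        // it is reported at info level. The stack trace goes through the logger at
        // debug level instead of System.err so it follows the logging configuration.
        LOG.info("LOGIN FAILED for user: " + clientPrincipal
                + " using username and password mechanism. Reason: " + le);
        LOG.debug("Kerberos password login failure detail", le);
        return null;
    }
}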
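/**
 * Authenticates {@code clientPrincipal} against the Kerberos KDC non-interactively
 * using the long-term key stored in a keytab file.
 *
 * <p>A JAAS configuration is built in memory: a single REQUIRED
 * {@code Krb5LoginModule} entry with {@code useKeyTab=true}, {@code doNotPrompt=true}
 * (so no callback is ever answered) and {@code storeKey=true}, which places the
 * principal's key in the returned Subject's private credentials so a server can later
 * accept tickets. The returned Subject is therefore sensitive: it carries key
 * material, not just a TGT, and must not be exposed or logged.
 *
 * <p>Realm and KDC are not set here; they come from the JVM's Kerberos configuration.
 *
 * @param keytab path to the keytab file holding {@code clientPrincipal}'s key
 * @return the authenticated {@link Subject}, or {@code null} when the login fails
 *     (unreadable or stale keytab, wrong principal, unreachable KDC); callers must
 *     treat {@code null} as "not authenticated"
 */
public Subject krb5KeytabLogin(String keytab) {
    final String loginModuleName = "krb5NonInteractiveClientLogin";
    LOG.info("Attempting kerberos login of user: " + clientPrincipal
            + " using keytab: " + keytab);

    Map<String, String> jaasOptions = new HashMap<String, String>();
    jaasOptions.put("useKeyTab", "true");
    jaasOptions.put("keyTab", keytab);
    jaasOptions.put("principal", clientPrincipal);
    // Must be true so the key is kept in the Subject for when the server side logs in.
    jaasOptions.put("storeKey", "true");
    jaasOptions.put("doNotPrompt", "true");
    jaasOptions.put("refreshKrb5Config", "false");
    jaasOptions.put("clearPass", "true");
    jaasOptions.put("useTicketCache", "false");
    // Safe to log: principal and keytab path only, no key material.
    LOG.debug("Dynamic jaas configuration used:" + jaasOptions);

    DynamicJaasConfiguration contextConfig = new DynamicJaasConfiguration();
    contextConfig.addAppConfigEntry(
            loginModuleName,
            "com.sun.security.auth.module.Krb5LoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            jaasOptions);

    try {
        // With useKeyTab/doNotPrompt set the module should never call back; the
        // NonInteractiveCallbackHandler exists only to fail loudly if it does, which
        // is what makes this path suitable for unattended system authentication.
        LoginContext loginCtx = new LoginContext(
                loginModuleName,
                null,
                new NonInteractiveCallbackHandler(),
                contextConfig);
        loginCtx.login();
        Subject clientSubject = loginCtx.getSubject();
        String loggedInUser = principalNameFromSubject(clientSubject);
        LOG.info("SUCCESSFUL LOGIN for user: " + loggedInUser + " using keytab: " + keytab);
        return clientSubject;
    } catch (LoginException le) {
        // A failed login is reported at info level; the stack trace goes through the
        // logger at debug level instead of System.err so it follows the logging
        // configuration.
        LOG.info("LOGIN FAILED for user: " + clientPrincipal + " using keytab: " + keytab
                + " Reason: " + le);
        LOG.debug("Kerberos keytab login failure detail", le);
        return null;
    }
}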
/**
 * Performs the authentication phase of this {@code LoginModule}.
 *
 * <p>Credentials are taken from the shared state when {@code tryFirstPass} or
 * {@code useFirstPass} is set, otherwise they are requested through the callback
 * handler; in every case they are verified against the configured LDAP directory by
 * {@code attemptAuthentication}. The modes differ only in how a shared-state failure
 * is handled: {@code tryFirstPass} falls back to prompting, {@code useFirstPass}
 * propagates the failure. On any failure the partial state is discarded via
 * {@code cleanState()} before the exception leaves this method.
 *
 * @return {@code true} always, since this module must not be ignored
 * @throws FailedLoginException if the credentials are rejected
 * @throws LoginException if no LDAP user provider is configured or the module cannot
 *     perform the authentication
 */
public boolean login() throws LoginException {
    if (userProvider == null) {
        throw new LoginException("Unable to locate the LDAP directory service");
    }
    printDebugLine("user provider: " + userProvider);

    if (tryFirstPass) {
        try {
            // Shared-state credentials first; a failure here is not final.
            attemptAuthentication(true);
            succeeded = true;
            printDebugLine("tryFirstPass succeeded");
            return true;
        } catch (LoginException le) {
            // Drop partial state and fall through to prompting below.
            cleanState();
            printDebugLine("tryFirstPass failed: " + le.toString());
        }
    } else if (useFirstPass) {
        try {
            // Shared-state credentials only; a failure here ends the login.
            attemptAuthentication(true);
            succeeded = true;
            printDebugLine("useFirstPass succeeded");
            return true;
        } catch (LoginException le) {
            cleanState();
            printDebugLine("useFirstPass failed");
            throw le;
        }
    }

    // Obtain username and password through the callback handler.
    try {
        attemptAuthentication(false);
        succeeded = true;
        printDebugLine("authentication succeeded");
        return true;
    } catch (LoginException le) {
        cleanState();
        printDebugLine("authentication failed");
        throw le;
    }
}

/** Writes one {@code [LdapLoginModule]} diagnostic line to stdout when debug output is enabled. */
private void printDebugLine(String message) {
    if (debug) {
        System.out.println("\t\t[LdapLoginModule] " + message);
    }
}