예제 #1
0
  /** @since 4.4 */
  protected byte[] generateGSSToken(
      final byte[] input, final Oid oid, final String authServer, final Credentials credentials)
      throws GSSException {
    byte[] inputBuff = input;
    if (inputBuff == null) {
      inputBuff = new byte[0];
    }
    final GSSManager manager = getManager();
    final GSSName serverName =
        manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);

    final GSSCredential gssCredential;
    if (credentials instanceof KerberosCredentials) {
      gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
    } else {
      gssCredential = null;
    }

    final GSSContext gssContext =
        manager.createContext(
            serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
    gssContext.requestMutualAuth(true);
    gssContext.requestCredDeleg(true);
    return gssContext.initSecContext(inputBuff, 0, inputBuff.length);
  }
예제 #2
0
  private String getEncodedKerberosTicket(boolean spnego) throws Exception {

    System.setProperty("java.security.auth.login.config", "src/test/resources/kerberos.jaas");
    System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");

    Oid kerberos5Oid = null;
    if (spnego) {
      kerberos5Oid = new Oid("1.3.6.1.5.5.2");
    } else {
      kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
    }

    GSSManager manager = GSSManager.getInstance();
    GSSName serverName =
        manager.createName("*****@*****.**", GSSName.NT_HOSTBASED_SERVICE);

    GSSContext context =
        manager.createContext(
            serverName.canonicalize(kerberos5Oid), kerberos5Oid, null, GSSContext.DEFAULT_LIFETIME);

    context.requestCredDeleg(true);

    final byte[] token = new byte[0];

    String contextName = "alice";
    LoginContext lc = new LoginContext(contextName);
    lc.login();

    byte[] ticket =
        (byte[]) Subject.doAs(lc.getSubject(), new CreateServiceTicketAction(context, token));
    return Base64.encode(ticket);
  }
예제 #3
0
 protected byte[] generateGSSToken(final byte[] input, final Oid oid, final String authServer)
     throws GSSException {
   byte[] token = input;
   if (token == null) {
     token = new byte[0];
   }
   final GSSManager manager = getManager();
   final GSSName serverName =
       manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
   final GSSContext gssContext =
       manager.createContext(serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
   gssContext.requestMutualAuth(true);
   gssContext.requestCredDeleg(true);
   return gssContext.initSecContext(token, 0, token.length);
 }
  /** {@inheritDoc} */
  @Override
  public Principal authenticate(GSSContext gssContext, boolean storeCred) {
    if (gssContext.isEstablished()) {
      GSSName gssName = null;
      try {
        gssName = gssContext.getSrcName();
      } catch (GSSException e) {
        log.warn(sm.getString("realmBase.gssNameFail"), e);
      }

      if (gssName != null) {
        String name = gssName.toString();

        if (isStripRealmForGss()) {
          int i = name.indexOf('@');
          if (i > 0) {
            // Zero so we don;t leave a zero length name
            name = name.substring(0, i);
          }
        }
        GSSCredential gssCredential = null;
        if (storeCred && gssContext.getCredDelegState()) {
          try {
            gssCredential = gssContext.getDelegCred();
          } catch (GSSException e) {
            if (log.isDebugEnabled()) {
              log.debug(sm.getString("realmBase.delegatedCredentialFail", name), e);
            }
          }
        }
        return getPrincipal(name, gssCredential);
      }
    }

    // Fail in all other cases
    return null;
  }
  public String generateToken(String authServer) throws Throwable {

    try {
      if (this.stripPort) {
        authServer = authServer.substring(0, authServer.indexOf(":"));
      }

      if (log.isDebugEnabled()) {
        log.debug("init " + authServer);
      }
      /* Using the SPNEGO OID is the correct method.
       * Kerberos v5 works for IIS but not JBoss. Unwrapping
       * the initial token when using SPNEGO OID looks like what is
       * described here...
       *
       * http://msdn.microsoft.com/en-us/library/ms995330.aspx
       *
       * Another helpful URL...
       *
       * http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
       *
       * Unfortunately SPNEGO is JRE >=1.6.
       */

      /** Try SPNEGO by default, fall back to Kerberos later if error */
      negotiationOid = new Oid(SPNEGO_OID);

      boolean tryKerberos = false;
      try {
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName = manager.createName("HTTP/" + authServer, null);
        gssContext =
            manager.createContext(
                serverName.canonicalize(negotiationOid),
                negotiationOid,
                null,
                GSSContext.DEFAULT_LIFETIME);
        gssContext.requestMutualAuth(true);
        gssContext.requestCredDeleg(true);
      } catch (GSSException ex) {
        log.error("generateToken", ex);
        // BAD MECH means we are likely to be using 1.5, fall back to Kerberos MECH.
        // Rethrow any other exception.
        if (ex.getMajor() == GSSException.BAD_MECH) {
          log.debug("GSSException BAD_MECH, retry with Kerberos MECH");
          tryKerberos = true;
        } else {
          throw ex;
        }
      }
      if (tryKerberos) {
        /* Kerberos v5 GSS-API mechanism defined in RFC 1964.*/
        log.debug("Using Kerberos MECH " + KERBEROS_OID);
        negotiationOid = new Oid(KERBEROS_OID);
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName = manager.createName("HTTP/" + authServer, null);
        gssContext =
            manager.createContext(
                serverName.canonicalize(negotiationOid),
                negotiationOid,
                null,
                GSSContext.DEFAULT_LIFETIME);
        gssContext.requestMutualAuth(true);
        gssContext.requestCredDeleg(true);
      }
      if (token == null) {
        token = new byte[0];
      }
      token = gssContext.initSecContext(token, 0, token.length);
      if (token == null) {
        throw new Exception("GSS security context initialization failed");
      }

      /*
       * IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
       * seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
       */
      if (spengoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
        token = spengoGenerator.generateSpnegoDERObject(token);
      }

      String tokenstr = new String(Base64.encode(token));
      if (log.isDebugEnabled()) {
        log.debug("Sending response '" + tokenstr + "' back to the auth server");
      }
      return "Negotiate " + tokenstr;
    } catch (GSSException gsse) {
      log.error("generateToken", gsse);
      if (gsse.getMajor() == GSSException.DEFECTIVE_CREDENTIAL
          || gsse.getMajor() == GSSException.CREDENTIALS_EXPIRED)
        throw new Exception(gsse.getMessage(), gsse);
      if (gsse.getMajor() == GSSException.NO_CRED) throw new Exception(gsse.getMessage(), gsse);
      if (gsse.getMajor() == GSSException.DEFECTIVE_TOKEN
          || gsse.getMajor() == GSSException.DUPLICATE_TOKEN
          || gsse.getMajor() == GSSException.OLD_TOKEN)
        throw new Exception(gsse.getMessage(), gsse);
      // other error
      throw new Exception(gsse.getMessage());
    } catch (IOException ex) {
      throw new Exception(ex.getMessage());
    }
  }