public Subject krb5PasswordLogin(String password) {
String loginModuleName = "krb5UsernamePasswordLogin";
LOG.info(
"Attempting kerberos authentication of user: "******" using username and password mechanism");
// Set the domain to realm and the kdc
// System.setProperty("java.security.krb5.realm", "JTLAN.CO.UK");
// System.setProperty("java.security.krb5.kdc", "jtserver.jtlan.co.uk");
// System.setProperty("java.security.krb5.conf",
// "/home/turnerj/git/servlet-security-filter/KerberosSecurityFilter/src/main/resources/krb5.conf");
// Form jaasOptions map
Map<String, String> jaasOptions = new HashMap<String, String>();
jaasOptions.put("useKeyTab", "false");
jaasOptions.put("storeKey", "false");
jaasOptions.put("doNotPrompt", "false");
jaasOptions.put("refreshKrb5Config", "false");
jaasOptions.put("clearPass", "true");
jaasOptions.put("useTicketCache", "false");
LOG.debug("Dynamic jaas configuration used:" + jaasOptions.toString());
// Create dynamic jaas config
DynamicJaasConfiguration contextConfig = new DynamicJaasConfiguration();
contextConfig.addAppConfigEntry(
loginModuleName,
"com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
jaasOptions);
try {
/*
* Create login context using dynamic config
* The "krb5UsernamePasswordLogin" needs to correspond to a configuration in the jaas config.
*/
LoginContext loginCtx =
new LoginContext(
loginModuleName,
null,
new LoginUsernamePasswordHandler(clientPrincipal, password),
contextConfig);
loginCtx.login();
Subject clientSubject = loginCtx.getSubject();
String loggedInUser = principalNameFromSubject(clientSubject);
LOG.info(
"SUCCESSFUL LOGIN for user: "******" using username and password mechanism.");
return clientSubject;
} catch (LoginException le) {
le.printStackTrace();
// Failed logins are not an application error so the following line is at info level.
LOG.info(
"LOGIN FAILED for user: "******" using username and password mechanism. Reason: "
+ le.toString());
return null;
}
}
/**
* Tries to login the user. If username as well as password are correctly spelled this method
* returns the PatientSearch-Site, if not the Login-Failed Site will be returned.
*
* @return correct login: PatientSearch, else LoginFailed
* @throws Exception
*/
public String login() throws Exception {
// FacesContext fc = FacesContext.getCurrentInstance().getExternalContext().getResponse();
// HttpServletResponse resp =
// (HttpServletResponse)FacesContext.getCurrentInstance().getExternalContext().getResponse();
// resp.
// fc.getMessages().
// throw new Exception();
// TODO: facesContext - register new Error
try {
LoginContext lc = new LoginContext("Test");
lc.login();
} catch (LoginException e) {
e.printStackTrace();
} finally {
return "/errorPage.xhtml";
}
// File f = null;
// f.getName();
// if(findUser(username, password)){
// return "loginAccepted";
// }
// else{
// return "loginDenied";
// }
// if(findUser(username, password)){
// return "/patientSearch.xhtml";
// }
// else{
// return "/loginFalse.xhtml";
// }
}
/** @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response) */
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
HttpSession httpSession = request.getSession();
LoginContext lc = (LoginContext) httpSession.getAttribute("LoginContext");
try {
System.out.println("INVOCO IL LOGOUT");
lc.logout();
} catch (LoginException e) {
e.printStackTrace();
}
response.sendRedirect(response.encodeRedirectURL("/JAAS_XACML_Exercise2/public/logout.jsp"));
}
public Subject krb5KeytabLogin(String keytab) {
String loginModuleName = "krb5NonInteractiveClientLogin";
LOG.info("Attempting kerberos login of user: "******" using keytab: " + keytab);
// Form jaasOptions map
Map<String, String> jaasOptions = new HashMap<String, String>();
jaasOptions.put("useKeyTab", "true");
jaasOptions.put("keyTab", keytab);
jaasOptions.put("principal", clientPrincipal);
jaasOptions.put("storeKey", "true"); // Need this to be true for when the server side logs in.
jaasOptions.put("doNotPrompt", "true");
jaasOptions.put("refreshKrb5Config", "false");
jaasOptions.put("clearPass", "true");
jaasOptions.put("useTicketCache", "false");
LOG.debug("Dynamic jaas configuration used:" + jaasOptions.toString());
// Create dynamic jaas config
DynamicJaasConfiguration contextConfig = new DynamicJaasConfiguration();
contextConfig.addAppConfigEntry(
loginModuleName,
"com.sun.security.auth.module.Krb5LoginModule",
AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
jaasOptions);
try {
/*
* The nonInteractiveCallbackHandler should not be needed as the jaas config sets the client to use keytab file and not prompt the user.
* Therefore this is suitable for system authentication. if the callback handler is used the nonInteractiveCallbackHandler just throws exceptions.
*/
LoginContext loginCtx =
new LoginContext(
loginModuleName, null, new NonInteractiveCallbackHandler(), contextConfig);
loginCtx.login();
Subject clientSubject = loginCtx.getSubject();
String loggedInUser = principalNameFromSubject(clientSubject);
LOG.info("SUCCESSFUL LOGIN for user: "******" using keytab: " + keytab);
return clientSubject;
} catch (LoginException le) {
LOG.info(
"LOGIN FAILED for user: "******" using keytab: "
+ keytab
+ " Reason: "
+ le.toString());
le.printStackTrace();
return null;
}
}
private static void testPerformAs() {
try {
// performAs("service/[email protected]",
// "/apps/workgroup-audit/keytab/keytab.workgroup-audit", new Dummy("phoebe"));
// performAs("service/[email protected]", "/etc/krb5.keytab", new
// DummyAction("phoebe"));
// performAs("ldap/[email protected]", "/etc/krb5.keytab", new SearchAction());
performAs("ldap/[email protected]", "/etc/krb5.keytab", new SearchAction());
} catch (LoginException le) {
le.printStackTrace();
} catch (PrivilegedActionException pae) {
Exception e = pae.getException();
System.out.println("exception msg is: " + e.getMessage());
e.printStackTrace();
}
}
/**
* The instance method checks if for the given user the password is correct. The test itself is
* done with
*
* @param _name name of the person name to check
* @param _passwd password of the person to check
* @see #checkLogin
*/
protected boolean checkLogin(final String _name, final String _passwd) {
boolean ret = false;
try {
LoginContext login =
new LoginContext(this.application, new LoginCallBackHandler(_name, _passwd));
login.login();
Person person = null;
for (JAASSystem system : JAASSystem.getAllJAASSystems()) {
Set users = login.getSubject().getPrincipals(system.getPersonJAASPrincipleClass());
System.out.println("---------------------->users=" + users);
for (Object persObj : users) {
try {
String persKey = (String) system.getPersonMethodKey().invoke(persObj, null);
Person foundPerson = Person.getWithJAASKey(system, persKey);
if (foundPerson == null) {
// TODO: JAASKey for person must be added!!!
} else if (person == null) {
person = foundPerson;
} else if (person.getId() != foundPerson.getId()) {
LOG.error(
"For JAAS system "
+ system.getName()
+ " "
+ "person with key '"
+ persKey
+ "' is not unique!"
+ "Have found person '"
+ person.getName()
+ "' "
+ "(id = "
+ person.getId()
+ ") and person "
+ "'"
+ foundPerson.getName()
+ "' "
+ "(id = "
+ foundPerson.getId()
+ ").");
// TODO: throw exception!!
}
} catch (IllegalAccessException e) {
LOG.error("could not execute person key method for system " + system.getName(), e);
// TODO: throw exception!!
} catch (IllegalArgumentException e) {
LOG.error("could not execute person key method for system " + system.getName(), e);
// TODO: throw exception!!
} catch (InvocationTargetException e) {
LOG.error("could not execute person key method for system " + system.getName(), e);
// TODO: throw exception!!
}
}
}
if (person == null) {
for (JAASSystem system : JAASSystem.getAllJAASSystems()) {
Set users = login.getSubject().getPrincipals(system.getPersonJAASPrincipleClass());
for (Object persObj : users) {
try {
String persKey = (String) system.getPersonMethodKey().invoke(persObj, null);
if (person == null) {
person = Person.createPerson(system, persKey, persKey);
} else {
person.assignToJAASSystem(system, persKey);
}
} catch (IllegalAccessException e) {
LOG.error("could not execute person key method for system " + system.getName(), e);
// TODO: throw exception!!
} catch (IllegalArgumentException e) {
LOG.error("could not execute person key method for system " + system.getName(), e);
// TODO: throw exception!!
} catch (InvocationTargetException e) {
LOG.error("could not execute person key method for system " + system.getName(), e);
// TODO: throw exception!!
}
}
}
}
person.cleanUp();
for (JAASSystem system : JAASSystem.getAllJAASSystems()) {
if (system.getRoleJAASPrincipleClass() != null) {
Set rolesJaas = login.getSubject().getPrincipals(system.getRoleJAASPrincipleClass());
Set<Role> rolesEfaps = new HashSet<Role>();
for (Object roleObj : rolesJaas) {
try {
String roleKey = (String) system.getRoleMethodKey().invoke(roleObj, null);
Role roleEfaps = Role.getWithJAASKey(system, roleKey);
if (roleEfaps != null) {
rolesEfaps.add(roleEfaps);
}
} catch (IllegalAccessException e) {
LOG.error("could not execute role key method for system " + system.getName(), e);
} catch (IllegalArgumentException e) {
LOG.error("could not execute role key method for system " + system.getName(), e);
} catch (InvocationTargetException e) {
LOG.error("could not execute role key method for system " + system.getName(), e);
}
}
person.setRoles(system, rolesEfaps);
}
}
ret = true;
} catch (EFapsException e) {
e.printStackTrace();
LOG.error("login failed for '" + _name + "'", e);
} catch (LoginException e) {
e.printStackTrace();
LOG.error("login failed for '" + _name + "'", e);
}
return ret;
}
