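/**
 * Authenticates {@code clientPrincipal} against the Kerberos KDC with a password, via a
 * dynamically built JAAS configuration around {@code Krb5LoginModule}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>A successful login only proves that the KDC's reply could be decrypted with the given
 *       password. If this result is used to authenticate remote users to this service, the
 *       caller must additionally obtain a service ticket and verify it against this service's
 *       own keytab; without that step an attacker able to impersonate the KDC can forge a
 *       login (classic KDC-spoofing).</li>
 *   <li>{@code password} is a {@code String} and so cannot be wiped from memory;
 *       {@code clearPass=true} only clears the login module's own copy.</li>
 *   <li>The returned Subject is expected to hold the TGT in its private credentials and is
 *       never logged out here, so the caller owns its lifetime and must not expose it.</li>
 *   <li>The failure reason written to the log comes from the KDC and may distinguish an
 *       unknown principal from a wrong password; keep it in server logs and do not echo it
 *       back to the client.</li>
 * </ul>
 *
 * @param password the password of {@code clientPrincipal}
 * @return the authenticated Subject, or {@code null} when the login failed
 */
public Subject krb5PasswordLogin(String password) {
    // JAAS entry name; it only has to be unique within the dynamic configuration built below.
    String loginModuleName = "krb5UsernamePasswordLogin";

    LOG.info(
        "Attempting kerberos authentication of user: "
            + clientPrincipal
            + " using username and password mechanism");

    // Realm, KDC and krb5.conf are deliberately not set here; they come from the JVM's
    // Kerberos configuration (java.security.krb5.* system properties or the platform
    // krb5.conf), and refreshKrb5Config=false means that configuration is read once.

    // Krb5LoginModule options: the password is supplied by the callback handler, no keytab
    // and no ticket cache are used, and storeKey=false keeps the derived long-term key out
    // of the resulting Subject.
    Map<String, String> jaasOptions = new HashMap<String, String>();
    jaasOptions.put("useKeyTab", "false");
    jaasOptions.put("storeKey", "false");
    jaasOptions.put("doNotPrompt", "false");
    jaasOptions.put("refreshKrb5Config", "false");
    jaasOptions.put("clearPass", "true");
    jaasOptions.put("useTicketCache", "false");
    LOG.debug("Dynamic jaas configuration used:" + jaasOptions.toString());

    // Build the JAAS configuration in code so no jaas.conf file has to be deployed.
    DynamicJaasConfiguration contextConfig = new DynamicJaasConfiguration();
    contextConfig.addAppConfigEntry(
        loginModuleName,
        "com.sun.security.auth.module.Krb5LoginModule",
        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
        jaasOptions);

    try {
      // The entry name passed here must match the one registered in contextConfig above.
      LoginContext loginCtx =
          new LoginContext(
              loginModuleName,
              null,
              new LoginUsernamePasswordHandler(clientPrincipal, password),
              contextConfig);
      loginCtx.login();
      Subject clientSubject = loginCtx.getSubject();
      String loggedInUser = principalNameFromSubject(clientSubject);
      LOG.info(
          "SUCCESSFUL LOGIN for user: "
              + loggedInUser
              + " using username and password mechanism.");
      return clientSubject;
    } catch (LoginException le) {
      // A rejected login is normal operation, not an application error, hence INFO. The
      // stack trace goes through the logger at DEBUG rather than to stderr so it is
      // subject to the same retention and access controls as the rest of the log.
      LOG.info(
          "LOGIN FAILED for user: "
              + clientPrincipal
              + " using username and password mechanism. Reason: "
              + le.toString());
      LOG.debug("Kerberos username/password login failure detail", le);
      return null;
    }
  }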
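  /**
   * Logs {@code clientPrincipal} in non-interactively using the keys in a keytab file, via a
   * dynamically built JAAS configuration around {@code Krb5LoginModule}.
   *
   * <p>Because {@code storeKey=true} is set, the returned Subject is expected to carry the
   * principal's long-term key in its private credentials so the server side can later accept
   * tickets. That makes the Subject as sensitive as the keytab file itself: never log,
   * serialize or hand it to per-request or user-facing code.
   *
   * @param keytab path of the keytab file holding {@code clientPrincipal}'s keys; the path is
   *     written to the log, so it must not embed secrets
   * @return the authenticated Subject, or {@code null} when the login failed
   */
  public Subject krb5KeytabLogin(String keytab) {
    // JAAS entry name; it only has to be unique within the dynamic configuration built below.
    String loginModuleName = "krb5NonInteractiveClientLogin";

    LOG.info("Attempting kerberos login of user: " + clientPrincipal + " using keytab: " + keytab);

    // NOTE(review): if keytab is null, Krb5LoginModule presumably falls back to the JDK's
    // default keytab location rather than failing fast — confirm, or reject null upstream.
    Map<String, String> jaasOptions = new HashMap<String, String>();
    jaasOptions.put("useKeyTab", "true");
    jaasOptions.put("keyTab", keytab);
    jaasOptions.put("principal", clientPrincipal);
    // storeKey must be true for the server-side login to work later; see the class comment on
    // how sensitive this makes the Subject.
    jaasOptions.put("storeKey", "true");
    // System credential: never fall back to prompting if the keytab does not work.
    jaasOptions.put("doNotPrompt", "true");
    jaasOptions.put("refreshKrb5Config", "false");
    jaasOptions.put("clearPass", "true");
    jaasOptions.put("useTicketCache", "false");
    LOG.debug("Dynamic jaas configuration used:" + jaasOptions.toString());

    // Build the JAAS configuration in code so no jaas.conf file has to be deployed.
    DynamicJaasConfiguration contextConfig = new DynamicJaasConfiguration();
    contextConfig.addAppConfigEntry(
        loginModuleName,
        "com.sun.security.auth.module.Krb5LoginModule",
        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
        jaasOptions);
    try {
      // With useKeyTab=true and doNotPrompt=true the callback handler should never be
      // consulted; NonInteractiveCallbackHandler throws if it is, which turns any
      // unexpected prompt into a failed login instead of a hang.
      LoginContext loginCtx =
          new LoginContext(
              loginModuleName, null, new NonInteractiveCallbackHandler(), contextConfig);
      loginCtx.login();
      Subject clientSubject = loginCtx.getSubject();
      String loggedInUser = principalNameFromSubject(clientSubject);
      LOG.info("SUCCESSFUL LOGIN for user: " + loggedInUser + " using keytab: " + keytab);
      return clientSubject;
    } catch (LoginException le) {
      // A rejected login is logged at INFO; the stack trace goes through the logger at
      // DEBUG rather than to stderr so it shares the log's retention and access controls.
      LOG.info(
          "LOGIN FAILED for user: "
              + clientPrincipal
              + " using keytab: "
              + keytab
              + " Reason: "
              + le.toString());
      LOG.debug("Kerberos keytab login failure detail", le);
      return null;
    }
  }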
  /**
   * Phase one of the JAAS login protocol: obtain the user's credentials and verify them
   * against the configured LDAP directory.
   *
   * <p>The order of attempts is driven by the module options:
   * <ul>
   *   <li>{@code tryFirstPass}: use the name and password from the shared state; if that is
   *       rejected, clean up and fall through to prompting.</li>
   *   <li>{@code useFirstPass}: use the shared state only; a rejection is propagated.</li>
   *   <li>otherwise (or after a rejected {@code tryFirstPass}): prompt through the callback
   *       handler.</li>
   * </ul>
   *
   * <p>With {@code debug} set, progress is printed to {@code System.out}, including the
   * directory URL and, for a rejected {@code tryFirstPass}, the exception text. Keep debug
   * off in production unless stdout is protected like a log file.
   *
   * @return {@code true} always, since this {@code LoginModule} must not be ignored
   * @exception FailedLoginException if the credentials are rejected
   * @exception LoginException if no directory is configured or authentication cannot be
   *     performed
   */
  public boolean login() throws LoginException {

    if (userProvider == null) {
      throw new LoginException("Unable to locate the LDAP directory service");
    }
    ldapDebug("user provider: " + userProvider);

    if (tryFirstPass) {
      LoginException sharedStateFailure = runAttempt(true, "tryFirstPass");
      if (sharedStateFailure == null) {
        return true;
      }
      // Rejected: report it and fall through to prompting below.
      ldapDebug("tryFirstPass failed: " + sharedStateFailure.toString());
    } else if (useFirstPass) {
      LoginException sharedStateFailure = runAttempt(true, "useFirstPass");
      if (sharedStateFailure == null) {
        return true;
      }
      ldapDebug("useFirstPass failed");
      throw sharedStateFailure;
    }

    LoginException promptFailure = runAttempt(false, "authentication");
    if (promptFailure == null) {
      return true;
    }
    ldapDebug("authentication failed");
    throw promptFailure;
  }

  /**
   * Runs a single authentication attempt. On success marks the module as succeeded, prints
   * the phase's debug line and returns {@code null}; on rejection calls {@code cleanState()}
   * and returns the exception for the caller to report or rethrow.
   */
  private LoginException runAttempt(boolean fromSharedState, String phase) {
    try {
      attemptAuthentication(fromSharedState);
    } catch (LoginException le) {
      cleanState();
      return le;
    }
    succeeded = true;
    ldapDebug(phase + " succeeded");
    return null;
  }

  /** Prints one debug line in this module's usual format when {@code debug} is set. */
  private void ldapDebug(String message) {
    if (debug) {
      System.out.println("\t\t[LdapLoginModule] " + message);
    }
  }