/** @since 4.4 */
protected byte[] generateGSSToken(
final byte[] input, final Oid oid, final String authServer, final Credentials credentials)
throws GSSException {
byte[] inputBuff = input;
if (inputBuff == null) {
inputBuff = new byte[0];
}
final GSSManager manager = getManager();
final GSSName serverName =
manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
final GSSCredential gssCredential;
if (credentials instanceof KerberosCredentials) {
gssCredential = ((KerberosCredentials) credentials).getGSSCredential();
} else {
gssCredential = null;
}
final GSSContext gssContext =
manager.createContext(
serverName.canonicalize(oid), oid, gssCredential, GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
return gssContext.initSecContext(inputBuff, 0, inputBuff.length);
}
private String getEncodedKerberosTicket(boolean spnego) throws Exception {
System.setProperty("java.security.auth.login.config", "src/test/resources/kerberos.jaas");
System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true");
Oid kerberos5Oid = null;
if (spnego) {
kerberos5Oid = new Oid("1.3.6.1.5.5.2");
} else {
kerberos5Oid = new Oid("1.2.840.113554.1.2.2");
}
GSSManager manager = GSSManager.getInstance();
GSSName serverName =
manager.createName("*****@*****.**", GSSName.NT_HOSTBASED_SERVICE);
GSSContext context =
manager.createContext(
serverName.canonicalize(kerberos5Oid), kerberos5Oid, null, GSSContext.DEFAULT_LIFETIME);
context.requestCredDeleg(true);
final byte[] token = new byte[0];
String contextName = "alice";
LoginContext lc = new LoginContext(contextName);
lc.login();
byte[] ticket =
(byte[]) Subject.doAs(lc.getSubject(), new CreateServiceTicketAction(context, token));
return Base64.encode(ticket);
}
protected byte[] generateGSSToken(final byte[] input, final Oid oid, final String authServer)
throws GSSException {
byte[] token = input;
if (token == null) {
token = new byte[0];
}
final GSSManager manager = getManager();
final GSSName serverName =
manager.createName("HTTP@" + authServer, GSSName.NT_HOSTBASED_SERVICE);
final GSSContext gssContext =
manager.createContext(serverName.canonicalize(oid), oid, null, GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
return gssContext.initSecContext(token, 0, token.length);
}
public String generateToken(String authServer) throws Throwable {
try {
if (this.stripPort) {
authServer = authServer.substring(0, authServer.indexOf(":"));
}
if (log.isDebugEnabled()) {
log.debug("init " + authServer);
}
/* Using the SPNEGO OID is the correct method.
* Kerberos v5 works for IIS but not JBoss. Unwrapping
* the initial token when using SPNEGO OID looks like what is
* described here...
*
* http://msdn.microsoft.com/en-us/library/ms995330.aspx
*
* Another helpful URL...
*
* http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_token.html
*
* Unfortunately SPNEGO is JRE >=1.6.
*/
/** Try SPNEGO by default, fall back to Kerberos later if error */
negotiationOid = new Oid(SPNEGO_OID);
boolean tryKerberos = false;
try {
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName("HTTP/" + authServer, null);
gssContext =
manager.createContext(
serverName.canonicalize(negotiationOid),
negotiationOid,
null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
} catch (GSSException ex) {
log.error("generateToken", ex);
// BAD MECH means we are likely to be using 1.5, fall back to Kerberos MECH.
// Rethrow any other exception.
if (ex.getMajor() == GSSException.BAD_MECH) {
log.debug("GSSException BAD_MECH, retry with Kerberos MECH");
tryKerberos = true;
} else {
throw ex;
}
}
if (tryKerberos) {
/* Kerberos v5 GSS-API mechanism defined in RFC 1964.*/
log.debug("Using Kerberos MECH " + KERBEROS_OID);
negotiationOid = new Oid(KERBEROS_OID);
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName("HTTP/" + authServer, null);
gssContext =
manager.createContext(
serverName.canonicalize(negotiationOid),
negotiationOid,
null,
GSSContext.DEFAULT_LIFETIME);
gssContext.requestMutualAuth(true);
gssContext.requestCredDeleg(true);
}
if (token == null) {
token = new byte[0];
}
token = gssContext.initSecContext(token, 0, token.length);
if (token == null) {
throw new Exception("GSS security context initialization failed");
}
/*
* IIS accepts Kerberos and SPNEGO tokens. Some other servers Jboss, Glassfish?
* seem to only accept SPNEGO. Below wraps Kerberos into SPNEGO token.
*/
if (spengoGenerator != null && negotiationOid.toString().equals(KERBEROS_OID)) {
token = spengoGenerator.generateSpnegoDERObject(token);
}
String tokenstr = new String(Base64.encode(token));
if (log.isDebugEnabled()) {
log.debug("Sending response '" + tokenstr + "' back to the auth server");
}
return "Negotiate " + tokenstr;
} catch (GSSException gsse) {
log.error("generateToken", gsse);
if (gsse.getMajor() == GSSException.DEFECTIVE_CREDENTIAL
|| gsse.getMajor() == GSSException.CREDENTIALS_EXPIRED)
throw new Exception(gsse.getMessage(), gsse);
if (gsse.getMajor() == GSSException.NO_CRED) throw new Exception(gsse.getMessage(), gsse);
if (gsse.getMajor() == GSSException.DEFECTIVE_TOKEN
|| gsse.getMajor() == GSSException.DUPLICATE_TOKEN
|| gsse.getMajor() == GSSException.OLD_TOKEN)
throw new Exception(gsse.getMessage(), gsse);
// other error
throw new Exception(gsse.getMessage());
} catch (IOException ex) {
throw new Exception(ex.getMessage());
}
}
public void authenticate(AuthenticationProtocolClient authenticationprotocolclient, String s)
throws IOException, TerminatedStateException {
try {
logger.finest("Registering gss-ssh return messages.");
authenticationprotocolclient.registerMessage(
com.sshtools.j2ssh.authentication.SshMsgUserauthGssapiResponse.class, 60);
authenticationprotocolclient.registerMessage(
com.sshtools.j2ssh.authentication.SshMsgUserauthGssapiToken.class, 61);
authenticationprotocolclient.registerMessage(
com.sshtools.j2ssh.authentication.SshMsgUserauthGssapiError.class, 64);
authenticationprotocolclient.registerMessage(
com.sshtools.j2ssh.authentication.SshMsgUserauthGssapiErrtok.class, 65);
logger.finest("Sending gssapi user auth request.");
ByteArrayWriter bytearraywriter = new ByteArrayWriter();
bytearraywriter.writeUINT32(new UnsignedInteger32(1L));
byte abyte0[] = GSSConstants.MECH_OID.getDER();
bytearraywriter.writeBinaryString(abyte0);
logger.finest("Username:"******"gssapi", bytearraywriter.toByteArray());
authenticationprotocolclient.sendMessage(sshmsguserauthrequest);
logger.finest("Receiving user auth response:");
SshMsgUserauthGssapiResponse sshmsguserauthgssapiresponse =
(SshMsgUserauthGssapiResponse) authenticationprotocolclient.readMessage(60);
ByteArrayReader bytearrayreader =
new ByteArrayReader(sshmsguserauthgssapiresponse.getRequestData());
byte abyte1[] = bytearrayreader.readBinaryString();
if (logger.isLoggable(Level.FINEST)) {
logger.log(Level.FINEST, "Mechanism requested: " + GSSConstants.MECH_OID);
logger.log(Level.FINEST, "Mechanism selected: " + new Oid(abyte1));
logger.log(Level.FINEST, "Verify that selected mechanism is GSSAPI.");
}
if (!GSSConstants.MECH_OID.equals(new Oid(abyte1))) {
logger.warning("Mechanism do not match!");
throw new IOException("Mechanism do not match!");
}
logger.finest("Creating GSS context base on grid credentials.");
GlobusGSSManagerImpl globusgssmanagerimpl = new GlobusGSSManagerImpl();
HostAuthorization gssAuth = new HostAuthorization(null);
GSSName targetName = gssAuth.getExpectedName(null, hostname);
GSSContext gsscontext =
globusgssmanagerimpl.createContext(
targetName, new Oid(abyte1), gsscredential, GSSCredential.INDEFINITE_LIFETIME - 1);
gsscontext.requestCredDeleg(true);
gsscontext.requestMutualAuth(true);
gsscontext.requestReplayDet(true);
gsscontext.requestSequenceDet(true);
// MOD
// gsscontext.requestConf(false);
gsscontext.requestConf(true);
Object type = GSIConstants.DELEGATION_TYPE_LIMITED;
gsscontext.requestCredDeleg(false);
((ExtendedGSSContext) gsscontext).setOption(GSSConstants.DELEGATION_TYPE, type);
logger.finest("Starting GSS token exchange.");
byte abyte2[] = new byte[0];
do {
if (gsscontext.isEstablished()) break;
byte abyte3[] = gsscontext.initSecContext(abyte2, 0, abyte2.length);
if (abyte3 != null) {
ByteArrayWriter bytearraywriter1 = new ByteArrayWriter();
bytearraywriter1.writeBinaryString(abyte3);
SshMsgUserauthGssapiToken sshmsguserauthgssapitoken =
new SshMsgUserauthGssapiToken(bytearraywriter1.toByteArray());
authenticationprotocolclient.sendMessage(sshmsguserauthgssapitoken);
}
if (!gsscontext.isEstablished()) {
SshMsgUserauthGssapiToken sshmsguserauthgssapitoken1 =
(SshMsgUserauthGssapiToken) authenticationprotocolclient.readMessage(61);
ByteArrayReader bytearrayreader1 =
new ByteArrayReader(sshmsguserauthgssapitoken1.getRequestData());
abyte2 = bytearrayreader1.readBinaryString();
}
} while (true);
logger.log(Level.FINEST, "Sending gssapi exchange complete.");
SshMsgUserauthGssapiExchangeComplete sshmsguserauthgssapiexchangecomplete =
new SshMsgUserauthGssapiExchangeComplete();
authenticationprotocolclient.sendMessage(sshmsguserauthgssapiexchangecomplete);
if (logger.isLoggable(Level.FINEST)) {
logger.log(
Level.FINEST,
"Context established.\nInitiator : "
+ gsscontext.getSrcName()
+ "\nAcceptor : "
+ gsscontext.getTargName()
+ "\nLifetime : "
+ gsscontext.getLifetime()
+ "\nIntegrity : "
+ gsscontext.getIntegState()
+ "\nConfidentiality : "
+ gsscontext.getConfState()
+ "\nAnonymity : "
+ gsscontext.getAnonymityState());
}
} catch (Throwable t) {
logger.log(Level.WARNING, "Got Exception: ", t);
throw new TerminatedStateException(AuthenticationProtocolState.FAILED);
}
}
