@SuppressWarnings("unchecked") @Override protected DirContext getDirContextInstance( final @SuppressWarnings("rawtypes") Hashtable environment) throws NamingException { environment.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); Subject serviceSubject = login(); final NamingException[] suppressedException = new NamingException[] {null}; DirContext dirContext = Subject.doAs( serviceSubject, new PrivilegedAction<DirContext>() { @Override public DirContext run() { try { return KerberosLdapContextSource.super.getDirContextInstance(environment); } catch (NamingException e) { suppressedException[0] = e; return null; } } }); if (suppressedException[0] != null) { throw suppressedException[0]; } return dirContext; }
public void startup(final BrokerOptions options) throws Exception { _eventLogger = new EventLogger(new SystemOutMessageLogger()); Subject.doAs( SecurityManager.getSystemTaskSubject("Broker"), new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception { ch.qos.logback.classic.Logger logger = (ch.qos.logback.classic.Logger) LoggerFactory.getLogger(Logger.ROOT_LOGGER_NAME); if (!logger.iteratorForAppenders().hasNext()) { logger.setLevel(Level.ALL); logger.setAdditive(true); } StartupAppender startupAppender = new StartupAppender(); startupAppender.setContext(logger.getLoggerContext()); startupAppender.start(); logger.addAppender(startupAppender); try { startupImpl(options); } catch (RuntimeException e) { LOGGER.error("Exception during startup", e); startupAppender.logToConsole(); closeSystemConfigAndCleanUp(); } finally { logger.detachAppender(startupAppender); startupAppender.stop(); } return null; } }); }
public byte[] requestServiceTicket(Subject clientSubject, String servicePrincipalName) { // For some reason SPNs in the format HTTP/servicehost.domain end up as // HTTP/servicehost.domain/hostname. SPNs defined as [email protected] work fine. servicePrincipalName = servicePrincipalName.replace('/', '@'); try { Oid krb5Oid = new Oid("1.2.840.113554.1.2.2"); GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName(servicePrincipalName, GSSName.NT_HOSTBASED_SERVICE, krb5Oid); final GSSContext context = manager.createContext(serverName, krb5Oid, null, GSSContext.DEFAULT_LIFETIME); byte[] serviceTicket = Subject.doAs( clientSubject, new PrivilegedAction<byte[]>() { public byte[] run() { byte[] token = new byte[0]; // This is a one pass context initialisation. try { context.requestMutualAuth(false); context.requestCredDeleg(false); return context.initSecContext(token, 0, token.length); } catch (GSSException e) { e.printStackTrace(); return null; } } }); return serviceTicket; } catch (GSSException e) { e.printStackTrace(); return null; } }
private void continueWithEstablishedSecurityContext( Subject subject, final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException { try { Subject.doAs( subject, new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception { chain.doFilter(request, response); return null; } }); } catch (PrivilegedActionException e) { Throwable t = e.getCause(); if (t instanceof IOException) { throw (IOException) t; } else if (t instanceof ServletException) { throw (ServletException) t; } else { throw new ServletException(t); } } }
/* * (non-Javadoc) * * @see org.eclipse.equinox.app.IApplication#start(org.eclipse.equinox.app. * IApplicationContext) */ @Override public Object start(IApplicationContext context) throws Exception { while (initApp() == false) { ConfigUtil config = ConfigUtil.getInstance(); ConfigDialog configDialog = new ConfigDialog(shell, config); if (configDialog.open() == Window.CANCEL) { return EXIT_OK; } } // Setup login context String configName = Activator.getConfigurationName(); URL configUrl = Activator.getContext().getBundle().getEntry(JAAS_CONFIG_FILE); loginContext = LoginContextFactory.createContext(configName, configUrl); Integer result = null; final Display display = PlatformUI.createDisplay(); try { // Run app in secure context result = (Integer) Subject.doAs(loginContext.getSubject(), getRunAction(display)); } finally { display.dispose(); loginContext.logout(); } // TBD handle javax.security.auth.login.LoginException if (result != null && PlatformUI.RETURN_RESTART == result.intValue()) return EXIT_RESTART; return EXIT_OK; }
@Override protected EmbeddedCacheManager createCacheManager() throws Exception { final ConfigurationBuilder builder = getDefaultStandaloneCacheConfig(true); builder .indexing() .index(Index.LOCAL) .addIndexedEntity(TestEntity.class) .addProperty("default.directory_provider", "ram") .addProperty("lucene_version", "LUCENE_CURRENT") .security() .authorization() .enable() .role("admin") .role("query") .role("noquery"); return Subject.doAs( ADMIN, new PrivilegedAction<EmbeddedCacheManager>() { @Override public EmbeddedCacheManager run() { EmbeddedCacheManager ecm = TestCacheManagerFactory.createCacheManager(getSecureGlobalConfiguration(), builder); ecm.getCache(); return ecm; } }); }
public static void authenticate( PGStream pgStream, String host, String user, String password, String jaasApplicationName, String kerberosServerName, Logger logger) throws IOException, SQLException { if (logger.logDebug()) logger.debug(" <=BE AuthenticationReqGSS"); Object result = null; if (jaasApplicationName == null) jaasApplicationName = "pgjdbc"; if (kerberosServerName == null) kerberosServerName = "postgres"; try { LoginContext lc = new LoginContext(jaasApplicationName, new GSSCallbackHandler(user, password)); lc.login(); Subject sub = lc.getSubject(); PrivilegedAction action = new GssAction(pgStream, host, user, password, kerberosServerName, logger); result = Subject.doAs(sub, action); } catch (Exception e) { throw new PSQLException(GT.tr("GSS Authentication failed"), PSQLState.CONNECTION_FAILURE, e); } if (result instanceof IOException) throw (IOException) result; else if (result instanceof SQLException) throw (SQLException) result; else if (result != null) throw new PSQLException( GT.tr("GSS Authentication failed"), PSQLState.CONNECTION_FAILURE, (Exception) result); }
private String getEncodedKerberosTicket(boolean spnego) throws Exception { System.setProperty("java.security.auth.login.config", "src/test/resources/kerberos.jaas"); System.setProperty("org.apache.xml.security.ignoreLineBreaks", "true"); Oid kerberos5Oid = null; if (spnego) { kerberos5Oid = new Oid("1.3.6.1.5.5.2"); } else { kerberos5Oid = new Oid("1.2.840.113554.1.2.2"); } GSSManager manager = GSSManager.getInstance(); GSSName serverName = manager.createName("*****@*****.**", GSSName.NT_HOSTBASED_SERVICE); GSSContext context = manager.createContext( serverName.canonicalize(kerberos5Oid), kerberos5Oid, null, GSSContext.DEFAULT_LIFETIME); context.requestCredDeleg(true); final byte[] token = new byte[0]; String contextName = "alice"; LoginContext lc = new LoginContext(contextName); lc.login(); byte[] ticket = (byte[]) Subject.doAs(lc.getSubject(), new CreateServiceTicketAction(context, token)); return Base64.encode(ticket); }
@Override public void doFilter( final ServletRequest request, final ServletResponse response, final FilterChain chain) throws IOException, ServletException { HttpServletRequest httpRequest = ((HttpServletRequest) request); StringBuffer sourceUrl = httpRequest.getRequestURL(); String queryString = httpRequest.getQueryString(); if (queryString != null) { sourceUrl.append("?"); sourceUrl.append(queryString); } try { request.setAttribute( AbstractGatewayFilter.SOURCE_REQUEST_URL_ATTRIBUTE_NAME, Parser.parse(sourceUrl.toString())); } catch (URISyntaxException e) { throw new ServletException(e); } try { Subject.doAs( subject, new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { chain.doFilter(request, response); return null; } }); } catch (PrivilegedActionException e) { throw new ServletException(e); } }
public SaslServerContext( final String mech, final String serverName, final CallbackHandler callback_handler, final Map<String, String> props, final Subject subject) throws SaslException { this.subject = subject; if (this.subject != null) { try { server = Subject.doAs( this.subject, new PrivilegedExceptionAction<SaslServer>() { @Override public SaslServer run() throws Exception { return Sasl.createSaslServer( mech, "jgroups", serverName, props, callback_handler); } }); } catch (PrivilegedActionException e) { throw (SaslException) e.getCause(); // The createSaslServer will only throw this type of exception } } else { server = Sasl.createSaslServer(mech, "jgroups", serverName, props, callback_handler); } }
private Object doAs( Subject subj, java.security.PrivilegedExceptionAction action, boolean displaySubject) throws Exception { Object o = null; if (_log.isDebugEnabled() && displaySubject) { printPrincipalsInSubject(subj); } /* 1- Retrieve the current Thread's AccessControlContext via * AccessController.getContext * 2- Instantiates a new AccessControlContext using the retrieved * context along with a new SubjectDomainCombiner (constructed * using the provided Subject). * 3- Finally, invoke AccessController.doPrivileged, passing it * the provided PrivilegedAction, as well as the newly * constructed AccessControlContext. */ o = Subject.doAs(subj, action); if (_log.isDebugEnabled() && displaySubject) { _log.debug("JaasClient. doAs done "); } return o; }
protected byte[] evaluateByServer(final byte[] exchange) throws PrivilegedActionException { return Subject.doAs( serverSubject, new PrivilegedExceptionAction<byte[]>() { public byte[] run() throws Exception { return server.evaluateResponse(exchange); } }); }
protected byte[] evaluateByClient(final byte[] exchange) throws PrivilegedActionException { return Subject.doAs( clientSubject, new PrivilegedExceptionAction<byte[]>() { public byte[] run() throws Exception { return client.evaluateChallenge(exchange); } }); }
protected String getPlainTextPassword(final JDBCSettings settings) { return Subject.doAs( SecurityManager.getSubjectWithAddedSystemRights(), new PrivilegedAction<String>() { @Override public String run() { return settings.getPassword(); } }); }
@Override protected void teardown() { Subject.doAs( ADMIN, new PrivilegedAction<Void>() { @Override public Void run() { QueryAuthorizationTest.super.teardown(); return null; } }); }
@Override protected void clearContent() { Subject.doAs( ADMIN, new PrivilegedAction<Void>() { @Override public Void run() { cacheManager.getCache().clear(); return null; } }); }
public void run() { try { Subject server = subjectFactory.getSubjectForHost(getHostName(exchange)); // The AcceptSecurityContext takes over responsibility for setting the result. Subject.doAs(server, new AcceptSecurityContext(result, exchange, challenge)); } catch (GeneralSecurityException e) { e.printStackTrace(); result.setResult(new AuthenticationResult(null, AuthenticationOutcome.NOT_AUTHENTICATED)); } catch (PrivilegedActionException e) { e.printStackTrace(); result.setResult(new AuthenticationResult(null, AuthenticationOutcome.NOT_AUTHENTICATED)); } }
/** * Test for the case that UserGroupInformation.getCurrentUser() is called when the * AccessControlContext has a Subject associated with it, but that Subject was not created by * Hadoop (ie it has no associated User principal) */ @Test public void testUGIUnderNonHadoopContext() throws Exception { Subject nonHadoopSubject = new Subject(); Subject.doAs( nonHadoopSubject, new PrivilegedExceptionAction<Void>() { public Void run() throws IOException { UserGroupInformation ugi = UserGroupInformation.getCurrentUser(); assertNotNull(ugi); return null; } }); }
@Test public void testRedirectingStringPost() throws Exception { Subject s = SSLUtil.createSubject(SSL_CERT, SSL_KEY); PrivilegedExceptionAction<Object> p = new PrivilegedExceptionAction<Object>() { @Override public Object run() throws Exception { testRedirectingStringPost(baseHttpUrl); testRedirectingStringPost(baseHttpsUrl); return null; } }; Subject.doAs(s, p); }
/** * POST Parameter data to this Job. * * @param entity The Representation Entity. */ @Post public void accept(final Representation entity) { Subject subject = getSubject(); if (subject == null) // anon { doAccept(entity); } else { Subject.doAs( subject, new PrivilegedAction<Object>() { public Object run() { doAccept(entity); return null; } }); } }
/** * Run the given action as the user, potentially throwing an exception. * * @param <T> the return type of the run method * @param action the method to execute * @return the value from the run method * @throws IOException if the action throws an IOException * @throws Error if the action throws an Error * @throws RuntimeException if the action throws a RuntimeException * @throws InterruptedException if the action throws an InterruptedException * @throws UndeclaredThrowableException if the action throws something else */ public <T> T doAs(PrivilegedExceptionAction<T> action) throws IOException, InterruptedException { try { return Subject.doAs(subject, action); } catch (PrivilegedActionException pae) { Throwable cause = pae.getCause(); if (cause instanceof IOException) { throw (IOException) cause; } else if (cause instanceof Error) { throw (Error) cause; } else if (cause instanceof RuntimeException) { throw (RuntimeException) cause; } else if (cause instanceof InterruptedException) { throw (InterruptedException) cause; } else { throw new UndeclaredThrowableException(pae, "Unknown exception in doAs"); } } }
private JSONAware handleSecurely( final ServletRequestHandler pReqHandler, final HttpServletRequest pReq, final HttpServletResponse pResp) throws IOException, PrivilegedActionException { Subject subject = (Subject) pReq.getAttribute(ConfigKey.JAAS_SUBJECT_REQUEST_ATTRIBUTE); if (subject != null) { return Subject.doAs( subject, new PrivilegedExceptionAction<JSONAware>() { public JSONAware run() throws IOException { return pReqHandler.handleRequest(pReq, pResp); } }); } else { return pReqHandler.handleRequest(pReq, pResp); } }
public void testQuery() throws Exception { Policy.setPolicy(new SurefireTestingPolicy()); System.setSecurityManager(new SecurityManager()); try { Subject.doAs( QUERY, new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { queryTest(); return null; } }); } finally { System.setSecurityManager(null); Policy.setPolicy(null); } }
public static void main(String[] args) { if (args.length != 2) { System.out.println("Usage: java demo.sas.KerberosServer <ior_file> <password>"); System.exit(-1); } // login - with Kerberos LoginContext loginContext = null; try { JaasTxtCalbackHandler cbHandler = new JaasTxtCalbackHandler(); cbHandler.setMyPassword(args[1].toCharArray()); loginContext = new LoginContext("KerberosService", cbHandler); loginContext.login(); } catch (LoginException le) { System.out.println("Login error: " + le); System.exit(1); } mySubject = loginContext.getSubject(); myPrincipal = (Principal) mySubject.getPrincipals().iterator().next(); System.out.println("Found principal " + myPrincipal.getName()); // run in privileged mode final String[] finalArgs = args; try { Subject.doAs( mySubject, new PrivilegedAction() { public Object run() { try { // create application KerberosServer app = new KerberosServer(finalArgs); app.orb.run(); } catch (Exception e) { System.out.println("Error running program: " + e); } return null; } }); } catch (Exception e) { System.out.println("Error running privileged: " + e); } }
public static void performAs(String principal, String keytab, PrivilegedExceptionAction action) throws PrivilegedActionException, LoginException { LoginContext lc = null; try { // Authenticate to Kerberos. lc = Krb5Login.withKeyTab(principal, keytab); lc.login(); // Assume the identity of the authenticated principal. Subject.doAs(lc.getSubject(), action); } finally { if (lc != null) { try { lc.logout(); } catch (LoginException le) { ZimbraLog.account.warn("krb5 logout failed", le); } } } }
private void doit( final boolean get, final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException { if (jobUpdater == null) { // config error response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); response.setContentType("text/plain"); PrintWriter w = response.getWriter(); w.println("servlet is not configured to accept requests"); w.close(); return; } Subject subject = AuthenticationUtil.getSubject(request); if (subject == null) { processRequest(get, request, response); } else { try { Subject.doAs( subject, new PrivilegedExceptionAction<Object>() { public Object run() throws PrivilegedActionException { try { processRequest(get, request, response); return null; } catch (Exception ex) { throw new PrivilegedActionException(ex); } } }); } catch (PrivilegedActionException pex) { if (pex.getCause() instanceof ServletException) throw (ServletException) pex.getCause(); else if (pex.getCause() instanceof IOException) throw (IOException) pex.getCause(); else if (pex.getCause() instanceof RuntimeException) throw (RuntimeException) pex.getCause(); else throw new RuntimeException(pex.getCause()); } } }
private void authenticateToken(final byte[] kerberosToken) throws AuthLoginException, GSSException, Exception { debug.message("In authenticationToken ..."); Subject.doAs( serviceSubject, new PrivilegedExceptionAction() { public Object run() throws Exception { GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null); debug.message("Context created."); byte[] outToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length); if (outToken != null) { if (debug.messageEnabled()) { debug.message( "Token returned from acceptSecContext: \n" + DerValue.printByteArray(outToken, 0, outToken.length)); } } if (!context.isEstablished()) { debug.message("Cannot establish context !"); throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null); } else { debug.message("Context establised !"); GSSName user = context.getSrcName(); storeUsernamePasswd(user.toString(), null); if (debug.messageEnabled()) { debug.message("User authenticated: " + user.toString()); } if (user != null) { setPrincipal(user.toString()); } } context.dispose(); return null; } }); }
/** * Get Sentry authorized client to communicate with sentry server, the client can be for a * minicluster, real distributed cluster, sentry server can use policy file or it's a service. * * @param clientShortName: principal prefix string * @param clientKeyTabDir: authorization key path * @return sentry client to talk to sentry server * @throws Exception */ public static SentryPolicyServiceClient getSentryClient( String clientShortName, String clientKeyTabDir) throws Exception { if (!useSentryService) { LOGGER.info("Running on a minicluser env."); return getSentryClient(); } if (clientKerberos) { if (sentryConf == null) { sentryConf = new Configuration(false); } final String SENTRY_HOST = System.getProperty("sentry.host", SERVER_HOST); final String SERVER_KERBEROS_PRINCIPAL = "sentry/" + SENTRY_HOST + "@" + REALM; sentryConf.set(ServerConfig.PRINCIPAL, SERVER_KERBEROS_PRINCIPAL); sentryConf.set(ServerConfig.KEY_TAB, SERVER_KEY_TAB); sentryConf.set(ServerConfig.ALLOW_CONNECT, "hive"); sentryConf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "false"); sentryConf.set( ClientConfig.SERVER_RPC_ADDRESS, System.getProperty("sentry.service.server.rpc.address")); sentryConf.set( ClientConfig.SERVER_RPC_PORT, System.getProperty("sentry.service.server.rpc.port", "8038")); sentryConf.set(ClientConfig.SERVER_RPC_CONN_TIMEOUT, "720000"); // millis Subject clientSubject = getClientSubject(clientShortName, clientKeyTabDir); client = Subject.doAs( clientSubject, new PrivilegedExceptionAction<SentryPolicyServiceClient>() { @Override public SentryPolicyServiceClient run() throws Exception { return SentryServiceClientFactory.create(sentryConf); } }); } else { client = getSentryClient(); } return client; }
/** * Respond to server's SASL token. * * @param saslTokenMessage contains server's SASL token * @return client's response SASL token */ public byte[] saslResponse(SaslMessageToken saslTokenMessage) { try { final SaslMessageToken fSaslTokenMessage = saslTokenMessage; byte[] retval = Subject.doAs( subject, new PrivilegedExceptionAction<byte[]>() { public byte[] run() { try { byte[] retval = saslClient.evaluateChallenge(fSaslTokenMessage.getSaslToken()); return retval; } catch (SaslException e) { LOG.error("saslResponse: Failed to respond to SASL server's token:", e); throw new RuntimeException(e); } } }); return retval; } catch (PrivilegedActionException e) { LOG.error("Failed to generate response for token: ", e); throw new RuntimeException(e); } }
/** * Perform the JAAS login and run the command within a privileged scope. * * @param privilegedSendMessage the PrivilegedSendMessage * @return The result Document */ private Document runPrivileged(final PrivilegedSendMessage privilegedSendMessage) { final CallbackHandler handler = new ProvidedAuthCallback(username, password); Document result; try { final LoginContext lc = new LoginContext("", null, handler, new KerberosJaasConfiguration(kerberosDebug)); lc.login(); result = Subject.doAs(lc.getSubject(), privilegedSendMessage); } catch (LoginException e) { throw new WinRMRuntimeIOException( "Login failure sending message on " + getTargetURL() + " error: " + e.getMessage(), privilegedSendMessage.getRequestDocument(), null, e); } catch (PrivilegedActionException e) { throw new WinRMRuntimeIOException( "Failure sending message on " + getTargetURL() + " error: " + e.getMessage(), privilegedSendMessage.getRequestDocument(), null, e.getException()); } return result; }