org.ietf.jgss.Oid Java Examples

The following examples show how to use org.ietf.jgss.Oid. Each example is taken from the project and source file named above it.
Example #1
Source File: KerberosUtil.java — from zeppelin (Apache License 2.0)
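/**
 * Resolves a well-known GSS-API {@link Oid} by the name of the constant that
 * holds it in the JDK's internal {@code GSSUtil} class, choosing the IBM or
 * Sun/Oracle variant of that class according to {@code IBM_JAVA}.
 *
 * <p>The IBM class has no constant for the Kerberos principal name type, so
 * {@code "NT_GSS_KRB5_PRINCIPAL"} is answered with a literal OID there.
 *
 * <p>Only static fields of type {@code Oid} are returned: any other field
 * name is rejected with {@link NoSuchFieldException} instead of surfacing as
 * an unchecked {@link ClassCastException} from the cast.
 *
 * @param oidName name of the {@code GSSUtil} constant to resolve; must not be null
 * @return the resolved OID
 * @throws ClassNotFoundException if the internal GSSUtil class is unavailable
 * @throws GSSException if the literal IBM fallback OID cannot be parsed
 * @throws NoSuchFieldException if no static {@code Oid} field of that name exists
 * @throws IllegalAccessException if the field cannot be read reflectively
 */
public static Oid getOidInstance(String oidName)
  throws ClassNotFoundException, GSSException, NoSuchFieldException,
  IllegalAccessException {
  if (oidName == null) {
    throw new NullPointerException("oidName");
  }
  if (IBM_JAVA && "NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
    // IBM JDK GSSUtil class does not have field for krb5 principal oid
    return new Oid("1.2.840.113554.1.2.2.1");
  }
  String className = IBM_JAVA ? "com.ibm.security.jgss.GSSUtil" : "sun.security.jgss.GSSUtil";
  Class<?> oidClass = Class.forName(className);
  Field oidField = oidClass.getDeclaredField(oidName);
  // Restrict the reflective lookup to the Oid constants this helper exists to expose.
  if (!java.lang.reflect.Modifier.isStatic(oidField.getModifiers())
      || !Oid.class.isAssignableFrom(oidField.getType())) {
    throw new NoSuchFieldException(oidName + " is not a static Oid constant of " + className);
  }
  // Static field: the receiver argument to Field.get is ignored.
  return (Oid) oidField.get(null);
}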
 
Example #2
Source File: SpnegoLifeTime.java — from TencentKona-8 (GNU General Public License v2.0)
/**
 * Test entry point: performs a SPNEGO handshake between a JAAS-configured
 * client and server (credential delegation requested on the client side)
 * against a local {@code OneKDC}, then queries the delegated credential's
 * remaining init lifetime and usage for the SPNEGO mechanism. The return
 * values are not checked; the calls must simply complete without throwing.
 *
 * @param args unused
 * @throws Exception on any KDC, JAAS or GSS-API failure
 */
public static void main(String[] args) throws Exception {
    final Oid spnego = GSSUtil.GSS_SPNEGO_MECH_OID;
    new OneKDC(null).writeJAASConf();

    Context client = Context.fromJAAS("client");
    Context server = Context.fromJAAS("server");

    client.startAsClient(OneKDC.SERVER, spnego);
    client.x().requestCredDeleg(true);
    server.startAsServer(spnego);

    Context.handshake(client, server);

    GSSCredential delegated = server.delegated().cred();
    delegated.getRemainingInitLifetime(spnego);
    delegated.getUsage(spnego);
}
 
Example #3
Source File: KerberosUtil.java — from registry (Apache License 2.0)
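/**
 * Resolves a well-known GSS-API {@link Oid} by the name of the constant that
 * holds it in the JDK's internal {@code GSSUtil} class, choosing the IBM or
 * Sun/Oracle variant of that class according to {@code IBM_JAVA}.
 *
 * <p>The IBM class has no constant for the Kerberos principal name type, so
 * {@code "NT_GSS_KRB5_PRINCIPAL"} is answered with a literal OID there.
 *
 * <p>Only static fields of type {@code Oid} are returned: any other field
 * name is rejected with {@link NoSuchFieldException} instead of surfacing as
 * an unchecked {@link ClassCastException} from the cast.
 *
 * @param oidName name of the {@code GSSUtil} constant to resolve; must not be null
 * @return the resolved OID
 * @throws ClassNotFoundException if the internal GSSUtil class is unavailable
 * @throws GSSException if the literal IBM fallback OID cannot be parsed
 * @throws NoSuchFieldException if no static {@code Oid} field of that name exists
 * @throws IllegalAccessException if the field cannot be read reflectively
 */
public static Oid getOidInstance(String oidName)
        throws ClassNotFoundException, GSSException, NoSuchFieldException,
        IllegalAccessException {
    if (oidName == null) {
        throw new NullPointerException("oidName");
    }
    if (IBM_JAVA && "NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
        // IBM JDK GSSUtil class does not have field for krb5 principal oid
        return new Oid("1.2.840.113554.1.2.2.1");
    }
    String className = IBM_JAVA ? "com.ibm.security.jgss.GSSUtil" : "sun.security.jgss.GSSUtil";
    Class<?> oidClass = Class.forName(className);
    Field oidField = oidClass.getDeclaredField(oidName);
    // Restrict the reflective lookup to the Oid constants this helper exists to expose.
    if (!java.lang.reflect.Modifier.isStatic(oidField.getModifiers())
            || !Oid.class.isAssignableFrom(oidField.getType())) {
        throw new NoSuchFieldException(oidName + " is not a static Oid constant of " + className);
    }
    // Static field: the receiver argument to Field.get is ignored.
    return (Oid) oidField.get(null);
}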
 
Example #4
Source File: Context.java — from openjdk-jdk8u (GNU General Public License v2.0)
/**
 * Starts this context as the initiator (client) towards {@code target}.
 *
 * <p>The peer is named as a host-based service when {@code target} contains
 * {@code '@'} and with a null (default) name type otherwise. The context is
 * created under {@code mech} with this object's current {@code cred} and
 * {@link GSSContext#DEFAULT_LIFETIME}, and stored in {@code x}.
 *
 * @param target communication peer
 * @param mech GSS mechanism OID
 * @throws Exception propagated from {@code doAs} or the GSS-API
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            Oid nameType = target.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE;
            GSSName peer = manager.createName(target, nameType);
            me.x = (ExtendedGSSContext) manager.createContext(
                    peer, mech, cred, GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}
 
Example #5
Source File: OidFormat.java — from openjdk-8 (GNU General Public License v2.0)
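/**
 * Asserts that {@code s} is rejected by all three OID consumers under test:
 * {@code ObjectIdentifier}, {@link Oid}, and
 * {@link EncryptedPrivateKeyInfo} (which interprets it as an algorithm name).
 *
 * @param s the string expected to be an invalid OID
 * @throws Exception if any of the three accepts {@code s}
 */
static void testBad(String s) throws Exception {
    System.err.println("Trying " + s);
    try {
        new ObjectIdentifier(s);
        throw new Exception("should be invalid ObjectIdentifier");
    } catch (IOException ioe) {
        // expected: ObjectIdentifier reports a malformed string as IOException
        System.err.println(ioe);
    }

    try {
        new Oid(s);
        throw new Exception("should be invalid Oid");
    } catch (GSSException ignored) {
        // expected: Oid rejects the string
    }

    try {
        new EncryptedPrivateKeyInfo(s, new byte[8]);
        throw new Exception("should be invalid algorithm");
    } catch (NoSuchAlgorithmException ignored) {
        // expected: the string does not name a known algorithm
    }
}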
 
Example #6
Source File: SecurityRealmService.java — from wildfly-core (GNU Lesser General Public License v2.1)
/**
 * Acquires an accept-only GSS credential (Kerberos V5 and SPNEGO
 * mechanisms, default lifetime) as the subject bound to {@code protocol}
 * and {@code forHost}, and wraps it in a {@link GSSKerberosCredential}.
 *
 * @param protocol the protocol the credential is requested for
 * @param forHost the host the credential is requested for
 * @return the wrapped acceptor credential
 * @throws GeneralSecurityException if credential creation fails inside the
 *         privileged action; the underlying cause is preserved. When no
 *         subject identity exists for the pair, the exception produced by
 *         {@code ROOT_LOGGER.noSubjectIdentityForProtocolAndHost} is thrown.
 */
private GSSKerberosCredential getGSSKerberosCredential(final String protocol, final String forHost)
        throws GeneralSecurityException {
    final SubjectIdentity identity = getSubjectIdentity(protocol, forHost);
    if (identity == null) {
        throw ROOT_LOGGER.noSubjectIdentityForProtocolAndHost(protocol, forHost);
    }

    final GSSManager manager = GSSManager.getInstance();
    final PrivilegedExceptionAction<GSSCredential> acquire = () -> manager.createCredential(
            null,
            GSSCredential.DEFAULT_LIFETIME,
            new Oid[] { KERBEROS_V5, SPNEGO },
            GSSCredential.ACCEPT_ONLY);
    try {
        GSSCredential acceptor = Subject.doAs(identity.getSubject(), acquire);
        return new GSSKerberosCredential(acceptor);
    } catch (PrivilegedActionException e) {
        throw new GeneralSecurityException(e.getCause());
    }
}
 
Example #7
Source File: Context.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Starts this context as the initiator (client) towards {@code target}.
 *
 * <p>The peer is named as a host-based service when {@code target} contains
 * {@code '@'} and with a null (default) name type otherwise. The context is
 * created under {@code mech} with this object's current {@code cred} and
 * {@link GSSContext#DEFAULT_LIFETIME}, and stored in {@code x}.
 *
 * @param target communication peer
 * @param mech GSS mechanism OID
 * @throws Exception propagated from {@code doAs} or the GSS-API
 */
public void startAsClient(final String target, final Oid mech) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            Oid nameType = target.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE;
            GSSName peer = manager.createName(target, nameType);
            me.x = (ExtendedGSSContext) manager.createContext(
                    peer, mech, cred, GSSContext.DEFAULT_LIFETIME);
            return null;
        }
    }, null);
}
 
Example #8
Source File: Context.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Starts this context as an acceptor (server) for the given service name.
 *
 * <p>A null {@code name} is passed through to {@code createCredential} as a
 * null {@link GSSName}. Otherwise the name is created as a host-based
 * service name when it contains {@code '@'} and with a null (default) name
 * type when it does not. The credential is acquired with
 * {@link GSSCredential#INDEFINITE_LIFETIME} under {@code mech}, stored in
 * {@code cred}, and the acceptor context built from it is stored in {@code x}.
 *
 * @param name the service name, or null
 * @param mech GSS mechanism OID
 * @param asInitiator if true the credential is acquired with
 *        {@code INITIATE_AND_ACCEPT} usage, otherwise {@code ACCEPT_ONLY}
 * @throws Exception propagated from {@code doAs} or the GSS-API
 */
public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception {
    doAs(new Action() {
        @Override
        public byte[] run(Context me, byte[] dummy) throws Exception {
            GSSManager manager = GSSManager.getInstance();
            GSSName serviceName = null;
            if (name != null) {
                Oid nameType = name.indexOf('@') < 0 ? null : GSSName.NT_HOSTBASED_SERVICE;
                serviceName = manager.createName(name, nameType);
            }
            int usage = asInitiator
                    ? GSSCredential.INITIATE_AND_ACCEPT
                    : GSSCredential.ACCEPT_ONLY;
            me.cred = manager.createCredential(
                    serviceName, GSSCredential.INDEFINITE_LIFETIME, mech, usage);
            me.x = (ExtendedGSSContext) manager.createContext(me.cred);
            return null;
        }
    }, null);
}
 
Example #9
Source File: SpnegoLifeTime.java — from jdk8u-jdk (GNU General Public License v2.0)
/**
 * Test entry point: performs a SPNEGO handshake between a JAAS-configured
 * client and server (credential delegation requested on the client side)
 * against a local {@code OneKDC}, then queries the delegated credential's
 * remaining init lifetime and usage for the SPNEGO mechanism. The return
 * values are not checked; the calls must simply complete without throwing.
 *
 * @param args unused
 * @throws Exception on any KDC, JAAS or GSS-API failure
 */
public static void main(String[] args) throws Exception {
    final Oid spnego = GSSUtil.GSS_SPNEGO_MECH_OID;
    new OneKDC(null).writeJAASConf();

    Context client = Context.fromJAAS("client");
    Context server = Context.fromJAAS("server");

    client.startAsClient(OneKDC.SERVER, spnego);
    client.x().requestCredDeleg(true);
    server.startAsServer(spnego);

    Context.handshake(client, server);

    GSSCredential delegated = server.delegated().cred();
    delegated.getRemainingInitLifetime(spnego);
    delegated.getUsage(spnego);
}
 
Example #10
Source File: KerberosUtil.java — from big-c (Apache License 2.0)
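/**
 * Resolves a well-known GSS-API {@link Oid} by the name of the constant that
 * holds it in the JDK's internal {@code GSSUtil} class, choosing the IBM or
 * Sun/Oracle variant of that class according to {@code IBM_JAVA}.
 *
 * <p>The IBM class has no constant for the Kerberos principal name type, so
 * {@code "NT_GSS_KRB5_PRINCIPAL"} is answered with a literal OID there.
 *
 * <p>Only static fields of type {@code Oid} are returned: any other field
 * name is rejected with {@link NoSuchFieldException} instead of surfacing as
 * an unchecked {@link ClassCastException} from the cast.
 *
 * @param oidName name of the {@code GSSUtil} constant to resolve; must not be null
 * @return the resolved OID
 * @throws ClassNotFoundException if the internal GSSUtil class is unavailable
 * @throws GSSException if the literal IBM fallback OID cannot be parsed
 * @throws NoSuchFieldException if no static {@code Oid} field of that name exists
 * @throws IllegalAccessException if the field cannot be read reflectively
 */
public static Oid getOidInstance(String oidName)
    throws ClassNotFoundException, GSSException, NoSuchFieldException,
    IllegalAccessException {
  if (oidName == null) {
    throw new NullPointerException("oidName");
  }
  if (IBM_JAVA && "NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
    // IBM JDK GSSUtil class does not have field for krb5 principal oid
    return new Oid("1.2.840.113554.1.2.2.1");
  }
  String className = IBM_JAVA ? "com.ibm.security.jgss.GSSUtil" : "sun.security.jgss.GSSUtil";
  Class<?> oidClass = Class.forName(className);
  Field oidField = oidClass.getDeclaredField(oidName);
  // Restrict the reflective lookup to the Oid constants this helper exists to expose.
  if (!java.lang.reflect.Modifier.isStatic(oidField.getModifiers())
      || !Oid.class.isAssignableFrom(oidField.getType())) {
    throw new NoSuchFieldException(oidName + " is not a static Oid constant of " + className);
  }
  // Static field: the receiver argument to Field.get is ignored.
  return (Oid) oidField.get(null);
}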
 
Example #11
Source File: OidFormat.java — from jdk8u60 (GNU General Public License v2.0)
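/**
 * Asserts that {@code s} is rejected by all three OID consumers under test:
 * {@code ObjectIdentifier}, {@link Oid}, and
 * {@link EncryptedPrivateKeyInfo} (which interprets it as an algorithm name).
 *
 * @param s the string expected to be an invalid OID
 * @throws Exception if any of the three accepts {@code s}
 */
static void testBad(String s) throws Exception {
    System.err.println("Trying " + s);
    try {
        new ObjectIdentifier(s);
        throw new Exception("should be invalid ObjectIdentifier");
    } catch (IOException ioe) {
        // expected: ObjectIdentifier reports a malformed string as IOException
        System.err.println(ioe);
    }

    try {
        new Oid(s);
        throw new Exception("should be invalid Oid");
    } catch (GSSException ignored) {
        // expected: Oid rejects the string
    }

    try {
        new EncryptedPrivateKeyInfo(s, new byte[8]);
        throw new Exception("should be invalid algorithm");
    } catch (NoSuchAlgorithmException ignored) {
        // expected: the string does not name a known algorithm
    }
}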
 
Example #12
Source File: Kerb5Context.java — from jcifs-ng (GNU Lesser General Public License v2.1)
/**
 * Builds a Kerberos (krb5 mechanism) GSS context towards {@code service} on
 * {@code host}.
 *
 * <p>With a realm the target is named {@code service/host@realm} using the
 * Kerberos name type {@code JGSS_KRB5_NAME_OID}; without one it is
 * {@code service@host} as a host-based service name. When {@code name} is
 * given, an initiate-only credential for that user is acquired and passed to
 * the context; otherwise the context is created with a null credential.
 *
 * <p>Flags requested on the new context: mutual authentication and
 * credential delegation are requested; anonymity, sequence detection,
 * confidentiality, integrity and replay detection are explicitly not.
 * Delegation asks the mechanism to forward the initiator's credential to the
 * service, and it is requested here unconditionally.
 *
 * @param host target host
 * @param service target service name
 * @param name client user name, or null for no explicit client credential
 * @param userLifetime requested credential lifetime (used only when {@code name} is set)
 * @param contextLifetime requested context lifetime
 * @param realm Kerberos realm, or null to use host-based naming
 * @throws GSSException on any GSS-API failure
 */
Kerb5Context ( String host, String service, String name, int userLifetime, int contextLifetime, String realm ) throws GSSException {
    GSSManager manager = GSSManager.getInstance();
    Oid mechOid = JGSS_KRB5_MECH_OID;

    String target;
    Oid targetType;
    if ( realm != null ) {
        target = service + "/" + host + "@" + realm;
        targetType = JGSS_KRB5_NAME_OID;
    }
    else {
        target = service + "@" + host;
        targetType = GSSName.NT_HOSTBASED_SERVICE;
    }
    this.serviceName = manager.createName(target, targetType, mechOid);

    if ( log.isDebugEnabled() ) {
        log.debug("Service name is " + this.serviceName);
    }

    GSSCredential clientCreds = null;
    if ( name != null ) {
        this.clientName = manager.createName(name, GSSName.NT_USER_NAME, mechOid);
        clientCreds = manager.createCredential(this.clientName, userLifetime, mechOid, GSSCredential.INITIATE_ONLY);
    }
    else {
        this.clientName = null;
    }

    this.gssContext = manager.createContext(this.serviceName, mechOid, clientCreds, contextLifetime);

    // services explicitly not requested on this context
    this.gssContext.requestAnonymity(false);
    this.gssContext.requestSequenceDet(false);
    this.gssContext.requestConf(false);
    this.gssContext.requestInteg(false);
    this.gssContext.requestReplayDet(false);

    // per spec these should be set
    this.gssContext.requestMutualAuth(true);
    this.gssContext.requestCredDeleg(true);
}
 
Example #13
Source File: S4U2selfGSS.java — from openjdk-jdk8u (GNU General Public License v2.0)
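/**
 * Test entry point: exercises S4U2self followed by S4U2proxy through the
 * GSS-API. The KDC allows USER to perform S4U2self and to proxy to SERVER;
 * the client then impersonates USER2, authenticates to the server, and both
 * sides must report USER2 as the source name.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or if
 *         the impersonated name does not appear on both sides
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.USER + "@" + OneKDC.REALM));
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.USER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);

    // Let the GSS-API acquire credentials itself rather than only from the
    // current Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    Context c = Context.fromThinAir();
    Context s = Context.fromThinAir();

    c = c.impersonate(OneKDC.USER2);

    c.startAsClient(OneKDC.SERVER, mech);
    s.startAsServer(mech);

    Context.handshake(c, s);

    // Both ends must see the impersonated user, not the original client.
    String n1 = c.x().getSrcName().toString().split("@")[0];
    String n2 = s.x().getSrcName().toString().split("@")[0];
    if (!n1.equals(OneKDC.USER2) || !n2.equals(OneKDC.USER2)) {
        throw new Exception("Impersonate failed");
    }

    s.dispose();
    c.dispose();
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}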
 
Example #14
Source File: GSSLibStub.java — from hottub (GNU General Public License v2.0)
/**
 * Returns the stub cached in {@code table} for {@code mech}, creating and
 * caching a new one on first use.
 *
 * <p>NOTE(review): the get-then-put is not atomic. If {@code table} is not
 * synchronized, or if two threads race on the same mechanism, each may
 * construct its own stub and the later put wins — confirm that is acceptable
 * for the native stub.
 *
 * @param mech mechanism OID the stub is for
 * @return the cached or newly created stub
 * @throws GSSException if constructing a new stub fails
 */
static GSSLibStub getInstance(Oid mech) throws GSSException {
    GSSLibStub cached = table.get(mech);
    if (cached != null) {
        return cached;
    }
    GSSLibStub created = new GSSLibStub(mech);
    table.put(mech, created);
    return created;
}
 
Example #15
Source File: S4U2selfAsServer.java — from openjdk-jdk8u (GNU General Public License v2.0)
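/**
 * Test entry point: exercises S4U2self followed by S4U2proxy from a service
 * that started as an acceptor. The KDC is configured with pre-authentication
 * not required, SERVER allowed to proxy to BACKEND, and SERVER allowed to
 * perform S4U2self. The server context impersonates USER and completes a
 * handshake with the backend twice.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or on
 *         any KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.SERVER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));

    Context s = Context.fromJAAS("server");
    Context b = Context.fromJAAS("backend");

    // Accept-only credential for the server (null name, not an initiator).
    s.startAsServer(null, mech, false);

    Context p = s.impersonate(OneKDC.USER);

    // Two identical rounds against the backend; presumably the second checks
    // that the impersonated context can be used again — the test does not say.
    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);

    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}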
 
Example #16
Source File: JgssIntegrationTest.java — from tutorials (MIT License)
/**
 * Creates the two contexts used by each test: an acceptor context with a
 * null credential in {@code serverContext}, and an initiator context in
 * {@code clientContext} targeting {@code SERVER_PRINCIPAL} under the
 * mechanism {@code MECHANISM}, with mutual authentication, confidentiality
 * and integrity requested.
 *
 * @throws SaslException declared by the fixture
 * @throws GSSException if name or context creation fails
 */
@Before
public void setUp() throws SaslException, GSSException {
    GSSManager manager = GSSManager.getInstance();
    serverContext = manager.createContext((GSSCredential) null);

    GSSName target = manager.createName(SERVER_PRINCIPAL, null);
    Oid mechanism = new Oid(MECHANISM);
    clientContext = manager.createContext(
            target, mechanism, (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
    // Ask for the full protection set on the initiator side.
    clientContext.requestMutualAuth(true);
    clientContext.requestConf(true);
    clientContext.requestInteg(true);
}
 
Example #17
Source File: S4U2selfAsServer.java — from jdk8u-jdk (GNU General Public License v2.0)
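/**
 * Test entry point: exercises S4U2self followed by S4U2proxy from a service
 * that started as an acceptor. The KDC is configured with pre-authentication
 * not required, SERVER allowed to proxy to BACKEND, and SERVER allowed to
 * perform S4U2self. The server context impersonates USER and completes a
 * handshake with the backend twice.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or on
 *         any KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.SERVER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));

    Context s = Context.fromJAAS("server");
    Context b = Context.fromJAAS("backend");

    // Accept-only credential for the server (null name, not an initiator).
    s.startAsServer(null, mech, false);

    Context p = s.impersonate(OneKDC.USER);

    // Two identical rounds against the backend; presumably the second checks
    // that the impersonated context can be used again — the test does not say.
    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);

    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}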
 
Example #18
Source File: GSSLibStub.java — from jdk8u_jdk (GNU General Public License v2.0)
/**
 * Returns the stub cached in {@code table} for {@code mech}, creating and
 * caching a new one on first use.
 *
 * <p>NOTE(review): the get-then-put is not atomic. If {@code table} is not
 * synchronized, or if two threads race on the same mechanism, each may
 * construct its own stub and the later put wins — confirm that is acceptable
 * for the native stub.
 *
 * @param mech mechanism OID the stub is for
 * @return the cached or newly created stub
 * @throws GSSException if constructing a new stub fails
 */
static GSSLibStub getInstance(Oid mech) throws GSSException {
    GSSLibStub cached = table.get(mech);
    if (cached != null) {
        return cached;
    }
    GSSLibStub created = new GSSLibStub(mech);
    table.put(mech, created);
    return created;
}
 
Example #19
Source File: GSSLibStub.java — from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Returns the stub cached in {@code table} for {@code mech}, creating and
 * caching a new one on first use.
 *
 * <p>NOTE(review): the get-then-put is not atomic. If {@code table} is not
 * synchronized, or if two threads race on the same mechanism, each may
 * construct its own stub and the later put wins — confirm that is acceptable
 * for the native stub.
 *
 * @param mech mechanism OID the stub is for
 * @return the cached or newly created stub
 * @throws GSSException if constructing a new stub fails
 */
static GSSLibStub getInstance(Oid mech) throws GSSException {
    GSSLibStub cached = table.get(mech);
    if (cached != null) {
        return cached;
    }
    GSSLibStub created = new GSSLibStub(mech);
    table.put(mech, created);
    return created;
}
 
Example #20
Source File: S4U2selfAsServer.java — from openjdk-8 (GNU General Public License v2.0)
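/**
 * Test entry point: exercises S4U2self followed by S4U2proxy from a service
 * that started as an acceptor. The KDC is configured with pre-authentication
 * not required, SERVER allowed to proxy to BACKEND, and SERVER allowed to
 * perform S4U2self. The server context impersonates USER and completes a
 * handshake with the backend twice.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or on
 *         any KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.SERVER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));

    Context s = Context.fromJAAS("server");
    Context b = Context.fromJAAS("backend");

    // Accept-only credential for the server (null name, not an initiator).
    s.startAsServer(null, mech, false);

    Context p = s.impersonate(OneKDC.USER);

    // Two identical rounds against the backend; presumably the second checks
    // that the impersonated context can be used again — the test does not say.
    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);

    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}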
 
Example #21
Source File: S4U2selfAsServer.java — from jdk8u_jdk (GNU General Public License v2.0)
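/**
 * Test entry point: exercises S4U2self followed by S4U2proxy from a service
 * that started as an acceptor. The KDC is configured with pre-authentication
 * not required, SERVER allowed to proxy to BACKEND, and SERVER allowed to
 * perform S4U2self. The server context impersonates USER and completes a
 * handshake with the backend twice.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or on
 *         any KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.SERVER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));

    Context s = Context.fromJAAS("server");
    Context b = Context.fromJAAS("backend");

    // Accept-only credential for the server (null name, not an initiator).
    s.startAsServer(null, mech, false);

    Context p = s.impersonate(OneKDC.USER);

    // Two identical rounds against the backend; presumably the second checks
    // that the impersonated context can be used again — the test does not say.
    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);

    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}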
 
Example #22
Source File: S4U2proxy.java — from openjdk-8 (GNU General Public License v2.0)
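/**
 * Test entry point: exercises S4U2proxy (constrained delegation). The KDC is
 * configured with pre-authentication not required and SERVER allowed to proxy
 * to BACKEND. A client authenticates to the server; the server's delegated
 * context is then used to complete a handshake with the backend twice.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or on
 *         any KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.SERVER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);

    Context c = Context.fromJAAS("client");
    Context s = Context.fromJAAS("server");
    Context b = Context.fromJAAS("backend");

    c.startAsClient(OneKDC.SERVER, mech);
    // Accept-only credential for the server (null name, not an initiator).
    s.startAsServer(null, mech, false);

    Context.handshake(c, s);
    // Context carrying the client's delegated credential on the server side.
    Context p = s.delegated();

    // Two identical rounds against the backend; presumably the second checks
    // that the delegated context can be used again — the test does not say.
    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);

    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}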
 
Example #23
Source File: S4U2selfGSS.java — from jdk8u-jdk (GNU General Public License v2.0)
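/**
 * Test entry point: exercises S4U2self followed by S4U2proxy through the
 * GSS-API. The KDC allows USER to perform S4U2self and to proxy to SERVER;
 * the client then impersonates USER2, authenticates to the server, and both
 * sides must report USER2 as the source name.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or if
 *         the impersonated name does not appear on both sides
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.USER + "@" + OneKDC.REALM));
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.USER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);

    // Let the GSS-API acquire credentials itself rather than only from the
    // current Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    Context c = Context.fromThinAir();
    Context s = Context.fromThinAir();

    c = c.impersonate(OneKDC.USER2);

    c.startAsClient(OneKDC.SERVER, mech);
    s.startAsServer(mech);

    Context.handshake(c, s);

    // Both ends must see the impersonated user, not the original client.
    String n1 = c.x().getSrcName().toString().split("@")[0];
    String n2 = s.x().getSrcName().toString().split("@")[0];
    if (!n1.equals(OneKDC.USER2) || !n2.equals(OneKDC.USER2)) {
        throw new Exception("Impersonate failed");
    }

    s.dispose();
    c.dispose();
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}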
 
Example #24
Source File: S4U2selfGSS.java — from TencentKona-8 (GNU General Public License v2.0)
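/**
 * Test entry point: exercises S4U2self followed by S4U2proxy through the
 * GSS-API. The KDC allows USER to perform S4U2self and to proxy to SERVER;
 * the client then impersonates USER2, authenticates to the server, and both
 * sides must report USER2 as the source name.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or if
 *         the impersonated name does not appear on both sides
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.USER + "@" + OneKDC.REALM));
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.USER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);

    // Let the GSS-API acquire credentials itself rather than only from the
    // current Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    Context c = Context.fromThinAir();
    Context s = Context.fromThinAir();

    c = c.impersonate(OneKDC.USER2);

    c.startAsClient(OneKDC.SERVER, mech);
    s.startAsServer(mech);

    Context.handshake(c, s);

    // Both ends must see the impersonated user, not the original client.
    String n1 = c.x().getSrcName().toString().split("@")[0];
    String n2 = s.x().getSrcName().toString().split("@")[0];
    if (!n1.equals(OneKDC.USER2) || !n2.equals(OneKDC.USER2)) {
        throw new Exception("Impersonate failed");
    }

    s.dispose();
    c.dispose();
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}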
 
Example #25
Source File: GSSLibStub.java — from jdk8u-dev-jdk (GNU General Public License v2.0)
/**
 * Returns the stub cached in {@code table} for {@code mech}, creating and
 * caching a new one on first use.
 *
 * <p>NOTE(review): the get-then-put is not atomic. If {@code table} is not
 * synchronized, or if two threads race on the same mechanism, each may
 * construct its own stub and the later put wins — confirm that is acceptable
 * for the native stub.
 *
 * @param mech mechanism OID the stub is for
 * @return the cached or newly created stub
 * @throws GSSException if constructing a new stub fails
 */
static GSSLibStub getInstance(Oid mech) throws GSSException {
    GSSLibStub cached = table.get(mech);
    if (cached != null) {
        return cached;
    }
    GSSLibStub created = new GSSLibStub(mech);
    table.put(mech, created);
    return created;
}
 
Example #26
Source File: S4U2selfGSS.java — from jdk8u_jdk (GNU General Public License v2.0)
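/**
 * Test entry point: exercises S4U2self followed by S4U2proxy through the
 * GSS-API. The KDC allows USER to perform S4U2self and to proxy to SERVER;
 * the client then impersonates USER2, authenticates to the server, and both
 * sides must report USER2 as the source name.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or if
 *         the impersonated name does not appear on both sides
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.USER + "@" + OneKDC.REALM));
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.USER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);

    // Let the GSS-API acquire credentials itself rather than only from the
    // current Subject.
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
    Context c = Context.fromThinAir();
    Context s = Context.fromThinAir();

    c = c.impersonate(OneKDC.USER2);

    c.startAsClient(OneKDC.SERVER, mech);
    s.startAsServer(mech);

    Context.handshake(c, s);

    // Both ends must see the impersonated user, not the original client.
    String n1 = c.x().getSrcName().toString().split("@")[0];
    String n2 = s.x().getSrcName().toString().split("@")[0];
    if (!n1.equals(OneKDC.USER2) || !n2.equals(OneKDC.USER2)) {
        throw new Exception("Impersonate failed");
    }

    s.dispose();
    c.dispose();
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}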
 
Example #27
Source File: S4U2selfAsServer.java — from openjdk-jdk9 (GNU General Public License v2.0)
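/**
 * Test entry point: exercises S4U2self followed by S4U2proxy from a service
 * that started as an acceptor. The KDC is configured with pre-authentication
 * not required, SERVER allowed to proxy to BACKEND, and SERVER allowed to
 * perform S4U2self. The server context impersonates USER and completes a
 * handshake with the backend twice.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or on
 *         any KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.SERVER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
    kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
            Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));

    Context s = Context.fromJAAS("server");
    Context b = Context.fromJAAS("backend");

    // Accept-only credential for the server (null name, not an initiator).
    s.startAsServer(null, mech, false);

    Context p = s.impersonate(OneKDC.USER);

    // Two identical rounds against the backend; presumably the second checks
    // that the impersonated context can be used again — the test does not say.
    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);

    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}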
 
Example #28
Source File: AbstractSpnegoNegotiatorTest.java — from elasticsearch-hadoop (Apache License 2.0)
/**
 * End-to-end SPNEGO negotiation between an accept-only server context built
 * directly with the GSS-API and a client-side {@code SpnegoNegotiator}, both
 * logged in from the test keytab through Hadoop's
 * {@code UserGroupInformation}. Tokens are exchanged (Base64-encoded on the
 * negotiator side) for up to 100 rounds until both ends report an
 * established context; the server must never be established while the client
 * is not. Finally the negotiator is closed and must report itself as no
 * longer established.
 *
 * @throws IOException on login/keytab errors or from the UGI {@code doAs} calls
 * @throws GSSException on GSS-API failures
 * @throws InterruptedException propagated from the UGI {@code doAs} calls
 */
@Test
public void testSuccessfulNegotiate() throws IOException, GSSException, InterruptedException {
    // Mechanisms
    final GSSManager gssManager = GSSManager.getInstance();
    final Oid spnegoOid = new Oid("1.3.6.1.5.5.2"); // SPNEGO mechanism OID

    // Configure logins
    Configuration configuration = new Configuration();
    SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, configuration);
    UserGroupInformation.setConfiguration(configuration);

    // Login as Server
    UserGroupInformation server = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_SERVER, KEYTAB_FILE.getAbsolutePath());
    final GSSName gssServicePrincipalName = gssManager.createName(KerberosSuite.PRINCIPAL_SERVER, GSSName.NT_USER_NAME);
    // Accept-only SPNEGO credential, acquired under the server's login subject.
    final GSSCredential gssServiceCredential = server.doAs(new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws Exception {
            return gssManager.createCredential(
                    gssServicePrincipalName,
                    GSSCredential.DEFAULT_LIFETIME,
                    spnegoOid,
                    GSSCredential.ACCEPT_ONLY
            );
        }
    });
    final GSSContext serverCtx = gssManager.createContext(gssServiceCredential);

    // Login as Client and Create negotiator
    UserGroupInformation client = UserGroupInformation.loginUserFromKeytabAndReturnUGI(KerberosSuite.PRINCIPAL_CLIENT, KEYTAB_FILE.getAbsolutePath());
    final SpnegoNegotiator spnegoNegotiator = client.doAs(new PrivilegedExceptionAction<SpnegoNegotiator>() {
        @Override
        public SpnegoNegotiator run() throws Exception {
            return new SpnegoNegotiator(KerberosSuite.PRINCIPAL_CLIENT, KerberosSuite.PRINCIPAL_SERVER);
        }
    });

    // Raw token handed between the two sides; empty on the first client round.
    byte[] token = new byte[0];
    boolean authenticated = false;

    // Bounded token exchange: client step, consistency check, server step.
    for (int idx = 0; idx < 100; idx++) {
        if (!spnegoNegotiator.established()) {
            // Feed the server's last token (Base64) into the negotiator, then
            // obtain the next client token and decode it for the server side.
            if (token.length > 0) {
                spnegoNegotiator.setTokenData(Base64.encodeBase64String(token));
            }
            String baseToken = client.doAs(new PrivilegedExceptionAction<String>() {
                @Override
                public String run() throws Exception {
                    return spnegoNegotiator.send();
                }
            });
            token = Base64.decodeBase64(baseToken);
        }

        // The acceptor may not complete before the initiator does.
        if (!spnegoNegotiator.established() && serverCtx.isEstablished()) {
            fail("Server is established, but client is not.");
        }

        if (!serverCtx.isEstablished()) {
            // Copy for the anonymous class; the server's reply becomes the next token.
            final byte[] currentToken = token;
            token = server.doAs(new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws Exception {
                    return serverCtx.acceptSecContext(currentToken, 0, currentToken.length);
                }
            });
        }

        if (serverCtx.isEstablished() && spnegoNegotiator.established()) {
            authenticated = true;
            break;
        }
    }

    assertThat(authenticated, is(true));
    assertThat(serverCtx.isEstablished(), is(true));
    assertThat(spnegoNegotiator.established(), is(true));

    // Closing the negotiator must drop its established state.
    spnegoNegotiator.close();
    assertThat(spnegoNegotiator.established(), is(false));
}
 
Example #29
Source File: S4U2proxy.java — from TencentKona-8 (GNU General Public License v2.0)
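/**
 * Test entry point: exercises S4U2proxy (constrained delegation). The KDC is
 * configured with pre-authentication not required and SERVER allowed to proxy
 * to BACKEND. A client authenticates to the server; the server's delegated
 * context is then used to complete a handshake with the backend twice, with
 * credential delegation additionally requested on the first round.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}
 * @throws Exception if the mechanism argument is missing or unknown, or on
 *         any KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    Oid mech = mechFromArgs(args);

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    kdc.setOption(KDC.Option.PREAUTH_REQUIRED, false);
    Map<String,List<String>> map = new HashMap<>();
    map.put(OneKDC.SERVER + "@" + OneKDC.REALM,
            Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
    kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);

    Context c = Context.fromJAAS("client");
    Context s = Context.fromJAAS("server");
    Context b = Context.fromJAAS("backend");

    c.startAsClient(OneKDC.SERVER, mech);
    // Accept-only credential for the server (null name, not an initiator).
    s.startAsServer(null, mech, false);

    Context.handshake(c, s);
    // Context carrying the client's delegated credential on the server side.
    Context p = s.delegated();

    p.startAsClient(OneKDC.BACKEND, mech);

    // 8044215: requestCredDeleg is useless and harmless
    p.x().requestCredDeleg(true);

    b.startAsServer(mech);
    Context.handshake(p, b);

    // Second round against the backend; presumably checks the delegated
    // context can be used again — the test does not say.
    p.startAsClient(OneKDC.BACKEND, mech);
    b.startAsServer(mech);
    Context.handshake(p, b);
}

/**
 * Picks the GSS mechanism named by the first command-line argument.
 *
 * @param args command-line arguments
 * @return the SPNEGO or krb5 mechanism OID
 * @throws Exception if the argument is missing or not recognised
 */
private static Oid mechFromArgs(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5)");
    }
    if (args[0].equals("spnego")) {
        return GSSUtil.GSS_SPNEGO_MECH_OID;
    }
    if (args[0].contains("krb5")) {
        return GSSUtil.GSS_KRB5_MECH_OID;
    }
    throw new Exception("Unknown mech");
}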
 
Example #30
Source File: S4U2self.java — from TencentKona-8 (GNU General Public License v2.0)
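/**
 * Test entry point: exercises S4U2self under several KDC policy settings.
 * The client impersonates USER2 and authenticates to the backend; the
 * handshake, two transmissions, and a source-name check on both sides follow.
 *
 * <p>Test case, different policy settings in KDC:
 * <pre>
 *                   |     ALLOW_S4U2SELF on
 *                   |   USER    USER2    none
 * ALLOW_S4U2PROXY   |-------------------------
 * USER to BACKEND   |   0       1        2
 * USER2 to BACKEND  |   3
 * USER to SERVER    |   4
 *      none         |   5
 * </pre>
 * Case 0 should succeed, all others fail.
 *
 * @param args {@code args[0]} selects the mechanism: {@code "spnego"}, or a
 *        value containing {@code "krb5"}; for krb5, {@code args[1]} is the
 *        test case number from the table above (spnego always runs case 0)
 * @throws Exception if the arguments are missing or unknown, if the
 *         impersonated name does not appear on both sides, or on any
 *         KDC/GSS-API failure
 */
public static void main(String[] args) throws Exception {
    if (args.length == 0) {
        throw new Exception("Missing mech argument (spnego|krb5 <testcase>)");
    }
    int test = 0;
    Oid mech;
    if (args[0].equals("spnego")) {
        mech = GSSUtil.GSS_SPNEGO_MECH_OID;
    } else if (args[0].contains("krb5")) {
        mech = GSSUtil.GSS_KRB5_MECH_OID;
        if (args.length < 2) {
            throw new Exception("Missing test case number for krb5");
        }
        test = Integer.parseInt(args[1]);
    } else {
        throw new Exception("Unknown mech");
    }

    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();
    applyS4UPolicy(kdc, test);

    Context c = Context.fromJAAS("client");

    c = c.impersonate(OneKDC.USER2);
    c.status();

    c.startAsClient(OneKDC.BACKEND, mech);

    Context s = Context.fromJAAS("backend");
    s.startAsServer(mech);

    Context.handshake(c, s);

    Context.transmit("i say high --", c, s);
    Context.transmit("   you say low", s, c);

    c.status();
    s.status();

    // Both ends must see the impersonated user, not the original client.
    String n1 = c.x().getSrcName().toString().split("@")[0];
    String n2 = s.x().getSrcName().toString().split("@")[0];
    if (!n1.equals(OneKDC.USER2) || !n2.equals(OneKDC.USER2)) {
        throw new Exception("Impersonate failed");
    }

    s.dispose();
    c.dispose();
}

/**
 * Configures the KDC's S4U2self and S4U2proxy policy for one test case from
 * the table in {@link #main}.
 *
 * @param kdc the KDC to configure
 * @param test the test case number (0–5); unknown values behave like case 0
 * @throws Exception propagated from the KDC
 */
private static void applyS4UPolicy(OneKDC kdc, int test) throws Exception {
    switch (test) {
        case 1:
            kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
                    Arrays.asList(OneKDC.USER2 + "@" + OneKDC.REALM));
            break;
        case 2:
            // No S4U2self
            break;
        default:
            kdc.setOption(KDC.Option.ALLOW_S4U2SELF,
                    Arrays.asList(OneKDC.USER + "@" + OneKDC.REALM));
            break;
    }

    Map<String,List<String>> map = new HashMap<>();
    switch (test) {
        case 3:
            map.put(OneKDC.USER2 + "@" + OneKDC.REALM,
                    Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
            kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
            break;
        case 4:
            map.put(OneKDC.USER + "@" + OneKDC.REALM,
                    Arrays.asList(OneKDC.SERVER + "@" + OneKDC.REALM));
            kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
            break;
        case 5:
            // No S4U2proxy set
            break;
        default:
            map.put(OneKDC.USER + "@" + OneKDC.REALM,
                    Arrays.asList(OneKDC.BACKEND + "@" + OneKDC.REALM));
            kdc.setOption(KDC.Option.ALLOW_S4U2PROXY, map);
            break;
    }
}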