org.ietf.jgss.GSSCredential Java Examples
The following examples show how to use
org.ietf.jgss.GSSCredential.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: KrbCredSubKey.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 9 votes |
public static void main(String[] args) throws Exception { // We don't care about clock difference new FileOutputStream("krb5.conf").write( "[libdefaults]\nclockskew=999999999".getBytes()); System.setProperty("java.security.krb5.conf", "krb5.conf"); Config.refresh(); Subject subj = new Subject(); KerberosPrincipal kp = new KerberosPrincipal(princ); KerberosKey kk = new KerberosKey( kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0); subj.getPrincipals().add(kp); subj.getPrivateCredentials().add(kk); Subject.doAs(subj, new PrivilegedExceptionAction() { public Object run() throws Exception { GSSManager man = GSSManager.getInstance(); GSSContext ctxt = man.createContext(man.createCredential( null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY)); return ctxt.acceptSecContext(token, 0, token.length); } }); }
Example #2
Source File: SpnegoLifeTime.java From hottub with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID; new OneKDC(null).writeJAASConf(); Context c, s; c = Context.fromJAAS("client"); s = Context.fromJAAS("server"); c.startAsClient(OneKDC.SERVER, oid); c.x().requestCredDeleg(true); s.startAsServer(oid); Context.handshake(c, s); GSSCredential cred = s.delegated().cred(); cred.getRemainingInitLifetime(oid); cred.getUsage(oid); }
Example #3
Source File: Context.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = (ExtendedGSSContext)m.createContext(me.cred); return null; } }, null); }
Example #4
Source File: SpnegoLifeTime.java From openjdk-8-source with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID; new OneKDC(null).writeJAASConf(); Context c, s; c = Context.fromJAAS("client"); s = Context.fromJAAS("server"); c.startAsClient(OneKDC.SERVER, oid); c.x().requestCredDeleg(true); s.startAsServer(oid); Context.handshake(c, s); GSSCredential cred = s.delegated().cred(); cred.getRemainingInitLifetime(oid); cred.getUsage(oid); }
Example #5
Source File: MechTokenMissing.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); String var = /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A "; byte[] token = new byte[var.length()/3]; for (int i=0; i<token.length; i++) { token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue(); } try { ctx.acceptSecContext(token, 0, token.length); } catch (GSSException gsse) { System.out.println("Expected exception: " + gsse); } }
Example #6
Source File: SpnegoLifeTime.java From dragonwell8_jdk with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID; new OneKDC(null).writeJAASConf(); Context c, s; c = Context.fromJAAS("client"); s = Context.fromJAAS("server"); c.startAsClient(OneKDC.SERVER, oid); c.x().requestCredDeleg(true); s.startAsServer(oid); Context.handshake(c, s); GSSCredential cred = s.delegated().cred(); cred.getRemainingInitLifetime(oid); cred.getUsage(oid); }
Example #7
Source File: LifeTimeInSeconds.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { new OneKDC(null).writeJAASConf(); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); GSSManager gm = GSSManager.getInstance(); GSSCredential cred = gm.createCredential(GSSCredential.INITIATE_AND_ACCEPT); int time = cred.getRemainingLifetime(); int time2 = cred.getRemainingInitLifetime(null); // The test KDC issues a TGT with a default lifetime of 11 hours int elevenhrs = 11*3600; if (time > elevenhrs+60 || time < elevenhrs-60) { throw new Exception("getRemainingLifetime returns wrong value."); } if (time2 > elevenhrs+60 || time2 < elevenhrs-60) { throw new Exception("getRemainingInitLifetime returns wrong value."); } }
Example #8
Source File: KrbCredSubKey.java From TencentKona-8 with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { // We don't care about clock difference new FileOutputStream("krb5.conf").write( "[libdefaults]\nclockskew=999999999".getBytes()); System.setProperty("java.security.krb5.conf", "krb5.conf"); Config.refresh(); Subject subj = new Subject(); KerberosPrincipal kp = new KerberosPrincipal(princ); KerberosKey kk = new KerberosKey( kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0); subj.getPrincipals().add(kp); subj.getPrivateCredentials().add(kk); Subject.doAs(subj, new PrivilegedExceptionAction() { public Object run() throws Exception { GSSManager man = GSSManager.getInstance(); GSSContext ctxt = man.createContext(man.createCredential( null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY)); return ctxt.acceptSecContext(token, 0, token.length); } }); }
Example #9
Source File: Context.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = (ExtendedGSSContext)m.createContext(me.cred); return null; } }, null); }
Example #10
Source File: LifeTimeInSeconds.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { new OneKDC(null).writeJAASConf(); System.setProperty("javax.security.auth.useSubjectCredsOnly", "false"); GSSManager gm = GSSManager.getInstance(); GSSCredential cred = gm.createCredential(GSSCredential.INITIATE_AND_ACCEPT); int time = cred.getRemainingLifetime(); int time2 = cred.getRemainingInitLifetime(null); // The test KDC issues a TGT with a default lifetime of 11 hours int elevenhrs = 11*3600; if (time > elevenhrs+60 || time < elevenhrs-60) { throw new Exception("getRemainingLifetime returns wrong value."); } if (time2 > elevenhrs+60 || time2 < elevenhrs-60) { throw new Exception("getRemainingInitLifetime returns wrong value."); } }
Example #11
Source File: SpnegoLifeTime.java From TencentKona-8 with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID; new OneKDC(null).writeJAASConf(); Context c, s; c = Context.fromJAAS("client"); s = Context.fromJAAS("server"); c.startAsClient(OneKDC.SERVER, oid); c.x().requestCredDeleg(true); s.startAsServer(oid); Context.handshake(c, s); GSSCredential cred = s.delegated().cred(); cred.getRemainingInitLifetime(oid); cred.getUsage(oid); }
Example #12
Source File: MechTokenMissing.java From openjdk-8 with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); String var = /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A "; byte[] token = new byte[var.length()/3]; for (int i=0; i<token.length; i++) { token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue(); } try { ctx.acceptSecContext(token, 0, token.length); } catch (GSSException gsse) { System.out.println("Expected exception: " + gsse); } }
Example #13
Source File: TestInfoServersACL.java From hbase with Apache License 2.0 | 6 votes |
private CloseableHttpClient createHttpClient(String clientPrincipal) throws Exception { // Logs in with Kerberos via GSS GSSManager gssManager = GSSManager.getInstance(); // jGSS Kerberos login constant Oid oid = new Oid("1.2.840.113554.1.2.2"); GSSName gssClient = gssManager.createName(clientPrincipal, GSSName.NT_USER_NAME); GSSCredential credential = gssManager.createCredential( gssClient, GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY); Lookup<AuthSchemeProvider> authRegistry = RegistryBuilder.<AuthSchemeProvider>create() .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true)).build(); BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider(); credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential)); return HttpClients.custom().setDefaultAuthSchemeRegistry(authRegistry) .setDefaultCredentialsProvider(credentialsProvider).build(); }
Example #14
Source File: KerberosJdkProvider.java From keycloak with Apache License 2.0 | 6 votes |
@Override public KerberosTicket gssCredentialToKerberosTicket(KerberosTicket kerberosTicket, GSSCredential gssCredential) { try { Class<?> gssUtil = Class.forName("com.sun.security.jgss.GSSUtil"); Method createSubject = gssUtil.getMethod("createSubject", GSSName.class, GSSCredential.class); Subject subject = (Subject) createSubject.invoke(null, null, gssCredential); Set<KerberosTicket> kerberosTickets = subject.getPrivateCredentials(KerberosTicket.class); Iterator<KerberosTicket> iterator = kerberosTickets.iterator(); if (iterator.hasNext()) { return iterator.next(); } else { throw new KerberosSerializationUtils.KerberosSerializationException("Not available kerberosTicket in subject credentials. Subject was: " + subject.toString()); } } catch (KerberosSerializationUtils.KerberosSerializationException ke) { throw ke; } catch (Exception e) { throw new KerberosSerializationUtils.KerberosSerializationException("Unexpected error during convert GSSCredential to KerberosTicket", e); } }
Example #15
Source File: GSSCredentialsClient.java From keycloak with Apache License 2.0 | 6 votes |
private static LDAPUser invokeLdap(GSSCredential gssCredential, String username) throws NamingException { Hashtable env = new Hashtable(11); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:10389"); if (gssCredential != null) { env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); env.put(Sasl.CREDENTIALS, gssCredential); } DirContext ctx = new InitialDirContext(env); try { Attributes attrs = ctx.getAttributes("uid=" + username + ",ou=People,dc=keycloak,dc=org"); String uid = username; String cn = (String) attrs.get("cn").get(); String sn = (String) attrs.get("sn").get(); return new LDAPUser(uid, cn, sn); } finally { ctx.close(); } }
Example #16
Source File: Context.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = m.createContext(me.cred); return null; } }, null); }
Example #17
Source File: AbstractKerberosTest.java From keycloak with Apache License 2.0 | 6 votes |
protected String invokeLdap(GSSCredential gssCredential, String username) throws NamingException { Hashtable env = new Hashtable(11); env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); env.put(Context.PROVIDER_URL, "ldap://localhost:10389"); if (gssCredential != null) { env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI"); env.put(Sasl.CREDENTIALS, gssCredential); } DirContext ctx = new InitialDirContext(env); try { Attributes attrs = ctx.getAttributes("uid=" + username + ",ou=People,dc=keycloak,dc=org"); String cn = (String) attrs.get("cn").get(); String sn = (String) attrs.get("sn").get(); return cn + " " + sn; } finally { ctx.close(); } }
Example #18
Source File: MechTokenMissing.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); String var = /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A "; byte[] token = new byte[var.length()/3]; for (int i=0; i<token.length; i++) { token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue(); } try { ctx.acceptSecContext(token, 0, token.length); } catch (GSSException gsse) { System.out.println("Expected exception: " + gsse); } }
Example #19
Source File: SpnegoLifeTime.java From openjdk-jdk9 with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID; new OneKDC(null).writeJAASConf(); Context c, s; c = Context.fromJAAS("client"); s = Context.fromJAAS("server"); c.startAsClient(OneKDC.SERVER, oid); c.x().requestCredDeleg(true); s.startAsServer(oid); Context.handshake(c, s); GSSCredential cred = s.delegated().cred(); cred.getRemainingInitLifetime(oid); cred.getUsage(oid); }
Example #20
Source File: MechTokenMissing.java From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); String var = /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A "; byte[] token = new byte[var.length()/3]; for (int i=0; i<token.length; i++) { token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue(); } try { ctx.acceptSecContext(token, 0, token.length); } catch (GSSException gsse) { System.out.println("Expected exception: " + gsse); } }
Example #21
Source File: KrbCredSubKey.java From jdk8u_jdk with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { // We don't care about clock difference new FileOutputStream("krb5.conf").write( "[libdefaults]\nclockskew=999999999".getBytes()); System.setProperty("java.security.krb5.conf", "krb5.conf"); Config.refresh(); Subject subj = new Subject(); KerberosPrincipal kp = new KerberosPrincipal(princ); KerberosKey kk = new KerberosKey( kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0); subj.getPrincipals().add(kp); subj.getPrivateCredentials().add(kk); Subject.doAs(subj, new PrivilegedExceptionAction() { public Object run() throws Exception { GSSManager man = GSSManager.getInstance(); GSSContext ctxt = man.createContext(man.createCredential( null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY)); return ctxt.acceptSecContext(token, 0, token.length); } }); }
Example #22
Source File: Context.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = (ExtendedGSSContext)m.createContext(me.cred); return null; } }, null); }
Example #23
Source File: MechTokenMissing.java From openjdk-8-source with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); String var = /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A "; byte[] token = new byte[var.length()/3]; for (int i=0; i<token.length; i++) { token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue(); } try { ctx.acceptSecContext(token, 0, token.length); } catch (GSSException gsse) { System.out.println("Expected exception: " + gsse); } }
Example #24
Source File: Context.java From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
/** * Starts as a server with the specified service name * @param name the service name * @param mech GSS mech * @throws java.lang.Exception */ public void startAsServer(final String name, final Oid mech, final boolean asInitiator) throws Exception { doAs(new Action() { @Override public byte[] run(Context me, byte[] dummy) throws Exception { GSSManager m = GSSManager.getInstance(); me.cred = m.createCredential( name == null ? null : (name.indexOf('@') < 0 ? m.createName(name, null) : m.createName(name, GSSName.NT_HOSTBASED_SERVICE)), GSSCredential.INDEFINITE_LIFETIME, mech, asInitiator? GSSCredential.INITIATE_AND_ACCEPT: GSSCredential.ACCEPT_ONLY); me.x = (ExtendedGSSContext)m.createContext(me.cred); return null; } }, null); }
Example #25
Source File: MechTokenMissing.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
public static void main(String[] args) throws Exception { GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); String var = /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " + /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A "; byte[] token = new byte[var.length()/3]; for (int i=0; i<token.length; i++) { token[i] = Integer.valueOf(var.substring(3*i,3*i+2), 16).byteValue(); } try { ctx.acceptSecContext(token, 0, token.length); } catch (GSSException gsse) { System.out.println("Expected exception: " + gsse); } }
Example #26
Source File: KerberosSerializationUtils.java From keycloak with Apache License 2.0 | 5 votes |
public static String serializeCredential(KerberosTicket kerberosTicket, GSSCredential gssCredential) throws KerberosSerializationException { try { if (gssCredential == null) { throw new KerberosSerializationException("Null credential given as input"); } kerberosTicket = KerberosJdkProvider.getProvider().gssCredentialToKerberosTicket(kerberosTicket, gssCredential); return serialize(kerberosTicket); } catch (IOException e) { throw new KerberosSerializationException("Unexpected exception when serialize GSSCredential", e); } }
Example #27
Source File: HttpNegotiateServer.java From jdk8u60 with GNU General Public License v2.0 | 5 votes |
public MyServerAuthenticator(boolean proxy, String scheme, String principal, String ktab) throws Exception { this.scheme = scheme; if (proxy) { reqHdr = "Proxy-Authenticate"; respHdr = "Proxy-Authorization"; err = HttpURLConnection.HTTP_PROXY_AUTH; } Krb5LoginModule krb5 = new Krb5LoginModule(); Map<String, String> map = new HashMap<>(); Map<String, Object> shared = new HashMap<>(); map.put("storeKey", "true"); map.put("isInitiator", "false"); map.put("useKeyTab", "true"); map.put("keyTab", ktab); map.put("principal", principal); krb5.initialize(s, null, shared, map); krb5.login(); krb5.commit(); m = GSSManager.getInstance(); cred = Subject.doAs(s, new PrivilegedExceptionAction<GSSCredential>() { @Override public GSSCredential run() throws Exception { System.err.println("Creating GSSCredential"); return m.createCredential( null, GSSCredential.INDEFINITE_LIFETIME, MyServerAuthenticator.this.scheme.equalsIgnoreCase("Negotiate")? GSSUtil.GSS_SPNEGO_MECH_OID: GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY); } }); }
Example #28
Source File: AvaticaCommonsHttpClientSpnegoImpl.java From calcite-avatica with Apache License 2.0 | 5 votes |
public void setGSSCredential(GSSCredential credential) { this.authRegistry = RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(STRIP_PORT_ON_SERVER_LOOKUP, USE_CANONICAL_HOSTNAME)).build(); this.credentialsProvider = new BasicCredentialsProvider(); if (null != credential) { // Non-null credential should be used directly with KerberosCredentials. // This is never set by the JDBC driver, nor the tests this.credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential)); } else { // A null credential implies that the user is logged in via JAAS using the // java.security.auth.login.config system property this.credentialsProvider.setCredentials(AuthScope.ANY, EmptyCredentials.INSTANCE); } }
Example #29
Source File: MSOID.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
public static void main(String[] args) throws Exception { // msoid.txt is a NegTokenInit packet sent from Internet Explorer to // IIS server on a test machine. No sensitive info included. byte[] header = Files.readAllBytes( Paths.get(System.getProperty("test.src"), "msoid.txt")); byte[] token = Base64.getMimeDecoder().decode( Arrays.copyOfRange(header, 10, header.length)); GSSCredential cred = null; GSSContext ctx = GSSManager.getInstance().createContext(cred); try { ctx.acceptSecContext(token, 0, token.length); // Before the fix, GSS_KRB5_MECH_OID_MS is not recognized // and acceptor chooses another mech and goes on throw new Exception("Should fail"); } catch (GSSException gsse) { // After the fix, GSS_KRB5_MECH_OID_MS is recognized but the token // cannot be accepted because we don't have any krb5 credential. gsse.printStackTrace(); if (gsse.getMajor() != GSSException.NO_CRED) { throw gsse; } for (StackTraceElement st: gsse.getStackTrace()) { if (st.getClassName().startsWith("sun.security.jgss.krb5.")) { // Good, it is already in krb5 mech's hand. return; } } throw gsse; } }
Example #30
Source File: HttpNegotiateServer.java From hottub with GNU General Public License v2.0 | 5 votes |
public MyServerAuthenticator(boolean proxy, String scheme, String principal, String ktab) throws Exception { this.scheme = scheme; if (proxy) { reqHdr = "Proxy-Authenticate"; respHdr = "Proxy-Authorization"; err = HttpURLConnection.HTTP_PROXY_AUTH; } Krb5LoginModule krb5 = new Krb5LoginModule(); Map<String, String> map = new HashMap<>(); Map<String, Object> shared = new HashMap<>(); map.put("storeKey", "true"); map.put("isInitiator", "false"); map.put("useKeyTab", "true"); map.put("keyTab", ktab); map.put("principal", principal); krb5.initialize(s, null, shared, map); krb5.login(); krb5.commit(); m = GSSManager.getInstance(); cred = Subject.doAs(s, new PrivilegedExceptionAction<GSSCredential>() { @Override public GSSCredential run() throws Exception { System.err.println("Creating GSSCredential"); return m.createCredential( null, GSSCredential.INDEFINITE_LIFETIME, MyServerAuthenticator.this.scheme.equalsIgnoreCase("Negotiate")? GSSUtil.GSS_SPNEGO_MECH_OID: GSSUtil.GSS_KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY); } }); }