Java Code Examples for org.ietf.jgss.GSSManager#createCredential()

The following examples show how to use org.ietf.jgss.GSSManager#createCredential(). Each example names the project and source file it was taken from; follow those for the full context. Most of these snippets are JDK regression tests or demo clients, so the comments in each one call out the settings (useSubjectCredsOnly=false, unconditional credential delegation, tokens written to stdout, hard-coded lifetimes) that should not be copied into production code unchanged.
Example 1
Source File: LifeTimeInSeconds.java — from jdk8u-dev-jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with a default lifetime of 11 hours; allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = 11 * 3600;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 2
Source File: KerberizedClient.java — from elasticsearch-shield-kerberos-realm (Apache License 2.0)
GSSContext initGSS() throws Exception {
    final GSSManager manager = GSSManager.getInstance();

    // Acquire the initiator credential while running as the Subject that holds
    // the client's Kerberos TGT. The credential is then handed to createContext
    // explicitly, so the context itself needs no further doAs.
    final GSSCredential clientCreds = Subject.doAs(initiatorSubject,
            new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws GSSException {
                    return manager.createCredential(null, GSSCredential.DEFAULT_LIFETIME,
                            KrbConstants.SPNEGO, GSSCredential.INITIATE_ONLY);
                }
            });

    final GSSName target = manager.createName(acceptorPrincipal, GSSName.NT_USER_NAME, KrbConstants.SPNEGO);
    final GSSContext context = manager.createContext(target, KrbConstants.SPNEGO, clientCreds,
            GSSContext.DEFAULT_LIFETIME);

    //TODO make configurable
    // These are requests, not guarantees: once the context is established the
    // caller should check getMutualAuthState()/getConfState()/getIntegState()
    // before trusting the channel. Delegation stays off so the server never
    // receives a forwardable copy of the client's TGT.
    context.requestMutualAuth(true);
    context.requestConf(true);
    context.requestInteg(true);
    context.requestReplayDet(true);
    context.requestSequenceDet(true);
    context.requestCredDeleg(false);

    return context;
}
 
Example 3
Source File: LifeTimeInSeconds.java — from jdk8u_jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with its default lifetime (11 hours); allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = KDC.DEFAULT_LIFETIME;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 4
Source File: LifeTimeInSeconds.java — from openjdk-8 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with a default lifetime of 11 hours; allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = 11 * 3600;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 5
Source File: ChannelFactory.java — from swift-k (Apache License 2.0)
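public static GSSCredential getDefaultCredential() throws InvalidSecurityContextException {
	synchronized (ChannelFactory.class) {
		if (cachedCredential == null || refreshDue()) {
			GSSManager manager = ExtendedGSSManager.getInstance();
			try {
				cachedCredential = manager.createCredential(GSSCredential.INITIATE_AND_ACCEPT);
			}
			catch (GSSException e) {
				throw new InvalidSecurityContextException(e);
			}
			// Stamp only after a successful reload: a failed refresh is then
			// retried on the next call instead of the stale credential being
			// served for another full interval.
			credentialTime = System.currentTimeMillis();
		}
		return cachedCredential;
	}
}

// True when the cached credential is due for reload: the refresh interval has
// elapsed, or the credential itself reports that it has already expired.
// Callers must hold the ChannelFactory.class monitor.
private static boolean refreshDue() {
	if ((System.currentTimeMillis() - credentialTime) > DEFAULT_CREDENTIAL_REFRESH_INTERVAL) {
		return true;
	}
	try {
		return cachedCredential.getRemainingLifetime() <= 0;
	}
	catch (GSSException e) {
		// Cannot tell how long it remains valid; treat it as expired.
		return true;
	}
}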
 
Example 6
Source File: LifeTimeInSeconds.java — from openjdk-8-source (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with a default lifetime of 11 hours; allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = 11 * 3600;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 7
Source File: LifeTimeInSeconds.java — from hottub (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with a default lifetime of 11 hours; allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = 11 * 3600;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 8
Source File: LifeTimeInSeconds.java — from jdk8u-jdk (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with a default lifetime of 11 hours; allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = 11 * 3600;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 9
Source File: LifeTimeInSeconds.java — from openjdk-jdk9 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with its default lifetime (11 hours); allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = KDC.DEFAULT_LIFETIME;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 10
Source File: TestInfoServersACL.java — from hbase (Apache License 2.0)
private CloseableHttpClient createHttpClient(String clientPrincipal) throws Exception {
  // Initiator-only Kerberos credential for the test client. The mechanism OID
  // is the JGSS Kerberos v5 constant from RFC 1964.
  final Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");
  final GSSManager gssManager = GSSManager.getInstance();
  final GSSName clientName = gssManager.createName(clientPrincipal, GSSName.NT_USER_NAME);
  final GSSCredential credential = gssManager.createCredential(clientName,
      GSSCredential.DEFAULT_LIFETIME, krb5Mech, GSSCredential.INITIATE_ONLY);

  // SPNEGO is the only auth scheme registered. The two boolean flags are passed
  // straight to the HttpClient factory (presumably strip-port and
  // use-canonical-hostname -- confirm against the HttpClient version in use,
  // since canonicalisation via DNS affects which service ticket is requested).
  final Lookup<AuthSchemeProvider> schemes = RegistryBuilder.<AuthSchemeProvider>create()
      .register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true, true))
      .build();

  // AuthScope.ANY answers a Negotiate challenge from any host. Fine for a test
  // against a local mini-cluster; a production client should scope it to the
  // intended server.
  final BasicCredentialsProvider creds = new BasicCredentialsProvider();
  creds.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));

  return HttpClients.custom()
      .setDefaultAuthSchemeRegistry(schemes)
      .setDefaultCredentialsProvider(creds)
      .build();
}
 
Example 11
Source File: LifeTimeInSeconds.java — from openjdk-jdk8u (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with its default lifetime (11 hours); allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = KDC.DEFAULT_LIFETIME;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 12
Source File: LifeTimeInSeconds.java — from jdk8u60 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with a default lifetime of 11 hours; allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = 11 * 3600;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 13
Source File: LifeTimeInSeconds.java — from TencentKona-8 (GNU General Public License v2.0)
public static void main(String[] args) throws Exception {
    // Stand up the in-process test KDC and write the JAAS login configuration
    // it expects. useSubjectCredsOnly=false lets JGSS obtain the TGT through
    // that configuration instead of requiring a pre-populated Subject; this is
    // a test convenience and not a setting to carry into production code.
    new OneKDC(null).writeJAASConf();
    System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");

    GSSCredential cred = GSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    int remaining = cred.getRemainingLifetime();
    int remainingInit = cred.getRemainingInitLifetime(null);

    // The test KDC issues a TGT with its default lifetime (11 hours); allow a
    // one-minute window for the time that passed between issue and query.
    final int expected = KDC.DEFAULT_LIFETIME;
    final int slack = 60;
    checkWithinWindow("getRemainingLifetime", remaining, expected, slack);
    checkWithinWindow("getRemainingInitLifetime", remainingInit, expected, slack);
}

// Fails the test when actual lies outside [expected - slack, expected + slack].
private static void checkWithinWindow(String what, int actual, int expected, int slack) throws Exception {
    if (actual > expected + slack || actual < expected - slack) {
        throw new Exception(what + " returns wrong value.");
    }
}
 
Example 14
Source File: HTTPKerberosAuthInterceptor.java — from java-client-api (Apache License 2.0)
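@Override
public Object run() {
  GSSContext context = null;
  try {
    // Kerberos v5 mechanism OID and Kerberos principal-name type (RFC 1964).
    final Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
    final Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
    final GSSManager manager = GSSManager.getInstance();

    // Initiator-only credential for the client. 8h is an upper bound on the
    // requested lifetime; the KDC's ticket policy may grant less.
    final GSSName clientName = manager.createName(clientPrincipalName, krb5PrincipalNameType);
    final GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, krb5Mechanism,
        GSSCredential.INITIATE_ONLY);
    final GSSName serverName = manager.createName(serverPrincipalName, krb5PrincipalNameType);

    context = manager.createContext(serverName, krb5Mechanism, clientCred,
        GSSContext.DEFAULT_LIFETIME);
    // Context options must be requested before the first initSecContext call;
    // JGSS silently ignores request* calls made once the context has started.
    context.requestMutualAuth(true);

    final byte[] inToken = new byte[0];
    final byte[] outToken = context.initSecContext(inToken, 0, inToken.length);
    if (outToken == null) {
      throw new FailedRequestException("could not initialize the security context");
    }
    // NOTE(review): only the first leg is produced here and the context is
    // disposed below, so the server's reply is never fed back through
    // initSecContext -- mutual authentication is requested but not verified
    // by this class. Confirm whether a caller processes the reply token.
    outputToken.append(Base64.getEncoder().encodeToString(outToken));
  } catch (GSSException exception) {
    throw new FailedRequestException(exception.getMessage(), exception);
  } finally {
    // Release the context even when the KDC exchange fails.
    if (context != null) {
      try {
        context.dispose();
      } catch (GSSException ignored) {
        // Best-effort release; the token (or the failure) has already been reported.
      }
    }
  }
  return null;
}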
 
Example 15
Source File: GlobusSecurityContextImpl.java — from swift-k (Apache License 2.0)
private static GSSCredential loadDefaultProxy() {
    // Load the default credential (a Globus proxy, going by the name) through
    // the extended manager, usable both as initiator and acceptor. Failure to
    // locate or load it surfaces as an unchecked SecurityException.
    try {
        return ExtendedGSSManager.getInstance().createCredential(GSSCredential.INITIATE_AND_ACCEPT);
    }
    catch (GSSException e) {
        throw new SecurityException(e);
    }
}
 
Example 16
Source File: HttpDoAsClient.java — from hbase (Apache License 2.0)
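private String generateTicket() throws GSSException {
  final GSSManager manager = GSSManager.getInstance();
  // Kerberos principal-name type and Kerberos v5 mechanism OIDs (RFC 1964).
  final Oid krb5PrincipalOid = new Oid("1.2.840.113554.1.2.2.1");
  final Oid kerbV5Oid = new Oid("1.2.840.113554.1.2.2");

  // Initiator credential for the configured principal; 8h is only an upper
  // bound, the KDC's ticket policy may grant less.
  final GSSName clientName = manager.createName(principal, krb5PrincipalOid);
  final GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, kerbV5Oid,
      GSSCredential.INITIATE_ONLY);

  // Both names are built from `principal`, i.e. the demo authenticates to a
  // server running as the same principal as the client. Point serverName at
  // the real service principal if that is not the case.
  final GSSName serverName = manager.createName(principal, krb5PrincipalOid);

  final GSSContext context = manager.createContext(serverName, kerbV5Oid, clientCred,
      GSSContext.DEFAULT_LIFETIME);
  final byte[] outToken;
  try {
    context.requestMutualAuth(true);
    context.requestConf(false);
    context.requestInteg(true);
    // Only the first leg is produced; the server's reply is never fed back,
    // so the mutual-auth request is not actually verified by this method.
    outToken = context.initSecContext(new byte[0], 0, 0);
  } finally {
    // Release the context (and its Kerberos state) even if the exchange fails.
    context.dispose();
  }

  final String header = "Negotiate " + Base64.getEncoder().encodeToString(outToken);
  // NOTE(review): this prints a live AP-REQ to stdout. It is a replayable
  // authenticator within the KDC clock-skew window, so keep this output to
  // demo runs only.
  System.out.print("Ticket is: " + header);
  return header;
}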
 
Example 17
Source File: Kerb5Context.java — from jcifs-ng (GNU Lesser General Public License v2.1)
Kerb5Context ( String host, String service, String name, int userLifetime, int contextLifetime, String realm ) throws GSSException {
    GSSManager manager = GSSManager.getInstance();
    Oid mechOid = JGSS_KRB5_MECH_OID;

    // Target service: a fully-qualified Kerberos principal when the realm is
    // known, otherwise a host-based service name for the mechanism to resolve.
    this.serviceName = ( realm != null )
            ? manager.createName(service + "/" + host + "@" + realm, JGSS_KRB5_NAME_OID, mechOid)
            : manager.createName(service + "@" + host, GSSName.NT_HOSTBASED_SERVICE, mechOid);

    if ( log.isDebugEnabled() ) {
        log.debug("Service name is " + this.serviceName);
    }

    // With an explicit user name, acquire an initiator credential for it;
    // otherwise pass null so JGSS falls back to the default credential.
    GSSCredential clientCreds = null;
    if ( name == null ) {
        this.clientName = null;
    }
    else {
        this.clientName = manager.createName(name, GSSName.NT_USER_NAME, mechOid);
        clientCreds = manager.createCredential(this.clientName, userLifetime, mechOid, GSSCredential.INITIATE_ONLY);
    }

    this.gssContext = manager.createContext(this.serviceName, mechOid, clientCreds, contextLifetime);

    // No GSS per-message services are requested; presumably signing/sealing
    // is handled by the SMB layer instead.
    this.gssContext.requestAnonymity(false);
    this.gssContext.requestSequenceDet(false);
    this.gssContext.requestConf(false);
    this.gssContext.requestInteg(false);
    this.gssContext.requestReplayDet(false);

    // per spec these should be set
    // NOTE(review): requestCredDeleg(true) hands the server a forwardable copy
    // of the user's TGT (unconstrained delegation) whenever the TGT allows it.
    // That is only appropriate for trusted servers; where the runtime offers
    // ExtendedGSSContext.requestDelegPolicy, it honours the KDC's
    // OK-AS-DELEGATE flag instead of delegating unconditionally.
    this.gssContext.requestMutualAuth(true);
    this.gssContext.requestCredDeleg(true);
}
 
Example 18
Source File: PropertyBasedSpnegoLoginService.java — from calcite-avatica (Apache License 2.0)
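@Override public UserIdentity login(String username, Object credentials,
    ServletRequest request) {
  // credentials carries the base64 payload of the client's "Negotiate" header.
  String encodedAuthToken = (String) credentials;
  byte[] authToken = B64Code.decode(encodedAuthToken);

  GSSManager manager = GSSManager.getInstance();
  GSSCredential serverCreds = null;
  GSSContext gContext = null;
  try {
    // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html
    Oid spnegoOid = new Oid("1.3.6.1.5.5.2");
    Oid krb5Oid = new Oid("1.2.840.113554.1.2.2");
    GSSName gssName = manager.createName(serverPrincipal, null);
    // CALCITE-1922 Providing both OIDs is the bug in Jetty we're working around. By specifying
    // only one, we're requiring that clients *must* provide us the SPNEGO OID to authenticate
    // via Kerberos which is wrong. Best as I can tell, the SPNEGO OID is meant as another
    // layer of indirection (essentially is equivalent to setting the Kerberos OID).
    serverCreds = manager.createCredential(gssName,
        GSSCredential.INDEFINITE_LIFETIME, new Oid[] {krb5Oid, spnegoOid},
        GSSCredential.ACCEPT_ONLY);
    gContext = manager.createContext(serverCreds);

    if (gContext == null) {
      LOG.debug("SpnegoUserRealm: failed to establish GSSContext");
      return null;
    }

    // Exactly one accept: this entry point holds a single client token, so if
    // the context is not established afterwards the handshake needs another
    // round trip with the client. Looping here would only re-feed our own
    // output token (or dereference a null one).
    authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
    if (!gContext.isEstablished()) {
      LOG.debug("SpnegoUserRealm: security context not established after one token; "
          + "multi-round negotiation is not supported here");
      return null;
    }

    // Authenticated principal, e.g. user@REALM. The realm doubles as the
    // default role, so every principal from a trusted realm receives it.
    String clientName = gContext.getSrcName().toString();
    String role = clientName.substring(clientName.indexOf('@') + 1);

    LOG.debug("SpnegoUserRealm: established a security context");
    LOG.debug("Client Principal is: {}", gContext.getSrcName());
    LOG.debug("Server Principal is: {}", gContext.getTargName());
    LOG.debug("Client Default Role: {}", role);

    // authToken now holds the acceptor's response token (possibly null), which
    // the principal carries back to the client for mutual authentication.
    SpnegoUserPrincipal user = new SpnegoUserPrincipal(clientName, authToken);

    Subject subject = new Subject();
    subject.getPrincipals().add(user);

    return _identityService.newUserIdentity(subject, user, new String[]{role});
  } catch (GSSException gsse) {
    LOG.warn("Caught GSSException trying to authenticate the client", gsse);
  } finally {
    // Nothing after this point needs the per-request acceptor state.
    disposeQuietly(gContext, serverCreds);
  }

  return null;
}

// Best-effort release of the per-request acceptor context and credential;
// a failure here cannot change an authentication outcome already decided.
private static void disposeQuietly(GSSContext context, GSSCredential credential) {
  if (context != null) {
    try {
      context.dispose();
    } catch (GSSException ignored) {
      // nothing useful left to do
    }
  }
  if (credential != null) {
    try {
      credential.dispose();
    } catch (GSSException ignored) {
      // nothing useful left to do
    }
  }
}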
 
Example 19
Source File: DrillSpnegoLoginService.java — from Bats (Apache License 2.0)
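private UserIdentity spnegoLogin(Object credentials) {

    // credentials carries the base64 payload of the client's "Negotiate" header.
    String encodedAuthToken = (String) credentials;
    byte[] authToken = B64Code.decode(encodedAuthToken);
    GSSManager manager = GSSManager.getInstance();

    GSSCredential serverCreds = null;
    GSSContext gContext = null;
    try {
      // Providing both OID's is required here. If we provide only one,
      // we're requiring that clients provide us the SPNEGO OID to authenticate via Kerberos.
      Oid[] knownOids = new Oid[2];
      knownOids[0] = new Oid("1.3.6.1.5.5.2"); // spnego
      knownOids[1] = new Oid("1.2.840.113554.1.2.2"); // kerberos

      GSSName gssName = manager.createName(spnegoConfig.getSpnegoPrincipal(), null);
      serverCreds = manager.createCredential(gssName, GSSCredential.INDEFINITE_LIFETIME,
          knownOids, GSSCredential.ACCEPT_ONLY);
      gContext = manager.createContext(serverCreds);

      if (gContext == null) {
        logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
        return null;
      }

      // Exactly one accept: only a single client token is available here, so
      // an unestablished context means another round trip with the client is
      // needed. Looping would only re-feed our own output token (or
      // dereference a null one).
      authToken = gContext.acceptSecContext(authToken, 0, authToken.length);
      if (!gContext.isEstablished()) {
        logger.debug("SPNEGOUserRealm: security context not established after one token; "
            + "multi-round negotiation is not supported here");
        return null;
      }

      final String clientName = gContext.getSrcName().toString();
      final String realm = clientName.substring(clientName.indexOf('@') + 1);

      // Get the client user short name. The admin decision below is made on
      // this mapped name, so the auth_to_local rules are part of the trust
      // boundary.
      final String userShortName = new HadoopKerberosName(clientName).getShortName();

      logger.debug("Client Name: {}, realm: {} and shortName: {}", clientName, realm, userShortName);
      final SystemOptionManager sysOptions = drillContext.getOptionManager();
      final boolean isAdmin = ImpersonationUtil.hasAdminPrivileges(userShortName,
          ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(sysOptions),
          ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(sysOptions));

      final Principal user = new DrillUserPrincipal(userShortName, isAdmin);
      final Subject subject = new Subject();
      subject.getPrincipals().add(user);

      final String[] roles = isAdmin
          ? DrillUserPrincipal.ADMIN_USER_ROLES
          : DrillUserPrincipal.NON_ADMIN_USER_ROLES;
      return this._identityService.newUserIdentity(subject, user, roles);
    } catch (GSSException gsse) {
      logger.warn("Caught GSSException trying to authenticate the client", gsse);
    } catch (IOException ex) {
      logger.warn("Caught IOException trying to get shortName of client user", ex);
    } finally {
      // Nothing after this point needs the per-request acceptor state.
      disposeQuietly(gContext, serverCreds);
    }
    return null;
  }

  // Best-effort release of the per-request acceptor context and credential;
  // a failure here cannot change an authentication outcome already decided.
  private static void disposeQuietly(GSSContext context, GSSCredential credential) {
    if (context != null) {
      try {
        context.dispose();
      } catch (GSSException ignored) {
        // nothing useful left to do
      }
    }
    if (credential != null) {
      try {
        credential.dispose();
      } catch (GSSException ignored) {
        // nothing useful left to do
      }
    }
  }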
 
Example 20
Source File: GSSAPIAuthenticationMechanism.java — from quarkus-http (Apache License 2.0)
public AuthenticationMechanismOutcome run() throws GSSException {
    // Per-exchange negotiation state, created on the first leg and reused for
    // the later round trips of a multi-leg handshake.
    NegotiationContext negContext = exchange.getAttachment(NegotiationContext.ATTACHMENT_KEY);
    if (negContext == null) {
        negContext = new NegotiationContext();
        exchange.putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
    }

    GSSContext gssContext = negContext.getGssContext();
    if (gssContext == null) {
        // Acceptor-only credential for the configured mechanisms; a null name
        // means the default acceptor principal. The credential is not disposed
        // in this method -- it lives as long as the context it backs.
        GSSManager manager = GSSManager.getInstance();
        GSSCredential acceptorCred = manager.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                mechanisms, GSSCredential.ACCEPT_ONLY);
        gssContext = manager.createContext(acceptorCred);
        negContext.setGssContext(gssContext);
    }

    // Consume the client's token. The length passed is writerIndex(), which
    // equals the readable length only while readerIndex() == 0 -- presumably
    // true for a freshly decoded challenge; confirm if the buffer can be a slice.
    byte[] respToken = gssContext.acceptSecContext(challenge.array(), challenge.arrayOffset(),
            challenge.writerIndex());
    negContext.setResponseToken(respToken);

    if (!negContext.isEstablished()) {
        // Not a failure: the context needs another round trip with the client.
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }

    if (respToken != null) {
        // Final leg still carries a token (typically the acceptor's reply for
        // mutual authentication); there will be no further challenge, so it
        // goes out with this response.
        exchange.addResponseHeader(WWW_AUTHENTICATE,
                NEGOTIATE_PREFIX + FlexBase64.encodeString(respToken, false));
    }

    // Map the authenticated GSS principal to an application account; a null
    // account means the principal is valid but unknown to this application.
    IdentityManager identityManager = securityContext.getIdentityManager();
    Account account = identityManager.verify(new GSSContextCredential(negContext.getGssContext()));
    if (account == null) {
        return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }
    securityContext.authenticationComplete(account, name, false);
    return AuthenticationMechanismOutcome.AUTHENTICATED;
}