Java Code Examples for javax.security.auth.kerberos.KerberosPrincipal#getName()

Example 1
Source File: SimpleLDAPAuthenticationManagerTest.java — From qpid-broker-j with Apache License 2.0
/**
 * Starts an embedded KDC next to the test LDAP server, points the JVM's Kerberos
 * client at a generated krb5.conf and registers the krbtgt and LDAP service principals.
 * <p>
 * Pre-authentication ({@code setPaEncTimestampRequired(false)}) is switched off for
 * this embedded KDC; that is a test-only relaxation.
 *
 * @throws Exception if the KDC, the configuration file or a principal cannot be created
 */
private void setUpKerberos() throws Exception
{
    // The KDC listens one port above the LDAP server.
    final LdapServer ldap = LDAP.getLdapServer();
    final KdcServer kdc =
            ServerAnnotationProcessor.getKdcServer(LDAP.getDirectoryService(), ldap.getPort() + 1);
    kdc.getConfig().setPaEncTimestampRequired(false);

    // Make the generated krb5.conf authoritative: clear any realm/kdc overrides.
    final int kdcPort = kdc.getTransports()[0].getPort();
    final String confPath = createKrb5Conf(kdcPort);
    SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.krb5.conf", confPath);
    SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.krb5.realm", null);
    SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.krb5.kdc", null);

    // Service principal of the form <service>/<host>@<REALM>; the host part between
    // '/' and '@' is what the LDAP server advertises as its SASL host.
    final KerberosPrincipal spn =
            new KerberosPrincipal(LDAP_SERVICE_NAME + "/" + HOSTNAME + "@" + REALM,
                                  KerberosPrincipal.KRB_NT_SRV_HST);
    final String spnText = spn.getName();
    final int hostStart = spnText.indexOf("/") + 1;
    final int hostEnd = spnText.indexOf("@");
    ldap.setSaslHost(spnText.substring(hostStart, hostEnd));
    ldap.setSaslPrincipal(spnText);
    ldap.setSearchBaseDn(USERS_DN);

    // Register the TGS and the LDAP service principals; the fourth argument is a fresh
    // UUID (presumably the principal's password — confirm against createPrincipal).
    final String tgtPrincipal = "krbtgt/" + REALM + "@" + REALM;
    createPrincipal("KDC", "KDC", "krbtgt", UUID.randomUUID().toString(), tgtPrincipal);
    createPrincipal("Service", "LDAP Service", "ldap", UUID.randomUUID().toString(), spnText);
}
 
Example 2
Source File: Krb5Util.java — From dragonwell8_jdk with GNU General Public License v2.0
/**
 * Converts a JAAS {@link KerberosTicket} into the internal {@code Credentials} form.
 * <p>
 * Client and server aliases are read through the shared-secrets accessor of the
 * javax.security.auth.kerberos package; either alias may be absent and is then
 * passed on as {@code null}. The session key is copied in encoded form, so the
 * returned object carries secret key material.
 *
 * @param kerbTicket the ticket to convert
 * @return the equivalent internal credentials
 * @throws KrbException if the credentials cannot be built
 * @throws IOException  if the encoded ticket cannot be decoded
 */
public static Credentials ticketToCreds(KerberosTicket kerbTicket)
        throws KrbException, IOException {
    KerberosPrincipal clientAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetClientAlias(kerbTicket);
    KerberosPrincipal serverAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetServerAlias(kerbTicket);

    String clientAliasName = null;
    if (clientAlias != null) {
        clientAliasName = clientAlias.getName();
    }
    String serverAliasName = null;
    if (serverAlias != null) {
        serverAliasName = serverAlias.getName();
    }

    return new Credentials(
        kerbTicket.getEncoded(),
        kerbTicket.getClient().getName(),
        clientAliasName,
        kerbTicket.getServer().getName(),
        serverAliasName,
        kerbTicket.getSessionKey().getEncoded(),
        kerbTicket.getSessionKeyType(),
        kerbTicket.getFlags(),
        kerbTicket.getAuthTime(),
        kerbTicket.getStartTime(),
        kerbTicket.getEndTime(),
        kerbTicket.getRenewTill(),
        kerbTicket.getClientAddresses());
}
 
Example 3
Source File: Krb5Util.java — From TencentKona-8 with GNU General Public License v2.0
/**
 * Converts a JAAS {@link KerberosTicket} into the internal {@code Credentials} form.
 * <p>
 * Client and server aliases are read through the shared-secrets accessor of the
 * javax.security.auth.kerberos package; either alias may be absent and is then
 * passed on as {@code null}. The session key is copied in encoded form, so the
 * returned object carries secret key material.
 *
 * @param kerbTicket the ticket to convert
 * @return the equivalent internal credentials
 * @throws KrbException if the credentials cannot be built
 * @throws IOException  if the encoded ticket cannot be decoded
 */
public static Credentials ticketToCreds(KerberosTicket kerbTicket)
        throws KrbException, IOException {
    KerberosPrincipal clientAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetClientAlias(kerbTicket);
    KerberosPrincipal serverAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetServerAlias(kerbTicket);

    String clientAliasName = null;
    if (clientAlias != null) {
        clientAliasName = clientAlias.getName();
    }
    String serverAliasName = null;
    if (serverAlias != null) {
        serverAliasName = serverAlias.getName();
    }

    return new Credentials(
        kerbTicket.getEncoded(),
        kerbTicket.getClient().getName(),
        clientAliasName,
        kerbTicket.getServer().getName(),
        serverAliasName,
        kerbTicket.getSessionKey().getEncoded(),
        kerbTicket.getSessionKeyType(),
        kerbTicket.getFlags(),
        kerbTicket.getAuthTime(),
        kerbTicket.getStartTime(),
        kerbTicket.getEndTime(),
        kerbTicket.getRenewTill(),
        kerbTicket.getClientAddresses());
}
 
Example 4
Source File: Krb5Util.java — From openjdk-jdk8u with GNU General Public License v2.0
/**
 * Converts a JAAS {@link KerberosTicket} into the internal {@code Credentials} form.
 * <p>
 * Client and server aliases are read through the shared-secrets accessor of the
 * javax.security.auth.kerberos package; either alias may be absent and is then
 * passed on as {@code null}. The session key is copied in encoded form, so the
 * returned object carries secret key material.
 *
 * @param kerbTicket the ticket to convert
 * @return the equivalent internal credentials
 * @throws KrbException if the credentials cannot be built
 * @throws IOException  if the encoded ticket cannot be decoded
 */
public static Credentials ticketToCreds(KerberosTicket kerbTicket)
        throws KrbException, IOException {
    KerberosPrincipal clientAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetClientAlias(kerbTicket);
    KerberosPrincipal serverAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetServerAlias(kerbTicket);

    String clientAliasName = null;
    if (clientAlias != null) {
        clientAliasName = clientAlias.getName();
    }
    String serverAliasName = null;
    if (serverAlias != null) {
        serverAliasName = serverAlias.getName();
    }

    return new Credentials(
        kerbTicket.getEncoded(),
        kerbTicket.getClient().getName(),
        clientAliasName,
        kerbTicket.getServer().getName(),
        serverAliasName,
        kerbTicket.getSessionKey().getEncoded(),
        kerbTicket.getSessionKeyType(),
        kerbTicket.getFlags(),
        kerbTicket.getAuthTime(),
        kerbTicket.getStartTime(),
        kerbTicket.getEndTime(),
        kerbTicket.getRenewTill(),
        kerbTicket.getClientAddresses());
}
 
Example 5
Source File: UserGroupInformation.java — From hadoop with Apache License 2.0
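/**
 * Creates a UserGroupInformation from a Subject that already carries a
 * Kerberos principal.
 * <p>
 * The first {@link KerberosPrincipal} returned by
 * {@code subject.getPrincipals(KerberosPrincipal.class)} becomes the UGI
 * user; if the Subject holds several, the choice follows the set's
 * iteration order. As a side effect a {@link User} principal is added to
 * the Subject. The returned UGI has no login context and its
 * authentication method is {@code KERBEROS}.
 *
 * @param subject the Subject holding at least one KerberosPrincipal; must not be null
 * @return the UGI wrapping {@code subject}
 * @throws IOException if {@code subject} is null or contains no KerberosPrincipal
 */
public static UserGroupInformation getUGIFromSubject(Subject subject)
    throws IOException {
  if (subject == null) {
    throw new IOException("Subject must not be null");
  }

  // Look the principal set up once instead of twice.
  java.util.Set<KerberosPrincipal> kerberosPrincipals =
      subject.getPrincipals(KerberosPrincipal.class);
  if (kerberosPrincipals.isEmpty()) {
    throw new IOException("Provided Subject must contain a KerberosPrincipal");
  }

  KerberosPrincipal principal = kerberosPrincipals.iterator().next();

  User ugiUser = new User(principal.getName(),
      AuthenticationMethod.KERBEROS, null);
  subject.getPrincipals().add(ugiUser);
  UserGroupInformation ugi = new UserGroupInformation(subject);
  ugi.setLogin(null);
  ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
  return ugi;
}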
 
Example 6
Source File: UserGroupInformation.java — From big-c with Apache License 2.0
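/**
 * Creates a UserGroupInformation from a Subject that already carries a
 * Kerberos principal.
 * <p>
 * The first {@link KerberosPrincipal} returned by
 * {@code subject.getPrincipals(KerberosPrincipal.class)} becomes the UGI
 * user; if the Subject holds several, the choice follows the set's
 * iteration order. As a side effect a {@link User} principal is added to
 * the Subject. The returned UGI has no login context and its
 * authentication method is {@code KERBEROS}.
 *
 * @param subject the Subject holding at least one KerberosPrincipal; must not be null
 * @return the UGI wrapping {@code subject}
 * @throws IOException if {@code subject} is null or contains no KerberosPrincipal
 */
public static UserGroupInformation getUGIFromSubject(Subject subject)
    throws IOException {
  if (subject == null) {
    throw new IOException("Subject must not be null");
  }

  // Look the principal set up once instead of twice.
  java.util.Set<KerberosPrincipal> kerberosPrincipals =
      subject.getPrincipals(KerberosPrincipal.class);
  if (kerberosPrincipals.isEmpty()) {
    throw new IOException("Provided Subject must contain a KerberosPrincipal");
  }

  KerberosPrincipal principal = kerberosPrincipals.iterator().next();

  User ugiUser = new User(principal.getName(),
      AuthenticationMethod.KERBEROS, null);
  subject.getPrincipals().add(ugiUser);
  UserGroupInformation ugi = new UserGroupInformation(subject);
  ugi.setLogin(null);
  ugi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
  return ugi;
}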
 
Example 7
Source File: Krb5Util.java — From jdk8u_jdk with GNU General Public License v2.0
/**
 * Converts a JAAS {@link KerberosTicket} into the internal {@code Credentials} form.
 * <p>
 * Client and server aliases are read through the shared-secrets accessor of the
 * javax.security.auth.kerberos package; either alias may be absent and is then
 * passed on as {@code null}. The session key is copied in encoded form, so the
 * returned object carries secret key material.
 *
 * @param kerbTicket the ticket to convert
 * @return the equivalent internal credentials
 * @throws KrbException if the credentials cannot be built
 * @throws IOException  if the encoded ticket cannot be decoded
 */
public static Credentials ticketToCreds(KerberosTicket kerbTicket)
        throws KrbException, IOException {
    KerberosPrincipal clientAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetClientAlias(kerbTicket);
    KerberosPrincipal serverAlias = KerberosSecrets
            .getJavaxSecurityAuthKerberosAccess()
            .kerberosTicketGetServerAlias(kerbTicket);

    String clientAliasName = null;
    if (clientAlias != null) {
        clientAliasName = clientAlias.getName();
    }
    String serverAliasName = null;
    if (serverAlias != null) {
        serverAliasName = serverAlias.getName();
    }

    return new Credentials(
        kerbTicket.getEncoded(),
        kerbTicket.getClient().getName(),
        clientAliasName,
        kerbTicket.getServer().getName(),
        serverAliasName,
        kerbTicket.getSessionKey().getEncoded(),
        kerbTicket.getSessionKeyType(),
        kerbTicket.getFlags(),
        kerbTicket.getAuthTime(),
        kerbTicket.getStartTime(),
        kerbTicket.getEndTime(),
        kerbTicket.getRenewTill(),
        kerbTicket.getClientAddresses());
}
 
Example 8
Source File: SpnegoAuthScheme.java — From elasticsearch-hadoop with Apache License 2.0
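/**
 * Creates the negotiator if it is not yet created, or does nothing if the negotiator is already initialized.
 * <p>
 * When the configured service principal contains {@code HOSTNAME_PATTERN}, it must have exactly the
 * shape {@code serviceName/<pattern>@REALM}; the pattern is replaced by the FQDN resolved from
 * {@code requestURI}, lower-cased with {@code Locale.ROOT} so the result does not depend on the JVM's
 * default locale. The check-then-assign on {@code spnegoNegotiator} is not synchronized here; if this
 * scheme instance can be shared between threads, the caller must serialize access (confirm at call site).
 * @param requestURI request being authenticated
 * @param spnegoCredentials The user and service principals
 * @throws UnknownHostException If the service principal is host based, and if the request URI cannot be resolved to a FQDN
 * @throws AuthenticationException If the service principal is malformed
 * @throws GSSException If the negotiator cannot be created.
 */
private void initializeNegotiator(URI requestURI, SpnegoCredentials spnegoCredentials) throws UnknownHostException, AuthenticationException, GSSException {
    if (spnegoNegotiator != null) {
        return;
    }
    // Determine host principal; read the configured name once.
    String configuredPrincipal = spnegoCredentials.getServicePrincipalName();
    String servicePrincipal = configuredPrincipal;
    if (configuredPrincipal.contains(HOSTNAME_PATTERN)) {
        String fqdn = getFQDN(requestURI);
        String[] components = configuredPrincipal.split("[/@]");
        if (components.length != 3 || !components[1].equals(HOSTNAME_PATTERN)) {
            throw new AuthenticationException("Malformed service principal name [" + configuredPrincipal
                    + "]. To use host substitution, the principal must be of the format [serviceName/_HOST@REALM.NAME].");
        }
        // Locale.ROOT: a locale-sensitive toLowerCase() (e.g. Turkish 'I' -> dotless i) would
        // silently produce a service name that does not match the KDC's registered principal.
        servicePrincipal = components[0] + "/" + fqdn.toLowerCase(java.util.Locale.ROOT) + "@" + components[2];
    }
    User userInfo = spnegoCredentials.getUserProvider().getUser();
    KerberosPrincipal principal = userInfo.getKerberosPrincipal();
    if (principal == null) {
        throw new EsHadoopIllegalArgumentException("Could not locate Kerberos Principal on currently logged in user.");
    }
    spnegoNegotiator = new SpnegoNegotiator(principal.getName(), servicePrincipal);
}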
 
Example 9
Source File: KerberosTest.java — From jcifs with GNU Lesser General Public License v2.1
/**
 * Converts a JAAS {@link KerberosPrincipal} into the krb5 {@code PrincipalName} form used by this test.
 * <p>
 * NOTE(review): {@code KerberosPrincipal.getName()} already returns the fully qualified
 * {@code name@REALM}; appending {@code NAME_REALM_SEPARATOR} and {@code getRealm()} therefore yields a
 * second realm suffix. Confirm that {@code PrincipalName} parses this as intended before reusing the
 * helper outside the test.
 *
 * @param principal the principal to convert
 * @return the equivalent {@code PrincipalName} of type {@code KRB_NT_PRINCIPAL}
 * @throws RealmException if the realm part cannot be parsed
 */
protected static PrincipalName convertPrincipal ( KerberosPrincipal principal ) throws RealmException {
    String qualifiedName = principal.getName()
            + PrincipalName.NAME_REALM_SEPARATOR
            + principal.getRealm();
    return new PrincipalName(qualifiedName, PrincipalName.KRB_NT_PRINCIPAL);
}
 
Example 10
Source File: KerberosTest.java — From jcifs-ng with GNU Lesser General Public License v2.1
/**
 * Converts a JAAS {@link KerberosPrincipal} into the krb5 {@code PrincipalName} form used by this test.
 * <p>
 * NOTE(review): {@code KerberosPrincipal.getName()} already returns the fully qualified
 * {@code name@REALM}; appending {@code NAME_REALM_SEPARATOR} and {@code getRealm()} therefore yields a
 * second realm suffix. Confirm that {@code PrincipalName} parses this as intended before reusing the
 * helper outside the test.
 *
 * @param principal the principal to convert
 * @return the equivalent {@code PrincipalName} of type {@code KRB_NT_PRINCIPAL}
 * @throws RealmException if the realm part cannot be parsed
 */
protected static PrincipalName convertPrincipal ( KerberosPrincipal principal ) throws RealmException {
    String qualifiedName = principal.getName()
            + PrincipalName.NAME_REALM_SEPARATOR
            + principal.getRealm();
    return new PrincipalName(qualifiedName, PrincipalName.KRB_NT_PRINCIPAL);
}
 
Example 11
Source File: JdkUser.java — From elasticsearch-hadoop with Apache License 2.0
/**
 * Returns the fully qualified name of this user's Kerberos principal, or
 * {@code null} when no Kerberos principal is associated with the user.
 */
@Override
public String getUserName() {
    KerberosPrincipal krb = getKerberosPrincipal();
    return krb == null ? null : krb.getName();
}
 
Example 12
Source File: Samba2FileSystem.java — From iaf with Apache License 2.0
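/**
 * Builds the SMB authentication context for the configured {@code authType}.
 * <p>
 * {@code NTLM} wraps username, password and domain directly. {@code SPNEGO} performs a JAAS Kerberos
 * login, acquires an initiate-only GSS credential under the resulting Subject and wraps principal,
 * realm, Subject and credential in a {@link GSSAuthenticationContext}. Any other auth type, or an
 * empty username resolved by the {@link CredentialFactory}, yields {@code null}.
 * <p>
 * Side effect (SPNEGO only): when both kdc and realm are configured, the JVM-wide
 * {@code java.security.krb5.kdc} and {@code java.security.krb5.realm} properties are overwritten.
 *
 * @return the authentication context, or {@code null} when no username is configured or the auth type is not handled
 * @throws FileSystemException if the Kerberos login or the credential acquisition fails
 */
private AuthenticationContext authenticate() throws FileSystemException {
	CredentialFactory credentialFactory = new CredentialFactory(getAuthAlias(), getUsername(), getPassword());
	if (StringUtils.isEmpty(credentialFactory.getUsername())) {
		return null;
	}
	// NOTE(review): the presence check uses the CredentialFactory (which may resolve an alias), but the
	// values handed to the login below are the raw getUsername()/getPassword() — confirm this is intended.
	if (StringUtils.equalsIgnoreCase(authType, "NTLM")) {
		return new AuthenticationContext(getUsername(), password.toCharArray(), getDomain());
	}
	if (!StringUtils.equalsIgnoreCase(authType, "SPNEGO")) {
		return null;
	}

	if (!StringUtils.isEmpty(getKdc()) && !StringUtils.isEmpty(getRealm())) {
		System.setProperty("java.security.krb5.kdc", getKdc());
		System.setProperty("java.security.krb5.realm", getRealm());
	}

	HashMap<String, String> loginParams = new HashMap<String, String>();
	loginParams.put("principal", getUsername());
	try {
		LoginContext lc = new LoginContext(getUsername(), null,
				new UsernameAndPasswordCallbackHandler(getUsername(), getPassword()),
				new KerberosLoginConfiguration(loginParams));
		lc.login();

		Subject subject = lc.getSubject();
		// Takes the first Kerberos principal the login produced; throws NoSuchElementException if none.
		KerberosPrincipal krbPrincipal = subject.getPrincipals(KerberosPrincipal.class).iterator().next();

		Oid spnego = new Oid(SPNEGO_OID);
		Oid kerberos5 = new Oid(KERBEROS5_OID);

		final GSSManager manager = GSSManager.getInstance();

		final GSSName name = manager.createName(krbPrincipal.toString(), GSSName.NT_USER_NAME);
		Set<Oid> mechs = new HashSet<Oid>(Arrays.asList(manager.getMechsForName(name.getStringNameType())));
		final Oid mech;

		// Plain Kerberos 5 is preferred; SPNEGO is the fallback when only the wrapper mechanism is offered.
		if (mechs.contains(kerberos5)) {
			mech = kerberos5;
		} else if (mechs.contains(spnego)) {
			mech = spnego;
		} else {
			throw new IllegalArgumentException("No mechanism found");
		}

		// INITIATE_ONLY: the credential may authenticate to a server but never accept contexts.
		GSSCredential creds = Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
			@Override
			public GSSCredential run() throws GSSException {
				return manager.createCredential(name, GSSCredential.DEFAULT_LIFETIME, mech, GSSCredential.INITIATE_ONLY);
			}
		});

		return new GSSAuthenticationContext(krbPrincipal.getName(), krbPrincipal.getRealm(), subject, creds);

	} catch (Exception e) {
		// getMessage() can be null (e.g. NoSuchElementException, or a PrivilegedActionException wrapper);
		// guard it so the diagnostic path does not itself throw an NPE and hide the real cause.
		String message = e.getMessage();
		if (message != null && message.contains("Cannot locate default realm")) {
			throw new FileSystemException("Please fill the kdc and realm field or provide krb5.conf file including realm",e);
		}
		throw new FileSystemException(e);
	}
}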