org.ietf.jgss.GSSException Java Examples
The following examples show how to use
org.ietf.jgss.GSSException.
Example #1
Source File: MechTokenMissing.java From jdk8u60 with GNU General Public License v2.0 | 6 votes |
/**
 * Regression test: hands an acceptor a SPNEGO NegTokenInit that carries no
 * mechToken at all and checks that acceptSecContext fails with a
 * GSSException rather than in some uncontrolled way (e.g. an NPE).
 *
 * The acceptor is created with a null credential, so no keytab is needed;
 * the rejection has to come from parsing the token itself.
 */
public static void main(String[] args) throws Exception {
    GSSCredential acceptorCred = null;
    GSSContext acceptor = GSSManager.getInstance().createContext(acceptorCred);

    // DER dump of the initial context token: [APPLICATION 0] wrapping the
    // SPNEGO OID 1.3.6.1.5.5.2 and a NegTokenInit whose mechTypes list holds a
    // single OID, 1.3.6.1.4.1.311.2.2.10 (NTLMSSP). Nothing follows mechTypes,
    // i.e. the mechToken is missing. Two hex digits plus one space per byte.
    final String hexDump =
            /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
            /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    byte[] token = decodeSpacedHex(hexDump);

    try {
        acceptor.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}

/** Decodes "XX XX XX " (two hex digits and a trailing space per byte). */
private static byte[] decodeSpacedHex(String hexDump) {
    byte[] out = new byte[hexDump.length() / 3];
    for (int i = 0; i < out.length; i++) {
        String pair = hexDump.substring(3 * i, 3 * i + 2);
        out[i] = (byte) Integer.parseInt(pair, 16);
    }
    return out;
}
Example #2
Source File: OidFormat.java From openjdk-8-source with GNU General Public License v2.0 | 6 votes |
/**
 * Asserts that {@code s} is rejected by every parser that accepts a
 * dotted-decimal OID string: the internal ObjectIdentifier, the JGSS Oid,
 * and the algorithm-name lookup done by EncryptedPrivateKeyInfo.
 *
 * @param s the candidate OID string, expected to be invalid
 * @throws Exception if any of the three parsers accepts {@code s}
 */
static void testBad(String s) throws Exception {
    System.err.println("Trying " + s);

    boolean rejectedByOid = false;
    try {
        new ObjectIdentifier(s);
    } catch (IOException ioe) {
        System.err.println(ioe);
        rejectedByOid = true;
    }
    if (!rejectedByOid) {
        throw new Exception("should be invalid ObjectIdentifier");
    }

    boolean rejectedByJgss = false;
    try {
        new Oid(s);
    } catch (GSSException gsse) {
        rejectedByJgss = true;
    }
    if (!rejectedByJgss) {
        throw new Exception("should be invalid Oid");
    }

    boolean rejectedByEpki = false;
    try {
        new EncryptedPrivateKeyInfo(s, new byte[8]);
    } catch (NoSuchAlgorithmException e) {
        rejectedByEpki = true;
    }
    if (!rejectedByEpki) {
        throw new Exception("should be invalid algorithm");
    }
}
Example #3
Source File: HTTPKerberosAuthInterceptor.java From java-client-api with Apache License 2.0 | 6 votes |
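/**
 * Produces the first Kerberos (krb5 mechanism) context token for
 * {@code serverPrincipalName} on behalf of {@code clientPrincipalName} and
 * appends it, Base64-encoded, to {@code outputToken}.
 *
 * Fixes relative to the original:
 * - requestMutualAuth(true) is now called before initSecContext. JGSS only
 *   honours request flags set before the first initSecContext call; setting
 *   the flag afterwards, as the original did, meant mutual authentication
 *   was never actually requested in the token.
 * - The token is encoded with encodeToString, so the text no longer
 *   depends on the platform default charset.
 * - The context is disposed in a finally block, so it is released on the
 *   error paths too.
 *
 * NOTE(review): the context is still thrown away after the first token, so
 * the server's reply is never fed back through initSecContext and mutual
 * authentication is never *verified* here -- callers must not treat the
 * peer as authenticated on the strength of this exchange. The credential
 * obtained here is not disposed; whether disposing it would affect the
 * caller's Subject credentials is not visible from this code -- confirm
 * before adding that.
 *
 * @return always {@code null} (PrivilegedAction contract)
 * @throws FailedRequestException if no token is produced or a GSS step fails
 */
@Override
public Object run() {
    GSSContext context = null;
    try {
        Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
        Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
        final GSSManager manager = GSSManager.getInstance();
        final GSSName clientName = manager.createName(clientPrincipalName, krb5PrincipalNameType);
        // 8-hour requested credential lifetime, initiate-only.
        final GSSCredential clientCred = manager.createCredential(clientName, 8 * 3600, krb5Mechanism, GSSCredential.INITIATE_ONLY);
        final GSSName serverName = manager.createName(serverPrincipalName, krb5PrincipalNameType);
        context = manager.createContext(serverName, krb5Mechanism, clientCred, GSSContext.DEFAULT_LIFETIME);
        // Request flags must precede the first initSecContext call to take effect.
        context.requestMutualAuth(true);
        byte[] inToken = new byte[0];
        byte[] outToken = context.initSecContext(inToken, 0, inToken.length);
        if (outToken == null) {
            throw new FailedRequestException("could not initialize the security context");
        }
        outputToken.append(Base64.getEncoder().encodeToString(outToken));
    } catch (GSSException exception) {
        throw new FailedRequestException(exception.getMessage(), exception);
    } finally {
        if (context != null) {
            try {
                context.dispose();
            } catch (GSSException ignored) {
                // Best effort: the context is being discarded anyway.
            }
        }
    }
    return null;
}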
Example #4
Source File: LockOutRealm.java From Tomcat8-Source-Read with MIT License | 6 votes |
/**
 * {@inheritDoc}
 *
 * GSS-API variant: only an already-established context is accepted. The
 * initiator's name is read from the context and its string form is the key
 * used for lock-out bookkeeping; the wrapped realm does the actual
 * authentication and its result is then passed through the lock-out filter.
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    // Fail in all other cases: a context still negotiating carries no
    // authenticated peer identity.
    if (!gssContext.isEstablished()) {
        return null;
    }
    GSSName peer;
    try {
        peer = gssContext.getSrcName();
    } catch (GSSException e) {
        log.warn(sm.getString("realmBase.gssNameFail"), e);
        return null;
    }
    // The textual form of the GSS name is what the lock-out table is keyed on.
    String username = peer.toString();
    Principal authenticated = super.authenticate(gssContext, storeCreds);
    return filterLockedAccounts(username, authenticated);
}
Example #5
Source File: LockOutRealm.java From tomcatsrc with Apache License 2.0 | 6 votes |
/**
 * {@inheritDoc}
 *
 * Lock-out aware GSS-API authentication. The context must already be
 * established; its source (initiator) name, as a string, is the lock-out
 * key. Authentication itself is delegated to the wrapped realm and the
 * outcome is then subject to the lock-out filter for that key.
 */
@Override
public Principal authenticate(GSSContext gssContext, boolean storeCreds) {
    if (gssContext.isEstablished()) {
        final String lockoutKey;
        try {
            lockoutKey = gssContext.getSrcName().toString();
        } catch (GSSException e) {
            log.warn(sm.getString("realmBase.gssNameFail"), e);
            return null;
        }
        Principal fromWrappedRealm = super.authenticate(gssContext, storeCreds);
        return filterLockedAccounts(lockoutKey, fromWrappedRealm);
    }
    // Fail in all other cases
    return null;
}
Example #6
Source File: SpnegoAuthScheme.java From elasticsearch-hadoop with Apache License 2.0 | 6 votes |
/**
 * Verifies the server half of a SPNEGO exchange after the request has
 * already been sent and answered.
 *
 * With SPNEGO the request goes out before the client knows whether the
 * server is genuine, so a response can only be trusted once this method has
 * consumed the server's final Negotiate challenge and the negotiator reports
 * the context as established with nothing left to send. If that check
 * fails, nothing in the response should be believed and, if the request
 * carried data, no further traffic should go to that server.
 *
 * @param returnChallenge the Negotiate challenge from the response headers
 * @throws AuthenticationException if the challenge is malformed, the context
 *         is not established, the negotiator still has a token to send, or
 *         the GSS layer fails
 */
public void ensureMutualAuth(String returnChallenge) throws AuthenticationException {
    try {
        processChallenge(returnChallenge);
    } catch (MalformedChallengeException mce) {
        throw new AuthenticationException("Received invalid response header for mutual authentication", mce);
    }
    try {
        String pendingToken = getNegotiateToken();
        boolean finished = spnegoNegotiator.established() && pendingToken == null;
        if (!finished) {
            throw new AuthenticationException("Could not complete SPNEGO Authentication, Mutual Authentication Failed");
        }
    } catch (GSSException gsse) {
        throw new AuthenticationException("Could not complete SPNEGO Authentication", gsse);
    }
}
Example #7
Source File: SpnegoAuthInterceptor.java From knox with Apache License 2.0 | 6 votes |
/**
 * Runs {@code action} as {@code subject} and unwraps the
 * PrivilegedActionException that Subject.doAs uses to carry checked
 * exceptions, so callers see the original GSSException, Error or
 * RuntimeException. Any other checked cause is wrapped in a RuntimeException.
 *
 * @param subject the JAAS subject whose credentials the action runs with
 * @param action  the GSS work to perform
 * @param <T>     the action's result type
 * @return whatever {@code action} returns
 * @throws GSSException if the action failed with one
 */
private static <T> T doAs(Subject subject, GssSupplier<T> action) throws GSSException {
    try {
        return Subject.doAs(subject, (PrivilegedExceptionAction<T>) action::get);
    } catch (PrivilegedActionException wrapped) {
        Throwable cause = wrapped.getCause();
        if (cause instanceof GSSException) {
            throw (GSSException) cause;
        }
        if (cause instanceof Error) {
            throw (Error) cause;
        }
        if (cause instanceof RuntimeException) {
            throw (RuntimeException) cause;
        }
        throw new RuntimeException(cause);
    }
}
Example #8
Source File: OidFormat.java From jdk8u-dev-jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Negative OID test: every parser that takes a dotted-decimal OID string
 * must reject {@code s}. Reaching the throw inside a try means the parser
 * accepted the string, and that Exception is not caught by the surrounding
 * catch clause, so it propagates as the test failure.
 *
 * @param s an OID string that is supposed to be invalid
 * @throws Exception if ObjectIdentifier, Oid or EncryptedPrivateKeyInfo accepts it
 */
static void testBad(String s) throws Exception {
    System.err.println("Trying " + s);

    // 1. sun.security.util.ObjectIdentifier
    try {
        new ObjectIdentifier(s);
        throw new Exception("should be invalid ObjectIdentifier");
    } catch (IOException rejected) {
        System.err.println(rejected);
    }

    // 2. org.ietf.jgss.Oid
    try {
        new Oid(s);
        throw new Exception("should be invalid Oid");
    } catch (GSSException rejected) {
        // expected: invalid OID text
    }

    // 3. EncryptedPrivateKeyInfo's algorithm lookup
    try {
        new EncryptedPrivateKeyInfo(s, new byte[8]);
        throw new Exception("should be invalid algorithm");
    } catch (NoSuchAlgorithmException rejected) {
        // expected: no algorithm by that name
    }
}
Example #9
Source File: OidFormat.java From hottub with GNU General Public License v2.0 | 6 votes |
/**
 * Checks that an invalid OID string is refused by all three consumers of
 * dotted OID text. Each probe either throws the parser's own rejection
 * (which is caught and, for ObjectIdentifier, printed) or falls through to
 * an Exception naming the parser that wrongly accepted the input.
 *
 * @param s the OID string expected to be invalid
 * @throws Exception if any parser accepts {@code s}
 */
static void testBad(String s) throws Exception {
    System.err.println("Trying " + s);

    String accepted = null;

    try {
        new ObjectIdentifier(s);
        accepted = "should be invalid ObjectIdentifier";
    } catch (IOException ioe) {
        System.err.println(ioe);
    }
    if (accepted != null) {
        throw new Exception(accepted);
    }

    try {
        new Oid(s);
        accepted = "should be invalid Oid";
    } catch (GSSException gsse) {
        // rejected, as required
    }
    if (accepted != null) {
        throw new Exception(accepted);
    }

    try {
        new EncryptedPrivateKeyInfo(s, new byte[8]);
        accepted = "should be invalid algorithm";
    } catch (NoSuchAlgorithmException e) {
        // rejected, as required
    }
    if (accepted != null) {
        throw new Exception(accepted);
    }
}
Example #10
Source File: KerberosUtil.java From dcos-commons with Apache License 2.0 | 6 votes |
/**
 * Reads a named OID constant reflectively from the JDK vendor's internal
 * GSSUtil class ("sun.security.jgss.GSSUtil" on OpenJDK/Oracle,
 * "com.ibm.security.jgss.GSSUtil" on IBM Java). IBM's class has no field for
 * the krb5 principal-name OID, so that one is built from its dotted string.
 *
 * NOTE(review): this reaches into a JDK-internal package. On Java 9+ the
 * reflective read may fail (IllegalAccessException) unless that package is
 * exported to this module -- confirm on the target runtime.
 *
 * @param oidName name of the static field in GSSUtil, e.g. "GSS_KRB5_MECH_OID"
 * @return the Oid held by that field
 * @throws ClassNotFoundException if the vendor GSSUtil class is absent
 * @throws GSSException if the hard-coded principal OID string cannot be parsed
 * @throws NoSuchFieldException if GSSUtil has no field of that name
 * @throws IllegalAccessException if the field cannot be read reflectively
 */
public static Oid getOidInstance(String oidName)
        throws ClassNotFoundException, GSSException, NoSuchFieldException, IllegalAccessException {
    final String vendorGssUtil;
    if (IBM_JAVA) {
        if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
            // IBM JDK GSSUtil class does not have field for krb5 principal oid
            return new Oid("1.2.840.113554.1.2.2.1");
        }
        vendorGssUtil = "com.ibm.security.jgss.GSSUtil";
    } else {
        vendorGssUtil = "sun.security.jgss.GSSUtil";
    }
    Class<?> holder = Class.forName(vendorGssUtil);
    Field constant = holder.getDeclaredField(oidName);
    // The Class object is passed as the receiver, i.e. the field is read as a static.
    return (Oid) constant.get(holder);
}
Example #11
Source File: KnoxSpnegoAuthScheme.java From knox with Apache License 2.0 | 6 votes |
/**
 * Produces the next SPNEGO token, first making sure System.nanoTime() has
 * moved past the value recorded by the previous call.
 *
 * Per the original author's comment, this works around Kerberos service
 * ticket replay detection on the acceptor: Kerberos timestamps have
 * microsecond resolution, so two tokens produced within the same tick can
 * look like a replay. The wait is serialized on the class, so it covers
 * every instance in this JVM. NOTE(review): it cannot coordinate with
 * another JVM using the same client principal, and it assumes the token's
 * timestamp advances together with nanoTime() -- verify against the
 * superclass implementation.
 *
 * @param input      the token received from the server, if any
 * @param authServer the server being authenticated against
 * @return the next token from the superclass
 * @throws GSSException if the superclass cannot produce a token
 */
@Override
protected byte[] generateToken(final byte[] input, final String authServer) throws GSSException {
    synchronized (KnoxSpnegoAuthScheme.class) {
        long current = System.nanoTime();
        // Spin until the clock differs from the last recorded value.
        // Thread.sleep(0) yields without committing to a minimum delay.
        while (current == nano) {
            try {
                Thread.sleep(0);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            current = System.nanoTime();
        }
        nano = current;
        return super.generateToken(input, authServer);
    }
}
Example #12
Source File: MechTokenMissing.java From openjdk-jdk8u-backup with GNU General Public License v2.0 | 6 votes |
/**
 * Regression test for a NegTokenInit with no mechToken. The token is a
 * hand-written DER dump: [APPLICATION 0] around the SPNEGO OID
 * (1.3.6.1.5.5.2) and a NegTokenInit whose mechTypes contains only
 * 1.3.6.1.4.1.311.2.2.10 (NTLMSSP), with nothing after mechTypes. An
 * acceptor created without a credential must reject it with a GSSException.
 */
public static void main(String[] args) throws Exception {
    GSSCredential none = null;
    GSSContext acceptor = GSSManager.getInstance().createContext(none);

    // Three characters per byte: two hex digits and a separating space.
    String dump =
            /*0000*/ "60 1C 06 06 2B 06 01 05 05 02 A0 12 30 10 A0 0E " +
            /*0010*/ "30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A ";
    int byteCount = dump.length() / 3;
    byte[] token = new byte[byteCount];
    for (int index = 0, cursor = 0; index < byteCount; index++, cursor += 3) {
        int value = Integer.parseInt(dump.substring(cursor, cursor + 2), 16);
        token[index] = (byte) value;
    }

    try {
        acceptor.acceptSecContext(token, 0, token.length);
    } catch (GSSException gsse) {
        System.out.println("Expected exception: " + gsse);
    }
}
Example #13
Source File: KerberosUtil.java From big-c with Apache License 2.0 | 6 votes |
/**
 * Resolves an OID constant by field name from the vendor-specific, internal
 * GSSUtil class. On IBM Java the krb5 principal-name OID has no such field
 * and is built from its dotted string instead.
 *
 * NOTE(review): sun.security.jgss / com.ibm.security.jgss are not public
 * API; on Java 9+ reading the field may throw IllegalAccessException unless
 * the package is exported -- confirm on the deployment JDK.
 *
 * @param oidName the GSSUtil field name, e.g. "GSS_KRB5_MECH_OID"
 * @return the Oid stored in that field
 * @throws ClassNotFoundException if the vendor class cannot be loaded
 * @throws GSSException if the fallback OID string fails to parse
 * @throws NoSuchFieldException if no field with that name exists
 * @throws IllegalAccessException if the field is not readable
 */
public static Oid getOidInstance(String oidName)
        throws ClassNotFoundException, GSSException, NoSuchFieldException, IllegalAccessException {
    if (IBM_JAVA && "NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
        // IBM JDK GSSUtil class does not have field for krb5 principal oid
        return new Oid("1.2.840.113554.1.2.2.1");
    }
    String className = IBM_JAVA ? "com.ibm.security.jgss.GSSUtil" : "sun.security.jgss.GSSUtil";
    Class<?> gssUtil = Class.forName(className);
    Field oidField = gssUtil.getDeclaredField(oidName);
    // Receiver is the Class itself: the field is read as a static.
    Object value = oidField.get(gssUtil);
    return (Oid) value;
}
Example #14
Source File: SpnegoAuthScheme.java From elasticsearch-hadoop with Apache License 2.0 | 6 votes |
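/**
 * Lazily creates the SPNEGO negotiator; does nothing if one already exists.
 *
 * If the configured service principal contains HOSTNAME_PATTERN, that
 * component is replaced with the request host's fully qualified name
 * (lower-cased) so the principal names the host the request actually goes
 * to. The initiating Kerberos principal is the user provider's currently
 * logged-in user.
 *
 * Fix: the host is lower-cased with Locale.ROOT. Default-locale
 * String.toLowerCase() maps "I" to a dotless i under Turkish locales, which
 * would yield a service principal the KDC does not know; principal names
 * must be case-folded locale-independently.
 *
 * NOTE(review): the substituted host comes from getFQDN(requestURI), whose
 * resolution strategy is not visible here. If it canonicalises through DNS
 * (e.g. a reverse lookup), whoever controls that DNS answer can make the
 * client request a ticket for a different service principal -- confirm how
 * getFQDN resolves names.
 *
 * @param requestURI        request being authenticated
 * @param spnegoCredentials the user and service principals
 * @throws UnknownHostException    if host substitution is used and the request host cannot be resolved to a FQDN
 * @throws AuthenticationException if the service principal is malformed
 * @throws GSSException            if the negotiator cannot be created
 */
private void initializeNegotiator(URI requestURI, SpnegoCredentials spnegoCredentials)
        throws UnknownHostException, AuthenticationException, GSSException {
    if (spnegoNegotiator != null) {
        return;
    }
    String servicePrincipal = spnegoCredentials.getServicePrincipalName();
    if (servicePrincipal.contains(HOSTNAME_PATTERN)) {
        String fqdn = getFQDN(requestURI);
        // Expect exactly three components: service, HOSTNAME_PATTERN, realm.
        String[] components = servicePrincipal.split("[/@]");
        if (components.length != 3 || !components[1].equals(HOSTNAME_PATTERN)) {
            // NOTE(review): the format hint inside this message looks garbled in this
            // copy of the source (it reads like an obfuscated e-mail address); confirm
            // the wording against upstream before relying on it.
            throw new AuthenticationException("Malformed service principal name [" + servicePrincipal + "]. To use host substitution, the principal must be of the format [serviceName/[email protected]].");
        }
        servicePrincipal = components[0] + "/" + fqdn.toLowerCase(java.util.Locale.ROOT) + "@" + components[2];
    }
    User userInfo = spnegoCredentials.getUserProvider().getUser();
    KerberosPrincipal principal = userInfo.getKerberosPrincipal();
    if (principal == null) {
        throw new EsHadoopIllegalArgumentException("Could not locate Kerberos Principal on currently logged in user.");
    }
    spnegoNegotiator = new SpnegoNegotiator(principal.getName(), servicePrincipal);
}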
Example #15
Source File: KerberosUtil.java From zeppelin with Apache License 2.0 | 6 votes |
/**
 * Fetches the Oid constant named {@code oidName} from the JDK's internal
 * GSSUtil class, choosing the IBM or Sun/OpenJDK class by the IBM_JAVA flag.
 * The krb5 principal-name OID is special-cased on IBM Java, which has no
 * field for it, and is parsed from its dotted form instead.
 *
 * NOTE(review): these packages are JDK-internal; on Java 9+ the reflective
 * read can fail with IllegalAccessException unless they are exported to this
 * module -- verify on the runtime in use.
 *
 * @param oidName name of the static Oid field in GSSUtil
 * @return the Oid constant
 * @throws ClassNotFoundException if GSSUtil cannot be loaded
 * @throws GSSException if the special-cased OID string is invalid
 * @throws NoSuchFieldException if GSSUtil has no field {@code oidName}
 * @throws IllegalAccessException if the field cannot be read
 */
public static Oid getOidInstance(String oidName)
        throws ClassNotFoundException, GSSException, NoSuchFieldException, IllegalAccessException {
    Class<?> gssUtil;
    if (!IBM_JAVA) {
        gssUtil = Class.forName("sun.security.jgss.GSSUtil");
    } else if ("NT_GSS_KRB5_PRINCIPAL".equals(oidName)) {
        // IBM JDK GSSUtil class does not have field for krb5 principal oid
        return new Oid("1.2.840.113554.1.2.2.1");
    } else {
        gssUtil = Class.forName("com.ibm.security.jgss.GSSUtil");
    }
    Field field = gssUtil.getDeclaredField(oidName);
    // Static read: the Class object stands in for the (ignored) receiver.
    return (Oid) field.get(gssUtil);
}
Example #16
Source File: MSOID.java From openjdk-jdk8u with GNU General Public License v2.0 | 5 votes |
/**
 * Regression test for the Microsoft Kerberos mechanism OID
 * (GSS_KRB5_MECH_OID_MS). An acceptor with no credential is given a
 * NegTokenInit captured from Internet Explorer talking to IIS (msoid.txt;
 * no sensitive data) and must fail *inside the krb5 mechanism* with
 * NO_CRED. Before the fix the MS OID was not recognised, so the acceptor
 * picked another mechanism and carried on.
 */
public static void main(String[] args) throws Exception {
    byte[] header = Files.readAllBytes(Paths.get(System.getProperty("test.src"), "msoid.txt"));
    // The first 10 bytes of the capture are skipped before Base64-decoding;
    // presumably a header prefix such as "Negotiate " -- the file is not shown here.
    byte[] negTokenInit = Base64.getMimeDecoder().decode(Arrays.copyOfRange(header, 10, header.length));

    GSSCredential noCred = null;
    GSSContext acceptor = GSSManager.getInstance().createContext(noCred);
    try {
        acceptor.acceptSecContext(negTokenInit, 0, negTokenInit.length);
        // Reaching here means the MS OID went unrecognised and acceptance
        // continued under some other mechanism.
        throw new Exception("Should fail");
    } catch (GSSException gsse) {
        gsse.printStackTrace();
        // With the OID recognised, the krb5 mech is selected but has no
        // acceptor credential to work with.
        if (gsse.getMajor() != GSSException.NO_CRED) {
            throw gsse;
        }
        boolean raisedByKrb5 = false;
        for (StackTraceElement frame : gsse.getStackTrace()) {
            if (frame.getClassName().startsWith("sun.security.jgss.krb5.")) {
                raisedByKrb5 = true;
                break;
            }
        }
        if (!raisedByKrb5) {
            throw gsse;
        }
    }
}
Example #17
Source File: KerberosUtil.java From dcos-commons with Apache License 2.0 | 5 votes |
/**
 * Parses a dotted-decimal OID string into an {@link Oid}, converting the
 * checked GSSException into an IllegalArgumentException so that callers
 * passing compile-time constants need not handle it.
 *
 * @param oidName the OID in dotted-decimal form, e.g. "1.2.840.113554.1.2.2"
 * @return the parsed Oid
 * @throws IllegalArgumentException if {@code oidName} is not a valid OID
 */
private static Oid getNumericOidInstance(String oidName) {
    final Oid parsed;
    try {
        parsed = new Oid(oidName);
    } catch (GSSException notAnOid) {
        throw new IllegalArgumentException(notAnOid);
    }
    return parsed;
}
Example #18
Source File: CtorTests2.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Checks that a name created with the NT_ANONYMOUS name type reports itself
 * as anonymous. A GSSException from the provider is taken to mean the
 * anonymous name type is simply unsupported, and the test is skipped.
 */
public static void main(String[] argv) throws Exception {
    try {
        GSSName anon = GSSManager.getInstance().createName("anonymous", GSSName.NT_ANONYMOUS);
        if (!anon.isAnonymous()) {
            throw new RuntimeException("GSSName.isAnonymous() returns false for GSSName.NT_ANONYMOUS");
        }
    } catch (GSSException e) {
        System.out.println("Not supported, ignored!");
    }
}
Example #19
Source File: NoneReplayCacheTest.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Shows what the "none" replay cache does and does not protect against.
 *
 * With sun.security.krb5.rcache=none the acceptor keeps no replay cache, so
 * a fresh acceptor context accepts the client's original AP-REQ a second
 * time. A wrapped message captured from the first context must still be
 * rejected by the second one (presumably because
 * sun.security.krb5.acceptor.subkey=true gives each accepted context its
 * own subkey, so the old seal no longer verifies -- TODO confirm).
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null);
    System.setProperty("sun.security.krb5.rcache", "none");
    System.setProperty("sun.security.krb5.acceptor.subkey", "true");

    Context client = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
    Context server = Context.fromUserKtab(OneKDC.SERVER, OneKDC.KTAB, true);
    client.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    server.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);

    // Full handshake, then one sealed message from client to server.
    byte[] apReq = client.take(new byte[0]);
    client.take(server.take(apReq));
    byte[] sealed = client.wrap("hello".getBytes(), true);
    server.unwrap(sealed, true);

    // A second acceptor context is fed the very same AP-REQ.
    server.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    server.take(apReq); // apreq replay not detectable
    try {
        server.unwrap(sealed, true); // msg replay detectable
        throw new Exception("This method should fail");
    } catch (GSSException gsse) {
        gsse.printStackTrace();
    }
}
Example #20
Source File: MoreKvno.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Exercises acceptor key selection when the keytab holds several key
 * versions (kvno 1, 2 and 3, written out of order) for the service
 * principal. The KDC's current key is switched between runs to check that
 * the acceptor finds the matching entry; a final run with a key the keytab
 * does not hold (pass4) is expected to fail.
 *
 * Since JDK-7197159 a kvno mismatch is tolerated, so the last run no longer
 * checks for KRB_AP_ERR_BADKEYVER specifically -- any GSSException passes.
 */
public static void main(String[] args) throws Exception {
    OneKDC kdc = new OneKDC(null);
    kdc.writeJAASConf();

    // Rewrite the keytab: three key versions, deliberately not in kvno order.
    KeyTab keytab = KeyTab.create(OneKDC.KTAB);
    p = new PrincipalName(OneKDC.SERVER + "@" + OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
    keytab.addEntry(p, "pass1".toCharArray(), 1, true);
    keytab.addEntry(p, "pass3".toCharArray(), 3, true);
    keytab.addEntry(p, "pass2".toCharArray(), 2, true);
    keytab.save();

    // KDC key = pass2: the acceptor must pick the kvno-2 entry.
    char[] currentKey = "pass2".toCharArray();
    kdc.addPrincipal(OneKDC.SERVER, currentKey);
    go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", currentKey);

    // KDC key = pass3; "server" initiates as well. Original note: check
    // pass2 is used at authentication.
    currentKey = "pass3".toCharArray();
    kdc.addPrincipal(OneKDC.SERVER, currentKey);
    go(OneKDC.SERVER, "server", currentKey);

    // KDC key = pass4, which the keytab does not contain.
    try {
        currentKey = "pass4".toCharArray();
        kdc.addPrincipal(OneKDC.SERVER, currentKey);
        go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept", currentKey);
        throw new Exception("This test should fail");
    } catch (GSSException gsse) {
        // Expected. The former check that the cause was a KrbException with
        // return code KRB_AP_ERR_BADKEYVER was removed after 7197159, since
        // a differing kvno is now accepted and that code is no longer raised.
    }
}
Example #21
Source File: MSOID.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/**
 * GSS_KRB5_MECH_OID_MS regression test. The input is a NegTokenInit that
 * Internet Explorer sent to an IIS test server (msoid.txt; nothing
 * sensitive). Accepting it without any credential must fail with NO_CRED,
 * and the failure must originate in the krb5 mechanism classes -- that
 * proves the Microsoft Kerberos OID was recognised instead of being skipped
 * in favour of another mechanism, which is what happened before the fix.
 */
public static void main(String[] args) throws Exception {
    byte[] fileBytes = Files.readAllBytes(Paths.get(System.getProperty("test.src"), "msoid.txt"));
    // Skip the first 10 bytes (presumably a textual header prefix; the file
    // itself is not shown here) and MIME-Base64-decode the rest.
    byte[] encoded = Arrays.copyOfRange(fileBytes, 10, fileBytes.length);
    byte[] token = Base64.getMimeDecoder().decode(encoded);

    GSSCredential absentCred = null;
    GSSContext ctx = GSSManager.getInstance().createContext(absentCred);
    try {
        ctx.acceptSecContext(token, 0, token.length);
        // Pre-fix behaviour: unknown OID, another mech chosen, acceptance continues.
        throw new Exception("Should fail");
    } catch (GSSException gsse) {
        gsse.printStackTrace();
        if (gsse.getMajor() != GSSException.NO_CRED) {
            throw gsse;
        }
        for (StackTraceElement frame : gsse.getStackTrace()) {
            if (frame.getClassName().startsWith("sun.security.jgss.krb5.")) {
                // The krb5 mechanism raised it: the OID was recognised.
                return;
            }
        }
        throw gsse;
    }
}
Example #22
Source File: NegotiatorImpl.java From TencentKona-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Produces the next initiator token for the SPNEGO exchange (the
 * NegTokenTarg response to whatever the server sent).
 *
 * @param token the token received from the server
 * @return the next token to send
 * @throws IOException if the GSS layer cannot continue; the GSSException is
 *         attached as the cause and, when DEBUG is set, printed to stdout
 */
@Override
public byte[] nextToken(byte[] token) throws IOException {
    try {
        return context.initSecContext(token, 0, token.length);
    } catch (GSSException e) {
        if (DEBUG) {
            System.out.println("Negotiate support cannot continue. Reason:");
            e.printStackTrace();
        }
        throw new IOException("Negotiate support cannot continue", e);
    }
}
Example #23
Source File: Kerb5Context.java From jcifs with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Finds the Kerberos session key for this context by matching the context's
 * initiator and target names against the client/server names of the
 * KerberosTickets held in {@code subject}'s private credentials.
 *
 * The context names are taken in exported form and the ticket names are
 * paired with the context's mechanism OID; MIEName is not shown here but
 * appears to be the common representation that makes the two comparable.
 *
 * @param subject the authenticated subject whose tickets are searched
 * @return the session key of the first matching ticket, or {@code null}
 * @throws GSSException if the context's names or mechanism cannot be read
 */
Key searchSessionKey(Subject subject) throws GSSException {
    MIEName initiator = new MIEName(this.gssContext.getSrcName().export());
    MIEName acceptor = new MIEName(this.gssContext.getTargName().export());
    ASN1ObjectIdentifier mechOid = ASN1ObjectIdentifier.getInstance(this.gssContext.getMech().getDER());

    for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
        MIEName ticketClient = new MIEName(mechOid, ticket.getClient().getName());
        MIEName ticketServer = new MIEName(mechOid, ticket.getServer().getName());
        boolean sameEndpoints = initiator.equals(ticketClient) && acceptor.equals(ticketServer);
        if (sameEndpoints) {
            return ticket.getSessionKey();
        }
    }
    return null;
}
Example #24
Source File: ReplayCacheTest.java From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Checks that the acceptor's replay cache rejects a re-sent AP-REQ.
 *
 * args[0] names the replay-cache implementation. Only the value "dfl"
 * (file-based cache) is handled here: it is rewritten to "dfl:<user.dir>/"
 * so the cache file lands in the test's scratch directory, and
 * sun.security.krb5.rcache is set to that value. After a complete
 * handshake, a fresh acceptor context is fed the identical AP-REQ and must
 * fail with KRB_AP_ERR_REPEAT.
 */
public static void main(String[] args) throws Exception {
    new OneKDC(null);
    if (args[0].equals("dfl")) {
        // Store file in scratch directory
        String scratchCache = "dfl:" + System.getProperty("user.dir") + File.separator;
        args[0] = scratchCache;
        System.setProperty("sun.security.krb5.rcache", scratchCache);
    }

    Context client = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
    Context server = Context.fromUserKtab(OneKDC.SERVER, OneKDC.KTAB, true);
    client.startAsClient(OneKDC.SERVER, GSSUtil.GSS_KRB5_MECH_OID);
    server.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);

    byte[] apReq = client.take(new byte[0]);
    client.take(server.take(apReq));

    // New acceptor context, same AP-REQ.
    server.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
    try {
        server.take(apReq); // Replay the last apreq sent
        throw new Exception("This method should fail");
    } catch (GSSException gsse) {
        gsse.printStackTrace();
        KrbException krbCause = (KrbException) gsse.getCause();
        if (krbCause.returnCode() != Krb5.KRB_AP_ERR_REPEAT) {
            throw gsse;
        }
    }
}
Example #25
Source File: JassAuthenticate.java From sakai with Educational Community License v2.0 | 5 votes |
/**
 * Acceptor side of the test handshake: consumes the initiator's tokens on
 * {@code serverContext} and stores whatever it produces in
 * {@code acceptTokens}. A GSSException is rethrown unchecked because this
 * PrivilegedAction cannot declare it.
 *
 * @return always {@code null}
 */
public Void run() {
    try {
        acceptTokens = serverContext.acceptSecContext(initTokens, 0, initTokens.length);
        return null;
    } catch (GSSException e) {
        throw new RuntimeException("Failed to accept.", e);
    }
}
Example #26
Source File: Kerb5Context.java From jcifs with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Advances the initiator side of the underlying JGSS context with the given
 * peer token and returns the next token to send, translating GSS failures
 * into the SMB authentication exception callers of this layer expect.
 *
 * @param token the peer's token (the slice {@code [off, off+len)} is used)
 * @param off   offset of the token within {@code token}
 * @param len   length of the token
 * @return the next token produced by the context
 * @throws SmbException wrapping the GSSException as an SmbAuthException
 */
@Override
public byte[] initSecContext(byte[] token, int off, int len) throws SmbException {
    final byte[] next;
    try {
        next = this.gssContext.initSecContext(token, off, len);
    } catch (GSSException e) {
        throw new SmbAuthException("GSSAPI mechanism failed", e);
    }
    return next;
}
Example #27
Source File: NegotiatorImpl.java From openjdk-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Returns the next GSS token for the SPNEGO exchange -- the NegTokenTarg
 * that answers the server's token.
 *
 * @param token the token received from the server
 * @return the next token
 * @throws IOException if the token cannot be created; carries the
 *         GSSException as its cause (also printed when DEBUG is on)
 */
@Override
public byte[] nextToken(byte[] token) throws IOException {
    byte[] reply;
    try {
        reply = context.initSecContext(token, 0, token.length);
    } catch (GSSException failure) {
        if (DEBUG) {
            System.out.println("Negotiate support cannot continue. Reason:");
            failure.printStackTrace();
        }
        IOException wrapped = new IOException("Negotiate support cannot continue");
        wrapped.initCause(failure);
        throw wrapped;
    }
    return reply;
}
Example #28
Source File: GssMemoryIssues.java From openjdk-jdk9 with GNU General Public License v2.0 | 5 votes |
/**
 * Regression test for exported-name parsing: the length field of the
 * mechanism-name portion in a valid exported name is overwritten with a
 * huge value and the result is fed back to createName. Importing it must
 * fail with a GSSException rather than, say, trying to allocate a buffer of
 * that size.
 */
public static void main(String[] argv) throws Exception {
    GSSManager manager = GSSManager.getInstance();
    String userName = "me@REALM";
    byte[] exported = manager.createName(userName, GSSName.NT_USER_NAME).export();

    // The mechanism name occupies the last userName.length() bytes of the
    // exported blob and is preceded by its 4-byte big-endian length; corrupt
    // that length's most significant byte.
    int nameLengthOffset = exported.length - userName.length() - 4;
    exported[nameLengthOffset] = 0x7f;

    try {
        manager.createName(exported, GSSName.NT_EXPORT_NAME);
    } catch (GSSException gsse) {
        System.out.println(gsse);
    }
}
Example #29
Source File: Kerb5Context.java From jcifs-ng with GNU Lesser General Public License v2.1 | 5 votes |
/**
 * Looks up the session key that belongs to this context among the
 * KerberosTickets in {@code subject}'s private credentials: a ticket
 * matches when its client equals the context's source name and its server
 * equals the context's target name, both compared as MIEName values built
 * under the context's mechanism OID.
 *
 * @param subject the subject whose tickets are examined
 * @return the matching ticket's session key, or {@code null} if none matches
 * @throws GSSException if the context's names or mechanism cannot be read
 */
Key searchSessionKey(Subject subject) throws GSSException {
    final MIEName contextSource = new MIEName(this.gssContext.getSrcName().export());
    final MIEName contextTarget = new MIEName(this.gssContext.getTargName().export());
    final ASN1ObjectIdentifier mechanism = ASN1ObjectIdentifier.getInstance(this.gssContext.getMech().getDER());

    Key found = null;
    for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
        MIEName ticketClient = new MIEName(mechanism, ticket.getClient().getName());
        MIEName ticketServer = new MIEName(mechanism, ticket.getServer().getName());
        if (contextSource.equals(ticketClient) && contextTarget.equals(ticketServer)) {
            found = ticket.getSessionKey();
            break;
        }
    }
    return found;
}
Example #30
Source File: MockingKerberizedClient.java From elasticsearch-shield-kerberos-realm with Apache License 2.0 | 5 votes |
/**
 * Test double for the initiator side of a GSS context. With no input it
 * returns a fixed marker token; otherwise it echoes the given slice of the
 * input back, prefixed with "|". All text is UTF-8. No real Kerberos
 * exchange happens here.
 *
 * @param inputBuf the peer's token, or {@code null}/empty for the first call
 * @param offset   start of the token within {@code inputBuf}
 * @param len      length of the token
 * @return the mocked next token
 * @throws GSSException never thrown; declared to match the real interface
 */
@Override
public byte[] initSecContext(final byte[] inputBuf, final int offset, final int len) throws GSSException {
    final boolean firstCall = inputBuf == null || inputBuf.length == 0;
    final String reply = firstCall
            ? "mocked_initial_gss_security_context"
            : "|" + new String(inputBuf, offset, len, StandardCharsets.UTF_8);
    return reply.getBytes(StandardCharsets.UTF_8);
}