List of usage examples for javax.security.auth.kerberos KerberosPrincipal KerberosPrincipal
public KerberosPrincipal(String name)
From source file:net.java.jaspicoil.MSPacSpnegoServerAuthModule.java
/** * Create a Kerberos Subject for the Principal whose name is passed * /*from ww w. j a v a 2s . c o m*/ * @param name * the name to use * @return a valid Subject */ private Subject createSubject(GSSName name) { // return com.sun.security.jgss.GSSUtil.createSubject(name, null); // // this was Sun JVM only ;-) final Set<KerberosPrincipal> krb5Principals = new HashSet<KerberosPrincipal>(); try { // First create a canonical string representation of KRB5 final String krb5name = name.canonicalize(GSS_KRB5_MECH_OID).toString(); // Then, create a Kerberos Principal from the canonical name final KerberosPrincipal krbPrinc = new KerberosPrincipal(krb5name); krb5Principals.add(krbPrinc); } catch (final GSSException e) { LOG.log(Level.SEVERE, "Unable to create the Kerberos context", e); } return new Subject(false, krb5Principals, new HashSet<Object>(), new HashSet<Object>()); }
From source file:org.apache.coheigea.cxf.kerberos.authentication.TokenPreAuthTest.java
@org.junit.Test public void unitTokenAuthGSSTest() throws Exception { // 1. Get a TGT from the KDC for the client + create an armor cache KrbClient client = new KrbClient(); client.setKdcHost("localhost"); client.setKdcTcpPort(kerbyServer.getKdcPort()); client.setAllowUdp(false);// ww w . j av a 2 s . c o m client.setKdcRealm(kerbyServer.getKdcSetting().getKdcRealm()); client.init(); TgtTicket tgt = client.requestTgt("alice@service.ws.apache.org", "alice"); assertNotNull(tgt); // Write to cache Credential credential = new Credential(tgt); CredentialCache cCache = new CredentialCache(); cCache.addCredential(credential); cCache.setPrimaryPrincipal(tgt.getClientPrincipal()); File cCacheFile = File.createTempFile("krb5_alice@service.ws.apache.org", "cc"); cCache.store(cCacheFile); // Now read in JAAS config + substitute in the armor cache file path value String basedir = System.getProperty("basedir"); if (basedir == null) { basedir = new File(".").getCanonicalPath(); } File f = new File(basedir + "/target/test-classes/kerberos/kerberos.jaas"); FileInputStream inputStream = new FileInputStream(f); String content = IOUtils.toString(inputStream, "UTF-8"); inputStream.close(); content = content.replaceAll("armorCacheVal", cCacheFile.getPath()); File f2 = new File(basedir + "/target/test-classes/kerberos/kerberos.jaas"); FileOutputStream outputStream = new FileOutputStream(f2); IOUtils.write(content, outputStream, "UTF-8"); outputStream.close(); // 2. Create a JWT token using CXF JwtClaims claims = new JwtClaims(); claims.setSubject("alice"); claims.setIssuer("DoubleItSTSIssuer"); claims.setIssuedAt(new Date().getTime() / 1000L); claims.setExpiryTime(new Date().getTime() + (60L + 1000L)); String address = "krbtgt/service.ws.apache.org@service.ws.apache.org"; claims.setAudiences(Collections.singletonList(address)); KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(Loader.getResourceAsStream("clientstore.jks"), "cspass".toCharArray()); Properties signingProperties = new Properties(); signingProperties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, SignatureAlgorithm.RS256.name()); signingProperties.put(JoseConstants.RSSEC_KEY_STORE, keystore); signingProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, "myclientkey"); signingProperties.put(JoseConstants.RSSEC_KEY_PSWD, "ckpass"); JwsHeaders jwsHeaders = new JwsHeaders(signingProperties); JwsJwtCompactProducer jws = new JwsJwtCompactProducer(jwsHeaders, claims); JwsSignatureProvider sigProvider = JwsUtils.loadSignatureProvider(signingProperties, jwsHeaders); String signedToken = jws.signWith(sigProvider); // Store the JWT token in the token cache File tokenCache = new File(basedir + "/target/tokencache.txt"); if (!tokenCache.exists()) { tokenCache.createNewFile(); } TokenCache.writeToken(signedToken, tokenCache.getPath()); // 3. Now log in using JAAS LoginContext loginContext = new LoginContext("aliceTokenAuth", new KerberosCallbackHandler()); loginContext.login(); Subject clientSubject = loginContext.getSubject(); //Set<Principal> clientPrincipals = clientSubject.getPrincipals(); //assertFalse(clientPrincipals.isEmpty()); // Get the TGT Set<KerberosTicket> privateCredentials = clientSubject.getPrivateCredentials(KerberosTicket.class); assertFalse(privateCredentials.isEmpty()); // Get the service ticket using GSS KerberosClientExceptionAction action = new KerberosClientExceptionAction( new KerberosPrincipal("alice@service.ws.apache.org"), "bob@service.ws.apache.org"); byte[] ticket = (byte[]) Subject.doAs(clientSubject, action); assertNotNull(ticket); loginContext.logout(); validateServiceTicket(ticket); cCacheFile.delete(); tokenCache.delete(); }
From source file:org.apache.druid.security.kerberos.KerberosAuthenticator.java
private String getPrincipalFromRequestNew(HttpServletRequest req) { String authorization = req//w w w . jav a 2 s .c o m .getHeader(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.AUTHORIZATION); if (authorization == null || !authorization .startsWith(org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE)) { return null; } else { authorization = authorization.substring( org.apache.hadoop.security.authentication.client.KerberosAuthenticator.NEGOTIATE.length()) .trim(); final Base64 base64 = new Base64(0); final byte[] clientToken = base64.decode(authorization); try { DerInputStream ticketStream = new DerInputStream(clientToken); DerValue[] values = ticketStream.getSet(clientToken.length, true); // see this link for AP-REQ format: https://tools.ietf.org/html/rfc1510#section-5.5.1 for (DerValue value : values) { if (isValueAPReq(value)) { APReq apReq = new APReq(value); Ticket ticket = apReq.ticket; EncryptedData encData = ticket.encPart; int eType = encData.getEType(); // find the server's key EncryptionKey finalKey = null; Subject serverSubj = loginContext.getSubject(); Set<Object> serverCreds = serverSubj.getPrivateCredentials(Object.class); for (Object cred : serverCreds) { if (cred instanceof KeyTab) { KeyTab serverKeyTab = (KeyTab) cred; KerberosPrincipal kerberosPrincipal = new KerberosPrincipal(serverPrincipal); KerberosKey[] serverKeys = serverKeyTab.getKeys(kerberosPrincipal); for (KerberosKey key : serverKeys) { if (key.getKeyType() == eType) { finalKey = new EncryptionKey(key.getKeyType(), key.getEncoded()); break; } } } } if (finalKey == null) { log.error("Could not find matching key from server creds."); return null; } // decrypt the ticket with the server's key byte[] decryptedBytes = encData.decrypt(finalKey, KeyUsage.KU_TICKET); decryptedBytes = encData.reset(decryptedBytes); EncTicketPart decrypted = new EncTicketPart(decryptedBytes); String clientPrincipal = decrypted.cname.toString(); return clientPrincipal; } } } catch (Exception ex) { Throwables.propagate(ex); } } return null; }
From source file:org.apache.druid.security.kerberos.KerberosAuthenticator.java
private void initializeKerberosLogin() throws ServletException { String keytab;//from ww w .j a v a 2 s. c o m try { if (serverPrincipal == null || serverPrincipal.trim().length() == 0) { throw new ServletException("Principal not defined in configuration"); } keytab = serverKeytab; if (keytab == null || keytab.trim().length() == 0) { throw new ServletException("Keytab not defined in configuration"); } if (!new File(keytab).exists()) { throw new ServletException("Keytab does not exist: " + keytab); } Set<Principal> principals = new HashSet<Principal>(); principals.add(new KerberosPrincipal(serverPrincipal)); Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); DruidKerberosConfiguration kerberosConfiguration = new DruidKerberosConfiguration(keytab, serverPrincipal); log.info("Login using keytab " + keytab + ", for principal " + serverPrincipal); loginContext = new LoginContext("", subject, null, kerberosConfiguration); loginContext.login(); log.info("Initialized, principal %s from keytab %s", serverPrincipal, keytab); } catch (Exception ex) { throw new ServletException(ex); } }
From source file:org.apache.hadoop.registry.secure.AbstractSecureRegistryTest.java
/** * Log in, defaulting to the client context * @param principal principal//from w ww. j a v a 2s . co m * @param context context * @param keytab keytab * @return the logged in context * @throws LoginException failure to log in * @throws FileNotFoundException no keytab */ protected LoginContext login(String principal, String context, File keytab) throws LoginException, FileNotFoundException { LOG.info("Logging in as {} in context {} with keytab {}", principal, context, keytab); if (!keytab.exists()) { throw new FileNotFoundException(keytab.getAbsolutePath()); } Set<Principal> principals = new HashSet<Principal>(); principals.add(new KerberosPrincipal(principal)); Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); LoginContext login; login = new LoginContext(context, subject, null, KerberosConfiguration.createClientConfig(principal, keytab)); login.login(); return login; }
From source file:org.apache.hadoop.registry.secure.TestSecureLogins.java
public LoginContext createLoginContextZookeeperLocalhost() throws LoginException { String principalAndRealm = getPrincipalAndRealm(ZOOKEEPER_LOCALHOST); Set<Principal> principals = new HashSet<Principal>(); principals.add(new KerberosPrincipal(ZOOKEEPER_LOCALHOST)); Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); return new LoginContext("", subject, null, KerberosConfiguration.createServerConfig(ZOOKEEPER_LOCALHOST, keytab_zk)); }
From source file:org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.java
/** * Initializes the authentication handler instance. * <p/>/*from ww w.j a v a 2 s .c o m*/ * It creates a Kerberos context using the principal and keytab specified in the configuration. * <p/> * This method is invoked by the {@link AuthenticationFilter#init} method. * * @param config configuration properties to initialize the handler. * * @throws ServletException thrown if the handler could not be initialized. */ @Override public void init(Properties config) throws ServletException { try { principal = config.getProperty(PRINCIPAL, principal); if (principal == null || principal.trim().length() == 0) { throw new ServletException("Principal not defined in configuration"); } keytab = config.getProperty(KEYTAB, keytab); if (keytab == null || keytab.trim().length() == 0) { throw new ServletException("Keytab not defined in configuration"); } if (!new File(keytab).exists()) { throw new ServletException("Keytab does not exist: " + keytab); } Set<Principal> principals = new HashSet<Principal>(); principals.add(new KerberosPrincipal(principal)); Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); KerberosConfiguration kerberosConfiguration = new KerberosConfiguration(keytab, principal); LOG.info("Login using keytab " + keytab + ", for principal " + principal); loginContext = new LoginContext("", subject, null, kerberosConfiguration); loginContext.login(); Subject serverSubject = loginContext.getSubject(); try { gssManager = Subject.doAs(serverSubject, new PrivilegedExceptionAction<GSSManager>() { @Override public GSSManager run() throws Exception { return GSSManager.getInstance(); } }); } catch (PrivilegedActionException ex) { throw ex.getException(); } LOG.info("Initialized, principal [{}] from keytab [{}]", principal, keytab); } catch (Exception ex) { throw new ServletException(ex); } }
From source file:org.apache.hadoop.security.token.delegation.web.TestWebDelegationToken.java
public static <T> T doAsKerberosUser(String principal, String keytab, final Callable<T> callable) throws Exception { LoginContext loginContext = null; try {//from w ww.jav a 2 s.com Set<Principal> principals = new HashSet<Principal>(); principals.add(new KerberosPrincipal(principal)); Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>()); loginContext = new LoginContext("", subject, null, new KerberosConfiguration(principal, keytab)); loginContext.login(); subject = loginContext.getSubject(); return Subject.doAs(subject, new PrivilegedExceptionAction<T>() { @Override public T run() throws Exception { return callable.call(); } }); } catch (PrivilegedActionException ex) { throw ex.getException(); } finally { if (loginContext != null) { loginContext.logout(); } } }
From source file:org.apache.lens.client.SpnegoClientFilter.java
private LoginContext buildLoginContext() throws LoginException { ClientLoginConfig loginConfig = new ClientLoginConfig(keyTabLocation, userPrincipal); Subject subject = null;/* w w w . ja va 2 s.co m*/ if (StringUtils.isNotBlank(keyTabLocation) && StringUtils.isNotBlank(userPrincipal)) { Set<Principal> princ = new HashSet<>(1); princ.add(new KerberosPrincipal(userPrincipal)); subject = new Subject(false, princ, new HashSet<>(), new HashSet<>()); } LoginContext lc = new LoginContext("", subject, null, loginConfig); return lc; }
From source file:org.apache.sentry.api.service.thrift.TestSentryWebServerWithKerberos.java
@Test public void testPingWithUnauthorizedUser() throws Exception { // create an unauthorized User with Kerberos String userPrinciple = "user/" + SentryServiceIntegrationBase.SERVER_HOST; String userKerberosName = userPrinciple + "@" + SentryServiceIntegrationBase.REALM; Subject userSubject = new Subject(false, Sets.newHashSet(new KerberosPrincipal(userKerberosName)), new HashSet<Object>(), new HashSet<Object>()); File userKeytab = new File(SentryServiceIntegrationBase.kdcWorkDir, "user.keytab"); SentryServiceIntegrationBase.kdc.createPrincipal(userKeytab, userPrinciple); LoginContext userLoginContext = new LoginContext("", userSubject, null, KerberosConfiguration.createClientConfig(userKerberosName, userKeytab)); userLoginContext.login();/*from w w w .ja va2s. co m*/ Subject.doAs(userLoginContext.getSubject(), new PrivilegedExceptionAction<Void>() { @Override public Void run() throws Exception { final URL url = new URL("http://" + SentryServiceIntegrationBase.SERVER_HOST + ":" + SentryServiceIntegrationBase.webServerPort + "/ping"); try { new AuthenticatedURL(new KerberosAuthenticator()).openConnection(url, new AuthenticatedURL.Token()); fail("Here should fail."); } catch (AuthenticationException e) { String expectedError = "status code: 403"; if (!exceptionContainsMessage(e, expectedError)) { LOG.error("UnexpectedError: " + e.getMessage(), e); fail("UnexpectedError: " + e.getMessage()); } } return null; } }); }