List of usage examples for javax.security.sasl Sasl QOP
String QOP
To view the source code for javax.security.sasl Sasl QOP.
Click Source Link
From source file:com.delphix.session.sasl.DigestServer.java
public DigestServer(PasswordStore passwd, UserMapper mapper, String[] realms) { this.passwd = passwd; this.mapper = mapper; // Set the QOP for authentication only properties.put(Sasl.QOP, "auth"); // Set the character encoding to utf-8 properties.put(UTF8_PROPERTY, "true"); /*//from w ww. ja va 2s .c o m * Construct a whitespace delimited string of realms for the DIGEST-MD5 realm property. The value will be * passed to the client during the initial SASL challenge. If not set, the authentication will fall back to * use the server name as the realm. */ if (realms != null && realms.length > 0) { properties.put(REALM_PROPERTY, StringUtils.join(realms, " ")); } }
From source file:backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin.java
public TTransportFactory getServerTransportFactory() throws IOException { // create an authentication callback handler CallbackHandler server_callback_handler = new ServerCallbackHandler(login_conf, storm_conf); // login our principal Subject subject = null;//from ww w . j av a2s.c om try { // specify a configuration object to be used Configuration.setConfiguration(login_conf); // now login Login login = new Login(AuthUtils.LOGIN_CONTEXT_SERVER, server_callback_handler); subject = login.getSubject(); } catch (LoginException ex) { LOG.error("Server failed to login in principal:" + ex, ex); throw new RuntimeException(ex); } // check the credential of our principal if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) { throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_SERVER + "\" in login configuration file " + login_conf); } String principal = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal"); LOG.debug("principal:" + principal); KerberosName serviceKerberosName = new KerberosName(principal); String serviceName = serviceKerberosName.getServiceName(); String hostName = serviceKerberosName.getHostName(); Map<String, String> props = new TreeMap<String, String>(); props.put(Sasl.QOP, "auth"); props.put(Sasl.SERVER_AUTH, "false"); // create a transport factory that will invoke our auth callback for digest TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory(); factory.addServerDefinition(KERBEROS, serviceName, hostName, props, server_callback_handler); // create a wrap transport factory so that we could apply user credential during connections TUGIAssumingTransportFactory wrapFactory = new TUGIAssumingTransportFactory(factory, subject); LOG.info("SASL GSSAPI transport factory will be used"); return wrapFactory; }
From source file:com.zimbra.cs.security.sasl.GssAuthenticator.java
@Override public boolean initialize() throws IOException { Krb5Keytab keytab = getKeytab(LC.krb5_keytab.value()); if (keytab == null) { sendFailed("mechanism not supported"); return false; }//w w w. j ava 2 s . co m debug("keytab file = %s", keytab.getFile()); final String host; if (LC.krb5_service_principal_from_interface_address.booleanValue()) { String localSocketHostname = localAddress.getCanonicalHostName().toLowerCase(); if (localSocketHostname.length() == 0 || Character.isDigit(localSocketHostname.charAt(0))) localSocketHostname = LC.zimbra_server_hostname.value(); host = localSocketHostname; } else { host = LC.zimbra_server_hostname.value(); } KerberosPrincipal kp = new KerberosPrincipal(getProtocol() + '/' + host); debug("kerberos principal = %s", kp); Subject subject = getSubject(keytab, kp); if (subject == null) { sendFailed(); return false; } debug("subject = %s", subject); final Map<String, String> props = getSaslProperties(); if (DEBUG && props != null) { String qop = props.get(Sasl.QOP); debug("Sent QOP = " + (qop != null ? qop : "auth")); } try { mSaslServer = (SaslServer) Subject.doAs(subject, new PrivilegedExceptionAction<Object>() { @Override public Object run() throws SaslException { return Sasl.createSaslServer(getMechanism(), getProtocol(), host, props, new GssCallbackHandler()); } }); } catch (PrivilegedActionException e) { sendFailed(); getLog().warn("Could not create SaslServer", e.getCause()); return false; } return true; }
From source file:backtype.storm.security.auth.kerberos.KerberosSaslTransportPlugin.java
@Override public TTransport connect(TTransport transport, String serverHost, String asUser) throws TTransportException, IOException { // create an authentication callback handler ClientCallbackHandler client_callback_handler = new ClientCallbackHandler(login_conf); // login our user Login login = null;//from w w w .j a v a 2s.c o m try { // specify a configuration object to be used Configuration.setConfiguration(login_conf); // now login login = new Login(AuthUtils.LOGIN_CONTEXT_CLIENT, client_callback_handler); } catch (LoginException ex) { LOG.error("Server failed to login in principal:" + ex, ex); throw new RuntimeException(ex); } final Subject subject = login.getSubject(); if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) { // error throw new RuntimeException("Fail to verify user principal with section \"" + AuthUtils.LOGIN_CONTEXT_CLIENT + "\" in login configuration file " + login_conf); } final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser; String serviceName = AuthUtils.get(login_conf, AuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName"); if (serviceName == null) { serviceName = AuthUtils.SERVICE; } Map<String, String> props = new TreeMap<String, String>(); props.put(Sasl.QOP, "auth"); props.put(Sasl.SERVER_AUTH, "false"); LOG.debug("SASL GSSAPI client transport is being established"); final TTransport sasalTransport = new TSaslClientTransport(KERBEROS, principal, serviceName, serverHost, props, null, transport); // open Sasl transport with the login credential try { Subject.doAs(subject, new PrivilegedExceptionAction<Void>() { public Void run() { try { LOG.debug("do as:" + principal); sasalTransport.open(); } catch (Exception e) { LOG.error( "Client failed to open SaslClientTransport to interact with a server during session initiation: " + e, e); } return null; } }); } catch (PrivilegedActionException e) { throw new RuntimeException(e); } return sasalTransport; }
From source file:org.apache.ambari.view.hive.client.Connection.java
/** * Based on JDBC implementation of HiveConnection.createBinaryTransport * * @return transport//ww w . j a v a2 s. com * @throws HiveClientException */ protected TTransport createBinaryTransport() throws HiveClientException, TTransportException, HiveAuthRequiredException { TTransport transport; boolean assumeSubject = Utils.HiveAuthenticationParams.AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT .equals(authParams.get(Utils.HiveAuthenticationParams.AUTH_KERBEROS_AUTH_TYPE)); try { if (!Utils.HiveAuthenticationParams.AUTH_SIMPLE .equalsIgnoreCase(authParams.get(Utils.HiveAuthenticationParams.AUTH_TYPE))) { // If Kerberos Map<String, String> saslProps = new HashMap<String, String>(); SaslQOP saslQOP = SaslQOP.AUTH; if (authParams.containsKey(Utils.HiveAuthenticationParams.AUTH_PRINCIPAL)) { if (authParams.containsKey(Utils.HiveAuthenticationParams.AUTH_QOP)) { try { saslQOP = SaslQOP.fromString(authParams.get(Utils.HiveAuthenticationParams.AUTH_QOP)); } catch (IllegalArgumentException e) { throw new HiveClientException("H040 Invalid " + Utils.HiveAuthenticationParams.AUTH_QOP + " parameter. " + e.getMessage(), e); } } saslProps.put(Sasl.QOP, saslQOP.toString()); saslProps.put(Sasl.SERVER_AUTH, "true"); Configuration conf = new Configuration(); conf.set("hadoop.security.authentication", "kerberos"); UserGroupInformation.setConfiguration(conf); transport = KerberosSaslHelper.getKerberosTransport( authParams.get(Utils.HiveAuthenticationParams.AUTH_PRINCIPAL), host, HiveAuthFactory.getSocketTransport(host, port, 10000), saslProps, assumeSubject); } else { // If there's a delegation token available then use token based connection String tokenStr = getClientDelegationToken(authParams); if (tokenStr != null) { transport = KerberosSaslHelper.getTokenTransport(tokenStr, host, HiveAuthFactory.getSocketTransport(host, port, 10000), saslProps); } else { // we are using PLAIN Sasl connection with user/password String userName = getAuthParamDefault(Utils.HiveAuthenticationParams.AUTH_USER, getUsername()); String passwd = getPassword(); // Note: Thrift returns an SSL socket that is already bound to the specified host:port // Therefore an open called on this would be a no-op later // Hence, any TTransportException related to connecting with the peer are thrown here. // Bubbling them up the call hierarchy so that a retry can happen in openTransport, // if dynamic service discovery is configured. if (isSslConnection()) { // get SSL socket String sslTrustStore = authParams.get(Utils.HiveAuthenticationParams.SSL_TRUST_STORE); String sslTrustStorePassword = authParams .get(Utils.HiveAuthenticationParams.SSL_TRUST_STORE_PASSWORD); if (sslTrustStore == null || sslTrustStore.isEmpty()) { transport = HiveAuthFactory.getSSLSocket(host, port, 10000); } else { transport = HiveAuthFactory.getSSLSocket(host, port, 10000, sslTrustStore, sslTrustStorePassword); } } else { // get non-SSL socket transport transport = HiveAuthFactory.getSocketTransport(host, port, 10000); } // Overlay the SASL transport on top of the base socket transport (SSL or non-SSL) transport = PlainSaslHelper.getPlainTransport(userName, passwd, transport); } } } else { //NOSASL return HiveAuthFactory.getSocketTransport(host, port, 10000); } } catch (SaslException e) { throw new HiveClientException( "H040 Could not create secure connection to " + host + ": " + e.getMessage(), e); } return transport; }
From source file:com.zimbra.cs.security.sasl.GssAuthenticator.java
@Override public void handle(final byte[] data) throws IOException { if (isComplete()) { throw new IllegalStateException("Authentication already completed"); }/*from w ww. ja v a 2s. c o m*/ // Evaluate client response and get challenge bytes byte[] bytes; try { bytes = mSaslServer.evaluateResponse(data); } catch (SaslException e) { getLog().warn("SaslServer.evaluateResponse() failed", e); // Only send if the callback hadn't already sent an error response if (!isComplete()) sendBadRequest(); return; } // If exchange not complete, send additional challenge if (!isComplete()) { assert !mSaslServer.isComplete(); String s = new String(Base64.encodeBase64(bytes), "US-ASCII"); sendContinuation(s); return; } // Authentication complete, so finish up assert mSaslServer.isComplete(); if (DEBUG) dumpNegotiatedProperties(); // If authentication failed, dispose of SaslServer instance if (!isAuthenticated()) { debug("Authentication failed"); dispose(); return; } // Authentication successful, so check if encryption enabled String qop = (String) mSaslServer.getNegotiatedProperty(Sasl.QOP); if (QOP_AUTH_INT.equals(qop) || QOP_AUTH_CONF.equals(qop)) { debug("SASL encryption enabled (%s)", qop); mEncryptionEnabled = true; } else { dispose(); // No need for SaslServer any longer } }
From source file:com.zimbra.cs.mailclient.MailConnection.java
/** * If SASL authentication was used, then returns the negotiated quality * of protection for the connection./*from w w w . j a va 2 s . c o m*/ * * @return the SASL quality of protection, or <tt>null</tt> if not yet * authenticated or SASL authentication was not used */ public String getNegotiatedQop() { return authenticator != null ? authenticator.getNegotiatedProperty(Sasl.QOP) : null; }
From source file:com.zimbra.cs.security.sasl.GssAuthenticator.java
private void dumpNegotiatedProperties() { pp("QOP", Sasl.QOP); pp("MAX_BUFFER", Sasl.MAX_BUFFER); pp("MAX_RECEIVE_SIZE", Sasl.RAW_SEND_SIZE); pp("STRENGTH", Sasl.STRENGTH); }
From source file:com.udps.hive.jdbc.HiveConnection.java
/** * Create transport per the connection options Supported transport options * are: - SASL based transports over + Kerberos + Delegation token + SSL + * non-SSL - Raw (non-SASL) socket//from w w w . j a v a2 s .co m * * Kerberos and Delegation token supports SASL QOP configurations */ private TTransport createBinaryTransport() throws SQLException { try { // handle secure connection if specified if (!HIVE_AUTH_SIMPLE.equals(sessConfMap.get(HIVE_AUTH_TYPE))) { // If Kerberos Map<String, String> saslProps = new HashMap<String, String>(); SaslQOP saslQOP = SaslQOP.AUTH; if (sessConfMap.containsKey(HIVE_AUTH_PRINCIPAL)) { if (sessConfMap.containsKey(HIVE_AUTH_QOP)) { try { saslQOP = SaslQOP.fromString(sessConfMap.get(HIVE_AUTH_QOP)); } catch (IllegalArgumentException e) { throw new SQLException("Invalid " + HIVE_AUTH_QOP + " parameter. " + e.getMessage(), "42000", e); } } saslProps.put(Sasl.QOP, saslQOP.toString()); saslProps.put(Sasl.SERVER_AUTH, "true"); boolean assumeSubject = HIVE_AUTH_KERBEROS_AUTH_TYPE_FROM_SUBJECT .equals(sessConfMap.get(HIVE_AUTH_KERBEROS_AUTH_TYPE)); transport = KerberosSaslHelper.getKerberosTransport(sessConfMap.get(HIVE_AUTH_PRINCIPAL), host, HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps, assumeSubject); } else { // If there's a delegation token available then use token // based connection String tokenStr = getClientDelegationToken(sessConfMap); if (tokenStr != null) { transport = KerberosSaslHelper.getTokenTransport(tokenStr, host, HiveAuthFactory.getSocketTransport(host, port, loginTimeout), saslProps); } else { // we are using PLAIN Sasl connection with user/password String userName = getUserName(); String passwd = getPassword(); if (isSslConnection()) { // get SSL socket String sslTrustStore = sessConfMap.get(HIVE_SSL_TRUST_STORE); String sslTrustStorePassword = sessConfMap.get(HIVE_SSL_TRUST_STORE_PASSWORD); if (sslTrustStore == null || sslTrustStore.isEmpty()) { transport = HiveAuthFactory.getSSLSocket(host, port, loginTimeout); } else { transport = HiveAuthFactory.getSSLSocket(host, port, loginTimeout, sslTrustStore, sslTrustStorePassword); } } else { // get non-SSL socket transport transport = HiveAuthFactory.getSocketTransport(host, port, loginTimeout); } // Overlay the SASL transport on top of the base socket // transport (SSL or non-SSL) transport = PlainSaslHelper.getPlainTransport(userName, passwd, transport); } } } else { // Raw socket connection (non-sasl) transport = HiveAuthFactory.getSocketTransport(host, port, loginTimeout); } } catch (SaslException e) { throw new SQLException("Could not create secure connection to " + jdbcURI + ": " + e.getMessage(), " 08S01", e); } catch (TTransportException e) { throw new SQLException("Could not create connection to " + jdbcURI + ": " + e.getMessage(), " 08S01", e); } return transport; }